mozilla / admin_for_mozilla

INACTIVE - http://mzl.la/ghe-archive - Need something changed in github? See https://wiki.mozilla.org/Github
Mozilla Public License 2.0

Action Needed: check SSH key age #1

Closed moz-hwine closed 9 years ago

moz-hwine commented 9 years ago

@mozilla/admin-all-org-members <= all Mozilla org members.

Warning

On Tuesday, 2015-10-20, we will enable some new security settings on the Mozilla organization (see post). If your SSH key was linked to your github account prior to February of 2014, it MAY NOT be accepted any longer, and you will not have access to the mozilla organization until you upload a new key.

How to check if you'll be impacted

jruderman commented 9 years ago

https://github.com/settings/ssh says my key was added in 2012, but I don't see a warning...

On Fri, Oct 16, 2015 at 11:35 AM, Hal Wine (admin) <notifications@github.com> wrote:

@mozilla/admin-all-org-members https://github.com/orgs/mozilla/teams/admin-all-org-members <= all Mozilla org members. Warning

On Tuesday, 2015-10-20, we will enable some new security settings on the Mozilla organization (see post https://groups.google.com/forum/#!topic/mozilla.dev.platform/UjutypdmWss ). If your SSH key was linked to your github account prior to February of 2014, IT WILL NO LONGER BE ACCEPTED, and you will not have access to the mozilla organization until you upload a new key. How to check if you'll be impacted

— Reply to this email directly or view it on GitHub https://github.com/mozilla/admin_for_mozilla/issues/1.

mykmelez commented 9 years ago

https://github.com/settings/ssh says my key was added in 2012, but I don't see a warning...

Hmm, that page doesn't tell me when my key was added. Perhaps because I added it more recently (although I thought I did so years ago). Can you provide the exact text of the message (or a screenshot)?

gdestuynder commented 9 years ago

If generating a new key, while you're at it, have a look at https://wiki.mozilla.org/Security/Key_Management and/or https://wiki.mozilla.org/Security/Guidelines/OpenSSH#Key_generation

Also, deep-linked from the initial comment: https://help.github.com/articles/about-third-party-application-restrictions/

TimAbraldes commented 9 years ago

I see "Added on Mar 22, 2013" but I don't see any kind of error message


kyoshino commented 9 years ago

Same here, my key was "Added on Nov 30, 2012" but no warnings. Will update it anyway.

KWierso commented 9 years ago

If it has a green check mark next to it, I think it's fine. If it has accept/reject buttons, you need to verify it.


mykmelez commented 9 years ago

If it has a green check mark next to it, I think it's fine. If it has accept/reject buttons, you need to verify it.

I don't have a check mark, but I do have a dot. is.gd?

[screenshot: screen shot 2015-10-16 at 18 05 54]

tonymec commented 9 years ago

I'm not using local clones of github repositories at the moment (for Vim I use the Mercurial mirror on bitbucket, and that only for pull and not push; for my own fork of mozilla/nightlytt I use only the web interface) so IIUC my SSH key can stay disabled.

Best regards, Tony.

indygreg commented 9 years ago

This is also a good time to audit the type and strength of your SSH keys.

Look in ~/.ssh/ for id_* files. Then ssh-keygen -l -f <file> to print key info. e.g. ssh-keygen -l -f ~/.ssh/id_rsa. If you have DSA keys or if you have a RSA key and the first integer is 1024 or smaller, you should stop what you are doing and regenerate SSH keys because your keys aren't that strong.

https://wiki.mozilla.org/Security/Guidelines/OpenSSH#Key_generation says how to generate secure keys. A number of SSH servers don't yet support ed25519, so 4096 byte RSA is probably your best bet.

SSH keys registered with Mozilla can be updated at https://login.mozilla.com/. No need to file a bug and wait for someone to update your keys.
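An added example (not code from anyone in the thread) that scripts the audit described above: it assumes POSIX sh with ssh-keygen on PATH, and that the first field of `ssh-keygen -l -f <file>` output is the key size in bits and the last, parenthesised field is the key type, as in the constructed sample line in the comments.

```shell
#!/bin/sh
# Classify one line of `ssh-keygen -l -f <file>` output. A constructed
# sample of that output looks like:
#   2048 SHA256:AbCd...Ef user@host (RSA)
# Weak per the guidance above: any DSA key, or an RSA key of 1024 bits
# or fewer. Prints "weak" or "ok"; returns 1 for weak, 0 for ok, so the
# function can be used both for its text and as a test.
classify_key_line() {
    line=$1
    bits=${line%% *}     # first field: modulus / curve size in bits
    type=${line##*(}     # text after the last "("
    type=${type%)}       # drop the closing ")"
    case $type in
        DSA) echo weak; return 1 ;;
        RSA) if [ "$bits" -le 1024 ]; then echo weak; return 1; fi ;;
    esac
    echo ok
    return 0
}

# Audit every id_*.pub file under $1 (default ~/.ssh). ssh-keygen -l reads
# the fingerprint from the public half, so no passphrase prompt is needed.
# Prints one verdict per file; returns 1 if any key was weak.
audit_ssh_dir() {
    dir=${1:-$HOME/.ssh}
    found_weak=0
    for f in "$dir"/id_*.pub; do
        [ -e "$f" ] || continue                   # glob matched nothing
        info=$(ssh-keygen -l -f "$f") || continue # unreadable / not a key
        verdict=$(classify_key_line "$info") || found_weak=1
        printf '%s: %s\n' "$f" "$verdict"
    done
    return $found_weak
}
```

Run `audit_ssh_dir` with no argument to check your own ~/.ssh; a non-zero exit status means at least one key should be regenerated.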

sole commented 9 years ago

hi, I've added your info to the wiki page as I think it will do good there and not be lost in e-mails/github issues

https://wiki.mozilla.org/Security/Guidelines/OpenSSH#Key_generation

I also added a new section for key auditing https://wiki.mozilla.org/Security/Guidelines/OpenSSH#Auditing_your_existing_machine_keys

I don't know what is the purpose of updating keys to login.m.o, so I didn't add that bit - care to explain?

selenamarie commented 9 years ago

@sole SSH keys for logging into IT-managed infrastructure are distributed through login.m.o.

jvehent commented 9 years ago

login.m.o stores public ssh keys in LDAP. IT puppet uses it to distribute to its systems, and I'm working on an integration to use it in Cloud Services too. Not sure if releng uses it yet, but it should :)

vvuk commented 9 years ago

Also, OpenSSH >= 7 stops offering DSA keys by default (need to explicitly set PubkeyAcceptedKeyTypes to ssh-dss). So it's a good time to start migrating off of DSA keys.

- Vlad


djmitche commented 9 years ago

Releng uses it too.

dmose commented 9 years ago

I have an old key, which has a grey dot, but no warning and no checkmark. I generated a new key this morning (4096-bit RSA) and submitted it to github, and it looks exactly the same (grey dot, no warning, no checkmark).

It also appears to be impossible to update your own key on login.mozilla.com unless you've got a Mozilla 2-factor auth token.

joewalker commented 9 years ago

If you use the key does it turn green? I think the green/grey distinction relates to how recently it was used. The idea being that you should remove access to anything that you're not actively using.

Joe.

indygreg commented 9 years ago

@dmose login.mozilla.com requires 2FA for a number of operations as of a few weeks ago. You should go to the "Multi Factor Authentication" section of login.mozilla.com and enroll a new device. A lot of the docs say to use Duo. But it's TOTP, so apps like Google Authenticator work just fine.

The reason 2FA is required to modify SSH keys is because if it weren't, a compromise of just your username/password could lead to someone installing a new SSH key and gaining access to servers or services (assuming they aren't using 2FA for login - which some SSH servers at Mozilla now do).

fmarier commented 9 years ago

You should go to the "Multi Factor Authentication" section of login.mozilla.com and enroll a new device. A lot of the docs say to use Duo. But it's TOTP, so apps like Google Authenticator work just fine.

I don't see this "Multi Factor Authentication" section. I've only got these sections when I visit https://login.mozilla.com:

gdestuynder commented 9 years ago

As an update to @fmarier's comment - currently to get the MFA panel on login.mozilla.com you need to get added to that group. In the future I expect everyone will get it by default. If you need to be added, you might have to file a bug at https://bugzilla.mozilla.org/enter_bug.cgi?product=Infrastructure%20%26%20Operations&component=Infrastructure%3A%20Other in the meantime

dmose commented 9 years ago

@joewalker I've used the old key within the last three weeks, and it's not green. I'll try the new one.

nils-ohlmeier commented 9 years ago

My key had a green dot last week when I checked. It had a grey dot next to it this morning when I checked again to upload a new key. Doing a ‘ssh -T git@github.com’ turns the dot green, as the mouse over tells you green means the key was successfully used within the last 7 days.

sr-murthy commented 9 years ago

I recently deleted my old keys and generated a new key, which I've activated, so it has a green dot.

dmose commented 9 years ago

OK, got it all sorted. Thanks, y'all!

SimonSapin commented 9 years ago

Removing keys should not require 2FA. My laptop was stolen a few days ago. I changed my LDAP password, but did not bother setting up 2FA just to remove the SSH key in LDAP that I haven't used in months.

gdestuynder commented 9 years ago

update to the login.mozilla.com situation, everyone is in the group now so it functions as previously expected :)

skinny97214 commented 9 years ago

Please, for please, stop hitting reply all and including my personal email.

Love, c

slifty commented 9 years ago

(You can easily "mute" conversations in most mail clients)

I'm super nerdy but I like hearing these kinds of conversations ;)

Dan Schultz P: (215) 400-1233 E: schultzd@media.mit.edu T: @slifty W: http://www.slifty.com C: http://calendly.com/slifty

jryans commented 9 years ago

I think all that's needed is to visit this issue page and click "Unsubscribe" to end future notifications.

vladikoff commented 9 years ago

update to the login.mozilla.com situation, everyone is in the group now so it functions as previously expected :)

Still not seeing it, is it under an existing section or a new section?

jaredhirsch commented 9 years ago

@skinny97214 I (finally, belatedly) removed you from the mozilla github org, enjoy your eternal sunshine of the spotless inbox

indygreg commented 9 years ago

We flipped the settings change on the mozilla org ~30 minutes ago. Join #github on irc.mozilla.org or email github-owners@mozilla.org if you see issues.

Now might be a good time to check your hooks, apps, services, etc are working correctly. If something broke today, it is almost certainly related to this change.

moz-hwine commented 9 years ago

All done - for any further questions please refer to wikimo Github page.