[please follow up to -project or -admin or just me, depending on what
seems more appropriate.]
Hi,
if you use sudo on project machines this will affect you.
The short version:
If you want to use sudo in the future, go to http://db.debian.org/ and set a
sudo password for you.
A slightly longer version:
We are trying to limit the exposure of login and ldap passwords on project
machines. Currently everybody who is using sudo on a project machine has
to use their login and ldap password, which in case of a compromise can be
used to access other machines and change the user's settings in ldap.
Since sudo uses the pam library to authenticate users, we can make use of a
dedicated passwords file using libpam-pwdfile for authentication to sudo.
Userdir-ldap (http://db.debian.org) has been modified to allow users to set a
(per host if desired) password for their use of sudo. After setting a new sudo
password on the web interface this change has to be confirmed by sending a
signed mail - the web interface should instruct you accordingly. This
confirmation is intended to prevent an attacker who has learned a login/ldap
password to elevate this to sudo-access.
We are slowly updating the machines to use the new config. Please see
https://dsawiki.debian.org/dsawiki/New-Sudo for per machine progress
status.
Cheers,
weasel
[is there a list that all buildd admins are on?]
--
| .''`. ** Debian GNU/Linux **
Peter Palfrader | : :' : The universal
http://www.palfrader.org/ | `. `' Operating System
| `-http://www.debian.org/
--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
