On Sun, Dec 07, 2003 at 09:16:58PM -0500, Patrick Ouellette wrote:
> Instead of a smartcard/token/whatever physical device, this incident
> could possibly have been thwarted by requiring developers to pre-register
> their machine with the project (using ssh host key for example). The
> attacker would have the user's account information, but project machines
> would have refused access since the host id did not match the user's
> registered hosts. Then the project machine could have alerted both the
> project's admin team and the owner of the compromised account.
Given that the easiest way to get a developer's password is to compromise a
machine that person logs into Debian systems from, I doubt this will help
that much. :-) The only exception I can see would be if the user uses the
same password for his/her Debian account and some other system, and the
attacker is smart enough (read: wants to go specifically after Debian) to
test that password on d.o as well.

/* Steinar */
-- 
Homepage: http://www.sesse.net/
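The host-registration check Patrick proposes, and the limit Steinar points out, as an added example that is not part of this thread and not Debian's own code. OpenSSH already offers the real mechanism (HostbasedAuthentication in sshd_config, with the client host keys listed in /etc/ssh/ssh_known_hosts and the allowed hosts in /etc/ssh/shosts.equiv); the Python below only simulates the policy so the two cases can be seen side by side. The fingerprint routine reproduces OpenSSH's "SHA256:<unpadded base64>" format, so it can be compared against `ssh-keygen -lf` on a real key. The Registry class, the alerts list, the sample keys and the user/IP names are all constructed for this example.

```python
"""Simulated per-user SSH host registration (added example; not Debian or OpenSSH code)."""
import base64
import hashlib
import struct
from dataclasses import dataclass, field


def ssh_wire_key(key_type: str, raw: bytes) -> bytes:
    """Encode a public key blob as RFC 4253 'string' fields: type name, then key material."""
    return b"".join(struct.pack(">I", len(part)) + part for part in (key_type.encode(), raw))


def make_sample_key(seed: int) -> str:
    """Constructed ed25519-shaped host key line ('type base64 comment'); the 32 key bytes
    are derived from the seed and are NOT a real keypair, only the wire layout is realistic."""
    raw = hashlib.sha256(b"constructed-key-%d" % seed).digest()  # 32 bytes, ed25519 pubkey size
    blob = ssh_wire_key("ssh-ed25519", raw)
    return "ssh-ed25519 %s constructed-host-%d" % (base64.b64encode(blob).decode(), seed)


def fingerprint(pubkey_line: str) -> str:
    """OpenSSH-style SHA256 fingerprint of a 'type base64 [comment]' public key line."""
    fields = pubkey_line.split()
    if len(fields) < 2:
        raise ValueError("malformed public key line")
    digest = hashlib.sha256(base64.b64decode(fields[1])).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


@dataclass
class Registry:
    """Per-user set of registered host-key fingerprints plus the alerts a rejection raised."""
    hosts: dict = field(default_factory=dict)    # user -> set of fingerprints
    alerts: list = field(default_factory=list)   # would be mail to admins + owner in practice

    def register(self, user: str, host_key_line: str) -> str:
        fp = fingerprint(host_key_line)
        self.hosts.setdefault(user, set()).add(fp)
        return fp

    def check_login(self, user: str, presented_key_line: str, source_ip: str) -> bool:
        """Allow only if the presented host key is one this user pre-registered.
        Valid account credentials alone are never enough; an unknown host raises an alert."""
        fp = fingerprint(presented_key_line)
        if fp in self.hosts.get(user, set()):
            return True
        self.alerts.append(
            "ALERT to project admins and %s: login for %s from %s presented unregistered host %s"
            % (user, user, source_ip, fp)
        )
        return False


def demo() -> dict:
    """Three logins against one registration: the developer's own host, an attacker's host,
    and the attacker logging in FROM the developer's (compromised) host, which still passes."""
    reg = Registry()
    dev_host = make_sample_key(1)       # the developer's registered workstation
    attacker_host = make_sample_key(2)  # an unregistered machine with stolen credentials
    reg.register("pouellette", dev_host)
    return {
        "own_host": reg.check_login("pouellette", dev_host, "198.51.100.7"),
        "attacker_host": reg.check_login("pouellette", attacker_host, "203.0.113.9"),
        # Steinar's point: a password stolen by compromising the registered host is used
        # from that same host, so the host-key check cannot tell the two apart.
        "attacker_on_compromised_host": reg.check_login("pouellette", dev_host, "198.51.100.7"),
        "alerts_raised": len(reg.alerts),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The "attacker_on_compromised_host" case is the one the reply is about: the registry only binds the login to a machine, so it stops credential reuse from elsewhere (the d.o password-reuse case) but not an attacker who already owns the developer's registered machine.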