[tor-project] LDAP sudo passwords change now in effect



Hi,

As announced last month, I have just finished deploying the change in
the PAM configuration requiring a special password to authenticate with
sudo on all torproject.org servers.

Preliminary tests do not show any problems, but it's possible you might
have trouble running jobs with sudo if there's a configuration problem.

Again, that password can be changed in the web interface here:

https://db.torproject.org/login.html

For all the details, see the original announcement:

https://lists.torproject.org/pipermail/tor-project/2019-September/002509.html

... also included below.

A.
-- 
Antoine Beaupré
torproject.org system administration

--- Begin Message ---
Hello!

What
====

A month from now, the sudo configuration on torproject.org machines
will change. Right now your normal LDAP password can be used to
authenticate with sudo, but it will then require you to use the dedicated
sudo password.

When
====

For now, both the LDAP password and the new sudo password will work to
authenticate to sudo. Starting in the third week of October (around
October 14th), the LDAP password will no longer be accepted for sudo
authentication.

Note that this was previously announced in March 2016, but never enforced:

https://lists.torproject.org/pipermail/tor-project/2016-March/000199.html

How
===

The LDAP password is the one you got sent in encrypted mail when your
account was first created on db.torproject.org. You should have
changed that on the [web interface][].  This password is the one that
also allows you to log into the management interface there and change
for instance your mail forwarding configuration or your sudo password.

 [web interface]: https://db.torproject.org/login.html

To set the sudo password:

 1. go to the user management website above
 2. pick "Update my info"
 3. set a new (strong) sudo password

If you want, you can set a password that works for all the hosts that
are managed by torproject-admin, by using the wildcard ("*").
Alternatively, or additionally, you can have per-host sudo passwords
-- just select the appropriate host in the pull-down box.

Once set on the web interface, you will have to confirm the new
settings by sending a signed challenge to the mail interface.  Please
ensure you don't introduce any additional line breaks.

Note that setting a sudo password will only enable you to use sudo to
configured accounts on configured hosts. Consult the output of "sudo
-l" if you don't know what you may do. (If you don't know, chances are
you don't need to nor can use sudo.)

Why
===

We prefer to use two authentication factors to access the more
powerful "sudo" command; this is a security measure. We want a
different password for anything that elevates your privilege,
in other words.

Who
===

This change is operated by the Tor Project sysadmins (TPA). If you
have any questions or comments, feel free to respond to this message
or follow up in ticket #6367.

-- 
Antoine Beaupré
torproject.org system administration

--- End Message ---