changes to the use of sudo on project machines

Group: linux.debian.project · Group Profile
Author: Peter Palfrader
Date: Sep 16, 2008 18:00

[please follow up to -project or -admin or just me, depending on what
seems more appropriate.]

Hi,

if you use sudo on project machines this will affect you.

The short version:

If you want to use sudo in the future, go to http://db.debian.org/ and set a
sudo password for yourself.

A slightly longer version:

We are trying to limit the exposure of login and ldap passwords on project
machines. Currently everybody who is using sudo on a project machine has
to use their login and ldap password, which in case of a compromise can be
used to access other machines and change the user's settings in ldap.

Since sudo uses the pam library to authenticate users, we can make use of a
dedicated passwords file using libpam-pwdfile for authentication to sudo.

Userdir-ldap (http://db.debian.org) has been modified to allow users to set a
(per host if desired) password for their use of sudo. After setting a new sudo
password on the web interface this change has to be confirmed by sending a
signed mail - the web interface should instruct you accordingly. This
confirmation is intended to prevent an attacker who has learned a login/ldap
password from elevating this to sudo-access.

We are slowly updating the machines to use the new config. Please see
https://dsawiki.debian.org/dsawiki/New-Sudo for per machine progress
status.

Cheers,
weasel

[is there a list that all buildd admins are on?]
--
                           |  .''`.  ** Debian GNU/Linux **
      Peter Palfrader      | : :' :      The  universal
 http://www.palfrader.org/ | `. `'      Operating System
                           |   `-    http://www.debian.org/
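
An added example, not part of the original mail and not the Debian admins' actual configuration: a small audit that tells whether a sudo PAM service file still authenticates against the login password or uses a dedicated file through pam_pwdfile, as the mail describes. The sample files, the placeholder path /etc/sudo-passwd, and the rule that pam_unix, pam_ldap or an include of common-auth counts as "shared" are assumptions made for this illustration.

```shell
#!/bin/sh
# Classify the auth stack of a sudo PAM service file (added example).
#   dedicated - auth goes through pam_pwdfile.so with a pwdfile= argument
#   shared    - auth can still reach the login/LDAP password
#   unknown   - neither pattern was found
audit_sudo_pam() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }           # skip comments and blank lines
        $1 == "@include" && $2 == "common-auth" { shared = 1; next }
        $1 == "auth" || $1 == "-auth" {
            # Assumption: these modules check the same secret used for login.
            if ($0 ~ /pam_unix\.so/ || $0 ~ /pam_ldap\.so/) shared = 1
            if ($0 ~ /pam_pwdfile\.so/ && $0 ~ /pwdfile=/) dedicated = 1
        }
        END {
            # A single shared module defeats the separation, so it wins.
            if (shared) print "shared"
            else if (dedicated) print "dedicated"
            else print "unknown"
        }' "$1"
}

# Write two constructed sample service files into directory $1.
write_samples() {
    # Constructed: stack that authenticates sudo with the login password.
    printf '%s\n' '#%PAM-1.0' \
        '@include common-auth' \
        '@include common-account' > "$1/sudo.before"
    # Constructed: sudo-only password file; the path is a placeholder.
    printf '%s\n' '#%PAM-1.0' \
        'auth required pam_pwdfile.so pwdfile=/etc/sudo-passwd' \
        '@include common-account' > "$1/sudo.after"
}

tmp=$(mktemp -d)
write_samples "$tmp"
for f in "$tmp/sudo.before" "$tmp/sudo.after"; do
    printf '%s: %s\n' "${f##*/}" "$(audit_sudo_pam "$f")"
done
rm -rf "$tmp"
```

On a real host the function would be pointed at /etc/pam.d/sudo; a "shared" result means a captured sudo password is also a login credential.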
