
Fedora development team hacked

02 April 2009


Server compromised


Red Hat's Fedora team had its server hacked in a mysterious break-in that could have compromised the security of the Linux distribution.

In August 2008, the Fedora team noticed irregularities on its server. Fedora admins found a change in the package complement that should not have been there, and it turned out to be tampering by an intruder. The server was pulled off the net while security experts had a look under the bonnet.

What the experts could not find out was how the hacker got inside the server. Apparently he used no hacker tools but authenticated himself using a copy of an SSH private key that was not passphrase-protected. The key belonged to a Fedora admin, which suggests the hacker either guessed, cracked or found out the admin's password. How he then got to the SSH private key is anyone's guess.

The hacker got access to the Fedora package signing key and used this to create modified versions of OpenSSH and RPM that would allow access to the user passphrases that secure the package signing key on the build system. That would have meant he could have fraudulently signed modified packages sent to Fedora users. It never got that far because the packages were discovered before they were signed.

As a result of the hack, the Fedora project has rebuilt its infrastructure, generated new package signing keys and come up with a new security policy. All admins got new SSH keys. A new repo security policy also required Fedora admin groups to use passphrases on their private keys.