On 22 Nov 2004, at 10:23, Jeff Templon wrote:
> Hi
>
> Ouch. First I'd try eliminating some possibilities:
>
> 1) can you log in as ANY user at all on that machine?
I believe there are no other users on the WN except root and the
experiment-specific users created by LCG. I can't log in as root and
don't know how to log in as one of those experiment-specific users. Is
that possible?
> 2) what does ssh et al say when you try to log in as root? Have you
> looked at the output of ssh -v?
On the terminal it just says "Login incorrect"; ssh -v says a lot, but I
can't find anything serious in it. Here is what I got:
[root@serv05 source]# ssh -v root@farm006
OpenSSH_3.1p1, SSH protocols 1.5/2.0, OpenSSL 0x0090602f
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Rhosts Authentication disabled, originating port will not be
trusted.
debug1: restore_uid
debug1: ssh_connect: getuid 0 geteuid 0 anon 1
debug1: Connecting to farm006 [131.111.66.206] port 22.
debug1: temporarily_use_uid: 0/0 (e=0)
debug1: restore_uid
debug1: temporarily_use_uid: 0/0 (e=0)
debug1: restore_uid
debug1: Connection established.
debug1: read PEM private key done: type DSA
debug1: read PEM private key done: type RSA
debug1: identity file /root/.ssh/identity type -1
debug1: identity file /root/.ssh/id_rsa type -1
debug1: identity file /root/.ssh/id_dsa type -1
debug1: Remote protocol version 1.99, remote software version
OpenSSH_3.1p1
debug1: match: OpenSSH_3.1p1 pat OpenSSH*
Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_3.1p1
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: dh_gen_key: priv key bits set: 112/256
debug1: bits set: 1584/3191
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'farm006' is known and matches the RSA host key.
debug1: Found key in /root/.ssh/known_hosts:9
debug1: bits set: 1563/3191
debug1: ssh_rsa_verify: signature correct
debug1: kex_derive_keys
debug1: newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: waiting for SSH2_MSG_NEWKEYS
debug1: newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: done: ssh_kex2.
debug1: send SSH2_MSG_SERVICE_REQUEST
debug1: service_accept: ssh-userauth
debug1: got SSH2_MSG_SERVICE_ACCEPT
debug1: authentications that can continue:
publickey,password,keyboard-interactive
debug1: next auth method to try is publickey
debug1: try privkey: /root/.ssh/identity
debug1: try privkey: /root/.ssh/id_rsa
debug1: try privkey: /root/.ssh/id_dsa
debug1: next auth method to try is keyboard-interactive
debug1: authentications that can continue:
publickey,password,keyboard-interactive
debug1: next auth method to try is password
root@farm006's password:
debug1: packet_send2: adding 64 (len 55 padlen 9 extra_pad 64)
debug1: authentications that can continue:
publickey,password,keyboard-interactive
Permission denied, please try again.
> 3) can you log on to OTHER worker nodes as root?
Yes, I can. I can change the password from LCFG as well, and can use
the new one on other WNs.
>
> If you can log on as a mortal to the WN in question, you can always look
> around for sneaky processes. You should also look for a rdxprof
> process, since this is the thing that is looking for password changes.
> Check on the LCFG server that when you remade the profiles that it
> really did work -- i.e. no errors in the profile compilation, mkxprof is
> sometimes a bit too quiet about this.
>
I think that worked, because the password changed for other nodes and
I didn't get any error messages at the time of remaking the profile. I
think I can't check whether rdxprof is running or not without logging
in.
Santanu
> If mkxprof successfully made a profile, and the root password really did
> change -- meaning that you didn't change something that gets overridden
> later anyway -- and rdxprof is running on the WN, then the password
> change *will* happen. If rdxprof is no longer running, you will have to
> reboot AFAIK.
>
> Good luck.
>
> JT
>
> On Mon, 2004-11-22 at 11:07, Santanu Das wrote:
>> Hi,
>>
>> We are suspecting that one of our WNs may have been compromised by a
>> wide-scale ssh probe on Sat from a Taiwanese host, 192.192.73.5, and as
>> a result I now can't log in as root on that WN. I changed the
>> password-cfg.h on LCFG and remade the profile for that particular node,
>> but I still can't use that new password on that WN. I don't want to
>> reboot that WN just now. Does anyone know how that "change of
>> password" works between LCFG and the WN? Or any idea how I can change
>> the password on that compromised WN so that I can log in without
>> rebooting the node?
>>
>> Thanks,
>> Santanu
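As an added example (not part of this thread or of LCFG), a small Python triage helper that reads `ssh -v` output like the transcript quoted above and reports which stage got through: TCP/SSH transport, host-key verification, and authentication. The sample transcript is a constructed, trimmed copy of the one in the thread, keeping the mail-client line wrap after "authentications that can continue:" so the parser has to cope with it; the `verdict` wording is my own.

```python
# Constructed sample: a trimmed copy of the `ssh -v root@farm006` transcript
# quoted in the thread, including the wrapped "can continue:" method list.
SAMPLE = """\
debug1: Connecting to farm006 [131.111.66.206] port 22.
debug1: Connection established.
debug1: Host 'farm006' is known and matches the RSA host key.
debug1: authentications that can continue:
publickey,password,keyboard-interactive
debug1: next auth method to try is publickey
debug1: next auth method to try is keyboard-interactive
debug1: next auth method to try is password
root@farm006's password:
Permission denied, please try again.
"""

def triage_ssh_verbose(text):
    """Reduce an `ssh -v` transcript to the facts that matter for triage."""
    s = {"connected": False, "host_key_matched": False,
         "methods_offered": [], "methods_tried": [], "outcome": "unknown"}
    expect_methods = False  # set when the method list wrapped onto the next line
    for raw in text.splitlines():
        line = raw.strip()
        if expect_methods:
            s["methods_offered"] = line.split(",")
            expect_methods = False
        elif "Connection established" in line:
            s["connected"] = True
        elif "matches the" in line and "host key" in line:
            s["host_key_matched"] = True   # server key is the one in known_hosts
        elif "authentications that can continue:" in line:
            tail = line.split("continue:", 1)[1].strip()
            expect_methods = not tail      # empty tail: list is on the next line
            if tail:
                s["methods_offered"] = tail.split(",")
        elif "next auth method to try is" in line:
            s["methods_tried"].append(line.rsplit(" ", 1)[1])
        elif line.startswith("Permission denied"):
            s["outcome"] = "denied"
    return s

def verdict(s):
    # One-line reading of where the session failed, for the incident notes.
    if not s["connected"]:
        return "no SSH connection: sshd unreachable or not listening"
    if not s["host_key_matched"]:
        return "host key not confirmed: compare known_hosts before trusting the box"
    if s["outcome"] == "denied":
        return "transport and host key fine; only authentication failed (tried: %s)" \
            % ", ".join(s["methods_tried"])
    return "authentication outcome " + s["outcome"]
```

For the transcript in the thread this yields "transport and host key fine; only authentication failed", i.e. sshd is answering with the recorded host key and the rejection happens purely at the password step.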