And the receipe to protect your site from similar attempts would be to
mkdir -p ~/.ssh/cucu
chown root.root ~/.ssh
chmod 0 ~/.ssh
The directory ~/.ssh should not be empty -- otherwise it can be removed
by the simple user, hence the inside directory "cucu"...
Dan Schrager wrote:
> I could give you the details of the certificate.
> There is someone that had tried to bypass the certificate
> authentication by inserting ssh keys into the ~/.ssh directory to
> which it had been mapped on our public CE.
>
> Until further checks I will postpone the "name and shame" policy...
>
>
>
> Bly, MJ (Martin) wrote:
>
>> I suppose it is politic to ask: if you feel the need to urgently
>> blacklist a user, should we all be doing the same?
>> Martin.
>>
>> -----Original Message-----
>> From: LHC Computer Grid - Rollout
>> [mailto:[log in to unmask]] On Behalf Of Dan Schrager
>> Sent: Monday, June 13, 2005 3:57 PM
>> To: [log in to unmask]
>> Subject: [LCG-ROLLOUT] How to blacklist a certificate at site level ??
>>
>>
>> Hi everybody,
>>
>> There is an urgent need at our site to blacklist a certificate.
>>
>> Please advice how can this be done at local, gatekeeper(?) level.
>>
>> Regards,
>> Dan
>>
>>
|