Maybe one can learn a bit from all of this!!!!
Before dubiously banning someone, just ask what he is doing.
cheers
Mario
----- Forwarded message from George Tsouloupas <[log in to unmask]> -----
Date: Mon, 13 Jun 2005 19:46:59 +0300
From: George Tsouloupas <[log in to unmask]>
Reply-To: George Tsouloupas <[log in to unmask]>
Subject: Re: [LCG-ROLLOUT] How to blacklist a certificate at site level ??
To: [log in to unmask]
Hi Mario,
Maybe you could forward this to the list.
I've sent numerous mails to our ROC but it looks like the information
I provide is not making it back to the lists.
Again, this is NOT a malicious attack of any kind. As part of a
benchmarking/testing tool we are developing, this
was an attempt to run an MPI job, that requires passwordless ssh between
WN's in order to work.
I used to do this routinely within CrossGrid to test-and-fix MPI
support for my account at a site.
There was no attempt to by-pass any queuing systems or gain
unaccounted-for access to
the worker nodes. The generated keys were unique to each site and never
left the site.
There was NO INTENTION and NO ATTEMPT to compromise security NOR was
security compromised. I was using the tools available so I could do my
job. Again, security WAS NOT compromised, nothing was copied to anywhere
but my account, there is no attempt to get unauthorized access. I was
simply trying to get my processes to cooperate after submitting an MPI job.
If this is unacceptable behavior then we must really figure out a way to
prevent it, otherwise the next time
it could be someone malicious!
Thanks
George
[log in to unmask] wrote:
>OK
>so I know this guy
>Has anyone even remembered to ask him directly what he was trying to do??
>If not I will do it
>
>George, you are going to be banned soon from the LCG testbed
>so explain what you are trying to do
>
>cheers
>
>Mario
>
>Quoting Dan Schrager <[log in to unmask]>:
>
>
>
>>And the recipe to protect your site from similar attempts would be to
>>mkdir -p ~/.ssh/cucu
>>chown root.root ~/.ssh
>>chmod 0 ~/.ssh
>>The directory ~/.ssh should not be empty -- otherwise it can be removed
>>by the simple user, hence the inside directory "cucu"...
>>
>>
>>
>>Dan Schrager wrote:
>>
>>
>>
>>>I could give you the details of the certificate.
>>>There is someone that had tried to bypass the certificate
>>>authentication by inserting ssh keys into the ~/.ssh directory to
>>>which it had been mapped on our public CE.
>>>
>>>Until further checks I will postpone the "name and shame" policy...
>>>
>>>
>>>
>>>Bly, MJ (Martin) wrote:
>>>
>>>
>>>
>>>>I suppose it is politic to ask: if you feel the need to urgently
>>>>blacklist a user, should we all be doing the same?
>>>>Martin.
>>>>
>>>>-----Original Message-----
>>>>From: LHC Computer Grid - Rollout
>>>>[mailto:[log in to unmask]] On Behalf Of Dan Schrager
>>>>Sent: Monday, June 13, 2005 3:57 PM
>>>>To: [log in to unmask]
>>>>Subject: [LCG-ROLLOUT] How to blacklist a certificate at site level ??
>>>>
>>>>
>>>>Hi everybody,
>>>>
>>>>There is an urgent need at our site to blacklist a certificate.
>>>>
>>>>Please advise how this can be done at local, gatekeeper(?) level.
>>>>
>>>>Regards,
>>>>Dan
>>>>
>>>>
>>>>
>>>>
>
>
>
>
>
----- End forwarded message -----
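
The ~/.ssh lock-down quoted in the thread, and the key insertion it is meant to prevent, can be audited across mapped accounts. The script below is an added example, not code from the thread; it assumes homes sit directly under one base directory and that GNU stat is available, and the function name and status labels are illustrative.

```shell
#!/bin/sh
# Added example: audit mapped-account homes for the ~/.ssh lock-down.
# Assumptions (not from the thread): homes are direct children of the
# base directory; GNU stat is installed; production runs are done as root.

# audit_ssh_dirs BASE [OWNER_UID]
# Prints "<STATUS> <home>" for every home directory under BASE:
#   KEYS    an authorized_keys file exists in ~/.ssh
#   OPEN    ~/.ssh is missing, a symlink, not owned by OWNER_UID,
#           or has a mode other than 000
#   LOCKED  ~/.ssh is a directory owned by OWNER_UID (default 0) with mode 000
# The body runs in a subshell so its variables stay local.
audit_ssh_dirs() (
    base=$1
    want_uid=${2:-0}
    for home in "$base"/*/; do
        home=${home%/}
        [ -d "$home" ] || continue
        ssh=$home/.ssh
        if [ -e "$ssh/authorized_keys" ] || [ -e "$ssh/authorized_keys2" ]; then
            echo "KEYS $home"
            continue
        fi
        if [ ! -d "$ssh" ] || [ -L "$ssh" ]; then
            echo "OPEN $home"    # the account can still create ~/.ssh itself
            continue
        fi
        uid=$(stat -c %u "$ssh")
        mode=$(stat -c %a "$ssh")
        if [ "$uid" = "$want_uid" ] && [ "$mode" = "0" ]; then
            echo "LOCKED $home"
        else
            echo "OPEN $home"
        fi
    done
)

# Run the audit when a base directory is given on the command line.
if [ "$#" -gt 0 ]; then
    audit_ssh_dirs "$@"
fi
```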