All
There are concerns about a recent user incident regarding ssh keys. To
be sure to stop such activities in the future please follow the
guidelines here:
http://goc.grid.sinica.edu.tw/gocwiki/Blocking_batch_jobs_from_creating_ssh_back_doors
It is insufficient to expect to blacklist users for experimenting and
we ought to be aware of potential problem areas and remove them.
Regards,
Jeremy
-----Original Message-----
From: Testbed Support for GridPP member institutes
[mailto:[log in to unmask]] On Behalf Of Cornwall, LA (Linda)
Sent: 13 June 2005 16:56
To: [log in to unmask]
Subject: Re: [Fwd: Re: [LCG-ROLLOUT] How to blacklist a certificate at
site level ??]
Looks like a vulnerability to me - if someone can leave an ssh key
behind!
So simple. Another reason not to recycle accounts.
Linda
> -----Original Message-----
> From: Testbed Support for GridPP member institutes [mailto:TB-
> [log in to unmask]] On Behalf Of owen maroney
> Sent: 13 June 2005 16:52
> To: [log in to unmask]
> Subject: [Fwd: Re: [LCG-ROLLOUT] How to blacklist a certificate at site level ??]
>
>
>
> -------- Original Message --------
> Subject: Re: [LCG-ROLLOUT] How to blacklist a certificate at site level ??
> Date: Mon, 13 Jun 2005 16:49:31 +0100
> From: owen maroney <[log in to unmask]>
> Reply-To: LHC Computer Grid - Rollout <[log in to unmask]>
> To: [log in to unmask]
> References:
> <[log in to unmask]>
> <[log in to unmask]>
>
> Hi,
>
> Hmm.
>
> Just checked the CE here and found that at 12:43 today someone copied
> ssh keys into ~/.ssh
>
> This seems fairly clearly an abuse of someone's certificate.
>
> I am entirely happy to 'name' this person. I suggest other sites may
> want to check ls -latrh /home/*/.ssh
>
> Owen.
>
> Dan Schrager wrote:
>
> > I could give you the details of the certificate.
> > There is someone that had tried to bypass the certificate authentication
> > by inserting ssh keys into the ~/.ssh directory to which it had been
> > mapped on our public CE.
> >
> > Until further checks I will postpone the "name and shame" policy...
> >
> >
> >
> > Bly, MJ (Martin) wrote:
> >
> >> I suppose it is politic to ask: if you feel the need to urgently
> >> blacklist a user, should we all be doing the same?
> >> Martin.
> >>
> >> -----Original Message-----
> >> From: LHC Computer Grid - Rollout
> >> [mailto:[log in to unmask]] On Behalf Of Dan Schrager
> >> Sent: Monday, June 13, 2005 3:57 PM
> >> To: [log in to unmask]
> >> Subject: [LCG-ROLLOUT] How to blacklist a certificate at site level ??
> >>
> >>
> >> Hi everybody,
> >>
> >> There is an urgent need at our site to blacklist a certificate.
> >>
> >> Please advise how this can be done at local, gatekeeper(?) level.
> >>
> >> Regards,
> >> Dan
> >>
> >>
>
> --
> ======================================================
> Dr O J E Maroney # London Tier 2 Technical Co-ordinator
>
> Tel. (+44)20 759 47802
>
> Imperial College London
> High Energy Physics Department
> The Blackett Laboratory
> Prince Consort Road, London, SW7 2BW
> ===================================
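An added example, not part of the original thread: a POSIX shell function that extends the `ls -latrh /home/*/.ssh` check suggested above by reporting, per account, each authorized_keys file, how many keys it holds, and whether it changed within a chosen number of days. The function name, the 7-day default and the tab-separated output format are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the thread): audit SSH key files left in
# account home directories on a CE or worker node.
#
# Usage: audit_ssh_keys [HOME_ROOT] [DAYS]
#   HOME_ROOT  directory holding the account homes (default /home)
#   DAYS       files modified within this many days are marked RECENT
#              (default 7, an assumption; pick your own window)
#
# Output, one line per key file, tab separated:
#   RECENT|OLD  account  key-count  path
audit_ssh_keys() {
    home_root=${1:-/home}
    days=${2:-7}

    for dir in "$home_root"/*/.ssh; do
        # Skip the literal pattern when no account has a .ssh directory.
        [ -d "$dir" ] || continue
        account=$(basename "$(dirname "$dir")")

        # sshd reads authorized_keys; authorized_keys2 is the legacy name
        # still honoured by older configurations.
        for f in "$dir"/authorized_keys "$dir"/authorized_keys2; do
            [ -f "$f" ] || continue

            # Count installed keys: lines that are neither blank nor comments.
            nkeys=$(grep -cv -e '^[[:space:]]*$' -e '^[[:space:]]*#' "$f" || true)

            # find prints the path only if it was modified within $days days.
            if [ -n "$(find "$f" -mtime -"$days")" ]; then
                status=RECENT
            else
                status=OLD
            fi

            printf '%s\t%s\t%s\t%s\n' "$status" "$account" "$nkeys" "$f"
        done
    done
    return 0
}

# Typical call on a site node (run as root so every home is readable):
#   audit_ssh_keys /home 7
```

A RECENT line for an account that is only ever reached through grid job submission is the case the thread describes and is worth checking against the job logs for that time.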