A vulnerability that has been exploited is an incident. But since the
user presumably didn't access anything beyond their rights then is it an
incident?
If the user had achieved access to anything they should not, or caused
any damage then it would be an incident. I tend to think the reminder
about the ssh setup sent by Jeremy is the appropriate response.
Linda
> -----Original Message-----
> From: Testbed Support for GridPP member institutes [mailto:TB-
> [log in to unmask]] On Behalf Of owen maroney
> Sent: 13 June 2005 17:08
> To: [log in to unmask]
> Subject: Re: [Fwd: Re: [LCG-ROLLOUT] How to blacklist a certificate at
> site level ??]
>
> Hi Linda,
>
> The situation is more serious. If this is a vulnerability then the
> vulnerability has been exploited.
>
> This makes it an incident.
>
> Cornwall, LA (Linda) wrote:
> > Looks like a vulnerability to me - if someone can leave an ssh key
> > behind!
> > So simple. Another reason not to recycle accounts.
> >
> > Linda
> >
> >
> >>-----Original Message-----
> >>From: Testbed Support for GridPP member institutes [mailto:TB-
> >>[log in to unmask]] On Behalf Of owen maroney
> >>Sent: 13 June 2005 16:52
> >>To: [log in to unmask]
> >>Subject: [Fwd: Re: [LCG-ROLLOUT] How to blacklist a certificate at site
> >>level ??]
> >>
> >>
> >>
> >>-------- Original Message --------
> >>Subject: Re: [LCG-ROLLOUT] How to blacklist a certificate at site level ??
> >>Date: Mon, 13 Jun 2005 16:49:31 +0100
> >>From: owen maroney <[log in to unmask]>
> >>Reply-To: LHC Computer Grid - Rollout <[log in to unmask]>
> >>To: [log in to unmask]
> >>References:
> >><[log in to unmask]>
> >> <[log in to unmask]>
> >>
> >>Hi,
> >>
> >>Hmm.
> >>
> >>Just checked the CE here and found that at 12:43 today someone copied
> >>ssh keys into ~/.ssh
> >>
> >>This seems fairly clearly an abuse of someone's certificate.
> >>
> >>I am entirely happy to 'name' this person. I suggest other sites may
> >>want to check ls -latrh /home/*/.ssh
> >>
> >>Owen.
> >>
> >>Dan Schrager wrote:
> >>
> >>
> >>>I could give you the details of the certificate.
> >>>There is someone that had tried to bypass the certificate authentication
> >>>by inserting ssh keys into the ~/.ssh directory to which it had been
> >>>mapped on our public CE.
> >>>
> >>>Until further checks I will postpone the "name and shame" policy...
> >>>
> >>>
> >>>
> >>>Bly, MJ (Martin) wrote:
> >>>
> >>>
> >>>>I suppose it is politic to ask: if you feel the need to urgently
> >>>>blacklist a user, should we all be doing the same?
> >>>>Martin.
> >>>>
> >>>>-----Original Message-----
> >>>>From: LHC Computer Grid - Rollout
> >>>>[mailto:[log in to unmask]] On Behalf Of Dan Schrager
> >>>>Sent: Monday, June 13, 2005 3:57 PM
> >>>>To: [log in to unmask]
> >>>>Subject: [LCG-ROLLOUT] How to blacklist a certificate at site level ??
> >>>>
> >>>>Hi everybody,
> >>>>
> >>>>There is an urgent need at our site to blacklist a certificate.
> >>>>
> >>>>Please advise how this can be done at local, gatekeeper(?) level.
> >>>>
> >>>>Regards,
> >>>>Dan
> >>>>
> >>>>
> >>
> >>--
> >>=====================================================
> >>Dr O J E Maroney # London Tier 2 Technical Co-ordinator
> >>
> >>Tel. (+44)20 759 47802
> >>
> >>Imperial College London
> >>High Energy Physics Department
> >>The Blackett Laboratory
> >>Prince Consort Road, London, SW7 2BW
> >>==================================
> >
> >
>
> --
> ======================================================
> Dr O J E Maroney # London Tier 2 Technical Co-ordinator
>
> Tel. (+44)20 759 47802
>
> Imperial College London
> High Energy Physics Department
> The Blackett Laboratory
> Prince Consort Road, London, SW7 2BW
> ===================================
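
The check Owen suggests for other sites (ls -latrh /home/*/.ssh), extended as an added example that is not part of the original thread: it reports which accounts actually hold installed keys and whether the key file changed recently. The /home layout, the 7-day default and the OpenSSH file names authorized_keys and authorized_keys2 are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): list SSH keys installed under each
# account's ~/.ssh, so keys left behind in recycled accounts stand out.
# Assumptions: homes live directly under HOME_ROOT; OpenSSH default
# file names authorized_keys / authorized_keys2.

# audit_ssh_keys HOME_ROOT [DAYS]
# Prints "<account> keys=<n> <recent|old> <path>" for every key file that
# holds at least one key; "recent" means modified within DAYS days.
audit_ssh_keys() {
    root=${1:-/home}
    days=${2:-7}
    for dir in "$root"/*/.ssh; do
        [ -d "$dir" ] || continue
        account=$(basename "$(dirname "$dir")")
        for f in "$dir/authorized_keys" "$dir/authorized_keys2"; do
            [ -f "$f" ] || continue
            # Count lines that are neither blank nor comments: one per key.
            n=$(grep -cv -e '^[[:space:]]*$' -e '^[[:space:]]*#' "$f" 2>/dev/null || true)
            [ "${n:-0}" -gt 0 ] || continue
            # find prints the path only if it was modified within DAYS days.
            if [ -n "$(find "$f" -mtime -"$days" 2>/dev/null)" ]; then
                age=recent
            else
                age=old
            fi
            printf '%s keys=%s %s %s\n' "$account" "$n" "$age" "$f"
        done
    done
    return 0
}

# Run with enough privilege to read every home; both arguments are optional.
audit_ssh_keys "${1:-/home}" "${2:-7}"
```

On a CE where grid users are mapped to pool accounts and are not expected to log in by ssh, any line of output is worth following up.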