> A vulnerability that has been exploited is an incident. But since the
> user presumably didn't access anything beyond their rights then is it an
> incident?
If he is an expert he can gain higher privileges. How do we know he hasn't
exploited anything? If he has ssh'd on a machine he might have had all the
time to do whatever he needed to do...... just hypothesizing.
cheers
alessandra
On Mon, 13 Jun 2005, Cornwall, LA (Linda) wrote:
> If the user had achieved access to anything they should not, or caused
> any damage then it would be an incident. I tend to think the reminder
> about the ssh setup sent by Jeremy is the appropriate response.
>
> Linda
>
>> -----Original Message-----
>> From: Testbed Support for GridPP member institutes [mailto:TB-
>> [log in to unmask]] On Behalf Of owen maroney
>> Sent: 13 June 2005 17:08
>> To: [log in to unmask]
>> Subject: Re: [Fwd: Re: [LCG-ROLLOUT] How to blacklist a certificate at
>> site level ??]
>>
>> Hi Linda,
>>
>> The situation is more serious. If this is a vulnerability then the
>> vulnerability has been exploited.
>>
>> This makes it an incident.
>>
>> Cornwall, LA (Linda) wrote:
>>> Looks like a vulnerability to me - if someone can leave an ssh key
>>> behind!
>>> So simple. Another reason not to recycle accounts.
>>>
>>> Linda
>>>
>>>
>>>> -----Original Message-----
>>>> From: Testbed Support for GridPP member institutes [mailto:TB-
>>>> [log in to unmask]] On Behalf Of owen maroney
>>>> Sent: 13 June 2005 16:52
>>>> To: [log in to unmask]
>>>> Subject: [Fwd: Re: [LCG-ROLLOUT] How to blacklist a certificate at site
>>>> level ??]
>>>>
>>>>
>>>>
>>>> -------- Original Message --------
>>>> Subject: Re: [LCG-ROLLOUT] How to blacklist a certificate at site level ??
>>>> Date: Mon, 13 Jun 2005 16:49:31 +0100
>>>> From: owen maroney <[log in to unmask]>
>>>> Reply-To: LHC Computer Grid - Rollout <[log in to unmask]>
>>>> To: [log in to unmask]
>>>> References:
>>>> <[log in to unmask]>
>>>> <[log in to unmask]>
>>>>
>>>> Hi,
>>>>
>>>> Hmm.
>>>>
>>>> Just checked the CE here and found that at 12:43 today someone copied
>>>> ssh keys into ~/.ssh
>>>>
>>>> This seems fairly clearly an abuse of someone's certificate.
>>>>
>>>> I am entirely happy to 'name' this person. I suggest other sites may
>>>> want to check ls -latrh /home/*/.ssh
>>>>
>>>> Owen.
>>>>
>>>> Dan Schrager wrote:
>>>>
>>>>
>>>>> I could give you the details of the certificate.
>>>>> There is someone that had tried to bypass the certificate authentication
>>>>> by inserting ssh keys into the ~/.ssh directory to which it had been
>>>>> mapped on our public CE.
>>>>>
>>>>> Until further checks I will postpone the "name and shame" policy...
>>>>>
>>>>>
>>>>>
>>>>> Bly, MJ (Martin) wrote:
>>>>>
>>>>>
>>>>>> I suppose it is politic to ask: if you feel the need to urgently
>>>>>> blacklist a user, should we all be doing the same?
>>>>>> Martin.
>>>>>>
>>>>>> -----Original Message-----
>>>>>> From: LHC Computer Grid - Rollout
>>>>>> [mailto:[log in to unmask]] On Behalf Of Dan Schrager
>>>>>> Sent: Monday, June 13, 2005 3:57 PM
>>>>>> To: [log in to unmask]
>>>>>> Subject: [LCG-ROLLOUT] How to blacklist a certificate at site level ??
>>>>>>
>>>>>> Hi everybody,
>>>>>>
>>>>>> There is an urgent need at our site to blacklist a certificate.
>>>>>>
>>>>>> Please advise how this can be done at local, gatekeeper(?) level.
>>>>>>
>>>>>> Regards,
>>>>>> Dan
>>>>>>
>>>>>>
>>>>
>>>> --
>>>> =====================================================
>>>> Dr O J E Maroney # London Tier 2 Technical Co-ordinator
>>>>
>>>> Tel. (+44)20 759 47802
>>>>
>>>> Imperial College London
>>>> High Energy Physics Department
>>>> The Blackett Laboratory
>>>> Prince Consort Road, London, SW7 2BW
>>>> ==================================
>>>>
>>>
>>>
>>
>> --
>> ======================================================
>> Dr O J E Maroney # London Tier 2 Technical Co-ordinator
>>
>> Tel. (+44)20 759 47802
>>
>> Imperial College London
>> High Energy Physics Department
>> The Blackett Laboratory
>> Prince Consort Road, London, SW7 2BW
>> ===================================
>
--
********************************************
* Dr Alessandra Forti *
* Technical Coordinator - NorthGrid Tier2 *
* http://www.hep.man.ac.uk/u/aforti *
********************************************
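
The check Owen suggests in the quoted message (`ls -latrh /home/*/.ssh`), written out as an added example that is not part of the original thread: it lists every account under a home base that holds SSH key lines and marks the files changed recently. The function names, the 1440-minute default window, and treating any key line in a mapped account as worth review are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Function names and defaults are hypothetical.

# count_keys FILE
# Number of key lines (non-blank, non-comment) in an authorized_keys file.
count_keys() {
    grep -Ecv '^[[:space:]]*(#|$)' "$1" || true   # grep exits 1 when the count is 0
}

# audit_ssh_keys BASE [MINUTES]
# For each BASE/<account>/.ssh/authorized_keys{,2} that contains key lines, print
#   STATE ACCOUNT KEYCOUNT PATH
# STATE is RECENT if the file was modified within MINUTES, otherwise OLD.
audit_ssh_keys() {
    base=${1:-/home}
    minutes=${2:-1440}
    for f in "$base"/*/.ssh/authorized_keys "$base"/*/.ssh/authorized_keys2; do
        [ -f "$f" ] || continue              # unmatched glob or not a regular file
        n=$(count_keys "$f")
        [ "$n" -gt 0 ] || continue           # empty or comment-only: no usable key
        account=${f#"$base"/}                # strip the base prefix ...
        account=${account%%/*}               # ... and keep the first path component
        if [ -n "$(find "$f" -mmin "-$minutes")" ]; then
            state=RECENT
        else
            state=OLD
        fi
        printf '%s %s %s %s\n' "$state" "$account" "$n" "$f"
    done
}

# Run as: sh audit.sh /home 1440   (does nothing when called without arguments)
if [ "$#" -gt 0 ]; then
    audit_ssh_keys "$@"
fi
```

OLD entries still matter on recycled accounts, since a key left by a previous user keeps working until it is removed.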