Hi all,
I think we do have a problem here.
The dteam user in question has put .ssh keys on CEs and WNs.
We do not yet know why he did this.
If this exploit is run on a site which has account recycling turned on,
then it becomes possible to steal another user's proxy.
And then use that proxy to launch this exploit against a lot of sites.
We do not yet even know if this was done with a stolen proxy.
I suggest that whatever security team/people LCG has needs to *urgently*
determine the exact nature of this action.
Cornwall, LA (Linda) wrote:
> A vulnerability that has been exploited is an incident. But since the
> user presumably didn't access anything beyond their rights then is it an
> incident?
> If the user had achieved access to anything they should not, or caused
> any damage then it would be an incident. I tend to think the reminder
> about the ssh setup sent by Jeremy is the appropriate response.
>
> Linda
>
>
>>-----Original Message-----
>>From: Testbed Support for GridPP member institutes [mailto:TB-[log in to unmask]] On Behalf Of owen maroney
>>Sent: 13 June 2005 17:08
>>To: [log in to unmask]
>>Subject: Re: [Fwd: Re: [LCG-ROLLOUT] How to blacklist a certificate at
>>site level ??]
>>
>>Hi Linda,
>>
>>The situation is more serious. If this is a vulnerability then the
>>vulnerability has been exploited.
>>
>>This makes it an incident.
>>
>>Cornwall, LA (Linda) wrote:
>>
>>>Looks like a vulnerability to me - if someone can leave an ssh key
>>>behind!
>>>So simple. Another reason not to recycle accounts.
>>>
>>>Linda
>>>
>>>
>>>
>>>>-----Original Message-----
>>>>From: Testbed Support for GridPP member institutes [mailto:TB-[log in to unmask]] On Behalf Of owen maroney
>>>>Sent: 13 June 2005 16:52
>>>>To: [log in to unmask]
>>>>Subject: [Fwd: Re: [LCG-ROLLOUT] How to blacklist a certificate at site level ??]
>>>>
>>>>
>>>>
>>>>-------- Original Message --------
>>>>Subject: Re: [LCG-ROLLOUT] How to blacklist a certificate at site level ??
>>>>Date: Mon, 13 Jun 2005 16:49:31 +0100
>>>>From: owen maroney <[log in to unmask]>
>>>>Reply-To: LHC Computer Grid - Rollout <[log in to unmask]>
>>>>To: [log in to unmask]
>>>>References:
>>>><[log in to unmask]>
>>>> <[log in to unmask]>
>>>>
>>>>Hi,
>>>>
>>>>Hmm.
>>>>
>>>>Just checked the CE here and found that at 12:43 today someone copied
>>>>ssh keys into ~/.ssh
>>>>
>>>>This seems fairly clearly an abuse of someone's certificate.
>>>>
>>>>I am entirely happy to 'name' this person. I suggest other sites may
>>>>want to check ls -latrh /home/*/.ssh
>>>>
>>>>Owen.
>>>>
>>>>Dan Schrager wrote:
>>>>
>>>>
>>>>
>>>>>I could give you the details of the certificate.
>>>>>There is someone that had tried to bypass the certificate authentication
>>>>>by inserting ssh keys into the ~/.ssh directory to which it had been
>>>>>mapped on our public CE.
>>>>>
>>>>>Until further checks I will postpone the "name and shame" policy...
>>>>>
>>>>>
>>>>>
>>>>>Bly, MJ (Martin) wrote:
>>>>>
>>>>>
>>>>>
>>>>>>I suppose it is politic to ask: if you feel the need to urgently
>>>>>>blacklist a user, should we all be doing the same?
>>>>>>Martin.
>>>>>>
>>>>>>-----Original Message-----
>>>>>>From: LHC Computer Grid - Rollout
>>>>>>[mailto:[log in to unmask]] On Behalf Of Dan Schrager
>>>>>>Sent: Monday, June 13, 2005 3:57 PM
>>>>>>To: [log in to unmask]
>>>>>>Subject: [LCG-ROLLOUT] How to blacklist a certificate at site level ??
>>>>>>Hi everybody,
>>>>>>
>>>>>>There is an urgent need at our site to blacklist a certificate.
>>>>>>
>>>>>>Please advise how this can be done at local, gatekeeper(?) level.
>>>>>>
>>>>>>Regards,
>>>>>>Dan
>>>>>>
>>>>>>
>>>>
>>>>--
>>>>=====================================================
>>>>Dr O J E Maroney # London Tier 2 Technical Co-ordinator
>>>>
>>>>Tel. (+44)20 759 47802
>>>>
>>>>Imperial College London
>>>>High Energy Physics Department
>>>>The Blackett Laboratory
>>>>Prince Consort Road, London, SW7 2BW
>>>>==================================
>>>
>>>
>>--
>>======================================================
>>Dr O J E Maroney # London Tier 2 Technical Co-ordinator
>>
>>Tel. (+44)20 759 47802
>>
>>Imperial College London
>>High Energy Physics Department
>>The Blackett Laboratory
>>Prince Consort Road, London, SW7 2BW
>>===================================
>
>
--
=======================================================
Dr O J E Maroney # London Tier 2 Technical Co-ordinator
Tel. (+44)20 759 47802
Imperial College London
High Energy Physics Department
The Blackett Laboratory
Prince Consort Road, London, SW7 2BW
====================================
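The check Owen suggests above (ls -latrh /home/*/.ssh) can be scripted so a site can run it across every pool account on its CEs and WNs and alert on any key file that turns up. The script below is an added example, not code from the thread; it assumes the usual layout of one home directory per pool account under a single root (such as /home), and the dteam001..003 directories and the key it plants are constructed for the demonstration only.

```shell
#!/bin/sh
# Audit pool-account home directories for SSH key files that a grid job
# should never leave behind.  Prints one "ls -ld" line (owner, mtime, path)
# per key file found; exit status 0 if any were found, 1 if the tree is clean,
# so it can feed a cron alert.  Assumption: homes live directly under $1.
audit_ssh_keys() {
    homeroot="$1"
    days="${2:-0}"   # 0 = report every key file; N = only those modified in the last N days
    found=0
    for sshdir in "$homeroot"/*/.ssh; do
        [ -d "$sshdir" ] || continue
        for f in "$sshdir"/authorized_keys "$sshdir"/authorized_keys2 "$sshdir"/id_*; do
            [ -f "$f" ] || continue
            # optional recency filter, useful right after an incident report
            if [ "$days" -gt 0 ] && [ -z "$(find "$f" -mtime "-$days")" ]; then
                continue
            fi
            ls -ld "$f"
            found=$((found + 1))
        done
    done
    [ "$found" -gt 0 ]
}

# Constructed demo tree (not a real site): three dteam pool accounts, one of
# which has had an authorized_keys file dropped into ~/.ssh.
make_demo_home() {
    demo=$(mktemp -d)
    for u in dteam001 dteam002 dteam003; do
        mkdir -p "$demo/$u"
    done
    mkdir -p "$demo/dteam002/.ssh"
    echo "ssh-rsa AAAAB3-constructed-placeholder-key dteam@example" \
        > "$demo/dteam002/.ssh/authorized_keys"
    printf '%s\n' "$demo"
}

# Run against the constructed tree; on a real CE/WN pass /home instead.
DEMO=$(make_demo_home)
audit_ssh_keys "$DEMO" || echo "no ssh keys found under $DEMO"
rm -rf "$DEMO"
```

Pair the report with the site's job-to-account mapping logs for the printed mtime to identify which DN held the pool account at that moment.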