OK, now we have an appropriate statement about the actions of the user
in question; I am willing to calm down!
owen maroney wrote:
> Hi all,
>
> I think we do have a problem here.
>
> The dteam user in question has put .ssh keys on CEs and WNs.
>
> We do not yet know why he did this.
>
> If this exploit is run on a site which has account recycling turned on,
> then it becomes possible to steal another user's proxy.
>
> And then use that proxy to launch this exploit against a lot of sites.
>
> We do not yet even know if this was done with a stolen proxy.
>
> I suggest that whatever security team/people LCG has needs to *urgently*
> determine the exact nature of this action.
>
>
>
> Cornwall, LA (Linda) wrote:
>
>> A vulnerability that has been exploited is an incident. But since the
>> user presumably didn't access anything beyond their rights then is it an
>> incident? If the user had achieved access to anything they should not,
>> or caused any damage then it would be an incident. I tend to think the
>> reminder about the ssh setup sent by Jeremy is the appropriate response.
>>
>> Linda
>>
>>
>>> -----Original Message-----
>>> From: Testbed Support for GridPP member institutes [mailto:TB-
>>> [log in to unmask]] On Behalf Of owen maroney
>>> Sent: 13 June 2005 17:08
>>> To: [log in to unmask]
>>> Subject: Re: [Fwd: Re: [LCG-ROLLOUT] How to blacklist a certificate at
>>> site level ??]
>>>
>>> Hi Linda,
>>>
>>> The situation is more serious. If this is a vulnerability then the
>>> vulnerability has been exploited.
>>>
>>> This makes it an incident.
>>>
>>> Cornwall, LA (Linda) wrote:
>>>
>>>> Looks like a vulnerability to me - if someone can leave an ssh key
>>>> behind!
>>>> So simple. Another reason not to recycle accounts.
>>>>
>>>> Linda
>>>>
>>>>
>>>>
>>>>> -----Original Message-----
>>>>> From: Testbed Support for GridPP member institutes [mailto:TB-
>>>>> [log in to unmask]] On Behalf Of owen maroney
>>>>> Sent: 13 June 2005 16:52
>>>>> To: [log in to unmask]
>>>>> Subject: [Fwd: Re: [LCG-ROLLOUT] How to blacklist a certificate at site
>>>>> level ??]
>>>>>
>>>>>
>>>>>
>>>>> -------- Original Message --------
>>>>> Subject: Re: [LCG-ROLLOUT] How to blacklist a certificate at site level ??
>>>>> Date: Mon, 13 Jun 2005 16:49:31 +0100
>>>>> From: owen maroney <[log in to unmask]>
>>>>> Reply-To: LHC Computer Grid - Rollout <[log in to unmask]>
>>>>> To: [log in to unmask]
>>>>> References:
>>>>> <[log in to unmask]>
>>>>> <[log in to unmask]>
>>>>>
>>>>> Hi,
>>>>>
>>>>> Hmm.
>>>>>
>>>>> Just checked the CE here and found that at 12:43 today someone copied
>>>>> ssh keys into ~/.ssh
>>>>>
>>>>> This seems fairly clearly an abuse of someone's certificate.
>>>>>
>>>>> I am entirely happy to 'name' this person. I suggest other sites may
>>>>> want to check ls -latrh /home/*/.ssh
>>>>>
>>>>> Owen.
>>>>>
>>>>> Dan Schrager wrote:
>>>>>
>>>>>
>>>>>
>>>>>> I could give you the details of the certificate.
>>>>>> There is someone that had tried to bypass the certificate authentication
>>>>>> by inserting ssh keys into the ~/.ssh directory to which it had been
>>>>>> mapped on our public CE.
>>>>>>
>>>>>> Until further checks I will postpone the "name and shame" policy...
>>>>>>
>>>>>>
>>>>>>
>>>>>> Bly, MJ (Martin) wrote:
>>>>>>
>>>>>>
>>>>>>
>>>>>>> I suppose it is politic to ask: if you feel the need to urgently
>>>>>>> blacklist a user, should we all be doing the same?
>>>>>>> Martin.
>>>>>>>
>>>>>>> -----Original Message-----
>>>>>>> From: LHC Computer Grid - Rollout
>>>>>>> [mailto:[log in to unmask]] On Behalf Of Dan Schrager
>>>>>>> Sent: Monday, June 13, 2005 3:57 PM
>>>>>>> To: [log in to unmask]
>>>>>>> Subject: [LCG-ROLLOUT] How to blacklist a certificate at site level ??
>>>>>>>
>>>>>>> Hi everybody,
>>>>>>>
>>>>>>> There is an urgent need at our site to blacklist a certificate.
>>>>>>>
>>>>>>> Please advise how this can be done at local, gatekeeper(?) level.
>>>>>>>
>>>>>>> Regards,
>>>>>>> Dan
>>>>>>>
>>>>>>>
>>>>>
>>>>> --
>>>>> =====================================================
>>>>> Dr O J E Maroney # London Tier 2 Technical Co-ordinator
>>>>>
>>>>> Tel. (+44)20 759 47802
>>>>>
>>>>> Imperial College London
>>>>> High Energy Physics Department
>>>>> The Blackett Laboratory
>>>>> Prince Consort Road, London, SW7 2BW
>>>>> ==================================
>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>>
>>> --
>>> ======================================================
>>> Dr O J E Maroney # London Tier 2 Technical Co-ordinator
>>>
>>> Tel. (+44)20 759 47802
>>>
>>> Imperial College London
>>> High Energy Physics Department
>>> The Blackett Laboratory
>>> Prince Consort Road, London, SW7 2BW
>>> ===================================
>>
>>
>>
>
--
=======================================================
Dr O J E Maroney # London Tier 2 Technical Co-ordinator
Tel. (+44)20 759 47802
Imperial College London
High Energy Physics Department
The Blackett Laboratory
Prince Consort Road, London, SW7 2BW
====================================
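
Added example, not part of the original thread: the check suggested above (`ls -latrh /home/*/.ssh`) written as a script that reports which accounts hold installed keys, optionally only those changed since a reference point such as the last pool-account cleanup. The function name `audit_ssh_keys`, the reference-file argument and the layout of homes directly under one base directory are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread): list accounts whose ~/.ssh holds
# authorized_keys entries, the artefact the thread asks sites to look for.
# Assumption: account homes sit directly under BASE (default /home).

# audit_ssh_keys BASE [REF]
#   BASE  directory containing the account home directories
#   REF   optional file; only key files modified after REF are reported
#         (e.g. a marker touched when pool accounts were last cleaned)
# Output: one tab-separated line per finding: account, file, key count
audit_ssh_keys() {
    base=${1:-/home}
    ref=${2:-}
    for dir in "$base"/*/.ssh; do
        [ -d "$dir" ] || continue
        account=$(basename "$(dirname "$dir")")
        # authorized_keys2 is the legacy name still read by older sshd setups
        for f in "$dir/authorized_keys" "$dir/authorized_keys2"; do
            [ -f "$f" ] || continue
            if [ -n "$ref" ] && [ -z "$(find "$f" -newer "$ref")" ]; then
                continue    # unchanged since the reference point
            fi
            # Non-blank, non-comment lines are installed public keys.
            n=$(grep -cvE '^[[:space:]]*(#|$)' "$f" || true)
            if [ "$n" -gt 0 ]; then
                printf '%s\t%s\t%s\n' "$account" "$f" "$n"
            fi
        done
    done
    return 0
}

# When invoked with arguments, run the audit directly, e.g.:
#   sh audit.sh /home /var/run/pool-cleanup.stamp   (paths are placeholders)
if [ "$#" -gt 0 ]; then
    audit_ssh_keys "$@"
fi
```

On a site with account recycling, any line this prints for a pool account means a key will still grant login after the account is handed to the next user.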