On Mon, Jun 13, 2005 at 05:26:57PM +0100 or thereabouts, owen maroney wrote:
> Hi all,
>
> I think we do have a problem here.
>
> The dteam user in question has put .ssh keys on CE's and WN's.
>
> We do not yet know why he did this.
He did it because he wanted to run MPI jobs; WN<->WN communication is
required.
>
> If this exploit is run on a site which has account recycling turned on,
> then it becomes possible to steal another users proxy.
>
> And then use that proxy to launch this exploit against a lot of sites.
>
> We do not yet even know if this was done with a stolen proxy.
>
> I suggest that whatever security team/people LCG has needs to *urgently*
> determine the exact nature of this action.
I noticed this before the announcement: I was suspicious of the job called
"fix_ssh.sh" that appeared in qstat and contacted him, though
mainly because his jobs were failing because he was submitting them
wrongly to RAL. The Greek ROC is in touch with the user in question and
they are in touch with the security folks. No doubt there will be a report.
Steve
>
>
>
> Cornwall, LA (Linda) wrote:
>
> >A vulnerability that has been exploited is an incident. But since the
> >user presumably didn't access anything beyond their rights then is it an
> >incident?
> >If the user had achieved access to anything they should not, or caused
> >any damage then it would be an incident. I tend to think the reminder
> >about the ssh setup sent by Jeremy is the appropriate response.
> >
> >Linda
> >
> >
> >>-----Original Message-----
> >>From: Testbed Support for GridPP member institutes [mailto:TB-
> >>[log in to unmask]] On Behalf Of owen maroney
> >>Sent: 13 June 2005 17:08
> >>To: [log in to unmask]
> >>Subject: Re: [Fwd: Re: [LCG-ROLLOUT] How to blacklist a certificate at
> >>site level ??]
> >>
> >>Hi Linda,
> >>
> >>The situation is more serious. If this is a vulnerability then the
> >>vulnerability has been exploited.
> >>
> >>This makes it an incident.
> >>
> >>Cornwall, LA (Linda) wrote:
> >>
> >>>Looks like a vulnerability to me - if someone can leave an ssh key
> >>>behind!
> >>>So simple. Another reason not to recycle accounts.
> >>>
> >>>Linda
> >>>
> >>>
> >>>
> >>>>-----Original Message-----
> >>>>From: Testbed Support for GridPP member institutes [mailto:TB-
> >>>>[log in to unmask]] On Behalf Of owen maroney
> >>>>Sent: 13 June 2005 16:52
> >>>>To: [log in to unmask]
> >>>>Subject: [Fwd: Re: [LCG-ROLLOUT] How to blacklist a certificate at site level ??]
> >>>>
> >>>>
> >>>>
> >>>>-------- Original Message --------
> >>>>Subject: Re: [LCG-ROLLOUT] How to blacklist a certificate at site level ??
> >>>>Date: Mon, 13 Jun 2005 16:49:31 +0100
> >>>>From: owen maroney <[log in to unmask]>
> >>>>Reply-To: LHC Computer Grid - Rollout <[log in to unmask]>
> >>>>To: [log in to unmask]
> >>>>References:
> >>>><[log in to unmask]>
> >>>> <[log in to unmask]>
> >>>>
> >>>>Hi,
> >>>>
> >>>>Hmm.
> >>>>
> >>>>Just checked the CE here and found that at 12:43 today someone copied
> >>>>ssh keys into ~/.ssh
> >>>>
> >>>>This seems fairly clearly an abuse of someone's certificate.
> >>>>
> >>>>I am entirely happy to 'name' this person. I suggest other sites may
> >>>>want to check ls -latrh /home/*/.ssh
> >>>>
> >>>>Owen.
> >>>>
> >>>>Dan Schrager wrote:
> >>>>
> >>>>
> >>>>
> >>>>>I could give you the details of the certificate.
> >>>>>There is someone that had tried to bypass the certificate authentication
> >>>>>by inserting ssh keys into the ~/.ssh directory to which it had been
> >>>>>mapped on our public CE.
> >>>>>
> >>>>>Until further checks I will postpone the "name and shame" policy...
> >>>>>
> >>>>>
> >>>>>
> >>>>>Bly, MJ (Martin) wrote:
> >>>>>
> >>>>>
> >>>>>
> >>>>>>I suppose it is politic to ask: if you feel the need to urgently
> >>>>>>blacklist a user, should we all be doing the same?
> >>>>>>Martin.
> >>>>>>
> >>>>>>-----Original Message-----
> >>>>>>From: LHC Computer Grid - Rollout
> >>>>>>[mailto:[log in to unmask]] On Behalf Of Dan Schrager
> >
> >>>>>>Sent: Monday, June 13, 2005 3:57 PM
> >>>>>>To: [log in to unmask]
> >>>>>>Subject: [LCG-ROLLOUT] How to blacklist a certificate at site level ??
> >>>
> >>>
> >>>>>>Hi everybody,
> >>>>>>
> >>>>>>There is an urgent need at our site to blacklist a certificate.
> >>>>>>
> >>>>>>Please advise how this can be done at local, gatekeeper(?) level.
> >>>>>>
> >>>>>>Regards,
> >>>>>>Dan
> >>>>>>
> >>>>>>
> >>>>
> >>>>--
> >>>>=====================================================
> >>>>Dr O J E Maroney # London Tier 2 Technical Co-ordinator
> >>>>
> >>>>Tel. (+44)20 759 47802
> >>>>
> >>>>Imperial College London
> >>>>High Energy Physics Department
> >>>>The Blackett Laboratory
> >>>>Prince Consort Road, London, SW7 2BW
> >>>>==================================
> >>>>
> >>>
> >>>
> >>--
> >>======================================================
> >>Dr O J E Maroney # London Tier 2 Technical Co-ordinator
> >>
> >>Tel. (+44)20 759 47802
> >>
> >>Imperial College London
> >>High Energy Physics Department
> >>The Blackett Laboratory
> >>Prince Consort Road, London, SW7 2BW
> >>===================================
> >
> >
>
> --
> =======================================================
> Dr O J E Maroney # London Tier 2 Technical Co-ordinator
>
> Tel. (+44)20 759 47802
>
> Imperial College London
> High Energy Physics Department
> The Blackett Laboratory
> Prince Consort Road, London, SW7 2BW
> ====================================
>
--
Steve Traylen
[log in to unmask]
http://www.gridpp.ac.uk/
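A defender-side version of Owen's `ls -latrh /home/*/.ssh` check, added here as an example and not code from anyone in this thread: it lists ssh key files recently written into pool-account homes on a CE or WN, and scrubs key material and any leftover delegated proxy from a pool account before it is recycled to the next certificate. The home-directory root, the time window, the `x509up*` proxy filename pattern and the use of GNU/BSD `find` options are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumes a find that supports
# -mindepth/-maxdepth/-mmin (GNU or BSD); the x509up* pattern is assumed.

# Print one "ls -la" line for every file under <homes>/*/.ssh modified in
# the last <minutes>. On a host with pool accounts, any key an admin did
# not install is worth a look.
audit_ssh_keys() {
    homes=${1:-/home}
    minutes=${2:-1440}
    find "$homes" -mindepth 3 -maxdepth 3 -type f -path '*/.ssh/*' \
         -mmin "-$minutes" -exec ls -la {} + 2>/dev/null | sort -k6,8
}

# Remove ssh key material and any delegated proxy left in a pool account's
# home before the account is mapped to the next user. This is the step
# that account recycling must never skip.
scrub_recycled_account() {
    acct_home=$1
    [ -d "$acct_home" ] || return 1
    find "$acct_home" -maxdepth 2 -type f \
         \( -path '*/.ssh/*' -o -name 'x509up*' \) -exec rm -f {} +
    # Drop the emptied .ssh directory too so a later job cannot reuse it.
    rmdir "$acct_home/.ssh" 2>/dev/null || true
    return 0
}

# usage: ./pool_ssh_audit.sh audit [/home] [minutes]
#        ./pool_ssh_audit.sh scrub /home/<pool-account>
case "${1:-}" in
    audit) audit_ssh_keys "${2:-/home}" "${3:-1440}" ;;
    scrub) scrub_recycled_account "$2" ;;
esac
```

Run the audit from cron on every CE and WN that hosts pool accounts, and call the scrub from whatever hook re-assigns a pool account.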