On Monday 13 June 2005 17:37, Steve Traylen wrote:
> On Mon, Jun 13, 2005 at 05:26:57PM +0100 or thereabouts, owen maroney wrote:
> > Hi all,
> >
> > I think we do have a problem here.
> >
> > The dteam user in question has put .ssh keys on CE's and WN's.
> >
> > We do not yet know why he did this.
>
> He did it because he wanted to run MPI jobs, WN<->WN communication
> required.
>
1) This shouldn't be necessary if the site is set up correctly, and it
wouldn't work, at our site anyway, since the grid /home directories aren't
shared.
2) It's fairly easy to prevent this, by e.g. creating as root with
appropriate permissions ~/.ssh and contents for the GRID accounts (as we
have done here for a long time)...so this should be integrated into any
standard integration tools.
> > If this exploit is run on a site which has account recycling turned on,
> > then it becomes possible to steal another user's proxy.
> >
> > And then use that proxy to launch this exploit against a lot of sites.
> >
> > We do not yet even know if this was done with a stolen proxy.
> >
> > I suggest that whatever security team/people LCG has needs to *urgently*
> > determine the exact nature of this action.
>
> I noticed this before the announcement: I was suspicious of the job called
> "fix_ssh.sh" that appeared in qstat and contacted him, though
> mainly because his jobs were failing because he was submitting them
> wrongly to RAL. The Greek ROC is in touch with the user in question and
> they are in touch with the security folks. No doubt there will be a report.
>
> Steve
>
> > Cornwall, LA (Linda) wrote:
> > >A vulnerability that has been exploited is an incident. But since the
> > >user presumably didn't access anything beyond their rights then is it an
> > >incident?
> > >If the user had achieved access to anything they should not, or caused
> > >any damage then it would be an incident. I tend to think the reminder
> > >about the ssh setup sent by Jeremy is the appropriate response.
> > >
> > >Linda
> > >
> > >>-----Original Message-----
> > >>From: Testbed Support for GridPP member institutes [mailto:TB-
> > >>[log in to unmask]] On Behalf Of owen maroney
> > >>Sent: 13 June 2005 17:08
> > >>To: [log in to unmask]
> > >>Subject: Re: [Fwd: Re: [LCG-ROLLOUT] How to blacklist a certificate at
> > >>site level ??]
> > >>
> > >>Hi Linda,
> > >>
> > >>The situation is more serious. If this is a vulnerability then the
> > >>vulnerability has been exploited.
> > >>
> > >>This makes it an incident.
> > >>
> > >>Cornwall, LA (Linda) wrote:
> > >>>Looks like a vulnerability to me - if someone can leave an ssh key
> > >>>behind!
> > >>>So simple. Another reason not to recycle accounts.
> > >>>
> > >>>Linda
> > >>>
> > >>>>-----Original Message-----
> > >>>>From: Testbed Support for GridPP member institutes [mailto:TB-
> > >>>>[log in to unmask]] On Behalf Of owen maroney
> > >>>>Sent: 13 June 2005 16:52
> > >>>>To: [log in to unmask]
> > >>>>Subject: [Fwd: Re: [LCG-ROLLOUT] How to blacklist a certificate at
> > >>>>site level ??]
> > >>>>
> > >>>>
> > >>>>
> > >>>>-------- Original Message --------
> > >>>>Subject: Re: [LCG-ROLLOUT] How to blacklist a certificate at site
> > >>>>level ??
> > >>>>Date: Mon, 13 Jun 2005 16:49:31 +0100
> > >>>>From: owen maroney <[log in to unmask]>
> > >>>>Reply-To: LHC Computer Grid - Rollout <[log in to unmask]>
> > >>>>To: [log in to unmask]
> > >>>>References:
> > >>>><[log in to unmask]>
> > >>>> <[log in to unmask]>
> > >>>>
> > >>>>Hi,
> > >>>>
> > >>>>Hmm.
> > >>>>
> > >>>>Just checked the CE here and found that at 12:43 today someone
> > >>>>copied ssh keys into ~/.ssh
> > >>>>
> > >>>>This seems fairly clearly an abuse of someone's certificate.
> > >>>>
> > >>>>I am entirely happy to 'name' this person. I suggest other sites
> > >>>>may want to check ls -latrh /home/*/.ssh
> > >>>>
> > >>>>Owen.
> > >>>>
> > >>>>Dan Schrager wrote:
> > >>>>>I could give you the details of the certificate.
> > >>>>>There is someone that had tried to bypass the certificate
> > >>>>>authentication by inserting ssh keys into the ~/.ssh directory to
> > >>>>>which it had been mapped on our public CE.
> > >>>>>
> > >>>>>Until further checks I will postpone the "name and shame" policy...
> > >>>>>
> > >>>>>Bly, MJ (Martin) wrote:
> > >>>>>>I suppose it is politic to ask: if you feel the need to urgently
> > >>>>>>blacklist a user, should we all be doing the same?
> > >>>>>>Martin.
> > >>>>>>
> > >>>>>>-----Original Message-----
> > >>>>>>From: LHC Computer Grid - Rollout
> > >>>>>>[mailto:[log in to unmask]] On Behalf Of Dan Schrager
> > >>>>>>Sent: Monday, June 13, 2005 3:57 PM
> > >>>>>>To: [log in to unmask]
> > >>>>>>Subject: [LCG-ROLLOUT] How to blacklist a certificate at site
> > >>>>>>level ??
> > >>>
> > >>>>>>Hi everybody,
> > >>>>>>
> > >>>>>>There is an urgent need at our site to blacklist a certificate.
> > >>>>>>
> > >>>>>>Please advise how this can be done at local, gatekeeper(?) level.
> > >>>>>>
> > >>>>>>Regards,
> > >>>>>>Dan
> > >>>>
> > >>>>--
> > >>>>=====================================================
> > >>>>Dr O J E Maroney # London Tier 2 Technical Co-ordinator
> > >>>>
> > >>>>Tel. (+44)20 759 47802
> > >>>>
> > >>>>Imperial College London
> > >>>>High Energy Physics Department
> > >>>>The Blackett Laboratory
> > >>>>Prince Consort Road, London, SW7 2BW
> > >>>>==================================
--
------------------------------------------------------------------------------
| Dr. Alex Martin                                                            |
| e-Mail: [log in to unmask]          Queen Mary, University of London,      |
| Phone : +44-(0)20-7882-5033         Mile End Road,                         |
| Fax   : +44-(0)20-8981-9465         London, UK E1 4NS                      |
------------------------------------------------------------------------------
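The hardening in Alex's point 2 (create ~/.ssh and its contents as root for the grid pool accounts) and the `ls -latrh /home/*/.ssh` check Owen suggests, written up as an added example that is not part of the thread and not any site's own tooling: a small POSIX shell audit that reports, for each pool-account home directory, whether ~/.ssh or authorized_keys is still owned by (or writable by) the account itself, which is the condition that lets a job running as that account plant a key. It assumes GNU coreutils `stat -c` (Linux) and a flat home root such as /home; the account directories, the key file and the script name in the usage are constructed.

```shell
#!/bin/sh
# Added example, not code from the thread: audit pool-account home
# directories for ~/.ssh contents that the account itself could have
# written. Assumes GNU coreutils `stat -c` (Linux) and a flat home root
# such as /home (both assumptions, not taken from the thread).

# ssh_dir_status HOME_DIR
#   Prints one word describing HOME_DIR/.ssh:
#     NONE           no ~/.ssh at all
#     ACCOUNT-OWNED  ~/.ssh or authorized_keys is owned by the account that
#                    owns HOME_DIR, so a job running as that account could
#                    have created or replaced it (and can chmod it back)
#     WRITABLE       owned by another user (e.g. root) but group- or
#                    world-writable, so the account can still change it
#     LOCKED         owned by another user and not group/world writable,
#                    i.e. the "create as root" layout described above
ssh_dir_status() {
    home=$1
    acct=$(stat -c %U "$home")        # the pool account that owns the home
    sshdir=$home/.ssh
    [ -d "$sshdir" ] || { echo NONE; return 0; }
    status=LOCKED
    for p in "$sshdir" "$sshdir/authorized_keys"; do
        [ -e "$p" ] || continue
        owner=$(stat -c %U "$p")
        mode=$(stat -c %a "$p")       # octal mode, e.g. 700 or 644
        grp=$(( (mode / 10) % 10 ))   # group permission digit
        oth=$(( mode % 10 ))          # other permission digit
        if [ "$owner" = "$acct" ]; then
            status=ACCOUNT-OWNED
            break
        elif [ $(( grp & 2 )) -ne 0 ] || [ $(( oth & 2 )) -ne 0 ]; then
            status=WRITABLE           # write bit set for group or other
        fi
    done
    echo "$status"
}

# audit_ssh_dirs HOME_ROOT
#   Prints "<account> <status>" for every home directory under HOME_ROOT
#   whose ~/.ssh is neither absent nor LOCKED, i.e. the accounts to look at.
audit_ssh_dirs() {
    for home in "$1"/*; do
        [ -d "$home" ] || continue
        st=$(ssh_dir_status "$home")
        case $st in
            NONE|LOCKED) ;;
            *) echo "$(basename "$home") $st" ;;
        esac
    done
}

# authorized_keys_by_mtime HOME_ROOT
#   The thread's `ls -latrh /home/*/.ssh` as one sorted listing: every
#   authorized_keys under HOME_ROOT with its modification time and owner,
#   oldest first, so a key that appeared at an odd time stands out.
authorized_keys_by_mtime() {
    find "$1" -mindepth 3 -maxdepth 3 -path '*/.ssh/authorized_keys' \
        -exec stat -c '%y %U %n' {} \; | sort
}

# Usage (constructed script name): sh audit_ssh.sh /home
if [ -n "${1:-}" ]; then
    audit_ssh_dirs "$1"
    authorized_keys_by_mtime "$1"
fi
```

Run it as root on a CE or WN against the pool accounts' home root. LOCKED is the root-owned layout Alex describes; ACCOUNT-OWNED means a job running as that account could create or replace the file, and a read-only mode on an account-owned file does not help because the owner can chmod it back, which is why ownership rather than mode is the test. The mtime listing makes a key that appeared at an unexpected time, like the 12:43 one Owen found, easy to pick out.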