On Mon, Jun 13, 2005 at 05:57:28PM +0100 or thereabouts, Alex Martin wrote:
> On Monday 13 June 2005 17:37, Steve Traylen wrote:
> > On Mon, Jun 13, 2005 at 05:26:57PM +0100 or thereabouts, owen maroney wrote:
> > > Hi all,
> > >
> > > I think we do have a problem here.
> > >
> > > The dteam user in question has put .ssh keys on CE's and WN's.
> > >
> > > We do not yet know why he did this.
> >
> > He did it because he wanted to run MPI jobs, WN<->WN communication
> > required.
> >
>
> 1) This shouldn't be necessary if the site is setup correctly, and it
> wouldn't work, at our site anyway since the grid /home directories aren't
> shared.
Hi Alex,
He was trying to use sites not set up for MPI for MPI, e.g using rsync
and ssh to get around the lack of a shared /home area.
>
> 2) It's fairly easy to prevent this, by e.g. creating as root with
> appropriate permissions ~/.ssh and contents for the GRID accounts (as we
> have done here for a long time)...so this should be integrated into any
> standard integration tools.
What permissions do you have for this? The ideas at
http://goc.grid.sinica.edu.tw/gocwiki/Blocking_batch_jobs_from_creating_ssh_back_doors
someone correctly pointed out as being rubbish today, since someone can still
mv .ssh .sshOLD
even if they can't `rm -rf .ssh`
Steve
>
>
> > > If this exploit is run on a site which has account recycling turned on,
> > > then it becomes possible to steal another users proxy.
> > >
> > > And then use that proxy to launch this exploit against a lot of sites.
> > >
> > > We do not yet even know if this was done with a stolen proxy.
> > >
> > > I suggest that whatever security team/people LCG has needs to *urgently*
> > > determine the exact nature of this action.
> >
> > I noticed before the announcement, I was suspicious of the job called
> > "fix_ssh.sh" that appeared in qstat and contacted him though
> > mainly because his jobs were failing because he was submitting them
> > wrongly to RAL. The greek ROC is in touch with the user in question and
> > they are in touch with the security folks. No doubt there will be a report.
> >
> > Steve
> >
> > > Cornwall, LA (Linda) wrote:
> > > >A vulnerability that has been exploited is an incident. But since the
> > > >user presumably didn't access anything beyond their rights then is it an
> > > >incident?
> > > >If the user had achieved access to anything they should not, or caused
> > > >any damage then it would be an incident. I tend to think the reminder
> > > >about the ssh setup sent by Jeremy is the appropriate response.
> > > >
> > > >Linda
> > > >
> > > >>-----Original Message-----
> > > >>From: Testbed Support for GridPP member institutes [mailto:TB-
> > > >>[log in to unmask]] On Behalf Of owen maroney
> > > >>Sent: 13 June 2005 17:08
> > > >>To: [log in to unmask]
> > > >>Subject: Re: [Fwd: Re: [LCG-ROLLOUT] How to blacklist a certificate at
> > > >>site level ??]
> > > >>
> > > >>Hi Linda,
> > > >>
> > > >>The situation is more serious. If this is a vulnerability then the
> > > >>vulnerability has been exploited.
> > > >>
> > > >>This makes it an incident.
> > > >>
> > > >>Cornwall, LA (Linda) wrote:
> > > >>>Looks like a vulnerability to me - if someone can leave an ssh key
> > > >>>behind!
> > > >>>So simple. Another reason not to recycle accounts.
> > > >>>
> > > >>>Linda
> > > >>>
> > > >>>>-----Original Message-----
> > > >>>>From: Testbed Support for GridPP member institutes [mailto:TB-
> > > >>>>[log in to unmask]] On Behalf Of owen maroney
> > > >>>>Sent: 13 June 2005 16:52
> > > >>>>To: [log in to unmask]
> > > >>>>Subject: [Fwd: Re: [LCG-ROLLOUT] How to blacklist a certificate at site
> > > >>>>level ??]
> > > >>>>
> > > >>>>
> > > >>>>
> > > >>>>-------- Original Message --------
> > > >>>>Subject: Re: [LCG-ROLLOUT] How to blacklist a certificate at site level ??
> > > >>>
> > > >>>>Date: Mon, 13 Jun 2005 16:49:31 +0100
> > > >>>>From: owen maroney <[log in to unmask]>
> > > >>>>Reply-To: LHC Computer Grid - Rollout <[log in to unmask]>
> > > >>>
> > > >>>>To: [log in to unmask]
> > > >>>>References:
> > > >>>><[log in to unmask]>
> > > >>>> <[log in to unmask]>
> > > >>>>
> > > >>>>Hi,
> > > >>>>
> > > >>>>Hmm.
> > > >>>>
> > > >>>>Just checked the CE here and found that at 12:43 today someone copied
> > > >>>>ssh keys into ~/.ssh
> > > >>>>
> > > >>>>This seems fairly clearly an abuse of someone's certificate.
> > > >>>>
> > > >>>>I am entirely happy to 'name' this person. I suggest other sites may
> > > >>>>want to check ls -latrh /home/*/.ssh
> > > >>>>
> > > >>>>Owen.
> > > >>>>
> > > >>>>Dan Schrager wrote:
> > > >>>>>I could give you the details of the certificate.
> > > >>>>>There is someone that had tried to bypass the certificate authentication
> > > >>>>>by inserting ssh keys into the ~/.ssh directory to which it had been
> > > >>>>>mapped on our public CE.
> > > >>>>>
> > > >>>>>Until further checks I will postpone the "name and shame" policy...
> > > >>>>>
> > > >>>>>Bly, MJ (Martin) wrote:
> > > >>>>>>I suppose it is politic to ask: if you feel the need to urgently
> > > >>>>>>blacklist a user, should we all be doing the same?
> > > >>>>>>Martin.
> > > >>>>>>
> > > >>>>>>-----Original Message-----
> > > >>>>>>From: LHC Computer Grid - Rollout
> > > >>>>>>[mailto:[log in to unmask]] On Behalf Of Dan Schrager
> > > >
> > > >>>>>>Sent: Monday, June 13, 2005 3:57 PM
> > > >>>>>>To: [log in to unmask]
> > > >>>>>>Subject: [LCG-ROLLOUT] How to blacklist a certificate at site level ??
> > > >>>
> > > >>>>>>Hi everybody,
> > > >>>>>>
> > > >>>>>>There is an urgent need at our site to blacklist a certificate.
> > > >>>>>>
> > > >>>>>>Please advise how this can be done at local, gatekeeper(?) level.
> > > >>>>>>
> > > >>>>>>Regards,
> > > >>>>>>Dan
> > > >>>>
> > > >>>>--
> > > >>>>=====================================================
> > > >>>>Dr O J E Maroney # London Tier 2 Technical Co-ordinator
> > > >>>>
> > > >>>>Tel. (+44)20 759 47802
> > > >>>>
> > > >>>>Imperial College London
> > > >>>>High Energy Physics Department
> > > >>>>The Blackett Laboratory
> > > >>>>Prince Consort Road, London, SW7 2BW
> > > >>>>==================================
> > > >>>>
> > > >>
> > >
>
> --
> ------------------------------------------------------------------------------
> | |
> | Dr. Alex Martin |
> | e-Mail: [log in to unmask] Queen Mary, University of London, |
> | Phone : +44-(0)20-7882-5033 Mile End Road, |
> | Fax : +44-(0)20-8981-9465 London, UK E1 4NS |
> | |
> ------------------------------------------------------------------------------
--
Steve Traylen
[log in to unmask]
http://www.gridpp.ac.uk/
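The two practical points in the thread, Owen's `ls -latrh /home/*/.ssh` sweep for planted keys and Steve's observation that a root-owned ~/.ssh is defeated by `mv .ssh .sshOLD`, as an added shell example that is not code from the thread or from the gocwiki page it links. The rename works because rename(2) only needs write permission on the parent directory, which is the account's own home, not on .ssh itself; the job renames the root-owned directory aside and creates a fresh ~/.ssh that sshd will honour. The audit function flags both the planted key files and the renamed-aside directories; the hardening function adds the piece the root-owned-directory approach was missing, the immutable attribute, which blocks rename and delete regardless of who owns the parent. Everything under `make_fixture` is constructed sample data, not real site data: the home-directory root, the pool-account names dteam001..003 and the key line are all assumptions. `harden_ssh_dir` needs root and a filesystem that supports chattr(1); it is not exercised by the fixture.

```shell
#!/bin/sh
# Added example, not code from the thread or the gocwiki page it links.

# audit_ssh_dirs HOME_ROOT
#   Walks every home directory under HOME_ROOT and prints one line per finding:
#     <home> key-material <file>         non-empty authorized_keys / private key
#     <home> renamed-or-extra-dir <dir>  a .ssh* entry other than .ssh itself,
#                                        i.e. the "mv .ssh .sshOLD" trick
#   Exit status is 1 if anything was found, 0 if every home is clean.
#   Run it on the WNs as well as the CE: the thread's keys landed on both.
audit_ssh_dirs() {
    hroot="$1"
    found=0
    for home in "$hroot"/*; do
        [ -d "$home" ] || continue
        # Any sibling of .ssh matching .ssh* is a tell: a root-owned .ssh that
        # the account could not delete has simply been renamed out of the way.
        for d in "$home"/.ssh*; do
            [ -e "$d" ] || continue
            case "$d" in
                "$home/.ssh") ;;
                *) echo "$home renamed-or-extra-dir $(basename "$d")"; found=1 ;;
            esac
        done
        # Files sshd or ssh would honour if they appear in a pool account.
        for f in authorized_keys authorized_keys2 id_rsa id_dsa; do
            p="$home/.ssh/$f"
            if [ -f "$p" ] && [ -s "$p" ]; then
                echo "$home key-material $f"
                found=1
            fi
        done
    done
    return $found
}

# harden_ssh_dir HOME
#   A root-owned ~/.ssh on its own is not enough (the account can rename it).
#   Make the directory and an empty authorized_keys immutable (chattr +i), so
#   the account can neither write into .ssh nor rename or delete it, whatever
#   it can do to the rest of its own $HOME. Needs root and a filesystem that
#   supports the immutable attribute (ext2/3/4, xfs).
harden_ssh_dir() {
    home="$1"
    mkdir -p "$home/.ssh"
    : > "$home/.ssh/authorized_keys"
    chown root:root "$home/.ssh" "$home/.ssh/authorized_keys"
    chmod 0755 "$home/.ssh"                   # not group/world-writable: sshd StrictModes
    chmod 0644 "$home/.ssh/authorized_keys"
    chattr +i "$home/.ssh/authorized_keys" "$home/.ssh"
}

# make_fixture
#   Constructed sample data (not from any real site): three pool-account homes
#   in a temporary directory; prints the directory's path.
make_fixture() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/dteam001/.ssh"                           # clean
    mkdir -p "$tmp/dteam002/.ssh"                           # key planted by a job
    echo "ssh-rsa AAAAB3NzaC1yc2EAAAACONSTRUCTED== job@wn" \
        > "$tmp/dteam002/.ssh/authorized_keys"
    mkdir -p "$tmp/dteam003/.sshOLD" "$tmp/dteam003/.ssh"   # .ssh renamed aside
    echo "$tmp"
}

# Stand-alone run: audit the fixture and report.
if [ "${1:-}" = "--demo" ]; then
    fixture=$(make_fixture)
    audit_ssh_dirs "$fixture" || echo "findings listed above"
    rm -rf "$fixture"
fi
```

The audit catches what the thread describes, but the durable fix is to stop sshd consulting the account's home at all: point `AuthorizedKeysFile` at a root-owned tree outside $HOME (for example `/etc/ssh/authorized_keys/%u`), or turn `PubkeyAuthentication` off on worker-node sshd entirely if nothing legitimate needs it. Per-user `Match` blocks in sshd_config only arrived with OpenSSH 4.4, after this thread, so on 2005-era hosts the choice is global; MPI sites that genuinely need WN-to-WN ssh then supply the keys from the root-owned location rather than letting jobs write them.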