>
> > 2) It's fairly easy to prevent this, by e.g. creating as root with
> > appropriate permissions ~/.ssh and contents for the GRID accounts (as
> > we have done here for a long time)... so this should be integrated
> > into any standard integration tools.
>
> What permissions do you have for this? The ideas at
> http://goc.grid.sinica.edu.tw/gocwiki/Blocking_batch_jobs_from_creating_ssh_back_doors
> someone correctly pointed out as being rubbish today, since someone can
> still
>
> mv .ssh .sshOLD
>
> even if they can't `rm -rf .ssh`.
>
yes
> Steve
>
Steve,
what we do is actually a bit complicated because we in fact use ssh
to handle the job request.
I had to remind myself exactly what we do. Basically we use a PBS service
certificate to allow the initial PBS request and then start an ssh agent on
the machine running the task. In the job epilogue we kill the agent and
restore the service key (which would delete any attempt to modify the key
file). Of course one has to take care of the case where there are multiple
jobs owned by the same user on the same machine.
I can provide the prologue/epilogue files if anyone is interested.
cheers,
Alex
> > > > If this exploit is run on a site which has account recycling turned
> > > > on, then it becomes possible to steal another user's proxy.
> > > >
> > > > And then use that proxy to launch this exploit against a lot of
> > > > sites.
> > > >
> > > > We do not yet even know if this was done with a stolen proxy.
> > > >
> > > > I suggest that whatever security team/people LCG has needs to
> > > > *urgently* determine the exact nature of this action.
> > >
> > > I noticed before the announcement; I was suspicious of the job called
> > > "fix_ssh.sh" that appeared in qstat and contacted him, though
> > > mainly because his jobs were failing because he was submitting them
> > > wrongly to RAL. The Greek ROC is in touch with the user in question and
> > > they are in touch with the security folks. No doubt there will be a
> > > report.
> > >
> > > Steve
> > >
> > > > Cornwall, LA (Linda) wrote:
> > > > >A vulnerability that has been exploited is an incident. But since
> > > > > the user presumably didn't access anything beyond their rights then
> > > > > is it an incident?
> > > > >If the user had achieved access to anything they should not, or
> > > > > caused any damage then it would be an incident. I tend to think
> > > > > the reminder about the ssh setup sent by Jeremy is the appropriate
> > > > > response.
> > > > >
> > > > >Linda
> > > > >
> > > > >>-----Original Message-----
> > > > >>From: Testbed Support for GridPP member institutes [mailto:TB-
> > > > >>[log in to unmask]] On Behalf Of owen maroney
> > > > >>Sent: 13 June 2005 17:08
> > > > >>To: [log in to unmask]
> > > > >>Subject: Re: [Fwd: Re: [LCG-ROLLOUT] How to blacklist a certificate at site level ??]
> > > > >>
> > > > >>Hi Linda,
> > > > >>
> > > > >>The situation is more serious. If this is a vulnerability then the
> > > > >>vulnerability has been exploited.
> > > > >>
> > > > >>This makes it an incident.
> > > > >>
> > > > >>Cornwall, LA (Linda) wrote:
> > > > >>>Looks like a vulnerability to me - if someone can leave an ssh key
> > > > >>>behind!
> > > > >>>So simple. Another reason not to recycle accounts.
> > > > >>>
> > > > >>>Linda
> > > > >>>
> > > > >>>>-----Original Message-----
> > > > >>>>From: Testbed Support for GridPP member institutes [mailto:TB-
> > > > >>>>[log in to unmask]] On Behalf Of owen maroney
> > > > >>>>Sent: 13 June 2005 16:52
> > > > >>>>To: [log in to unmask]
> > > > >>>>Subject: [Fwd: Re: [LCG-ROLLOUT] How to blacklist a certificate at site level ??]
> > > > >>>>
> > > > >>>>-------- Original Message --------
> > > > >>>>Subject: Re: [LCG-ROLLOUT] How to blacklist a certificate at site level ??
> > > > >>>>Date: Mon, 13 Jun 2005 16:49:31 +0100
> > > > >>>>From: owen maroney <[log in to unmask]>
> > > > >>>>Reply-To: LHC Computer Grid - Rollout <[log in to unmask]>
> > > > >>>
> > > > >>>>To: [log in to unmask]
> > > > >>>>References: <[log in to unmask]> <[log in to unmask]>
> > > > >>>>
> > > > >>>>Hi,
> > > > >>>>
> > > > >>>>Hmm.
> > > > >>>>
> > > > >>>>Just checked the CE here and found that at 12:43 today someone copied
> > > > >>>>ssh keys into ~/.ssh
> > > > >>>>
> > > > >>>>This seems fairly clearly an abuse of someone's certificate.
> > > > >>>>
> > > > >>>>I am entirely happy to 'name' this person. I suggest other sites may
> > > > >>>>want to check ls -latrh /home/*/.ssh
> > > > >>>>
> > > > >>>>Owen.
> > > > >>>>
> > > > >>>>Dan Schrager wrote:
> > > > >>>>>I could give you the details of the certificate.
> > > > >>>>>There is someone that had tried to bypass the certificate authentication
> > > > >>>>>by inserting ssh keys into the ~/.ssh directory to which it had been
> > > > >>>>>mapped on our public CE.
> > > > >>>>>
> > > > >>>>>Until further checks I will postpone the "name and shame" policy...
> > > > >>>>>
> > > > >>>>>Bly, MJ (Martin) wrote:
> > > > >>>>>>I suppose it is politic to ask: if you feel the need to urgently
> > > > >>>>>>blacklist a user, should we all be doing the same?
> > > > >>>>>>Martin.
> > > > >>>>>>
> > > > >>>>>>-----Original Message-----
> > > > >>>>>>From: LHC Computer Grid - Rollout
> > > > >>>>>>[mailto:[log in to unmask]] On Behalf Of Dan Schrager
> > > > >>>>>>Sent: Monday, June 13, 2005 3:57 PM
> > > > >>>>>>To: [log in to unmask]
> > > > >>>>>>Subject: [LCG-ROLLOUT] How to blacklist a certificate at site level ??
> > > > >>>
> > > > >>>>>>Hi everybody,
> > > > >>>>>>
> > > > >>>>>>There is an urgent need at our site to blacklist a certificate.
> > > > >>>>>>
> > > > >>>>>>Please advise how this can be done at local, gatekeeper(?) level.
> > > > >>>>>>
> > > > >>>>>>Regards,
> > > > >>>>>>Dan
> > > > >>>>
> > > > >>>>--
> > > > >>>>=====================================================
> > > > >>>>Dr O J E Maroney # London Tier 2 Technical Co-ordinator
> > > > >>>>
> > > > >>>>Tel. (+44)20 759 47802
> > > > >>>>
> > > > >>>>Imperial College London
> > > > >>>>High Energy Physics Department
> > > > >>>>The Blackett Laboratory
> > > > >>>>Prince Consort Road, London, SW7 2BW
> > > > >>>>==================================
--
Dr. Alex Martin
Queen Mary, University of London, Mile End Road, London, UK E1 4NS
e-Mail: [log in to unmask]
Phone : +44-(0)20-7882-5033
Fax   : +44-(0)20-8981-9465
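The epilogue-style restore Alex describes, written up as an added example (not the Queen Mary prologue/epilogue scripts and not code from the thread): it audits a pool account's ~/.ssh against a root-held baseline authorized_keys, treats a renamed sibling directory (the `mv .ssh .sshOLD` case Steve raises) as a finding, quarantines what it finds for the incident team and reinstates the baseline. The quarantine path, account name and key strings are constructed placeholders.

```shell
# Added example, not the Queen Mary prologue/epilogue code: audit one pool
# account's ~/.ssh against a root-held baseline authorized_keys; on a mismatch,
# quarantine the evidence and reinstate the baseline. QUARANTINE is assumed.
QUARANTINE="${QUARANTINE:-/var/lib/ssh-audit/quarantine}"
# audit_ssh_dir HOME BASELINE: print findings, return 1 if anything is off.
audit_ssh_dir() {
    home=$1; base=$2; bad=0
    # A renamed directory ("mv .ssh .sshOLD") survives as a sibling of .ssh.
    for d in "$home"/.ssh*; do
        [ -e "$d" ] || continue
        [ "$d" = "$home/.ssh" ] || { echo "renamed ssh dir: $d"; bad=1; }
    done
    # .ssh must exist and carry exactly the baseline authorized_keys.
    if [ ! -d "$home/.ssh" ]; then
        echo "missing .ssh in $home"; bad=1
    elif ! cmp -s "$home/.ssh/authorized_keys" "$base"; then
        echo "authorized_keys differs from baseline in $home"; bad=1
    fi
    # Any other file in .ssh (private keys, config, known_hosts) is unexpected.
    for f in "$home"/.ssh/* "$home"/.ssh/.[!.]*; do
        [ -e "$f" ] || continue
        [ "${f##*/}" = authorized_keys ] || { echo "unexpected file: $f"; bad=1; }
    done
    return $bad
}

# restore_ssh_dir HOME BASELINE: move everything aside for the incident team,
# then recreate .ssh with only the baseline key (as root in production).
restore_ssh_dir() {
    home=$1; base=$2
    q="$QUARANTINE/$(basename "$home")-$(date +%Y%m%dT%H%M%S)"
    mkdir -p "$q"
    for d in "$home"/.ssh*; do
        [ -e "$d" ] || continue
        mv "$d" "$q/"
    done
    mkdir -m 700 "$home/.ssh"
    cp "$base" "$home/.ssh/authorized_keys"
    chmod 600 "$home/.ssh/authorized_keys"
}

# Demo on a constructed account (placeholder keys): the original directory was
# renamed and a job planted its own key in a fresh .ssh.
t=$(mktemp -d); QUARANTINE="$t/quarantine"
printf 'ssh-rsa AAAA-BASELINE-PLACEHOLDER root@ce\n' > "$t/baseline_keys"
mkdir -p "$t/grid001/.sshOLD" "$t/grid001/.ssh"
printf 'ssh-rsa AAAA-PLANTED-PLACEHOLDER job@wn\n' > "$t/grid001/.ssh/authorized_keys"
audit_ssh_dir "$t/grid001" "$t/baseline_keys" || restore_ssh_dir "$t/grid001" "$t/baseline_keys"
audit_ssh_dir "$t/grid001" "$t/baseline_keys" && echo "restored: $t/grid001"
```

Run it per account from the epilogue only once the user's last job on the node has finished, which is the multiple-jobs case Alex flags.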