The proxies you could obtain using this method would be limited proxies
unless you knew where a user was placing full proxies if obtained from
say a myproxy server. Limited proxies cannot run jobs.
A pool account system relies on the fact that after your lease of an
account expires it is cleaned. This /should/ delete the user's sensitive
files, mail spool, crontab (if ever they were allowed to cron) home
directory, etc. So ~/.ssh will not live past the end of your lease.
However, if you are root on one of these nodes you can strip limited
proxy certificates and use them to create .ssh files on other machines
using gsiftp. Then you can ssh in (provided the node runs sshd and allows
ssh-keys) and run what you like as someone else. However, this still
leaves an IP trail.
If you buy into the Globus2 way you accept the risks :)
Solution: restricted proxies, maybe?
Mike
On Mon, 7 Feb 2005, Kostas Georgiou wrote:
> On Mon, Feb 07, 2005 at 12:54:15PM -0000, Burke, S (Stephen) wrote:
>
> > Testbed Support for GridPP member institutes
> > > [mailto:[log in to unmask]] On Behalf Of Kostas Georgiou said:
> > > But how do you prove that the user sumbitted the job ? You can only
> > > prove that his proxy cert was used not *who* used it. Given that quite
> > > a few people can have access to it a user can easily claim that he
> > > didn't submit that specific job.
> >
> > What level of proof do you require? If the user has been careless
> > they're responsible anyway, so the alternative is that a UI, RB or
> > myproxy has been hacked. In general if that's the case you'd expect
> > evidence of it, and it's likely that more than one user would have had
> > their proxy used. If there's no evidence of hacking the balance of
> > probability would certainly be the other way.
>
> It's pretty easy in the worker nodes to add an ssh key or a cron job
> that will collect proxies from the pool account once it gets reused.
> Also lets not forget all the people with root access in the machines
> involved probably more than a few dozen even if it's unlikely that
> they will do something it's one more vector that you need to consider.
>
> > Whether it could be strong
> > enough to get a criminal conviction might be another matter, but
> > hopefully we won't have to find out ...
>
> Let's hope so...
>
> Cheers,
> Kostas
>
--
http://www.sve.man.ac.uk/General/Staff/jonesM/
|