Well - it comes down to if they violated their CPS for their
certificate, or their conditions of use for the VO. The former is
unlikely - I couldn't casually (from home) lay my hands on the latter.

Even if they violated their VO membership, intent is in my opinion an
important part of the issue. Unless we believe that it was malicious or
persistent when asked to stop then I think that a low key approach is
perfectly reasonable.

Many users have always stretched the bounds of what they can do. Instead
of landing like a ton of bricks we should simply ask them to desist and
close the gaps. If they didn't stop when asked or were up to no good it
is of course a different matter.

Regards
Andrew

> -----Original Message-----
> From: Testbed Support for GridPP member institutes
> [mailto:[log in to unmask]] On Behalf Of Cornwall, LA (Linda)
> Sent: 13 June 2005 17:16
> To: [log in to unmask]
> Subject: Re: [Fwd: Re: [LCG-ROLLOUT] How to blacklist a certificate at site level ??]
>
>
> A vulnerability that has been exploited is an incident. But
> since the user presumably didn't access anything beyond their
> rights then is it an incident?
> If the user had achieved access to anything they should not,
> or caused any damage then it would be an incident. I tend to
> think the reminder about the ssh setup sent by Jeremy is the
> appropriate response.
>
> Linda
>
> > -----Original Message-----
> > From: Testbed Support for GridPP member institutes [mailto:TB-
> > [log in to unmask]] On Behalf Of owen maroney
> > Sent: 13 June 2005 17:08
> > To: [log in to unmask]
> > Subject: Re: [Fwd: Re: [LCG-ROLLOUT] How to blacklist a certificate at site level ??]
> >
> > Hi Linda,
> >
> > The situation is more serious. If this is a vulnerability then the
> > vulnerability has been exploited.
> >
> > This makes it an incident.
> >
> > Cornwall, LA (Linda) wrote:
> > > Looks like a vulnerability to me - if someone can leave an ssh key
> > > behind! So simple. Another reason not to recycle accounts.
> > >
> > > Linda
> > >
> > >
> > >>-----Original Message-----
> > >>From: Testbed Support for GridPP member institutes [mailto:TB-
> > >>[log in to unmask]] On Behalf Of owen maroney
> > >>Sent: 13 June 2005 16:52
> > >>To: [log in to unmask]
> > >>Subject: [Fwd: Re: [LCG-ROLLOUT] How to blacklist a certificate at site level ??]
> > >>
> > >>
> > >>
> > >>-------- Original Message --------
> > >>Subject: Re: [LCG-ROLLOUT] How to blacklist a certificate at site level ??
> > >>Date: Mon, 13 Jun 2005 16:49:31 +0100
> > >>From: owen maroney <[log in to unmask]>
> > >>Reply-To: LHC Computer Grid - Rollout <[log in to unmask]>
> > >>To: [log in to unmask]
> > >>References: <[log in to unmask]>
> > >> <[log in to unmask]>
> > >>
> > >>Hi,
> > >>
> > >>Hmm.
> > >>
> > >>Just checked the CE here and found that at 12:43 today someone copied
> > >>ssh keys into ~/.ssh
> > >>
> > >>This seems fairly clearly an abuse of someone's certificate.
> > >>
> > >>I am entirely happy to 'name' this person. I suggest other sites may
> > >>want to check ls -latrh /home/*/.ssh
> > >>
> > >>Owen.
> > >>
> > >>Dan Schrager wrote:
> > >>
> > >>
> > >>>I could give you the details of the certificate.
> > >>>There is someone that had tried to bypass the certificate authentication
> > >>>by inserting ssh keys into the ~/.ssh directory to which it had been
> > >>>mapped on our public CE.
> > >>>
> > >>>Until further checks I will postpone the "name and shame" policy...
> > >>>
> > >>>
> > >>>
> > >>>Bly, MJ (Martin) wrote:
> > >>>
> > >>>
> > >>>>I suppose it is politic to ask: if you feel the need to urgently
> > >>>>blacklist a user, should we all be doing the same? Martin.
> > >>>>
> > >>>>-----Original Message-----
> > >>>>From: LHC Computer Grid - Rollout
> > >>>>[mailto:[log in to unmask]] On Behalf Of Dan Schrager
> > >>>>Sent: Monday, June 13, 2005 3:57 PM
> > >>>>To: [log in to unmask]
> > >>>>Subject: [LCG-ROLLOUT] How to blacklist a certificate at site level ??
> > >>>>
> > >>>>Hi everybody,
> > >>>>
> > >>>>There is an urgent need at our site to blacklist a certificate.
> > >>>>
> > >>>>Please advise how this can be done at local, gatekeeper(?) level.
> > >>>>
> > >>>>Regards,
> > >>>>Dan
> > >>>>
> > >>>>
> > >>
> > >>--
> > >>=====================================================
> > >>Dr O J E Maroney # London Tier 2 Technical Co-ordinator
> > >>
> > >>Tel. (+44)20 759 47802
> > >>
> > >>Imperial College London
> > >>High Energy Physics Department
> > >>The Blackett Laboratory
> > >>Prince Consort Road, London, SW7 2BW
> > >>==================================
> > >>
> > >
> > >
> >
> > --
> > ======================================================
> > Dr O J E Maroney # London Tier 2 Technical Co-ordinator
> >
> > Tel. (+44)20 759 47802
> >
> > Imperial College London
> > High Energy Physics Department
> > The Blackett Laboratory
> > Prince Consort Road, London, SW7 2BW
> > ===================================
>
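
The site-wide check suggested in the thread (`ls -latrh /home/*/.ssh`), written as a script that reports each account's `authorized_keys*` files with a key count and whether the file changed recently. This is an added example, not part of the original messages; the function name, the one-day default window and the sample account names are assumptions.

```sh
#!/bin/sh
# Added example: report authorized_keys files under BASE/*/.ssh.
# Output per file: account <TAB> path <TAB> key-count <TAB> RECENT|older
audit_ssh_keys() {
    base=$1
    days=${2:-1}          # "RECENT" = modified less than this many days ago
    for dir in "$base"/*/.ssh; do
        [ -d "$dir" ] || continue
        account=$(basename "$(dirname "$dir")")
        for f in "$dir"/authorized_keys*; do
            [ -f "$f" ] || continue
            # Count key entries, ignoring blank lines and comments.
            keys=$(grep -c -v -E '^[[:space:]]*(#|$)' "$f" || true)
            if [ -n "$(find "$f" -mtime -"$days")" ]; then
                age=RECENT
            else
                age=older
            fi
            printf '%s\t%s\t%s\t%s\n' "$account" "$f" "$keys" "$age"
        done
    done
}

# Constructed sample tree standing in for /home on a CE (account names made up).
demo=$(mktemp -d)
mkdir -p "$demo/pool001/.ssh" "$demo/pool002" "$demo/pool003/.ssh"
printf '# left behind\nssh-rsa AAAA-constructed user@example\n' \
    > "$demo/pool001/.ssh/authorized_keys"
printf 'ssh-rsa AAAA-constructed old@example\n' \
    > "$demo/pool003/.ssh/authorized_keys"
touch -t 200506010000 "$demo/pool003/.ssh/authorized_keys"   # backdate one file
audit_ssh_keys "$demo"
rm -rf "$demo"
```

On accounts that grid users are only ever mapped into, any reported line is worth a look, and a RECENT one can be matched against the gatekeeper's mapping log for that time.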