Re: [Toolserver-l] [SECURITY] SSH / Password login
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

In article <4d73dec0.9030...@gmail.com>, Platonides wrote:
> Wouldn't such a login have been logged? Seems easy to find out if any
> account was accessed this way.

No, because the problem was introduced in December and we don't keep 3
months' worth of old logs around.

- river.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (NetBSD)

iEYEARECAAYFAk1z3lIACgkQIXd7fCuc5vIokQCeMOScxP+wvLasspBfas+HQ5yA
09UAn1eyDgwbhy03C6jM3w5/TW/MRmPF
=wU1u
-----END PGP SIGNATURE-----

___
Toolserver-l mailing list (Toolserver-l@lists.wikimedia.org)
https://lists.wikimedia.org/mailman/listinfo/toolserver-l
Posting guidelines for this list: https://wiki.toolserver.org/view/Mailing_list_etiquette
Re: [Toolserver-l] [SECURITY] SSH / Password login
River Tarnell wrote:
> Hi,
>
> During the maintenance on December 6th, 2010 I switched the Toolserver
> SSH server from Sun SSH to OpenSSH. A difference in how OpenSSH uses
> PAM to authenticate users meant that after the change, users were able
> to log in via SSH using their LDAP password, without using an SSH key.
> This error has now been fixed.
>
> If you have no LDAP password set, or if you have a strong password[0],
> then this should not have affected you. However, if you had a weak or
> easily guessable password set, or if your LDAP password could have been
> compromised (e.g. if you wrote it down in plain text somewhere) then
> it's possible someone could have used it to gain access to your account.

Wouldn't such a login have been logged? Seems easy to find out if any
account was accessed this way. The line would look like:

localhost sshd[12345]: Accepted password for user from 208.80.152.165 port 23456 ssh2
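The check Platonides describes, as an added example that is not part of the original thread: a small parser over sshd syslog lines that separates key-based logins from the ones an exposed password path would produce, and counts failed password attempts per source address. The log lines, hostname, users and addresses below are constructed for the example (addresses from RFC 5737 documentation ranges); the message formats are OpenSSH's own "Accepted <method> for <user> from <ip> port <port>" and "Failed password for ..." lines. Note that a PAM-backed password login is logged with method "keyboard-interactive/pam" rather than "password", so grepping for "Accepted password" alone would miss it.

```python
import re
from collections import Counter

# Constructed sample sshd log lines in syslog format (not real Toolserver logs).
SAMPLE_LOG = """\
Dec  7 01:12:03 willow sshd[12345]: Accepted publickey for alice from 192.0.2.10 port 50122 ssh2
Dec  7 02:40:51 willow sshd[12401]: Accepted password for bob from 198.51.100.7 port 23456 ssh2
Dec  7 02:41:09 willow sshd[12402]: Failed password for bob from 198.51.100.7 port 23457 ssh2
Dec  8 11:05:44 willow sshd[13010]: Accepted keyboard-interactive/pam for carol from 203.0.113.5 port 40001 ssh2
Dec  8 11:06:00 willow sshd[13011]: Accepted publickey for bob from 192.0.2.11 port 50200 ssh2
Dec  9 09:00:00 willow sshd[13500]: Failed password for invalid user admin from 203.0.113.99 port 4444 ssh2
Dec  9 09:00:05 willow sshd[13501]: Failed password for invalid user admin from 203.0.113.99 port 4445 ssh2
Dec  9 09:00:09 willow sshd[13502]: Failed password for root from 203.0.113.99 port 4446 ssh2
"""

# OpenSSH logs every successful authentication as
#   "Accepted <method> for <user> from <ip> port <port> <proto>".
ACCEPTED_RE = re.compile(
    r"sshd\[(?P<pid>\d+)\]: Accepted (?P<method>\S+) for (?P<user>\S+) "
    r"from (?P<ip>\S+) port (?P<port>\d+)"
)
# Failed attempts for unknown accounts carry an extra "invalid user" marker.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)

# Methods that do not involve the account password. Anything else ("password",
# "keyboard-interactive/pam") is what a mistakenly enabled PAM path would produce.
NON_PASSWORD_METHODS = {"publickey", "hostbased", "gssapi-with-mic"}


def accepted_logins(log_text):
    """Yield (user, method, ip) for every successful login in the log."""
    for line in log_text.splitlines():
        m = ACCEPTED_RE.search(line)
        if m:
            yield m.group("user"), m.group("method"), m.group("ip")


def non_key_logins(log_text):
    """Successful logins that did not use a key (or another non-password method)."""
    return [(u, meth, ip) for u, meth, ip in accepted_logins(log_text)
            if meth not in NON_PASSWORD_METHODS]


def users_to_review(log_text):
    """Sorted list of accounts that were accessed without a key at least once."""
    return sorted({u for u, _, _ in non_key_logins(log_text)})


def failed_password_sources(log_text, threshold=2):
    """Source addresses with at least `threshold` failed password attempts."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[m.group("ip")] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for user, method, ip in non_key_logins(SAMPLE_LOG):
        print(f"REVIEW {user}: accepted via {method} from {ip}")
    for ip, n in failed_password_sources(SAMPLE_LOG).items():
        print(f"GUESSING? {ip}: {n} failed password attempts")
```

The obvious limitation is the one river's reply points out: this only works for the part of the window whose sshd logs still exist. wtmp (what `last` prints) records sessions for longer on many systems but not the authentication method, so it cannot tell a password login from a key login.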
Re: [Toolserver-l] [SECURITY] SSH / Password login
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

In article , Marcin Cieslak wrote:
> > If you have no LDAP password set, (...)
> How do I find out if I have one? I don't remember ever setting this,
> or maybe it was long ago.

Run setpass:

willow% setpass
setpass: password already set
setpass: use passwd(1) to change your password

- river.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (NetBSD)

iEYEARECAAYFAk1zwhoACgkQIXd7fCuc5vImCQCguZ5c4S6yuVxuzSnK04gl64/G
Yn0An389qvaqjjwKd+2vpOw2a3o5cgJ4
=GoHp
-----END PGP SIGNATURE-----
Re: [Toolserver-l] [SECURITY] SSH / Password login
> If you have no LDAP password set, (...)

How do I find out if I have one? I don't remember ever setting this,
or maybe it was long ago.

//Marcin
[Toolserver-l] [SECURITY] SSH / Password login
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,

During the maintenance on December 6th, 2010 I switched the Toolserver
SSH server from Sun SSH to OpenSSH. A difference in how OpenSSH uses
PAM to authenticate users meant that after the change, users were able
to log in via SSH using their LDAP password, without using an SSH key.
This error has now been fixed.

If you have no LDAP password set, or if you have a strong password[0],
then this should not have affected you. However, if you had a weak or
easily guessable password set, or if your LDAP password could have been
compromised (e.g. if you wrote it down in plain text somewhere) then
it's possible someone could have used it to gain access to your account.

In that case, I suggest you immediately change your password (via
'passwd'), then review your home directory to ensure no unauthorised
changes have been made (e.g. new SSH keys added, or shell rc files
changed). If you have sensitive data such as SSH or PGP keys on the
Toolserver, you may wish to revoke them and issue new ones. (However,
storing that kind of data on the Toolserver is probably a bad idea in
any case.)

I'm very sorry for the inconvenience this issue might cause to users,
and I will be reviewing our authentication configuration to reduce the
chance of something like this happening in the future.

- river.

[0] Which is somewhat enforced by the LDAP password policy, but it's
still possible to set a weak password if you try hard enough.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (NetBSD)

iEYEARECAAYFAk1zvOgACgkQIXd7fCuc5vJpowCeMoLig31BAHnStWakKgeU/ZOr
pCYAoKMEF/6+yzzKGQNVYxXqJuhM2f63
=ykB1
-----END PGP SIGNATURE-----
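The announcement only says that "a difference in how OpenSSH uses PAM" let passwords through; it does not give the Toolserver's sshd_config. As an added example that is not part of the original thread, the block below shows one common way this happens (an assumption about the cause, not a statement of what was actually misconfigured): PasswordAuthentication is turned off, but ChallengeResponseAuthentication is left at its default of yes together with UsePAM yes, so sshd still offers the keyboard-interactive method and PAM answers it with a password prompt. The audit function parses an sshd_config text with sshd's own rule that the first value seen for a keyword wins, ignores Match blocks, and reports which authentication paths accept a bare password. Both config fragments are constructed; the defaults are those documented in sshd_config(5).

```python
import re

# Constructed sshd_config fragments, assumed for illustration (not the
# Toolserver's actual configuration).
WEAK_CONFIG = """\
# Meant to be key-only, but only the obvious keyword was turned off.
PasswordAuthentication no
UsePAM yes
# ChallengeResponseAuthentication is not set, so it keeps its default (yes):
# sshd still offers keyboard-interactive, and PAM turns that into a password prompt.
"""

FIXED_CONFIG = """\
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM yes
"""

# sshd_config(5) defaults for the keywords that decide whether a password is enough.
DEFAULTS = {
    "pubkeyauthentication": "yes",
    "passwordauthentication": "yes",
    "challengeresponseauthentication": "yes",
    "usepam": "no",
}


def parse_sshd_config(text):
    """Return (global_settings, match_criteria).

    sshd_config(5): for each keyword the FIRST value obtained is used, so a
    later duplicate never overrides an earlier one. Keywords after a Match
    line apply only to matching connections and are not merged in here.
    """
    settings, matches, in_match = {}, [], False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)   # "Key value" or "Key=value"
        key = parts[0].lower()
        value = parts[1].strip().lower() if len(parts) > 1 else ""
        if key == "match":
            in_match = True
            matches.append(value)
            continue
        if in_match:
            continue
        settings.setdefault(key, value)   # first occurrence wins
    return settings, matches


def password_only_paths(text):
    """Authentication methods that let a client in with just the account password."""
    s, _ = parse_sshd_config(text)
    get = lambda k: s.get(k, DEFAULTS[k])

    # OpenSSH 6.2 and later only: if every alternative in AuthenticationMethods
    # requires publickey, a password alone can never succeed whatever the flags say.
    methods = s.get("authenticationmethods")
    if methods and methods != "any":
        alternatives = [alt.split(",") for alt in methods.split()]
        if all(any(m.startswith("publickey") for m in alt) for alt in alternatives):
            return []

    paths = []
    if get("passwordauthentication") == "yes":
        paths.append("password")
    # KbdInteractiveAuthentication is the newer name for ChallengeResponseAuthentication;
    # with UsePAM yes the PAM conversation asks for, and accepts, the password.
    kbd = s.get("kbdinteractiveauthentication", get("challengeresponseauthentication"))
    if kbd == "yes" and get("usepam") == "yes":
        paths.append("keyboard-interactive/pam")
    return paths


def audit(text):
    """One-line verdict for a config text."""
    paths = password_only_paths(text)
    return "OK: key required" if not paths else "WEAK: password accepted via " + ", ".join(paths)


if __name__ == "__main__":
    print("weak  ->", audit(WEAK_CONFIG))
    print("fixed ->", audit(FIXED_CONFIG))
```

On a live server, feed the audit the output of `sshd -T` (sshd's extended test mode, which prints the effective configuration after defaults and includes are applied) rather than the raw file, so that distribution defaults that differ from upstream, notably UsePAM, are taken into account.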