River Tarnell wrote:
> Hi,
>
> During the maintenance on December 6th, 2010 I switched the Toolserver
> SSH server from Sun SSH to OpenSSH. A difference in how OpenSSH uses
> PAM to authenticate users meant that after the change, users were able
> to log in via SSH using their LDAP password, without using an SSH key.
> This error has now been fixed.
>
> If you have no LDAP password set, or if you have a strong password[0],
> then this should not have affected you. However, if you had a weak or
> easily guessable password set, or if your LDAP password could have been
> compromised (e.g. if you wrote it down in plain text somewhere) then
> it's possible someone could have used it to gain access to your account.

Wouldn't such a login have been logged? Seems easy to find out if any
account was accessed this way. The line would look like:

<date time> localhost sshd[12345]: Accepted password for user from 208.80.152.165 port 23456 ssh2
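
The log check suggested in the reply above, as an added example that is not part of the original thread: it lists accounts with "Accepted password" sshd entries on or after the maintenance date. The traditional syslog timestamp layout, the year argument, the function name and all sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Assumed layout: traditional syslog prefix ("Dec  6 14:02:11 host sshd[pid]: ...").
# The message is matched directly after the "sshd[pid]: " tag, so text placed in
# the username of a failed attempt cannot imitate an accepted login.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Accepted password for (?P<user>\S+) from (?P<ip>\S+) port \d+"
)

WINDOW_START = datetime(2010, 12, 6)  # maintenance date given in the announcement

def password_logins(lines, since, year):
    """Return {user: {count, first_seen, sources}} for password logins at or after `since`."""
    hits = defaultdict(lambda: {"count": 0, "first_seen": None, "sources": set()})
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # publickey logins, failures and non-sshd lines are ignored
        # Syslog timestamps carry no year; the caller supplies it (assumption).
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        if ts < since:
            continue
        entry = hits[m["user"]]
        entry["count"] += 1
        entry["sources"].add(m["ip"])
        if entry["first_seen"] is None or ts < entry["first_seen"]:
            entry["first_seen"] = ts
    return dict(hits)

# Constructed sample lines (documentation address ranges), not real Toolserver logs.
SAMPLE = [
    "Dec  5 22:10:03 localhost sshd[4100]: Accepted password for alice from 192.0.2.10 port 40110 ssh2",
    "Dec  6 14:02:11 localhost sshd[4321]: Accepted publickey for alice from 192.0.2.10 port 40112 ssh2",
    "Dec  7 03:15:42 localhost sshd[5120]: Accepted password for bob from 198.51.100.7 port 51544 ssh2",
    "Dec  7 03:16:01 localhost sshd[5125]: Failed password for invalid user "
    "Accepted password for root from 203.0.113.9 port 1 ssh2 from 203.0.113.9 port 51560 ssh2",
    "Dec  8 09:00:30 localhost sshd[6001]: Accepted password for bob from 203.0.113.5 port 42000 ssh2",
]

if __name__ == "__main__":
    for user, info in sorted(password_logins(SAMPLE, WINDOW_START, 2010).items()):
        print(user, info["count"], info["first_seen"], sorted(info["sources"]))
```

An account that shows up here only from source addresses its owner recognises is a much weaker signal than one with an unfamiliar source, so the per-user source list is the part to review with each account holder.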