[Toolserver-l] [SECURITY] SSH / Password login
River Tarnell
river.tarnell at wikimedia.de
Sun Mar 6 16:57:12 UTC 2011
Hi,
During the maintenance on December 6th, 2010 I switched the Toolserver
SSH server from Sun SSH to OpenSSH. A difference in how OpenSSH uses
PAM to authenticate users meant that after the change, users were able
to log in via SSH using their LDAP password, without using an SSH key.
This error has now been fixed.
If you have no LDAP password set, or if you have a strong password[0],
then this should not have affected you. However, if you had a weak or
easily guessable password set, or if your LDAP password could have been
compromised (e.g. if you wrote it down in plain text somewhere) then
it's possible someone could have used it to gain access to your account.
In that case, I suggest you immediately change your password (via
'passwd'), then review your home directory to ensure no unauthorised
changes have been made (e.g. new SSH keys added, or shell rc files
changed). If you have sensitive data such as SSH or PGP keys on the
Toolserver, you may wish to revoke them and issue new ones. (However,
storing that kind of data on the Toolserver is probably a bad idea in
any case.)
I'm very sorry for the inconvenience this issue might cause to users,
and I will be reviewing our authentication configuration to reduce the
chance of something like this happening in the future.
- river.
[0] Which is somewhat enforced by the LDAP password policy, but it's
still possible to set a weak password if you try hard enough.
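A configuration check in the spirit of the fix described in the message above, added here as an example and not taken from the original post or from the Toolserver: it reads output in the format of `sshd -T` and flags the settings under which password logins remain possible, in particular the keyboard-interactive path that hands the prompt to PAM even when PasswordAuthentication is off. The function names and the WEAK_CFG / HARDENED_CFG samples are constructed assumptions.

```shell
#!/bin/sh
# Added example (not from the original post). Audit effective sshd settings,
# as printed by `sshd -T`, for any path that still accepts a password.
# Keyword names follow sshd_config(5); defaults assumed: PasswordAuthentication
# yes, KbdInteractiveAuthentication yes, AuthenticationMethods any.

# cfg_get "<sshd -T output>" <lowercase keyword>  -> prints the value
cfg_get() {
    printf '%s\n' "$1" | awk -v k="$2" \
        '$1 == k { sub(/^[^ \t]+[ \t]+/, ""); print; exit }'
}

# audit_sshd_config "<sshd -T output>": returns 0 if only keys can log in,
# 1 if a password-based path is open (each open path is printed).
audit_sshd_config() {
    cfg="$1"
    rc=0
    methods=$(cfg_get "$cfg" authenticationmethods)
    pw=$(cfg_get "$cfg" passwordauthentication)
    kbd=$(cfg_get "$cfg" kbdinteractiveauthentication)
    # Older OpenSSH releases print the previous keyword name instead.
    [ -n "$kbd" ] || kbd=$(cfg_get "$cfg" challengeresponseauthentication)
    pam=$(cfg_get "$cfg" usepam)

    # An explicit AuthenticationMethods list without password or
    # keyboard-interactive closes every password path regardless of the rest.
    case "${methods:-any}" in
        any|*password*|*keyboard-interactive*) ;;
        *) return 0 ;;
    esac
    if [ "${pw:-yes}" = "yes" ]; then
        echo "open: PasswordAuthentication yes"; rc=1
    fi
    # The usual form of the trap: with UsePAM yes, keyboard-interactive hands
    # the prompt to the PAM stack, which checks the account password even
    # though PasswordAuthentication is off.
    if [ "${pam:-no}" = "yes" ] && [ "${kbd:-yes}" = "yes" ]; then
        echo "open: UsePAM yes + KbdInteractiveAuthentication yes"; rc=1
    fi
    return $rc
}

# Constructed samples in `sshd -T` format (not real Toolserver output).
WEAK_CFG='usepam yes
passwordauthentication no
kbdinteractiveauthentication yes
authenticationmethods any'
HARDENED_CFG='usepam yes
passwordauthentication no
kbdinteractiveauthentication no
authenticationmethods publickey'

if audit_sshd_config "$WEAK_CFG"; then echo "weak: key-only"; else echo "weak: password path open"; fi
if audit_sshd_config "$HARDENED_CFG"; then echo "hardened: key-only"; else echo "hardened: password path open"; fi
```

On a live host, feed it the real output with `audit_sshd_config "$(sshd -T)"`; the audit only reads the configuration and changes nothing.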