-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hi,
During the maintenance on December 6th, 2010 I switched the Toolserver SSH server from Sun SSH to OpenSSH. A difference in how OpenSSH uses PAM to authenticate users meant that after the change, users were able to log in via SSH using their LDAP password, without using an SSH key. This error has now been fixed.
If you have no LDAP password set, or if you have a strong password[0], then this should not have affected you. However, if you had a weak or easily guessable password set, or if your LDAP password could have been compromised (e.g. if you wrote it down in plain text somewhere) then it's possible someone could have used it to gain access to your account.
In that case, I suggest you immediately change your password (via 'passwd'), then review your home directory to ensure no unauthorised changes have been made (e.g. new SSH keys added, or shell rc files changed). If you have sensitive data such as SSH or PGP keys on the Toolserver, you may wish to revoke them and issue new ones. (However, storing that kind of data on the Toolserver is probably a bad idea in any case.)
I'm very sorry for the inconvenience this issue might cause to users, and I will be reviewing our authentication configuration to reduce the chance of something like this happening in the future.
- river.
[0] Which is somewhat enforced by the LDAP password policy, but it's still possible to set a weak password if you try hard enough.
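The failure mode river describes is a classic one: OpenSSH with `UsePAM yes` will accept a password through PAM (either via `PasswordAuthentication` or via keyboard-interactive, which `ChallengeResponseAuthentication` controls in OpenSSH of that era) unless both are explicitly switched off, whereas Sun SSH behaved differently. The script below is an added example, not part of the original mail and not the Toolserver's actual configuration: it writes two constructed `sshd_config` fragments (a "weak" one that leaves the OpenSSH defaults in place and a "fixed" one that disables password-style authentication while keeping PAM for account and session handling) and audits each one by reading the effective values the way `sshd` does, first occurrence wins. The keyword names and their defaults are real OpenSSH ones; the file contents and the `mktemp` directory are constructed for the example.

```shell
#!/bin/sh
# Added example: audit an sshd_config for the "password accepted via PAM"
# condition. Keywords are genuine OpenSSH options; the sample configs are
# constructed here and are NOT the Toolserver's real configuration.

# Effective value of keyword $2 in file $1, lower-cased; sshd honours the
# first occurrence, commented lines ("#Keyword") do not match. $3 = default.
sshd_opt() {
    val=$(awk -v key="$2" 'tolower($1) == tolower(key) { print tolower($2); exit }' "$1")
    if [ -n "$val" ]; then printf '%s\n' "$val"; else printf '%s\n' "$3"; fi
}

# Prints "key-only" (exit 0) when only public-key auth can succeed, or
# "password-possible" (exit 1) when a password could still be accepted.
# Defaults per sshd_config(5): PasswordAuthentication yes,
# ChallengeResponseAuthentication yes, UsePAM no.
audit_sshd_config() {
    f=$1
    pw=$(sshd_opt "$f" PasswordAuthentication yes)
    cr=$(sshd_opt "$f" ChallengeResponseAuthentication yes)
    pam=$(sshd_opt "$f" UsePAM no)
    if [ "$pw" = yes ]; then
        echo password-possible
        return 1
    fi
    # With UsePAM yes, keyboard-interactive is routed through PAM and will
    # take the directory (e.g. LDAP) password even though
    # PasswordAuthentication is off.
    if [ "$cr" = yes ] && [ "$pam" = yes ]; then
        echo password-possible
        return 1
    fi
    echo key-only
    return 0
}

# Write the two constructed sample configs and print the directory name.
write_samples() {
    dir=$(mktemp -d)
    # Weak: PAM on, password options left at their defaults (the
    # commented-out line has no effect).
    cat > "$dir/weak.conf" <<'EOF'
Port 22
UsePAM yes
PubkeyAuthentication yes
#PasswordAuthentication no
EOF
    # Fixed: both password paths disabled; PAM kept for account/session.
    cat > "$dir/fixed.conf" <<'EOF'
Port 22
UsePAM yes
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
EOF
    printf '%s\n' "$dir"
}

# Stand-alone run: show the verdict for each sample.
demo() {
    d=$(write_samples)
    for name in weak fixed; do
        printf '%s.conf: ' "$name"
        audit_sshd_config "$d/$name.conf" || :
    done
}
demo
```

Run with `sh audit.sh`; `weak.conf` is reported as `password-possible` and `fixed.conf` as `key-only`. On OpenSSH 8.7 and later the keyword `ChallengeResponseAuthentication` is an alias of `KbdInteractiveAuthentication`, so an audit for current servers should read both names. The same check is cheap enough to run from a post-maintenance checklist, which is the kind of review river mentions at the end of the mail.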