Note: This web site is only kept up to date for OSG Software 1.2 (VDT 2.0.0). If you are looking for information for the most recent release, the RPM-based OSG Software 3.0, please see the OSG documentation web site.

GSI OpenSSH Vulnerability

Summary

The GSI OpenSSH server, in combination with certain system settings, can allow an authenticated user to become any user on the system.

Relevant Versions

This advisory affects the following VDT versions:

Date Announced

2004-07-13

Description

A security advisory is available from the GSI OpenSSH web page:

http://grid.ncsa.uiuc.edu/ssh/implicitlogin.adv

The vulnerability does not affect OpenSSH, only GSI OpenSSH.

By default, the VDT does not configure computers to use GSI OpenSSH as a server, and we are not aware of many VDT users who do this configuration automatically. If you are not aware of having made any changes to use GSI OpenSSH from the VDT as a server, you are not impacted. However, if you are using GSI OpenSSH as a server, this vulnerability may affect you.

Solution

Affected users have several options:

Questions

Please contact vdt-support@opensciencegrid.org if you have any questions.