GSI OpenSSH Vulnerability
Summary
GSI OpenSSH server, in combination with certain system settings, can allow an authenticated user to become any user on the system.
Relevant Versions
This advisory affects the following VDT versions:
Date Announced
2004-07-13
Description
A security advisory is available from the GSI OpenSSH web page:
http://grid.ncsa.uiuc.edu/ssh/implicitlogin.adv
The vulnerability does not affect OpenSSH, only GSI OpenSSH.
By default, the VDT does not configure computers to use GSI OpenSSH as a
server, and we are not aware of very many VDT users that do this
configuration automatically. If you are not aware of any changes you made
to use GSI OpenSSH from the VDT as a server, you are not impacted.
However, if you are using GSI OpenSSH as a server, it may affect you.
Solution
Affected users have several options:
- Make configuration changes to GSI OpenSSH so that the exploit is unavailable. This is described in the advisory as option #2.
- Stop using the GSI OpenSSH server.
- Upgrade to a new version of GSI OpenSSH.
- Upgrade to VDT 1.2.0 or higher.
Questions
Please contact vdt-support@opensciencegrid.org if you have any questions.