Note: This web site is only kept up to date for OSG Software 1.2 (VDT 2.0.0). If you are looking for information for the most recent release, the RPM-based OSG Software 3.0, please see the OSG documentation web site

GSI OpenSSH Vulnerability


GSI OpenSSH server, in combination with certain system settings, can allow an authenticated user to become any user on the system.

Relevant Versions

This advisory affects the following VDT versions:

Date Announced



A security advisory is available from the GSI OpenSSH web page:

It does not affect OpenSSH, just GSI OpenSSH.

By default, the VDT does not configure computers to use GSI OpenSSH as a server, and we are not aware of very many VDT users that do this configuration automatically. If you are not aware of any changes you made to use GSI OpenSSH from the VDT as a server, you are not impacted. However, if you are using GSI OpenSSH as a server, it may affect you.


Affected users have several options:


Please contact if you have any questions.