"SSH Receipts"

The goal of the "SSH receipts" notification sent to users is to detect compromised accounts.

We have seen in the past compromised (Linux or Windows) computers or Web applications at remote sites, labs or universities stealing the passwords of those who log into these computers. Users do not necessarily notice that their password got stolen, and continue to connect to CERN using SSH, CERN SSO, or the CERN Terminal Service. Usually they do this from a small number of well-defined locations, e.g. from home, from their university, etc. Attackers who have gained knowledge of the credentials of a particular user will also use these credentials to connect to CERN, but not necessarily from that user's "usual" locations.

Therefore, each time the Security Team detects a new connection from a location "never" used before ("never" meaning within the last few months), the user is sent such an "SSH receipt". This "new" domain or location can be a conference venue or a hotel used during private or professional travel. For each new connection, there are three possibilities:

  • If this connection was legitimate, e.g. if you were indeed connecting from that conference hotel or from a friend's place, everything is fine and no further action is expected;
  • If this connection was not initiated by you, you are advised to contact Computer.Security@cern.ch, since your account has most likely been misused;
  • If in doubt, we recommend that you change your password.

Notifications are only sent for each new domain or geographical location, not for every new IP address in that domain. In any case, the new domain or location is whitelisted, so you are not notified again when using it later. Given our past experience, we accept that we might not detect a compromised account if the attacker uses the same location as you. Only if this domain/location remains idle for about three months do we purge it from the whitelist.
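The following is an added illustration of the whitelist logic described above, written for this page and not CERN's own implementation. It assumes a simple log format ("timestamp user source-IP") and replaces the reverse-DNS / geolocation step with a constructed lookup table, so it runs offline on RFC 5737 documentation addresses; a real deployment would resolve each IP to its domain or location instead. It shows the three behaviours the text describes: a receipt on the first login from a location, no receipt for a second IP in the same domain, and a fresh receipt once a location has been idle longer than the purge window.

```python
from datetime import datetime, timedelta

# Constructed sample authentication log: "<ISO timestamp> <user> <source IP>".
# Addresses are RFC 5737 documentation ranges, not real data.
SAMPLE_LOG = """\
2024-01-10T08:00:00 alice 192.0.2.10
2024-01-11T09:30:00 alice 192.0.2.11
2024-02-01T18:45:00 alice 198.51.100.5
2024-02-03T07:10:00 alice 198.51.100.5
2024-06-15T10:00:00 alice 192.0.2.10
2024-06-16T22:05:00 bob 203.0.113.7
"""

# Constructed stand-in for the reverse DNS / geolocation step (hypothetical
# mapping, not a real service): two IPs of the same domain map to one location.
IP_TO_LOCATION = {
    "192.0.2.10": "example-university.edu",
    "192.0.2.11": "example-university.edu",
    "198.51.100.5": "conference-hotel.example",
    "203.0.113.7": "home-isp.example",
}

IDLE_PURGE = timedelta(days=90)  # "about three months" of inactivity


def parse_line(line):
    """Split one constructed log line into (user, ip, datetime)."""
    ts, user, ip = line.split()
    return user, ip, datetime.fromisoformat(ts)


class ReceiptTracker:
    """Whitelist of (user, location) -> time of the last login from there."""

    def __init__(self, idle_purge=IDLE_PURGE):
        self.idle_purge = idle_purge
        self.last_seen = {}

    def record_login(self, user, location, when):
        """Update the whitelist; return True if a receipt should be sent."""
        key = (user, location)
        last = self.last_seen.get(key)
        self.last_seen[key] = when
        # New location, or one idle longer than the purge window (it would
        # already have been dropped from the whitelist), triggers a receipt.
        return last is None or (when - last) > self.idle_purge

    def purge_idle(self, now):
        """Drop whitelist entries idle longer than the purge window; return count."""
        stale = [k for k, t in self.last_seen.items() if now - t > self.idle_purge]
        for k in stale:
            del self.last_seen[k]
        return len(stale)


def run_sample(log=SAMPLE_LOG, purge_at="2024-06-16T23:59:59"):
    """Replay the log, collect receipts, then run one purge pass."""
    tracker = ReceiptTracker()
    receipts = []
    for line in log.splitlines():
        user, ip, when = parse_line(line)
        location = IP_TO_LOCATION.get(ip, "unknown-location:" + ip)
        if tracker.record_login(user, location, when):
            receipts.append((user, location, ip, when.date().isoformat()))
    purged = tracker.purge_idle(datetime.fromisoformat(purge_at))
    return {
        "receipts": receipts,
        "purged": purged,
        "whitelist": sorted(tracker.last_seen),
    }


if __name__ == "__main__":
    result = run_sample()
    for user, location, ip, day in result["receipts"]:
        print(f"receipt to {user}: new login from {location} ({ip}) on {day}")
    print(f"purged {result['purged']} idle entries; whitelist now {result['whitelist']}")
```

Note the deliberate blind spot the page itself admits: alice's second IP inside example-university.edu produces no receipt, so an attacker connecting from a domain the user already uses would go unnoticed by this mechanism alone.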

Please note that for humans, "locations" are much easier to understand than "IP addresses". Therefore, we use a geolocation service to give you an idea of where this IP address belongs. Usually this works pretty well, but sometimes there are mismatches. Have mercy. To check for yourself, go for example to http://en.utrace.de and type in the IP address you want to localize.

Also note that CERN offers multiple ways to access its services, including Web, Mail, and SSH. Work is ongoing to improve the coverage of the "SSH Receipts" service, but not all authenticated services can be covered at this time. As a result, depending on the authentication service used, you may or may not receive a notification.