As reported in this ggus-ticket, in certain circumstances VOMS Admin accepts membership requests from users without a valid X.509 certificate.
This has no security impact on the server, but can lead to VO admins receiving membership requests with strange user certificate subjects, like the following:
Any VOMS Admin version >= 3.4.0
You can use the check-vo.sh script embedded in this gist to check if the VO is affected.
You need curl to run the script.
Run the script as in the following example:
$ VOMS_HOST=voms.hellasgrid.gr VOMS_VO=dteam sh check-vo.sh
The VO dteam at voms.hellasgrid.gr is NOT affected by the misconfigured unauthenticated client problem.
In this case the script exits with status 0.
When an instance is affected the output will be like:
$ VOMS_HOST=dev.local.io VOMS_VO=test sh check-vo.sh
The VO test at dev.local.io is AFFECTED by the misconfigured unauthenticated client problem.
and the script exits with status 1.
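For a site that hosts several VOs, the documented exit statuses make the check easy to batch. The wrapper below is an added example, not part of the gist; the list-file format, the function names and the handling of exit statuses other than 0 and 1 are assumptions.

```shell
#!/bin/sh
# Added example, not part of the gist: run check-vo.sh over a list of VOs.
# Uses only what the page documents: VOMS_HOST / VOMS_VO in the environment,
# exit 0 = not affected, exit 1 = affected.
# Assumption: any other exit status (curl failure, typo) is shown as ERROR.

# Location of the gist's script (assumed to be in the current directory).
CHECK_VO="${CHECK_VO:-./check-vo.sh}"

# check_one HOST VO: print one status line, return the script's exit status.
check_one() {
    rc=0
    VOMS_HOST="$1" VOMS_VO="$2" sh "$CHECK_VO" </dev/null >/dev/null 2>&1 || rc=$?
    case "$rc" in
        0) echo "OK       $1 $2" ;;
        1) echo "AFFECTED $1 $2" ;;
        *) echo "ERROR    $1 $2 (exit $rc)" ;;
    esac
    return "$rc"
}

# check_all FILE: FILE holds "host vo" pairs, one per line; '#' starts a comment.
# Returns 1 if any VO is affected, 2 if a check failed and none is affected,
# 0 if every VO is clean.
check_all() {
    worst=0
    while read -r host vo rest || [ -n "$host" ]; do
        case "$host" in ''|'#'*) continue ;; esac
        st=0
        if [ -z "$vo" ]; then
            echo "ERROR    $host (no VO name given)"; st=2
        else
            check_one "$host" "$vo" || st=$?
        fi
        case "$st" in
            0) ;;
            1) worst=1 ;;
            *) [ "$worst" -eq 1 ] || worst=2 ;;
        esac
    done < "$1"
    return "$worst"
}

# Usage: sh check-all-vos.sh vos.txt
if [ "$#" -ge 1 ]; then
    check_all "$1"
    exit $?
fi
```

A non-zero result from the wrapper means at least one VO needs attention from the VOMS service administrator, or that a check could not be completed.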
You need the help of the VOMS service administrator for the VO. They can use the check-voms-db.sh script embedded in this gist to check and, if necessary, fix the affected VO.
The script is simple to use: run it without arguments and it will print usage information. Here is an example (xxx, yyy and zzz stand for values that whoever runs the script has to provide):
# MYSQL_USER=xxx MYSQL_PASSWORD=yyy MYSQL_DB=zzz check-voms-db.sh
Checking if VOMS database 'zzz' has the '/O=VOMS/O=System/CN=Unauthenticated Client' internal admin correctly setup.
Detected VOMS Admin database version: 4
'/O=VOMS/O=System/CN=Unauthenticated Client' internal admin found, no action required
If the internal admin is not found, the script will create it and the output will look like:
# MYSQL_USER=xxx MYSQL_PASSWORD=yyy MYSQL_DB=zzz sh check-db.sh
Checking if VOMS database 'zzz' has the '/O=VOMS/O=System/CN=Unauthenticated Client' internal admin correctly setup.
Detected VOMS Admin database version: 4
'/O=VOMS/O=System/CN=Unauthenticated Client' internal admin not found, will create it now
VOMS db 'zzz' is now ok.
Submit a GGUS ticket and we will provide help.