100 likes | 216 Views
File Transfer and Use of Clear Text Passwords Update. NERSC Users Group Meeting Stephen Lau NERSC October 22, 2014. Clear Text Passwords. Clear Text Passwords pose significant security risk Major source of security compromises NERSC policy to eliminate clear text passwords
E N D
File Transfer and Use ofClear Text Passwords Update NERSC Users Group Meeting Stephen Lau NERSC October 22, 2014
Clear Text Passwords • Clear Text Passwords pose significant security risk • Major source of security compromises • NERSC policy to eliminate clear text passwords • NERSC does not allow clear text shell sessions • Current primary exposure for NERSC is in file transfer NUG Meeting October 22, 2014
Clear Text Password Goals and Challenges • Goals • Eliminate all clear text password access to NERSC • Continue to allow outbound ftp to non-NERSC sites • Challenges • Unlike telnet/ssh, no universal cross-platform solution • Many solutions still in development phase NUG Meeting October 22, 2014
File Transfer Options • Use scp or sftp • http://hpcf.nersc.gov/help/access/ssh.html • scp • Works with SSHv1 and SSHv2 • Data stream encrypted (performance hit) • sftp • Works with SSHv2 • Data stream encrypted (performance hit) • Similar interface to ftp NUG Meeting October 22, 2014
File Transfer Options • If performance becomes an issue try ftp with ssh tunneling • http://hpcf.nersc.gov/help/access/ssh.html • ftp with ssh tunneling • Works with SSHv1 and SSHv2 • Data stream unencrypted (no performance hit) • Caveats • Requires set up • Potential port collision failures NUG Meeting October 22, 2014
Availability • sftp, ssh, scp available on: • Seaborg • Crays • Newton - Symbolic Mathematics and Statistics Server • Escher – Visualization Server • PDSF NUG Meeting October 22, 2014
File Transfer to HPSS • sftp, ssh, scp not available to HPSS • Possible future solution of gsi_ftp • Not production ready • Allow use of current clients without transmitting easily sniffed passwords • http://hpcf.nersc.gov/storage/hpss/ftp_nopass.html NUG Meeting October 22, 2014
Key Points to Remember • Protect your private keys • Don’t put them on publicly accessible systems • Put a passphrase on your keys • Ssh-keygen allows you to generate a key with no passphrase • DO NOT do this • Don’t telnet from home to work and then SSH into NERSC • Defeats the use of SSH NUG Meeting October 22, 2014
NERSC PKI Infrastructure • DOE Science Grid Certificate Authority • ESNet • Establishes identity • Site Registration Authorities / Managers • Site authorization • Current state • ESnet has working CA • NERSC has a prototype RA NUG Meeting October 22, 2014
NERSC PKI Infrastructure • Key points • ESNet verifies certificates • NERSC provides authorization • Still need to go through NERSC authorization process • Certificate interoperability with NIM • Even if certificate issued by another organization NUG Meeting October 22, 2014