1 / 10

File Transfer and Use of Clear Text Passwords Update

File Transfer and Use of Clear Text Passwords Update. NERSC Users Group Meeting Stephen Lau NERSC October 22, 2014. Clear Text Passwords. Clear Text Passwords pose significant security risk Major source of security compromises NERSC policy to eliminate clear text passwords

rhona
Download Presentation

File Transfer and Use of Clear Text Passwords Update

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. File Transfer and Use ofClear Text Passwords Update NERSC Users Group Meeting Stephen Lau NERSC October 22, 2014

  2. Clear Text Passwords • Clear Text Passwords pose significant security risk • Major source of security compromises • NERSC policy to eliminate clear text passwords • NERSC does not allow clear text shell sessions • Current primary exposure for NERSC is in file transfer NUG Meeting October 22, 2014

  3. Clear Text Password Goals and Challenges • Goals • Eliminate all clear text password access to NERSC • Continue to allow outbound ftp to non-NERSC sites • Challenges • Unlike telnet/ssh, no universal cross-platform solution • Many solutions still in development phase NUG Meeting October 22, 2014

  4. File Transfer Options • Use scp or sftp • http://hpcf.nersc.gov/help/access/ssh.html • scp • Works with SSHv1 and SSHv2 • Data stream encrypted (performance hit) • sftp • Works with SSHv2 • Data stream encrypted (performance hit) • Similar interface to ftp NUG Meeting October 22, 2014

  5. File Transfer Options • If performance becomes an issue try ftp with ssh tunneling • http://hpcf.nersc.gov/help/access/ssh.html • ftp with ssh tunneling • Works with SSHv1 and SSHv2 • Data stream unencrypted (no performance hit) • Caveats • Requires set up • Potential port collision failures NUG Meeting October 22, 2014

  6. Availability • sftp, ssh, scp available on: • Seaborg • Crays • Newton - Symbolic Mathematics and Statistics Server • Escher – Visualization Server • PDSF NUG Meeting October 22, 2014

  7. File Transfer to HPSS • sftp, ssh, scp not available to HPSS • Possible future solution of gsi_ftp • Not production ready • Allow use of current clients without transmitting easily sniffed passwords • http://hpcf.nersc.gov/storage/hpss/ftp_nopass.html NUG Meeting October 22, 2014

  8. Key Points to Remember • Protect your private keys • Don’t put them on publicly accessible systems • Put a passphrase on your keys • Ssh-keygen allows you to generate a key with no passphrase • DO NOT do this • Don’t telnet from home to work and then SSH into NERSC • Defeats the use of SSH NUG Meeting October 22, 2014

  9. NERSC PKI Infrastructure • DOE Science Grid Certificate Authority • ESNet • Establishes identity • Site Registration Authorities / Managers • Site authorization • Current state • ESnet has working CA • NERSC has a prototype RA NUG Meeting October 22, 2014

  10. NERSC PKI Infrastructure • Key points • ESNet verifies certificates • NERSC provides authorization • Still need to go through NERSC authorization process • Certificate interoperability with NIM • Even if certificate issued by another organization NUG Meeting October 22, 2014

More Related