File Transfer and Use of Clear Text Passwords Update

Presentation Transcript

  1. File Transfer and Use of Clear Text Passwords Update
     NERSC Users Group Meeting
     Stephen Lau
     NERSC
     August 10, 2014

  2. Clear Text Passwords
     • Clear Text Passwords pose significant security risk
     • Major source of security compromises
     • NERSC policy to eliminate clear text passwords
     • NERSC does not allow clear text shell sessions
     • Current primary exposure for NERSC is in file transfer
     NUG Meeting August 10, 2014

  3. Clear Text Password Goals and Challenges
     • Goals
       • Eliminate all clear text password access to NERSC
       • Continue to allow outbound ftp to non-NERSC sites
     • Challenges
       • Unlike telnet/ssh, no universal cross-platform solution
       • Many solutions still in development phase

  4. File Transfer Options
     • Use scp or sftp
       • http://hpcf.nersc.gov/help/access/ssh.html
     • scp
       • Works with SSHv1 and SSHv2
       • Data stream encrypted (performance hit)
     • sftp
       • Works with SSHv2
       • Data stream encrypted (performance hit)
       • Similar interface to ftp

  5. File Transfer Options
     • If performance becomes an issue try ftp with ssh tunneling
       • http://hpcf.nersc.gov/help/access/ssh.html
     • ftp with ssh tunneling
       • Works with SSHv1 and SSHv2
       • Data stream unencrypted (no performance hit)
     • Caveats
       • Requires set up
       • Potential port collision failures

  6. Availability
     • sftp, ssh, scp available on:
       • Seaborg
       • Crays
       • Newton - Symbolic Mathematics and Statistics Server
       • Escher – Visualization Server
       • PDSF

  7. File Transfer to HPSS
     • sftp, ssh, scp not available to HPSS
     • Possible future solution of gsi_ftp
       • Not production ready
     • Allow use of current clients without transmitting easily sniffed passwords
       • http://hpcf.nersc.gov/storage/hpss/ftp_nopass.html

  8. Key Points to Remember
     • Protect your private keys
       • Don’t put them on publicly accessible systems
     • Put a passphrase on your keys
       • ssh-keygen allows you to generate a key with no passphrase
       • DO NOT do this
     • Don’t telnet from home to work and then SSH into NERSC
       • Defeats the use of SSH

  9. NERSC PKI Infrastructure
     • DOE Science Grid Certificate Authority
       • ESnet
       • Establishes identity
     • Site Registration Authorities / Managers
       • Site authorization
     • Current state
       • ESnet has working CA
       • NERSC has a prototype RA

  10. NERSC PKI Infrastructure
      • Key points
        • ESnet verifies certificates
        • NERSC provides authorization
        • Still need to go through NERSC authorization process
      • Certificate interoperability with NIM
        • Even if certificate issued by another organization
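
As an added example for slide 8's advice to put a passphrase on private keys (not part of the original presentation): a Python check that reads private key files and reports the ones stored without a passphrase. The function names, file names and key contents are assumptions constructed for illustration, and the binary SSHv1 key format is not handled.

```python
import base64
import struct

OPENSSH_MAGIC = b"openssh-key-v1\x00"  # magic at the start of an OpenSSH-format key

def is_passphrase_protected(pem_text):
    """True/False for a recognised private key, None for anything else."""
    lines = [ln.strip() for ln in pem_text.strip().splitlines()]
    if len(lines) < 2 or not lines[0].startswith("-----BEGIN "):
        return None
    label = lines[0][len("-----BEGIN "):].rstrip("-")
    body = lines[1:-1]
    if label in ("ENCRYPTED PRIVATE KEY", "PRIVATE KEY"):  # PKCS#8 containers
        return label.startswith("ENCRYPTED")
    if label == "OPENSSH PRIVATE KEY":
        try:
            blob = base64.b64decode("".join(body))
        except ValueError:
            return None
        off = len(OPENSSH_MAGIC)
        if not blob.startswith(OPENSSH_MAGIC) or len(blob) < off + 4:
            return None
        (n,) = struct.unpack(">I", blob[off:off + 4])
        return blob[off + 4:off + 4 + n] != b"none"  # cipher "none" = no passphrase
    if label.endswith(" PRIVATE KEY"):  # legacy RSA/DSA/EC PEM
        return any(ln.startswith("Proc-Type:") and "ENCRYPTED" in ln for ln in body)
    return None

def find_unprotected(keys):
    """keys maps a file name to its text; returns names of keys with no passphrase."""
    return sorted(name for name, text in keys.items()
                  if is_passphrase_protected(text) is False)

def _openssh_sample(cipher):
    # Constructed header only (no key material): magic + ciphername + kdfname.
    kdf = b"none" if cipher == b"none" else b"bcrypt"
    blob = OPENSSH_MAGIC + b"".join(struct.pack(">I", len(f)) + f for f in (cipher, kdf))
    return ("-----BEGIN OPENSSH PRIVATE KEY-----\n" + base64.b64encode(blob).decode()
            + "\n-----END OPENSSH PRIVATE KEY-----\n")

# Constructed sample inputs; none of these contain real key material.
SAMPLES = {
    "id_ed25519_open": _openssh_sample(b"none"),
    "id_ed25519_locked": _openssh_sample(b"aes256-ctr"),
    "id_rsa_locked": "-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                     "DEK-Info: AES-128-CBC,00\n\nQUJD\n-----END RSA PRIVATE KEY-----\n",
    "id_rsa_open": "-----BEGIN RSA PRIVATE KEY-----\nQUJD\n-----END RSA PRIVATE KEY-----\n",
    "id_rsa.pub": "ssh-rsa QUJD user@example\n",
}
print(find_unprotected(SAMPLES))
```

A key the check flags can be given a passphrase in place with `ssh-keygen -p -f <keyfile>`.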