File Transfer and Use of Clear Text Passwords Update

Slides: 11
Provided by: Steph187


1
File Transfer and Use of Clear Text Passwords Update
  • NERSC Users Group Meeting
  • Stephen Lau
  • NERSC
  • November 26, 2009

2
Clear Text Passwords
  • Clear Text Passwords pose significant security risk
  • Major source of security compromises
  • NERSC policy to eliminate clear text passwords
  • NERSC does not allow clear text shell sessions
  • Current primary exposure for NERSC is in file transfer

3
Clear Text Password Goals and Challenges
  • Goals
      • Eliminate all clear text password access to NERSC
      • Continue to allow outbound ftp to non-NERSC sites
  • Challenges
      • Unlike telnet/ssh, no universal cross-platform solution
      • Many solutions still in development phase

4
File Transfer Options
  • Use scp or sftp
      • http://hpcf.nersc.gov/help/access/ssh.html
  • scp
      • Works with SSHv1 and SSHv2
      • Data stream encrypted (performance hit)
  • sftp
      • Works with SSHv2
      • Data stream encrypted (performance hit)
      • Similar interface to ftp

5
File Transfer Options
  • If performance becomes an issue, try ftp with ssh tunneling
      • http://hpcf.nersc.gov/help/access/ssh.html
  • ftp with ssh tunneling
      • Works with SSHv1 and SSHv2
      • Data stream unencrypted (no performance hit)
  • Caveats
      • Requires set up
      • Potential port collision failures

6
Availability
  • sftp, ssh, scp available on
      • Seaborg
      • Crays
      • Newton - Symbolic Mathematics and Statistics Server
      • Escher Visualization Server
      • PDSF

7
File Transfer to HPSS
  • sftp, ssh, scp not available to HPSS
  • Possible future solution of gsi_ftp
      • Not production ready
  • Allow use of current clients without transmitting easily sniffed passwords
      • http://hpcf.nersc.gov/storage/hpss/ftp_nopass.html

8
Key Points to Remember
  • Protect your private keys
      • Don't put them on publicly accessible systems
  • Put a passphrase on your keys
      • ssh-keygen allows you to generate a key with no passphrase
      • DO NOT do this
  • Don't telnet from home to work and then SSH into NERSC
      • Defeats the use of SSH
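
Added example (not part of the original slides): one way to audit key files for the "no passphrase" case named above is to read the key container's own header instead of trying to unlock it. The function and helper names are hypothetical, and the sample keys are constructed, header-only blobs with no key material.

```python
import base64
import struct

MAGIC = b"openssh-key-v1\x00"  # AUTH_MAGIC in OpenSSH's PROTOCOL.key


def key_protection(text):
    """Classify private-key text as 'encrypted', 'unprotected' or 'unknown'."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if len(lines) < 3 or not lines[0].startswith("-----BEGIN "):
        return "unknown"
    label = lines[0][len("-----BEGIN "):].rstrip("-").strip()
    if label == "ENCRYPTED PRIVATE KEY":  # PKCS#8 encrypted container
        return "encrypted"
    if label == "OPENSSH PRIVATE KEY":
        try:
            blob = base64.b64decode("".join(lines[1:-1]))
        except ValueError:
            return "unknown"
        head = len(MAGIC) + 4
        if not blob.startswith(MAGIC) or len(blob) < head:
            return "unknown"
        # The first field after the magic is the length-prefixed cipher name.
        (n,) = struct.unpack(">I", blob[len(MAGIC):head])
        cipher = blob[head:head + n]
        if n == 0 or len(cipher) != n:
            return "unknown"
        return "unprotected" if cipher == b"none" else "encrypted"
    if label.endswith("PRIVATE KEY"):  # legacy PEM (RSA/DSA/EC) or plain PKCS#8
        # Encrypted legacy PEM has a "Proc-Type: 4,ENCRYPTED" header line.
        hit = any(ln.startswith("Proc-Type:") and "ENCRYPTED" in ln
                  for ln in lines[1:3])
        return "encrypted" if hit else "unprotected"
    return "unknown"


def sample_openssh_key(cipher, kdf):
    """Constructed header-only sample (hypothetical helper, no key material)."""
    def field(b):
        return struct.pack(">I", len(b)) + b
    blob = MAGIC + field(cipher) + field(kdf) + field(b"") + struct.pack(">I", 1)
    body = base64.b64encode(blob).decode()
    return ("-----BEGIN OPENSSH PRIVATE KEY-----\n" + body +
            "\n-----END OPENSSH PRIVATE KEY-----\n")


if __name__ == "__main__":
    for cipher, kdf in ((b"none", b"none"), (b"aes256-ctr", b"bcrypt")):
        print(cipher.decode(), "->", key_protection(sample_openssh_key(cipher, kdf)))
```

Any file reported as "unprotected" can be given a passphrase in place with `ssh-keygen -p -f <keyfile>`.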

9
NERSC PKI Infrastructure
  • DOE Science Grid Certificate Authority
      • ESnet
      • Establishes identity
  • Site Registration Authorities / Managers
      • Site authorization
  • Current state
      • ESnet has working CA
      • NERSC has a prototype RA

10
NERSC PKI Infrastructure
  • Key points
      • ESnet verifies certificates
      • NERSC provides authorization
          • Still need to go through NERSC authorization process
      • Certificate interoperability with NIM
          • Even if certificate issued by another organization