Potential security issue on "Connecting to the remote HPC system" page #22
Comments
@mattgillucl Thanks for raising this. Many people use a password manager (e.g. LastPass) where you can store the password and copy and paste it across so I think this is a valid statement. However, I think a callout with a note that you should not store passwords saved in normal files and that password managers are out there to help with this issue would be a useful addition. Do you want to write something and issue a PR? If you are not able to do this, then I am happy to look at it. |
Hi @aturner-epcc, it's probably best if you do this, please, as it might be a little while before I can do it. Thanks |
Good catch, @mattgillucl. We should rephrase this to focus on using the SSH agent, with a timeout, to teach & encourage best practices with SSH keys. |
I agree, IMHO the sentence should be dropped. As suggested earlier, a notice should be prepared about security issues related to manual password stores, password managers, ssh keys, ssh keys without passphrases ... oh my, that is an entire lesson on its own. I know that @aturner-epcc knows some HPC slated material along these lines.
Long story short: drop the sentence and we should put up a warning.
|
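The "SSH agent with a timeout" workflow suggested in the comment above, as an added example that is not part of the lesson or of this thread: the passphrase is typed once into `ssh-add`, the agent holds the decrypted key for a bounded lifetime, and nothing is ever copied from a file or clipboard into the terminal. It assumes the OpenSSH client tools (`ssh-agent`, `ssh-add`, `ssh-keygen`) are on the PATH; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the lesson): hold an SSH key in ssh-agent with a
# bounded lifetime instead of pasting a password or passphrase.

# Start an agent whose identities expire after $1 seconds (ssh-agent -t sets
# the default lifetime). Exports SSH_AUTH_SOCK / SSH_AGENT_PID into the
# current shell; returns non-zero if the agent did not come up.
start_agent_with_timeout() {
    seconds="$1"
    eval "$(ssh-agent -s -t "$seconds")" >/dev/null
    [ -S "$SSH_AUTH_SOCK" ] && [ -n "$SSH_AGENT_PID" ]
}

# Add the private key $1 with its own lifetime of $2 seconds. A per-key
# ssh-add -t overrides the agent-wide default above. For a passphrase-
# protected key this is the one place the passphrase is typed.
add_key_with_timeout() {
    keyfile="$1"
    seconds="$2"
    ssh-add -t "$seconds" "$keyfile" 2>/dev/null
}

# True if the running agent currently holds the key $1, matched by the
# fingerprint ssh-keygen prints for the key file.
agent_holds_key() {
    fp="$(ssh-keygen -lf "$1" | awk '{print $2}')"
    [ -n "$fp" ] || return 1
    ssh-add -l 2>/dev/null | grep -q -F "$fp"
}

# Kill the agent started by start_agent_with_timeout and clear its variables.
stop_agent() {
    [ -n "$SSH_AGENT_PID" ] && kill "$SSH_AGENT_PID" 2>/dev/null
    unset SSH_AUTH_SOCK SSH_AGENT_PID
}

# Typical session (hypothetical key path): keys vanish from the agent after
# 8 hours, and this one after 1 hour, whichever comes first.
# start_agent_with_timeout 28800
# add_key_with_timeout "$HOME/.ssh/id_ed25519" 3600
# ssh user@login.example.org   # no password prompt while the key is loaded
```

After the lifetime expires, `ssh-add -l` no longer lists the key and the next `ssh` falls back to asking for the passphrase, so a forgotten session or a stolen laptop does not carry an unlocked key indefinitely. Real keys should still be generated with a passphrase; the agent removes the reason to leave it off.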
Actually, I am wondering if PuTTY should be used on this course for a Windows user... On the "Moving around and looking at things" episode, at one point it tells the user to open a second terminal, such that they have one open on the remote server and one on their local system. ("Open a second terminal window on your local computer and run the ls command without logging in remotely. What differences do you see?") I emailed the maintainer of PuTTY, Simon Tatham, and asked him if PuTTY could be used in a Unix-like way on a Windows PC. This was his response:
|
Indeed, we need to update this. (I think this should be a separate issue) There are other choices for Windows users too:
- git bash has a working `ssh` binary coming with it AFAIK
- [MobaXterm](https://mobaxterm.mobatek.net/) (supporting multiple parallel sessions)
- there is the windows subsystem for Win10 and (likely) any version above
- there is good old putty
- there is cygwin
For our learners, I would prefer:
1. mobaxterm (a plain-to-install GUI which is cross-windows platform)
2. WSL or git bash
3. putty if need be
4. cygwin
|
At the moment, the following text appears on this page:
"Note that you may want to paste in your password rather than typing it. Use control/Ctrl plus a right-click of the mouse to paste content from the clipboard to the PuTTY terminal."
This implies that the user has copied it from somewhere else, e.g. a file storing the password in plain text.
That isn't good practice, so I suggest this text be removed.