Security: how to change your connection methods¶
Change your password¶
- Connect to one of the frontend nodes
- Type the command
passwdand answer the questions by indicating the current password and then twice the new password. This will change the password of all the frontals.
Change the SSH connection key¶
If you have configured an SSH key to connect to Myria, you must delete the old key, regenerate the passphrase that protects your private key and add the new public one. If you have not configured an SSH connection key, check the contents of the ~/.ssh/authorized_keys file as indicated below.
- On your workstation:
- Regenerate the file pairs (private key/public key) using the
ssh-keygencommand (on Linux/MacOS) or via theputty-genapplication (on Windows).
For obvious security reasons, prefer a connection with a NON-empty passphrase with, in a pinch, the use of an ssh-agent.
- Regenerate the file pairs (private key/public key) using the
- On Myria :
- clean up the authorized keys in the
~/.ssh/authorized_keysfile.
Only the line with the commentlogin@host(wherehostcan bealtair-adm,antaresormytch) at the end of the line should be kept. It allows you to connect to the cluster.
For the other lines, keep only the essential : connections by password will remain possible. - add the new public key in the
~/.ssh/authorized_keysfile
- clean up the authorized keys in the
Case of connections between computer centers¶
If you have set up SSH keys to connect between computer centers, you must also delete the public and private key pairs on each center, re-generate them and rebroadcast the public keys.
Same remark as before: prefer a connection with a NON empty passphrase...
Attention, very important
your private key (file id_rsa) must never be copied on another server... It must remain only on your workstation.
IDRIS recommendations¶
In addition, here are the recommendations from the National IDRIS Center:
For added security, we ask that you do four things:
- take every precaution on your workstation to protect your private key (strong passphrase, restrictive access rights),
- do not copy your private key on IDRIS servers,
- generate RSA keys of at least 4096 bits, or use elliptic curve cryptography algorithms (ECDSA, ed25519)
- Verify that the fingerprints of the public keys of the IDRIS SSH servers to which you are connecting are referenced in this list
-
restrict these keys to the use of the machines you have declared in the IDRIS filters. To do this, you need to edit the
authorized_keysfile on your local machine and add the following string at the beginning of each line containing a key generated on one of the IDRIS machines:from="your_ip"or possibly;from="machine.domaine_local.fr"or ;from="*.machine.domaine_local.fr".
``bash $ cat ~/.ssh/authorized_keys from="machine.domain_local.fr" ssh-rsa AAAAB3NzaC1yc2EA........... login@host ```