SSH key hygiene

[tkphd]

At a minimum, include this in a callout / discussion block:

https://arc-lessons.github.io/security/00_schedule.html

[tkphd]

@davidhenty (EPCC) mentioned some "nightmares" greater-than-typical difficulty running the course last week. During May's crypto-mining attack, stolen SSH keys were used by the ne'er-do-wells to easily hop from one supercomputer to the next. As a result, all SSH keys were purged, and users are currently required to use a strong password – with an SSH key uploaded to a separate server for authentication purposes.

The linked article suggests this is a stop-gap, with passphrase-protected SSH keys and passwords to be required as the real solution. However, at this time, that is not the case.

If I've paraphrased the situation correctly, this unfortunate chain of events underscores the need for SSH key hygiene training, with strong encouragement to purge weak keys.

[davidhenty]

I was being slightly over-dramatic when I said getting people logged on was a nightmare! It was just that, over the 6 years of the service, we had managed to get this stage completely seamless so having any issues at all came as a bit of a culture shock. This run of the course, just after the security incident, had a bit of a perfect storm of novice users, brand new security policies and documentation that was in its first pass and so hadn't yet been completely perfected or tailored for novice users.

However, you're right that this does underscore the need for people to be properly trained on SSH and keys. My understanding was that the main vector for the worldwide attacks was through user SSH keys which had no passwords.

[bkmgit]

Security protocols differ from site to site. Introducing ssh keys is a good idea, material can be taken from https://arc-lessons.github.io/security/00_schedule.html as indicated. However, it may be good to have some of this material in the git lessons as well, perhaps even using a repository where ssh keys are required.