SSH key hygiene #164
Comments
@davidhenty (EPCC) mentioned The linked article suggests this is a stop-gap, with passphrase-protected SSH keys and passwords to be required as the real solution. However, at this time, that is not the case. If I've paraphrased the situation correctly, this unfortunate chain of events underscores the need for SSH key hygiene training, with strong encouragement to purge weak keys.
I was being slightly over-dramatic when I said getting people logged on was a nightmare! It was just that, over the 6 years of the service, we had managed to get this stage completely seamless so having any issues at all came as a bit of a culture shock. This run of the course, just after the security incident, had a bit of a perfect storm of novice users, brand new security policies and documentation that was in its first pass and so hadn't yet been completely perfected or tailored for novice users. However, you're right that this does underscore the need for people to be properly trained on SSH and keys. My understanding was that the main vector for the worldwide attacks was through user SSH keys which had no passwords.
Security protocols differ from site to site. Introducing SSH keys is a good idea; material can be taken from https://arc-lessons.github.io/security/00_schedule.html as indicated. However, it may be good to have some of this material in the git lessons as well, perhaps even using a repository where SSH keys are required.
At a minimum, include this in a callout / discussion block:
https://arc-lessons.github.io/security/00_schedule.html