|Using Jazz | Getting Started | About the LCRC | Presentations | Status | FAQ | Search | Main Page|
This document explains the policies users must follow when creating, storing, and using SSHv2 keys for accessing the LCRC Jazz cluster.
The ability to crack SSHv2 keys depends directly on the type of key, the number of bits in the key, and the strength/quality and secrecy of the passphrase. The above guidelines are intended to minimize the risk of compromise if someone obtained a copy of your keys or was able to intercept your SSH session.
Failure to comply with the strong passphrase guidelines may make your passphrase guessable by people who are resourceful in finding information about you, or crackable using commonly available cracking software.
You should NOT use the passphrase to your Jazz SSH key(s) as a password on any other machines. If you share passwords or passphrases between resources and one resource is compromised and passwords or passphrases are stolen, they could be used to compromise Jazz.
If you learn of a security compromise at a remote site where you have an account please notify email@example.com.
NEVER GIVE YOUR PASSPHRASE TO ANYONE! Never tell anyone over the phone your passphrase or password. Nobody from MCS or LCRC will ask for your passphrase or password over the phone. (We can access your account without it. System administrators never need to know your passphrase or password.) If someone calls you and asks for your passphrase or password, please report this by sending mail to firstname.lastname@example.org. If you receive electronic mail (email) from someone requesting your passphrase or password (including email@example.com and root), please inform us immediately.
NEVER WRITE YOUR PASSPHRASE OR PASSWORD DOWN. Make your passphrase unique but something you can remember so you don't have to write it down. Having a longer passphrase can help you remember it. If the piece of paper you write your passphrase down on is stolen, your SSH keys could be compromised.
Protecting your ssh private keys is important:
Public keys don't need to be protected:
Security of SSH keys depends on keeping both the private key and the passphrase secret. The best way to keep the private key secure is to store it on known secure machines like a personal laptop or workstation. When a machine is compromised the private keys on that machine are available to the hacker. It's very important to keep your private keys on as few machines as possible, to pick the most secure machines possible, and to avoid whenever possible storing them on machines and file-systems available to many users.
If you wish to be even more secure, you can keep your keys on external media, such as a USB memory stick. Then when you wish to log onto a remote computer, mount the external media on your local system, add the key to your ssh-agent with a very short timeout (1 minute is reasonable), unmount the external media and open the connection to the remote system. This allows you get access to the remote system while keeping your private key virtually inaccessible to any remote hacker. For information on using ssh-agent read the ssh-agent section of the 'Setting up SSH on Jazz' document or read the ssh-agent man page.
For the remote machine to accept your ssh connection it must have your public key. Your SSHv2 public keys should be stored in the ~/.ssh/authorized_keys file. Instructions for setting up your keys on Jazz are available at http://www.lcrc.anl.gov/jazz/Documentation/General/sshkey.php.
If you ssh many times and you wish to avoid typing in the passphrase every time, you can use an ssh-agent. An ssh-agent allows your client machine to keep a decrypted form of your ssh private key in memory for use when ssh'ing to multiple machines. For information on using ssh-agent read the ssh-agent section of the 'Setting up SSH on Jazz' document or read the ssh-agent man page.
You may use ssh-agent forwarding when connecting thru one machine to another machine. But, because of security issues, you should only enable agent forwarding for connections where you will need it and shutdown the connection as soon as you are finished using it.
set CYGWIN=tty nteain C:\cygwin\cygwin.bat. With this,
chmod 0600 ~/.ssh/id_rsaworks as in Unix.
You should also restrict access to your cygwin directory under windows to yourself and your system administrators only.
Last Updated: 4/28/2004 As of Monday, April 26th, you will need to be onsite or using the VPN for the above command to work. If you are not, please visit https://www-accounts.mcs.anl.gov/account.php and upload your public key and call the Help Desk at (630) 252-6813 to have that key moved to your authorized_keys file.