Lab Security Policy: Difference between revisions
Jump to navigation
Jump to search
No edit summary |
|||
| Line 8: | Line 8: | ||
'''You can only access our cluster via ssh from a secure machine''' | '''You can only access our cluster via ssh from a secure machine''' | ||
What is a secure machine you may ask? As of Monday, | What is a secure machine you may ask? As of Monday, June 16, our answer is as follows. | ||
"A secure machine is one that we control and can thus protect." This includes: | "A secure machine is one that we control and can thus protect." This includes: | ||
* The | * The portals | ||
* Desktops we control in CCBR | * Desktops we control in CCBR, BH and GH. | ||
* | * Your laptop, using our own VPN. | ||
No other machine is assumed secure. This includes | * Machines in racks we control. | ||
No other machine is assumed secure. This includes other groups' clusters in BH and GH, the QB3 shared cluster, and connections via UCSF's VPN. To access our cluster from these or any other machines we do not treat as secure, you must use a portal or our own VPN. | |||
== Rules == | == Rules == | ||
* You can only access the portals using an ssh key. | * You can only access the portals using an ssh key. | ||
* | * Insecure ssh keys will be revoked without notice. [[How_to_generate_ssh_keys_securely]]. | ||
== Advice == | == Advice == | ||
| Line 28: | Line 28: | ||
== Conclusion == | == Conclusion == | ||
* Misuse of sshkeys is a very serious matter. Please guard your ssh key access as you would your bank account. | * Misuse of sshkeys is a very serious matter. Please guard your ssh key access as you would your bank account. | ||
* some people call ssh keys "ssl keys". It is the same thing, and ssl is arguably more correct. | * some people call ssh keys "ssl keys". It is the same thing, and ssl is arguably more correct. Nevermind. | ||
If you have any doubts about appropriate use of ssh keys or passwords, or suggestions about how to improve security, please write the [[sysadmin]]s. | If you have any doubts about appropriate use of ssh keys or passwords, or suggestions about how to improve security, please write the [[sysadmin]]s. | ||
Revision as of 15:37, 16 June 2014
No security system is perfect. There is a tradeoff between security and ease of use. We have tried to find a way to let you do your work in peace. Getting hacked is a big deal. Please be mindful.
Summary
Our security policy can be summarized as follows:
You can only access our cluster via ssh from a secure machine
What is a secure machine you may ask? As of Monday, June 16, our answer is as follows.
"A secure machine is one that we control and can thus protect." This includes:
- The portals
- Desktops we control in CCBR, BH and GH.
- Your laptop, using our own VPN.
- Machines in racks we control.
No other machine is assumed secure. This includes other groups' clusters in BH and GH, the QB3 shared cluster, and connections via UCSF's VPN. To access our cluster from these or any other machines we do not treat as secure, you must use a portal or our own VPN.
Rules
- You can only access the portals using an ssh key.
- Insecure ssh keys will be revoked without notice. How_to_generate_ssh_keys_securely.
Advice
- Ssh keys must be protected at all times and must never be shared with anyone, even family members or labmates.
- Use different passwords for your bank, your email, and your cluster access. If one is hacked, the damage is contained.
- If you have an account on a system that is hacked, please a. tell us you were hacked so we can revoke your ssh key and b. change your password asap if you think it could have been compromised.
Conclusion
- Misuse of sshkeys is a very serious matter. Please guard your ssh key access as you would your bank account.
- some people call ssh keys "ssl keys". It is the same thing, and ssl is arguably more correct. Nevermind.
If you have any doubts about appropriate use of ssh keys or passwords, or suggestions about how to improve security, please write the sysadmins.