TTU Home IT Division HPCC

Security


1) Login security

HPCC periodically checks all passwords on our systems for security using a dictionary-search algorithm. This form of "cracking" is not feasible for general users because passwords are "shadowed" on HPCC systems, but the check detects insecure passwords which may be guessed. Insecure passwords are those that contain, as substrings, dictionary words or names in any language, forward or reversed. A better password contains a more random collection of characters, but not so random that it must be written on your monitor. A good method is to memorize a sentence and use the first letter of each word, for this sentence Agmitmas... It is also desirable to add numeric and nonalphabetic characters to passwords.

HPCC systems have RSA authentication enabled for passwordless login. You may choose whether to enable this on each system by adding RSA keys from remote systems to ~/.ssh/authorized_keys. Please be careful. If enabled, this allows an intruder to enter all of your accounts if one is cracked. We strongly suggest that you do not add a key for a system that is itself insecure (MS Windows, security not up to date, telnet enabled, etc.) as this allows intruders user access to HPCC systems which can then be escalated to root access and total control.

2) Cluster Internal Security

On first login to a cluster head node, SSH will ask you for a key phrase. This is not generally needed. It is reasonably secure, and makes login to the compute nodes simpler, if you leave this key blank (hit the enter key at this prompt). From the head node, you should be able to either ssh or rsh to all of the compute nodes in that cluster without a password. If either ssh or rsh prompts for a password on cluster head to compute login, please contact HPCC staff, as parallel software generally depends on passwordless login. More complex methods will be required if you have a non-blank SSH key phrase on the cluster head nodes.

Remote shell or rsh only works within each cluster. If you are extremely concerned about security, you may wish to use only ssh within clusters. rsh is faster as it does not encrypt each transmission, but the transmissions can be intercepted and decoded. This is generally not an issue, since root access to the cluster is required to intercept the messages, and this interception procedure would not be necessary for a cracker who already had root access.

MPI on clusters also uses either ssh or rsh for data transmission. Alternative MPI libraries are provided which use ssh or rsh, and for each Fortran compiler, in /home/local. Please include, link, and mpirun from the same library. The Fortran version does not matter if you use only gcc/g++. On Opteron compilers, there will be additional libraries for the IA32 and AMD64 ABI's. There could be as many as 2 remote shells x 3 Fortran versions x 2 ABI's or 12 MPI versions, but not all the Fortran compilers will have AMD64 versions.

3) Data Security

We currently store data on a resilient system and back up a limited amount of user data, however we strongly encourage users to maintain a copy of all the data which is absolutely critical for their research.  Ultimately, we do not have the budget to guarantee that data will not be lost.  As a result, it is the researcher’s responsibility to back up their own important data on their own systems. In HPCC systems, the conflict between performance, size, cost, and reliability is generally resolved in favor of large size at medium performance at low cost. Reliability necessarily suffers. Most of the cluster disk storage is composed of arrays of consumer-grade disks. Disk failures are relatively common, but single-disk failures are usually automatically handled by RAID software.

Critical files, such as source code and output required for a paper or dissertation, should be periodically copied to each user's personal machine and further backed up to removable media and stored offsite.

Regardless of the directory permissions, root users (HPCC staff and anyone who might completely crack the system) can read your files. If you want to make extremely sure that no-one reads your files, install the PGP package and encrypt your critical files. You would also need to eliminate backup copies from the Tivoli system. However, if you encrypt and then forget your pass phrase, the files can be extremely difficult to decrypt depending on the size of your encryption key.