
IT Center Blog

Protecting the HPC account with MFA

January 27th, 2023


Just under a dozen of Europe’s supercomputers were taken offline simultaneously in May 2020. Several university centres in Europe were attacked by hackers and had to go offline. The unknown perpetrators hacked user accounts in order to gain access to the supercomputers. Fortunately, our high-performance computer was not affected, but JURECA, JUWELS and JUDAC at the Jülich Supercomputing Centre, Hawk at the Stuttgart High Performance Computing Centre and the supercomputers at the Leibniz Computing Centre (LRZ), for example, fell victim to the attack.

What Did the Attacks Look Like?

Researchers do not connect directly to the supercomputer on site, but use online access via the universities’ secure VPN network. At RWTH, until the end of 2022, logging in was done with the respective HPC account, the corresponding password and, voluntarily, an SSH key (Secure Shell key). According to the LRZ, the hackers combined two vulnerabilities in their attacks. They used compromised accounts of users on external systems whose SSH keys were configured with empty passphrases. In addition, the LRZ reported that a bug in the software allowed the hackers to use administration rights. [0]

Two-Factor Authentication at the IT Center

Against the background of these attacks and regular phishing incidents, access to our HPC systems will in future be protected against misuse by third parties by means of two-factor authentication (2FA). Especially with regard to the protection of your research data, we recommend that you use MFA. Currently, we are still in a pilot phase and the two-factor authentication is only activated on the node login18-4.hpc.itc.rwth-aachen.de. For broad security, we are planning to extend it to other nodes in the coming months. For the time being, logging in to other nodes remains possible without a second factor.

But What Is Two-Factor Authentication?

The topic of 2FA will probably already sound familiar to you. Multifactor-authentication (MFA) is the combination of at least two factors, ideally of different types. We use this data pair to authenticate ourselves on various websites. You can find a detailed explanation with background knowledge in our blog post on RegApp.

Implementing Two-Factor Authentication in the RegApp

You can decide to use two-factor authentication by adding a second factor in the form of an authentication token to your RegApp account. The prerequisite is, of course, an active HPC account. You can choose between two token variants: smartphone tokens or a TAN list. To use the smartphone token, you need a suitable app in accordance with RFC 6238, such as Google Authenticator, Microsoft Authenticator, FreeOTP or Sophos Authenticator.
The TAN list serves as a backup in case you no longer have access to your other tokens. Detailed instructions on how to set up and use multifactor-authentication can be found on IT Center Help. If you have activated MFA, you will be asked for the second factor every time you try to log in. If you want to avoid having to enter it all the time, you can create an SSH key pair and link it to your account. If the private key is on your private computer, you will only have to enter the second factor every 10 hours.
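How an RFC 6238 smartphone token and a verifier arrive at the same code, shown as an added example that is not RegApp's or the IT Center's own code. The drift window of one 30-second step and the `last_counter` replay check are assumptions of this sketch; the key is the published test secret from RFC 6238 Appendix B.

```python
import hashlib
import hmac
import struct

RFC_TEST_KEY = b"12345678901234567890"  # published test secret (RFC 6238, Appendix B)


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # low nibble of the last byte selects 4 bytes
    value = struct.unpack_from(">I", mac, offset)[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(key: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP where the counter is the number of elapsed time steps."""
    return hotp(key, unix_time // step, digits)


def verify(key: bytes, submitted: str, unix_time: int,
           last_counter: int = -1, window: int = 1, step: int = 30):
    """Return the matched time-step counter, or None if the code is rejected.

    Codes from +/- `window` steps are accepted to tolerate clock drift.
    Steps at or below `last_counter` are refused so a code works only once.
    """
    current = unix_time // step
    matched = None
    for counter in range(max(0, current - window), current + window + 1):
        same = hmac.compare_digest(hotp(key, counter).encode(), submitted.encode())
        if same and counter > last_counter:
            matched = counter
    return matched


if __name__ == "__main__":
    code = totp(RFC_TEST_KEY, 59)
    print("code at t=59:", code)
    step_used = verify(RFC_TEST_KEY, code, 89)  # entered 30 s late
    print("accepted for step:", step_used)
    print("replay:", verify(RFC_TEST_KEY, code, 89, last_counter=step_used))
```

The caller stores the returned counter per account and passes it back as `last_counter` on the next login attempt.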

We have put together a step-by-step guide to using multifactor-authentication on CLAIX for you on IT Center Help.

What Are SSH keys?

The Secure Shell (SSH) enables encrypted access to the command line on HPC systems as well as encrypted data transfer. Authentication can be done via key pairs instead of entering a password. The SSH key pairs consist of a private key and a public key. The public key is stored on the HPC system and the private key is stored on the user’s computer.

The private key must be particularly protected:

  • It must not fall into the hands of others. Whoever gets hold of the private key also has access to the HPC system.
  • For this reason, we recommend that you secure the SSH key with a passphrase. The passphrase is entered when the key pair is generated. It should be chosen like a password.
  • It makes sense to generate a separate key pair for each HPC system.
  • Keys with as many bits as possible should be created.
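Since the 2020 attacks relied on SSH keys with empty passphrases, the following added example (not IT Center code) checks whether a private key file is passphrase-protected by reading only its header. The sample keys are constructed and contain no key material; function names are chosen for this sketch.

```python
import base64
import struct

MAGIC = b"openssh-key-v1\x00"  # header of the OpenSSH private key format


def _ssh_string(buf: bytes, pos: int):
    """Read one SSH wire string (uint32 length + bytes); return (value, next_pos)."""
    (length,) = struct.unpack_from(">I", buf, pos)
    end = pos + 4 + length
    if end > len(buf):
        raise ValueError("truncated key blob")
    return buf[pos + 4:end], end


def passphrase_status(key_text: str) -> str:
    """Classify a private key file as 'encrypted', 'unencrypted' or 'unknown'."""
    lines = [ln.strip() for ln in key_text.strip().splitlines()]
    if not lines or not lines[0].startswith("-----BEGIN "):
        return "unknown"
    if lines[0] == "-----BEGIN OPENSSH PRIVATE KEY-----":
        body = "".join(ln for ln in lines[1:] if not ln.startswith("-----"))
        try:
            blob = base64.b64decode(body)
            if not blob.startswith(MAGIC):
                return "unknown"
            cipher, pos = _ssh_string(blob, len(MAGIC))
            kdf, _ = _ssh_string(blob, pos)
        except (ValueError, struct.error):
            return "unknown"
        # An empty passphrase is stored as cipher "none" with KDF "none".
        return "unencrypted" if (cipher, kdf) == (b"none", b"none") else "encrypted"
    if lines[0] == "-----BEGIN ENCRYPTED PRIVATE KEY-----":
        return "encrypted"  # PKCS#8 with password-based encryption
    if lines[0].endswith(" PRIVATE KEY-----"):
        # Legacy PEM keys announce encryption in a Proc-Type header line.
        protected = any(ln.startswith("Proc-Type: 4,ENCRYPTED") for ln in lines[1:4])
        return "encrypted" if protected else "unencrypted"
    return "unknown"


def sample_openssh_key(cipher: bytes, kdf: bytes) -> str:
    """Constructed header-only sample with no key material, for the demo below."""
    blob = MAGIC + b"".join(struct.pack(">I", len(f)) + f for f in (cipher, kdf, b""))
    b64 = base64.b64encode(blob).decode()
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{b64}\n-----END OPENSSH PRIVATE KEY-----\n"


if __name__ == "__main__":
    print(passphrase_status(sample_openssh_key(b"none", b"none")))
    print(passphrase_status(sample_openssh_key(b"aes256-ctr", b"bcrypt")))
```

Run over the private key files in your own `~/.ssh`, any result of `unencrypted` marks a key that should be given a passphrase or replaced.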

You can find out how to integrate an SSH key into your HPC account on IT Center Help.

In order to strengthen the protection of your HPC account and your research data, it makes sense to use two-factor authentication and also to follow the security instructions for SSH keys. That way, together we can make our HPC system even more secure.

We have compiled further guidance around multifactor-authentication and the RegApp for you on IT Center Help.

Sources:

[0] https://www.heise.de/news/Nach-Angriff-auf-HPC-Systeme-Supercomputing-nur-zu-Geschaeftszeiten-4770267.html

Responsible for the content of this article are Tim Cramer, Simon Schwitanski and Janin Vreydal.
