hpc-shell
Potential security issue on "Connecting to the remote HPC system" page
At the moment, the following text appears on this page:
"Note that you may want to paste in your password rather than typing it. Use control/Ctrl plus a right-click of the mouse to paste content from the clipboard to the PuTTY terminal."
This implies that the user has copied it from somewhere else, e.g. a file storing the password in plain text.
That isn't good practice, so I suggest this text be removed.
@mattgillucl Thanks for raising this. Many people use a password manager (e.g. LastPass) where you can store the password and copy and paste it across so I think this is a valid statement. However, I think a callout with a note that you should not store passwords saved in normal files and that password managers are out there to help with this issue would be a useful addition.
Do you want to write something and issue a PR? If you are not able to do this, then I am happy to look at it.
Hi @aturner-epcc It's probably best if you do this please, as it might be a little while before I can do it.
Thanks
Good catch, @mattgillucl. We should rephrase this to focus on using the SSH agent, with a timeout, to teach & encourage best practices with SSH keys.
I agree, IMHO the sentence should be dropped. As suggested earlier, a notice should be prepared about security issues related to manual password stores, password managers, ssh keys, ssh keys without passphrases ... oh my, that is an entire lesson on its own. I know that @aturner-epcc knows some HPC slated material along these lines.
Long story short: drop the sentence and we should put up a warning.
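An added shell example, not from the hpc-shell lesson or from any participant in this thread, showing the practice the two comments above point at: an agent that forgets keys after a timeout, keys loaded with their own lifetime, and a check that refuses to load a private key that has no passphrase. The key path `~/.ssh/id_ed25519` and the one-hour lifetime are assumptions; the helper names are made up for this example.

```shell
#!/bin/sh
# Example only (assumptions: key path and lifetime below are placeholders).
# Demonstrates: ssh-agent with a default key lifetime, ssh-add -t, and a
# refusal to load keys that were generated without a passphrase.

# ssh-agent -t and ssh-add -t accept sshd_config-style times (s, m, h, d, w).
KEY_LIFETIME="${KEY_LIFETIME:-1h}"

# Return 0 if the private key at $1 has NO passphrase, i.e. ssh-keygen can
# read it with an empty passphrase; return non-zero if it is encrypted.
key_is_unprotected() {
    ssh-keygen -y -P '' -f "$1" >/dev/null 2>&1
}

# Return 0 if an agent is reachable.  ssh-add -l exits 2 when it cannot
# talk to an agent (0 = has keys, 1 = reachable but empty).
agent_reachable() {
    if ssh-add -l >/dev/null 2>&1; then rc=0; else rc=$?; fi
    [ "$rc" -ne 2 ]
}

# Start an agent unless one is already running.  -s prints sh-style exports
# for SSH_AUTH_SOCK/SSH_AGENT_PID; -t sets the default lifetime applied to
# every key added without its own -t.
start_agent() {
    agent_reachable && return 0
    eval "$(ssh-agent -s -t "$KEY_LIFETIME")" >/dev/null
}

# Load a key for KEY_LIFETIME, refusing keys that have no passphrase.
load_key() {
    key="$1"
    if [ ! -f "$key" ]; then
        echo "load_key: no such key: $key" >&2
        return 1
    fi
    if key_is_unprotected "$key"; then
        echo "load_key: refusing $key: it has no passphrase." >&2
        echo "          add one with: ssh-keygen -p -f $key" >&2
        return 1
    fi
    # Prompts for the passphrase once; the agent forgets the key after -t.
    ssh-add -t "$KEY_LIFETIME" "$key"
}

# Usage: sh agent-example.sh run  (the "run" guard keeps the functions
# side-effect free when the file is merely sourced).
case "${1:-}" in
    run) start_agent && load_key "${2:-$HOME/.ssh/id_ed25519}" ;;
esac
```

After `start_agent` the key is usable for the remote `ssh` login without retyping the passphrase until the lifetime expires; `ssh-add -l` shows what is currently cached, and `ssh-add -D` drops everything early when leaving the machine.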
Actually, I am wondering if PuTTY should be used on this course for a Windows user...
On the "Moving around and looking at things" episode, at one point it tells the user to open a second terminal, such that they have one open on the remote server and one on their local system. ("Open a second terminal window on your local computer and run the ls command without logging in remotely. What differences do you see?")
I emailed the maintainer of PuTTY, Simon Tatham, and asked him if PuTTY could be used in a Unix-like way on a Windows PC. This was his response:
If you want to navigate the filesystem of a Windows machine in a Unixlike way rather than using Windows-native approaches like cmd.exe or Powershell, then you'll need to install a Unixlike shell and its supporting utilities on the machine.
Personally I do this using Cygwin, because it's what I'm used to from a decade or more of previous versions of Windows. These days there is also WSL, but I can't tell you anything about that, because I've never yet found time to sit down and have a play with it.
Indeed, we need to update this. (I think this should be a separate issue) There are other choices for Windows users too:
- git bash has a working ssh binary coming with it AFAIK
- MobaXterm (supporting multiple parallel sessions)
- there is the windows subsystem for Win10 and (likely) any version above
- there is good old putty
- there is cygwin
For our learners, I would prefer:
- mobaxterm (a plain-to-install GUI which is cross-windows platform)
- WSL or git bash
- putty if need be
- cygwin
Yes @psteinb this should be a separate issue; the security issue highlighted above is separate from (but related to) whether we should even be using PuTTY in the first place.
I will create a separate issue and link to it from here - done - see #23
PS I should stress I have nothing against PuTTY!