Security

Security is very important to us. Password login to each cluster requires a second factor (MFA). It is also possible to log in to the cluster via a registered SSH key. We suggest ed25519 combined with a strong passphrase. CLAIX implements the RegApp-based MFA login process, which requires a password plus a second authentication factor every time you log in to one of the frontend nodes, unless one of the following exceptions applies:

SSH key to simplify access:

Within a work session (10h), you can log in to the frontend nodes using your SSH key without having to go through the full password + MFA authentication on every login. The SSH key must be imported in the RegApp and expires automatically. Old keys cannot be re-used.
Note: The password and MFA token are required for the initial login. Therefore, you must not disable the password authentication method in your SSH config.

Please refer to the ITC Help for how to set up MFA and the SSH key in the RWTH RegApp.
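
A local check for the note above, as an added example that is not part of the original page or of CLAIX tooling: it scans an OpenSSH client config for settings that would suppress the password + MFA prompt. The host alias, host name and user in the sample are constructed, and treating `password` and `keyboard-interactive` as the prompt methods is an assumption.

```python
import re

# ssh_config options that switch off interactive prompts when set to "no".
DISABLING = {"passwordauthentication", "kbdinteractiveauthentication"}
# Assumption: the password + MFA prompt arrives via one of these methods.
PROMPT_METHODS = {"password", "keyboard-interactive"}

# Constructed sample; host alias, host name and user are placeholders.
SAMPLE = """\
Host hpc-frontend
    HostName login.hpc.example.org
    User ab123456
    IdentityFile ~/.ssh/id_ed25519
    PreferredAuthentications publickey
    PasswordAuthentication no

Host other
    KbdInteractiveAuthentication = yes
"""

def audit_ssh_config(text):
    """Return (scope, line_no, problem) for settings that block the prompt."""
    findings = []
    scope = "(global)"  # options before the first Host/Match apply everywhere
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # "Key value" and "Key=value" are both valid; keywords ignore case.
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        if len(parts) < 2:
            continue
        key, value = parts[0].lower(), parts[1].strip().strip('"')
        if key in ("host", "match"):
            scope = value
        elif key in DISABLING and value.lower() == "no":
            findings.append((scope, no, f"{parts[0]} is disabled"))
        elif key == "preferredauthentications":
            methods = {m.strip().lower() for m in value.split(",")}
            if not methods & PROMPT_METHODS:
                findings.append((scope, no, "no prompt-based method listed"))
    return findings

if __name__ == "__main__":
    for scope, no, problem in audit_ssh_config(SAMPLE):
        print(f"{scope}: line {no}: {problem}")
```

To audit your own setup, pass the contents of `~/.ssh/config` to `audit_ssh_config`; an empty result means none of the checked options suppresses the prompt.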

SSH keys for recurring and/or automated tasks:

For recurring and/or automated tasks you can configure SSH command keys that do not require the password + MFA authentication when used to access the cluster. They can be used like MFA-less SSH key-based access. However, each command key is tied to a specific command and can only be used for that command.
Each command key’s command is audited and needs to be permitted or rejected by the HPC admins to prevent misuse.

From time to time we must adapt our configuration to ensure the cluster’s security, e.g. by disabling insecure authentication methods. Please stay informed about breaking changes that may impact accessibility (cf. blog posts). A list of supported authentication methods can be found at ...

Any questions? Feel free to reach out!