While that's absolutely a significant issue, here's how we solved it, despite still using user keys. This basically assures that while people can SSH around with keys within our cluster, they get into the login nodes using SSH keys.  Combine that with the required enrollment in 2FA, and I think we're doing decently well.

Network routing rules and switch ACLs prevent users from getting into the non-login nodes from outside the cluster.


(excerpt from sshd_config on login nodes only - It's much simpler on non-login nodes):


# default behavior - disallow PubkeyAuthentication
PubkeyAuthentication no

# default behavior - force people to the "you must enroll in 2FA" message, and then exit
ForceCommand /usr/local/bin/2fa_notice.sh

# All users enrolled in 2FA are part of the twofactusers group
Match Group twofactusers
        ForceCommand none

# Allow PubkeyAuthentication for subnets that are internal to the cluster
Match Address ListOfClusterInternalSubnets
        PubkeyAuthentication yes

Lloyd


On 5/27/21 9:27 AM, Michael Jennings wrote:

As far as abuse of keys goes:  What's stopping your user from taking
that private key you created for them (which is, as you recall,
*unencrypted*) outside of your cluster to another host somewhere else
on campus.  Maybe something that has tons of untrusted folks with
root.  Then any of those folks can SSH to your cluster as that user.

--
Lloyd Brown
HPC Systems Administrator
Office of Research Computing
Brigham Young University
http://marylou.byu.edu
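
To see what the sshd_config excerpt above actually yields for a given user and source address, here is an added Python model of how sshd resolves those Match blocks (every satisfied block overrides the global section; when several satisfied blocks set the same keyword, only the first one counts). This is example code written for this thread, not Lloyd's configuration or anything from OpenSSH; the subnets and the user/address cases are constructed stand-ins for ListOfClusterInternalSubnets and the real cluster.

```python
import ipaddress

# Constructed stand-in for the ListOfClusterInternalSubnets placeholder.
CLUSTER_SUBNETS = [ipaddress.ip_network("10.10.0.0/16"),
                   ipaddress.ip_network("10.20.0.0/16")]

# Global section of the excerpt: no pubkey auth, everyone gets the 2FA notice.
GLOBAL = {"PubkeyAuthentication": "no",
          "ForceCommand": "/usr/local/bin/2fa_notice.sh"}

# Match blocks in file order as (criteria, keywords); criteria mirrors
# "Match Group twofactusers" and "Match Address <cluster subnets>".
MATCH_BLOCKS = [
    (lambda groups, addr: "twofactusers" in groups,
     {"ForceCommand": "none"}),
    (lambda groups, addr: any(addr in net for net in CLUSTER_SUBNETS),
     {"PubkeyAuthentication": "yes"}),
]


def effective_config(groups, source_ip):
    """Resolve the effective keywords the way sshd applies Match blocks:
    each satisfied block overrides the global section, and a keyword set
    by more than one satisfied block keeps its first value."""
    addr = ipaddress.ip_address(source_ip)
    result = dict(GLOBAL)
    seen = set()
    for matches, keywords in MATCH_BLOCKS:
        if not matches(groups, addr):
            continue
        for key, value in keywords.items():
            if key not in seen:
                result[key] = value
                seen.add(key)
    return result


def pubkey_login_allowed(groups, source_ip):
    return effective_config(groups, source_ip)["PubkeyAuthentication"] == "yes"


def gets_2fa_notice(groups, source_ip):
    return effective_config(groups, source_ip)["ForceCommand"] != "none"


if __name__ == "__main__":
    cases = [(["users"], "203.0.113.7"),                   # campus host, not enrolled
             (["users", "twofactusers"], "203.0.113.7"),   # campus host, enrolled
             (["users"], "10.10.4.2")]                      # node inside the cluster
    for groups, ip in cases:
        print(groups, ip, effective_config(groups, ip))
```

Note that a key-based connection from inside the cluster by a user who is not yet in twofactusers still lands on the 2FA notice, because only the Group block clears ForceCommand.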

