HPCC rely on TTU e-raider authentication system to check user credentials on our
systems. All users use their e-raider id and password to log in HPCC clusters.
HPCC systems have RSA authentication enabled for passwordless login. You may choose
whether to enable this on each system by adding RSA keys from remote systems to ~/.ssh/authorized_keys.
Please be careful. If enabled, this allows an intruder to enter all of your accounts
if one is cracked. We strongly suggest that you do not add a key for a system that
is itself insecure (MS Windows, security not up to date, telnet enabled, etc.) as
this allows intruders user access to HPCC systems which can then be escalated to root
access and total control.
Cluster Internal Security
On first login to a cluster head node, SSH may ask you for a key phrase. This is not
generally needed. It is reasonably secure, and makes login to the compute nodes simpler,
if you leave this key blank (hit the enter key at this prompt). From the head node,
you should be able to either ssh or rsh to all of the compute nodes in that cluster
without a password. If either ssh or rsh prompts for a password on cluster head to
compute login, please contact HPCC staff at firstname.lastname@example.org, as parallel software generally depends on passwordless login. More complex methods
will be required if you have a non-blank SSH key phrase on the cluster head nodes.
Remote shell or rsh only works within each cluster. If you are extremely concerned
about security, you may wish to use only ssh within clusters. rsh is faster as it
does not encrypt each transmission, but the transmissions can be intercepted and decoded.
This is generally not an issue, since root access to the cluster is required to intercept
the messages, and this interception procedure would not be necessary for a cracker
who already had root access.
MPI on clusters also uses either ssh or rsh for data transmission. Alternative MPI
libraries are provided which use ssh or rsh, and for each Fortran compiler, in /home/local.
Please include, link, and mpirun from the same library. The Fortran version does not
matter if you use only gcc/g++.
We currently store data on a resilient system and back up a limited amount of user
data, however we strongly encourage users to maintain a copy of all the data which is absolutely
critical for their research. Ultimately, we do not have the budget to guarantee that data will not be lost.
As a result, it is the researcher's responsibility to back up their own important data on their
own systems. In HPCC systems, the conflict between performance, size, cost, and reliability is
generally resolved in favor of large size at medium performance at low cost. Reliability
necessarily suffers. Most of the cluster disk storage is composed of arrays of consumer-grade
disks. Disk failures are relatively common, but single-disk failures are usually automatically
handled by RAID software.
Critical files, such as source code and output required for a paper or dissertation,
should be periodically copied to each user's personal machine and further backed up
to removable media and stored offsite.
By default in Linux systems, users have read, write and execute permissions to the
directories and files that they own. Meanwhile the directories and files are readable and executable to other users, including the
users in the same group of the owner. Basically a user is the owner of the directories /home/user-id, /lustre/work/user-id,
and /lustre/scratch/user-id, as well as all files and directories under them. A user
also owns the temporary files or directories in /state/partition1 on compute nodes,
if their jobs create temporary output there. If you are concerned about the permission
settings, for example, you do not want others to read your files, you can change the
permission by command "chmod" with appropriate options. For the details, please run
"man chmod" to get the manual of chmod command, or contact email@example.com.
Regardless of the directory permissions, root users (HPCC staff and anyone who might
completely crack the system), Sponsoring faculty/staff can read your files. If you
want to make extremely sure that no-one reads your files, install the PGP package
and encrypt your critical files. You would also need to eliminate backup copies from
the Tivoli system. However, if you encrypt and then forget your pass phrase, the files
can be extremely difficult to decrypt depending on the size of your encryption key.