Security actions on unprotected SSH Keys (Staff/PhD)

Please follow this guide to encrypt your SSH private keys

 

Self-managed devices

Users on self-managed devices are strongly advised to review the security of their SSH keys and remove them if they are not protected with a passphrase.

You will know that your keys are protected with a passphrase if you get prompted for it when you try to connect to ‘frank’ or any other Compute Server.

Below you will find some guidelines for finding out whether you have unprotected SSH keys on the 3 main Operating Systems:

SSH private keys generated using PuTTY or MobaXterm have the extension .ppk. Search your Windows device for files with that extension.

Open the file with Notepad (or any text editor).

Secure Private SSH Key

A secure private key protected with a passphrase has something like this at the top (note the ‘Encryption’ line):

PuTTY-User-Key-File-2: ssh-rsa
Encryption: aes256-cbc
Comment: rsa-key-20171114
Public-Lines: 6

The ‘Encryption’ line shows the encryption algorithm used to protect your private key when you generated it.

Unprotected Private SSH Key

An unprotected private key has something like this at the top (note the ‘Encryption’ line):

PuTTY-User-Key-File-2: ssh-rsa
Encryption: none
Comment: rsa-key-20200506
Public-Lines: 6

If your private key mentions there is no Encryption, as above, DELETE the private and public keys immediately and generate a new one, following our guide here: http://support.eecs.qmul.ac.uk/services/ssh/

On your self-managed Linux device, open a Terminal and run the following command on your Private SSH key:

$ ssh-keygen -y -P "" -f <PATH_TO_PRIVATE_SSH_KEY>

Secure Private SSH Key

If the output of the command is “incorrect passphrase supplied to decrypt private key”, it means your key is already encrypted. For example:

$ ssh-keygen -y -P "" -f /home/harry/.ssh/id_rsa_encrypted
Load key "/home/harry/.ssh/id_rsa_encrypted": incorrect passphrase supplied to decrypt private key

Unprotected Private SSH Key

If the output is the public key associated with that particular private key, it means your key is not protected. For example:

$ ssh-keygen -y -P "" -f /home/harry/.ssh/id_rsa_no_encryption
ssh-rsa AAFFGFFFAAB3NzaC1yc2EAAAADAQABAAABAQDEzlgGMuIV1dRHo5E7CJbOF8QHMz2G/ndqP8GwKzmqS5jKiwghAKprp1vB2Q5jcHIN7/ycOEYQw4HzvHqKd2BpygArQCiMqnkgHVRogzJEUIuQ0qNAe2ao+krCJz12Ihz

 

On your self-managed MacOS device, open a Terminal and run the following command on your Private SSH key:

$ ssh-keygen -y -P "" -f <PATH_TO_PRIVATE_SSH_KEY>

Secure Private SSH Key

If the output of the command is “incorrect passphrase supplied to decrypt private key”, it means your key is already encrypted. For example:

$ ssh-keygen -y -P "" -f /home/harry/.ssh/id_rsa_encrypted
Load key "/home/harry/.ssh/id_rsa_encrypted": incorrect passphrase supplied to decrypt private key

Unprotected Private SSH Key

If the output is the public key associated with that particular private key, it means your key is not protected. For example:

$ ssh-keygen -y -P "" -f /home/harry/.ssh/id_rsa_no_encryption
ssh-rsa AAFFGFFFAAB3NzaC1yc2EAAAADAQABAAABAQDEzlgGMuIV1dRHo5E7CJbOF8QHMz2G/ndqP8GwKzmqS5jKiwghAKprp1vB2Q5jcHIN7/ycOEYQw4HzvHqKd2BpygArQCiMqnkgHVRogzJEUIuQ0qNAe2ao+krCJz12Ihz
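
The header checks above can be automated without invoking ssh-keygen. This added example (not part of the original guide; the function names and sample inputs are constructed for illustration) classifies PuTTY .ppk files by their ‘Encryption’ line and goes beyond the page by also reading the cipher field of OpenSSH-format keys and the headers of PEM keys.

```python
import base64
import re
import struct

MAGIC = b"openssh-key-v1\0"  # start of the OpenSSH private-key container

def _openssh_state(body):
    """Inspect the cipher-name field that follows the magic."""
    try:
        blob = base64.b64decode("".join(body.split()))
    except ValueError:
        return "unknown"
    rest = blob[len(MAGIC):]
    if not blob.startswith(MAGIC) or len(rest) < 4:
        return "unknown"
    # Cipher name is a length-prefixed string; "none" means no passphrase.
    return "unencrypted" if rest.startswith(b"\x00\x00\x00\x04none") else "encrypted"

def key_protection(text):
    """Classify private-key file text: encrypted, unencrypted or unknown."""
    if text.startswith("PuTTY-User-Key-File-"):  # .ppk: explicit header line
        m = re.search(r"^Encryption:\s*(\S+)", text, re.MULTILINE)
        if not m:
            return "unknown"
        return "unencrypted" if m.group(1) == "none" else "encrypted"
    m = re.search(r"-----BEGIN ([A-Z ]*PRIVATE KEY)-----(.*?)-----END \1-----", text, re.S)
    if not m:
        return "unknown"
    label, body = m.groups()
    if label == "OPENSSH PRIVATE KEY":
        return _openssh_state(body)
    if label == "ENCRYPTED PRIVATE KEY":  # PKCS#8 encrypted container
        return "encrypted"
    # Legacy PEM (RSA/DSA/EC): encrypted keys carry a Proc-Type header.
    return "encrypted" if "Proc-Type: 4,ENCRYPTED" in body else "unencrypted"

def sample_openssh(cipher):
    """Constructed header-only sample; no real key material follows."""
    s = lambda b: struct.pack(">I", len(b)) + b
    b64 = base64.b64encode(MAGIC + s(cipher) + s(b"none") + s(b"")).decode()
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{b64}\n-----END OPENSSH PRIVATE KEY-----\n"

SAMPLES = {  # constructed inputs; the .ppk headers mirror the two shown above
    "protected.ppk": "PuTTY-User-Key-File-2: ssh-rsa\nEncryption: aes256-cbc\n",
    "open.ppk": "PuTTY-User-Key-File-2: ssh-rsa\nEncryption: none\n",
    "id_ed25519": sample_openssh(b"none"),
}

def audit(files):
    return sorted(n for n, t in files.items() if key_protection(t) == "unencrypted")
```

To scan a real directory, read each candidate file as text and pass a name-to-content mapping to audit(); every name it returns is a key to delete and regenerate.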

 

 

 

 

Anaconda and Miniconda for Research

The latest versions of Miniconda 3 and Anaconda 3 are now available to all EECS Research Servers and Managed Linux Desktops, as environment modules.

We have been recommending against the use of Anaconda in our infrastructure for quite a while, since it broke users’ desktop environments when it was used incorrectly, making it hard for users to recover from that bad state. Using Anaconda and Miniconda as environment modules gives the user more control over how, when and where Anaconda environments are initialised, removes the need to initialise the user’s shell with Anaconda, and removes the complexity of manually modifying your shell via the .bashrc file.


Security Update: SMB/CIFS disabled for unmanaged devices

Due to the recent major incident with the RYUK Ransomware attack at the School of SEMS, we have DISABLED access for unmanaged devices using the SMB/CIFS protocol to the network shares on the staff login-server ‘frank.eecs.qmul.ac.uk’.

This change will not affect the EECS Managed Desktops, which will keep using the network shares via ‘tofu’ using the SMB/CIFS protocol. Also, printing from unmanaged devices (which requires SMB connection to frank.eecs.qmul.ac.uk) will not be affected.


EECS Big Data Hadoop Cluster (‘Andromeda’)

A new Hadoop Cluster has been deployed in the School of Electronic Engineering and Computer Science, to be used for Big Data Teaching and Research. The cluster is comprised of a NameNode (Head Node) and 24 DataNodes.

In the current setup, the Head Node is called Andromeda and the DataNodes are named Leo nodes.

All of the EECS Student Desktops have the latest CDH 6.3.0 packages available, along with custom configuration that allows students to send their jobs to the Hadoop Cluster with minimal configuration. The old studoop configuration has been replaced with the corresponding one for andromeda on all Student Desktops, and it can be found under /etc/hadoop/conf.andromeda


[New feature] MATE on Student Desktops

GNOME Desktop environment for CentOS has been removed from the ITL 2F Student Desktops (itl300-417) and has been replaced with MATE.

MATE is more lightweight, faster, highly customisable, has a more modern look than GNOME and has many of the features that were missing from GNOME.

ALL EECS Student Desktops in the ITL, Electronics Lab and Institute of Coding lab will move to MATE in the next few days. This will not affect the student home directory or any of your data.