...

Second, we can see that it's normal for users to have to go through a non-trivial process to access a cluster: generating an SSH keypair and uploading the public key to a website. This also implies ECMWF running such a service to manage key uploads.

Furthermore, JASMIN "requires" users to secure their key with a passphrase, but there's no way this can be enforced. It's quite likely users don't bother, and the SSH keys are copied around freely and even lost and replaced, while remaining active for access to the facility. 

Third, we also know from other remote cluster providers that it's common to have to connect to a login node or bastion host, and then hop onwards to the final working node. At ECMWF we much prefer a single hop for users straight to the HPCF, which has the consequence of more complex gateway requirements, in functionality and security.

Finally, although our ActivID tokens work well, they are very expensive and the software (at ECMWF's end) is unreliable and troublesome to maintain. We would like to move away from ActivID in the post-BOND timeframe, so any access service should not be bound too tightly to it.

For these reasons, Teleport is a good choice, as it allows separation from ActivID, avoids a complex initiation process for the user, avoids maintenance of SSH keys and their inherent security risks, avoids ECMWF running additional web services, and is single-hop client to server.

Info

If you have any other product for us to look at, please make it known!

...