Instance-wide removal of SSH public keys
Today at around 12 pm all SSH keys will be deleted in central HZDR systems. This affects GitLab as well. Afterwards, you will no longer be able to interact with gitlab.hzdr.de via SSH without adding a new SSH public key. Please do not reuse your previous keys. More information about GitLab and SSH can be found here.
If you need help or have questions, please comment in this issue.
In the course of this week, a security incident was reported that affects numerous computer centres of research institutes and universities across Europe that operate high-performance computing systems (HPC systems). According to current knowledge, potential attackers are using compromised SSH logins and/or SSH keys to gain access to HPC systems. This also affects individual systems at the HZDR, more precisely: hypnos5, fes, fes2 and uts.
For this reason, the FWC department has decided to take the following measures (please note the times given):
- All affected systems will not be accessible via SSH from today (15.05.2020) 12 o'clock until 22.05.2020. (As an alternative to the uts, the mup.hzdr.de can be used.)
- On all affected systems and on gitlab.hzdr.de, the SSH keys of all users will be removed today (15.05.2020) 12 noon.
- All employees of the HZDR and external users with HZDR login are requested to change the password of their HZDR access from today (15.05.2020) 12 o'clock until 22.05.2020. (You will again receive a separate email from the HZDR user database.)
- Due to the shutdown of the fes (central file exchange server) there is temporarily no external storage available in the HZDRcloud.
In the course of the password change, a new SSH key pair will be created via the user database, which can then be used for login via SSH, including on other systems that are currently not affected. The corresponding keys can be downloaded from your myData page.
To change your personal password please use the website https://www.hzdr.de/passwd.
In order to minimize the support effort, please note that after changing your password, the new password is also valid for email access and eduroam. This means that the password has to be changed in the corresponding clients as well.
For working in HomeOffice on HZDR Windows computers please note the following:
- When using the local VPN client before changing the password: Right-click on the icon of the VPN client -> "VPN Options" -> "Advanced" -> Check "Enable secure domain login". The next time you log on, the Windows login should work with the new password.
- Without VPN client, the password for Windows logon remains unchanged on the HomeOffice computer. The new password will only become active when you reconnect to the HZDR network.
We ask for your understanding for this measure.
If you have any questions or problems, the hotline of the computer center (Tel.: 3317) and I will be happy to help you.