Okay, if there is nothing else, I would say let's start.
Okay, as I said, this is a controversial topic.
As you might have heard it was in the press.
There were security incidents on a lot of HPC systems across Europe, and also large German systems were down due to the security breach, especially HLRS, and I think also Jülich and LRZ.
And it's not yet clear what happened. But this was, yeah, the starting point to say, okay, this is probably a topic that's interesting also for us at our side. We don't know of any security breach, but I will talk about these general issues in a moment.
So, first of all, secure authentication on computer systems.
Security is a difficult topic on computers because you cannot really ensure security. It's a very complex environment. And due to this complexity, you can never really guarantee that everything is safe; it's just not possible.
And even agencies or people who really care about security get hacked. So that beforehand, and that's also the reason why this topic is so emotional and controversial: because people don't understand what's going on.
They don't have a clear knowledge about what they should do, what's necessary and what's not necessary. It's a bit like the coronavirus: there, too, we don't know what's real and what's necessary.
And what's not, because we just don't know. It's a complex topic and we don't know yet what's going on. And it's the same with computer security.
And therefore, at some point, there is a transition to belief. Yeah. So a lot of people say, I believe this is not necessary. Yeah.
I'm no security expert. I can just tell you best practice, or what is commonly regarded to be a good idea. And even in our group, there are really very diverse opinions about this.
There are people, and you have a lot of those in computer science, whose view of security is: you cannot have security anyway, so why do you care? And if someone wants to get in there, he gets in there.
So to make it complicated makes no sense. On the other end, there are people who have a very deliberate and thought-over plan for how to ensure security.
So they encrypt the hard disk and they have a very well planned key management and so on. So we have everything in the group, even between those extremes.
So now some basics about secure authentication.
So there are authentication factors, and you have three factors. There are knowledge factors. Knowledge factors are things you know, things like a password, a passphrase, a PIN; for example, the PIN of your EC card is also a knowledge factor.
Then you have ownership factors. This is something you own, obviously. So like the ID card, your cell phone, a hardware token, and also, for example, the secure shell public key, or rather the private key.
I have to say the private key is also an ownership factor because you have to own it, a software token, so to say.
And finally, you have inherence factors. This is a fingerprint, a signature, but also your location, maybe your face, or anything that's connected to you.
And in security, it is accepted that to really have high security, you want to have as many different independent factors as possible.
So multi factor authentication is mandatory and all major Internet providers, single sign on providers like Apple or Amazon, everybody now at least offers two factor authentication. So you have to have your password.
And then in addition as a second factor, for example, you get a pin sent on your smartphone, which you have to own. And there you are.
And also, if you see with banking is also multi factor because you have to own the card and you have to know the pin to use it. So just owning the card is not enough.
With security, it is always a compromise between security and convenience, because you still need to be able to use the system.
So the computing system still needs to be productive, and if you have everything secured and locked down as far as possible, you might end up with a setting where you don't want to do anything on the system.
So always keep that in mind. And this is especially a topic with HPC, because there are people that think that in HPC, those things are not confidential anyway.
So if a user account gets hacked, it's not really a problem.
And that being said, in a multi-user system, I asked our admins and it seems to be accepted that this happens.
You cannot prevent it. User accounts in such a massive multi-user context will get hacked because people lose their password, pin it on their screen, whatever.
In HPC environments, the de facto standard for authentication or remotely accessing the system is secure shell.
And first, I want to tell you some common security guidelines before I get to secure shell.
So just commonly accepted things. And this is a moving target. So this looked different five, ten years ago.
So obvious things, trivial things, never share a password or a key for different hosts and systems.
So I mean, you do shopping probably on the Internet a lot and you have tons of passwords.
You have password for Amazon, for eBay, for Google and so on. And you don't want to use the same password. Why?
Well, it's obvious. If one gets breached, you don't want someone to be able to access all your accounts. So if a password gets lost, you want only one thing to be lost.
And then you already see what you also have today: those so-called single sign-on passwords, where one password is the key to a lot of other passwords.
And of course, this password is especially precious, and you have to take special care that it is not lost. This is again a trade-off.
Because, at least for me, I cannot remember dozens of passwords.
So you should never store a password in clear text anywhere, in any form: not in a file, not on paper. I know that's tempting.
I know people have a small drawer with cards and write the passwords on there.
Whatever. I mean, in the end, an encrypted password is nothing else than having such a key card drawer in a safe, for example.
Then use strong passwords. What is a strong password? Again, you can discuss that.
I read 15 to 20 characters. Others say, are you crazy? No one can remember a 15 to 20 character password.
It can contain all character classes. And as you may know from XKCD, there is a comic on that.
So it is totally fine to have words and sentences. The length is more important than the randomness, so to say.
I will come in a moment to how to manage that. We haven't spoken yet about how to manage that, because we already realized we have a lot of passwords nowadays.
If you need 15 to 20 characters, I don't know. One thing is clear: the longer, the harder it is to hack. That's a fact.
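The talk's point that length matters more than character-class randomness can be made concrete with a small entropy calculation. The following is an added example, not code from the talk or from the HPC-Cafe organisers; the tiny word list is constructed for illustration, and the assumed Diceware list size of 7776 words stands in for a real list. It estimates the bits of entropy of a character password (assuming every character is drawn uniformly from the covering character classes, which is generous for a human-chosen password) against a passphrase of words drawn uniformly from a list, and draws words with the `secrets` module, which is the CSPRNG a generator should use.

```python
import math
import secrets
import string

# Constructed sample word list for the generator below; a real deployment
# would load a large list. Only the list size matters for the entropy estimate.
SAMPLE_WORDS = ["correct", "horse", "battery", "staple",
                "orange", "river", "window", "planet"]
DICEWARE_SIZE = 7776  # assumed size of a standard Diceware word list


def charset_size(password: str) -> int:
    """Size of the union of standard character classes present in the password."""
    size = 0
    if any(c in string.ascii_lowercase for c in password):
        size += 26
    if any(c in string.ascii_uppercase for c in password):
        size += 26
    if any(c in string.digits for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)  # 32 ASCII punctuation characters
    return size


def random_password_bits(password: str) -> float:
    """Entropy if every character were chosen uniformly from the covering charset.
    This is an upper bound: a dictionary word with substitutions has far less."""
    n = charset_size(password)
    return len(password) * math.log2(n) if n else 0.0


def passphrase_bits(n_words: int, wordlist_size: int = DICEWARE_SIZE) -> float:
    """Entropy of n words drawn uniformly and independently from a word list."""
    return n_words * math.log2(wordlist_size)


def chars_needed(bits: float, charset: int = 94) -> int:
    """Length a uniformly random password over `charset` needs to reach `bits`."""
    return math.ceil(bits / math.log2(charset))


def generate_passphrase(n_words: int, words=SAMPLE_WORDS, sep: str = " ") -> str:
    """Draw words with secrets.choice (CSPRNG), never random.choice."""
    return sep.join(secrets.choice(words) for _ in range(n_words))


def meets_length_policy(secret: str, minimum: int = 15) -> bool:
    """The talk's 15-to-20-character guideline as a simple length check."""
    return len(secret) >= minimum


if __name__ == "__main__":
    # Four common words already match an 8-character fully random password;
    # six words need a 12-character random string to be matched.
    print(f"4 words from Diceware: {passphrase_bits(4):.1f} bits")
    print(f"'Tr0ub4dor&3' (if random): {random_password_bits('Tr0ub4dor&3'):.1f} bits")
    print(f"chars needed to match 6 words: {chars_needed(passphrase_bits(6))}")
    print("example passphrase:", generate_passphrase(5))
```

The generous assumption for the character password is deliberate: even when credited with full randomness, a short all-class password lands in the same range as a few plain words, and the words are the ones a person can actually remember rather than pin to the screen.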
Accessible via: Open access
Duration: 01:05:32 min
Recording date: 2020-06-15
Uploaded on: 2020-06-15 17:36:31
Language: en-US
HPC-Cafe on June 9th 2020.
More information at: https://hpc.fau.de/services/hpc-cafe/