Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

FEATURE REQUEST: Configure SSH Server in dandi-hub (staging-hub) #167

Open
ovalerio opened this issue Jul 11, 2024 · 2 comments
Open

FEATURE REQUEST: Configure SSH Server in dandi-hub (staging-hub) #167

ovalerio opened this issue Jul 11, 2024 · 2 comments

Comments

@ovalerio
Copy link

Hello Dandi Hub Team,

I'm very thankful that you are providing us with a platform and compute infrastructure to run the notebooks.

As I mentioned in the title I would like to request that the SSH Server is enabled for the JupyterHub. The reason is that I would like to connect to the hub via VSCode. This is very useful for me as a developer because I can make use of other installed extensions.

I assume that you are using PrimeHub to manage the JupyterHub. This is the relevant documentation I found in this regard: https://docs.primehub.io/docs/guide_manual/ssh-config

I am happy to help debugging/testing the feature.

Thanks,
~
Omar

NOTE: Here is a little bit of background on how I use this feature to address the caveats mentioned in the article linked below.
https://help.lsit.ucsb.edu/hc/en-us/articles/13315129284123-Using-VSCode-and-JupyterHub
@jwodder jwodder changed the title FEATURE REQUEST: Configure SSH Server in dandi-hub (staging-hub) FEATURE REQUEST: Configure SSH Server in dandi-hub (staging-hub) Jul 11, 2024
@asmacdo
Copy link
Member

asmacdo commented Jul 11, 2024

I'm very thankful that you are providing us with a platform and compute infrastructure to run the notebooks.

Thank YOU for contributing to the project with this request, and for testing the staging hub!

I agree this would be useful, including collaboration. (Imagine how cool shared tmux sessions would be!)

There are security concerns though. As a colleague recently said, Jupyterhubs are "arbitrary code execution as a service", which requires severe caution on the admin side. We put a lot of trust our users, but it only takes 1 user accidentally committing their private key while focused on glorious science hacking to leave us vulnerable to expensive shenanigans. So currently, we explicitly disallow incoming traffic from the internet on user hubs in JupyterHub.

I'm going to leave this issue open though. If anyone has suggestions on how we might lock this down and reduce risk, the value of this could well be worth the effort.

(btw we do not use PrimeHub, we manage it ourselves using an upstream Jupyterhub helm-chart)

@ovalerio
Copy link
Author

@asmacdo Thank you for the fast reply. :)

Unfortunately, I have not much experience regarding hardening systems.
But for risk reduction, I could suggest enforcing short lived keys (max 5 days), and using 2048 bit keys.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@asmacdo @ovalerio