Hello CARC team,
My colleagues and I were disappointed to see your announcement yesterday that all login and transfer nodes will require VPN from off campus. From a user/outside layperson perspective, this will add a lot of hassle and seems unnecessary for already well locked down systems with 2FA requirements. Is Duo no longer deemed sufficient for protected systems? Are all university services that are already Duo-protected going to also go behind VPN, or was this a choice made just for this system?
Explaining the rationale for taking such a step could go a long way to making this easier to swallow, especially in the context of why this requirement is needed for CARC, when other computing centers that operate on larger scales do not have this requirement (e.g., TACC), including more sensitive DOE machines (e.g., ORNL).
As a user who primarily works off campus, the new barriers imposed by this change include:
- I need to do 2 Duo sign-ins in order to first connect. I can of course live with this one; it’s just another annoyance.
- I must now install and manage VPN connections on every device that I ever use to log in and check job status, read logs, and resubmit jobs, or choose to no longer do any work when away from my primary workstation. A workaround for this would be for you to provide a publicly accessible proxy host that we could SSH into, and then SSH into the login nodes, for situations where VPN is unavailable (an annoyance but at least it would still be possible).
- Outside users at other institutions with guest accounts will now need to VPN in from their institution to USC, breaking connections with any local resources. This may also be either blocked or prohibited by other institutions.
- Hopefully VPN performance is better now, but when I last used it regularly, performance issues were common.
Thank you for your consideration,