About this Manual
This chapter provides an introduction to the Strong Authentication at Fermilab manual. In particular you will find:
- the purpose and intended audience
- additional information resources
- the typeface conventions and symbols used throughout the manual
- where to send comments and questions
1. Purpose and Intended Audiences
Fermilab must demonstrate to the DOE that it implements a computer security system that exercises tight control over who uses the lab's computers and network (which are owned by the government). An analysis of the major computer security incidents at Fermilab over the past several years, as well as the general sense of security incidents prior to that, shows that a common root cause of these incidents is the compromise of user passwords by their transmission in clear text over the network. Once intercepted, passwords can be re-used to gain unauthorized access to the destination system. Further, with user access to a compromised system, hackers have a foothold for much easier attacks to gain privileged root access. In order to protect against unauthorized access to Fermilab computers, the Computing Division has implemented the Kerberos Network Authentication Service V5 to provide what is known as strong authentication over the network.
The manual is targeted at both administrative and end users of UNIX (all supported operating systems: SunOS, IRIX, Scientific Linux), Windows and Macintosh systems.
2. Resources
- The Fermilab kerberos-users@fnal.gov mailing list archive (compiled since March 2001) is available for anyone to view at http://listserv.fnal.gov/archives/kerberos-users.html. Many of the issues raised on the list have been documented in this manual, but some unusual problems are discussed only there.
Subscribe to the kerberos-users@fnal.gov mailing list to report problems or errors that occur as you use machines that run strong authentication, and to benefit from the experience of other users. For instructions on subscribing, see http://listserv.fnal.gov/users.asp#subscribe to list.
- Other mailing lists include wrq-users@fnal.gov and macusers@fnal.gov.
- The MIT Kerberos site is: http://web.mit.edu/kerberos/www/.
- The Moron's Guide to Kerberos offers some explanations in layman's terms and is fairly short. No offense intended! It can be found at http://www.isi.edu/gost/brian/security/kerberos.html.
- Kerberos: A Network Authentication System by Brian Tung, Addison-Wesley Networking Basics Series
3. Notational Conventions
The following notational conventions are used in this document:
Used for product and program names (e.g., telnet).
Used to emphasize a word or concept in the text. Also used to indicate logon ids and node names.
Used for filenames, pathnames, contents of files, output of commands.
Indicates a control character. To enter a control character, hold down the control key (labeled Ctrl, usually) while pressing the key specified by char.
In command formats, indicates optional command arguments and options.
Prompt for C shell family commands (% is also used throughout this document when a command works for both shell families).
Prompt for Bourne shell family commands; also standard UNIX prefix for environment variables (e.g., $VAR means "the value to which VAR is set").
In commands, paths and environment variables, indicates strings for which the user must make context-specific substitutions.
All command examples are followed by an implicit carriage return key.
The following symbols are used throughout the text to draw your attention to specific items:
A "bomb"; this is used to indicate a potential pitfall.
This symbol is intended to draw your attention to a particularly important piece of information.
This symbol indicates information for AFS systems.
4. Your Questions and Comments
Questions or comments about the Strong Authentication at Fermilab manual or website should be sent to cdweb@fnal.gov. We encourage all the readers of this document to report back to us: