Your Responsibilities
General User On-site
Understand the broad outlines of Fermilab's Strong Authentication policy.
Request a Kerberos principal (an identifier for the realm, akin to a login name) and a Kerberos password.
- Use online form at http://computing.fnal.gov/cd/forms/acctreq_form.html.
- Principals should match your FNAL email account.
- New principals should be chosen to be eight or fewer characters. Please use only lowercase letters (and optionally any numbers 0 through 9). Do not include the characters @ ("at" sign), _ (underscore), / (forward slash) or . (period).
Request a CRYPTOCard if necessary, learn how to use it, and care for it properly.
- Use the same online form.
Change your initial Kerberos password to an acceptable one of your choosing within 30 days of receipt.
- Choice of a trivial password constitutes "blatant disregard of computer security"; see Fermilab Policy on Computing.
- Password guidelines are in manual section 3.1 Your Kerberos Password.
- Choose something that's hard to guess but that you can remember, and please make an effort to remember it!!
Learn how to request your Kerberos ticket.
Learn how to use your Kerberos ticket without exposing it to theft.
And last but not least: Treat your Kerberos password as a sacred object!!
- Do not tell anyone your Kerberos password.
- Do not write it down anywhere that someone could find it.
- Do not put it in a file (encrypted or not).
- As a usual practice, type it only at the console of a system on which you authenticate.
- Only on very rare occasions when you have no other choice may you pass it over an ENCRYPTED network connection. Verify that ALL connections in the chain are encrypted.
- Do not use the same character string as your Kerberos password for any other password or any other object. (The one exception: Fermilab W2K domain password; see section 2.3 Kerberos Passwords of the Windows 2000 at Fermilab guide.)
- If you mistakenly type your Kerberos password over an unencrypted channel, change it immediately!
System Administrator
- General user responsibilities, above
- Set up the Kerberos tools on the machine, and configure them properly for the Fermilab strengthened realm. You may use whichever tools you prefer as long as the result complies with Fermilab policy.
- Understand your own configuration well enough to ensure compliance.
Developer
- Understand the principles of strong authentication, and the Fermilab Computing Policy in detail.
- Design systems and software such that they enhance the security of Fermilab's computing systems and improve our ability to withstand the onslaught of attackers who would misuse our resources.
To realize the full security benefits of Kerberos, we are asking users to do their best, and act in good faith to comply with the policies and guidelines for computer use.
Last modified by AH on 8/19/05