| Strong Auth Index Page | Presentation Outline
Your Responsibilities
General User On-site
Understand the broad outlines of Fermilab's Strong Authentication policy.
Request a Kerberos principal (an identifier for the realm, akin to a login name) and a Kerberos password. Principal name will be used for both UNIX and W2K realms.
- Use online form at http://computing.fnal.gov/cd/forms/acctreq_form.html.
- Principal name should match your FNAL email account.
- New principals should be chosen to be eight or fewer characters. Please use only lowercase letters (and optionally any numbers 0 through 9). Do not include the characters @ ("at" sign), _ (underscore), / (forward slash) or . (period).
Request a CRYPTOCard if necessary, learn how to use it, and care for it properly. Use http://computing.fnal.gov/cd/forms/acctreq_form.html.
Change your initial Kerberos password to an acceptable one of your choosing within 30 days of receipt. Instructions on choosing and changing your password are in the manual, section 3.1 Your Kerberos Password.
Learn how to request your Kerberos ticket.
Learn how to use your Kerberos ticket without exposing it to theft.
And last but not least: Treat your Kerberos password as a sacred object!!
- Do not tell anyone your Kerberos password.
- Do not write it down anywhere that someone could find it.
- Do not put it in a file (encrypted or not).
- As a usual practice, type it only at the console of a system on which you authenticate; do not pass it over the network, even encrypted, on a regular basis.
- On the rare occasions when you need to authenticate remotely, verify that all connections in the chain are encrypted.
- Do not use the same character string as your Kerberos password for any other password or any other object. (Exception: W2K domain password)
- If you mistakenly type it over an unencrypted channel, change it immediately!
System Administrator
- General user responsibilities, above
- Set up the Kerberos tools on the machine, and configure them properly for the Fermilab strengthened realm. You may use whichever tools you prefer as long as the result complies with Fermilab policy.
- Understand your own configuration well enough to ensure compliance.
- NT4 domain and workgroup administrators have additional responsibilities in order to prepare for the change in infrastructure in migrating from NT4 to W2K and to migrate their users. Tasks are detailed in pc-manager@fnal.gov mailings.
Developer
- Understand the principles of strong authentication, and the Fermilab Computing Policy in detail.
- Design systems and software that enhance the security of Fermilab's computing systems and improve our ability to withstand the onslaught of attackers who would misuse our resources.
To realize the full security benefits of Kerberos, we are asking users to do their best, and act in good faith to comply with the new policies and guidelines for computer use.
Last modified by AH on 8/19/05