Back to Strong Auth Index Page | Computing Division| Fermilab at Work | Fermilab Home View/print PDF file
	Strong Authentication at Fermilab

Chapter Contents

About this Manual
  1. Purpose and Intended Audiences
  2. Availability of Manual
  3. Other Resources
  4. Updates
  5. Notational Conventions
  6. Your Questions and Comments

About this Manual

---

This chapter provides an introduction to the Strong Authentication at Fermilab manual. In particular you will find:

• the purpose and intended audience
• where to find this manual
• additional information resources
• how updates to the manual are handled
• the typeface conventions and symbols used throughout the manual
• where to send comments and questions

1. Purpose and Intended Audiences

Fermilab must demonstrate to the DOE that it is implementing a computer security system that exercises tight control over who uses the lab's computers and network (which are owned by the government). An analysis of the major computer security incidents at Fermilab over the past couple of years, as well as the general sense of security incidents prior to that, shows that a common root cause of these incidents is the compromise of user passwords by their transmission in clear text over the network. Once intercepted, passwords can be re-used to gain unauthorized access to the destination system. Further, with user access to a compromised system, hackers have a foothold for much easier attacks to gain privileged root access. In order to protect against unauthorized access to Fermilab computers, the Computing Division is implementing the Kerberos Network Authentication Service V5 to provide what is known as strong authentication over the network.

The manual is targeted to both administrative and end users of UNIX (all supported operating systems: SunOS, IRIX, RedHat Linux, OSF1) and Windows and Macintosh systems.

2. Availability of Manual

Copies of Strong Authentication at Fermilab (document number GG0019) can be obtained from the following sources:

On-line

http://www.fnal.gov/docs/strongauth/

Under Documentation Search on the Computing Division home page (http://www.fnal.gov/cd/), search using any of the following keywords: strong, authentication, computer, security, kerberos, network, connect(ion), wrq, reflection, ssh, gg0019

Paper Copies

Wilson Hall, 8th floor, NE

Or print your own copy from the on-line PostScript file under http://www.fnal.gov/docs/strongauth/ps/

PDF files of the individual chapters are provided via links on the html pages.

3. Other Resources

• The Fermilab kerberos-users@fnal.gov mailing list archive (compiled since March 2001) is available for anyone to view at http://listserv.fnal.gov/archives/kerberos-users.html. Many of the issues raised on the list have been documented in this manual, but some unusual problems are discussed only there.

  Subscribe to the kerberos-users@fnal.gov mailing list to report problems or errors that occur as you use machines that run strong authentication, and to benefit from the experience of other users. For instructions on subscribing, see http://listserv.fnal.gov/users.asp#subscribe to list.

• There are several useful links available on http://computing.fnal.gov/security/StrongAuth/, in particular the MIT Kerberos site: http://web.mit.edu/kerberos/www/.
• The Moron's Guide to Kerberos, offers some explanations in layman's terms, and is fairly short. No offense intended! It can be found at http://www.isi.edu/gost/brian/security/kerberos.html.
• Kerberos A Network Authentication System by Brian Tung, Addison-Wesley Networking Basics Series

4. Updates

Pending subsequent releases of this manual, updates will be maintained on the Web at http://www.fnal.gov/docs/strongauth/misc/updates.html. Subscribe to the kerberos-announce@fnal.gov mailing list to receive announcements regarding updates to the Fermi kerberos product.

5. Notational Conventions

The following notational conventions are used in this document:

bold

Used for product and program names (e.g., telnet).

italic

Used to emphasize a word or concept in the text. Also used to indicate logon ids and node names.

typewriter

Used for filenames, pathnames, contents of files, output of commands.

<ctrl-char>

Indicates a control character. To enter a control character, hold down the control key (labeled Ctrl, usually) while pressing the key specified by char.

[ ]

In command formats, indicates optional command arguments and options.

%

Prompt for C shell family commands (% is also used throughout this document when a command works for both shell families).

$

Prompt for Bourne shell family commands; also standard UNIX prefix for environment variables (e.g., $VAR means "the value to which VAR is set").

< >

In commands, paths and environment variables, indicates strings for which the user must make context-specific substitutions.

All command examples are followed by an implicit carriage return key. The following symbols are used throughout the text to draw your attention to specific items:

A "bomb"; this is used to indicate a potential pitfall.

This symbol is intended to draw your attention to a particularly important piece of information.

This symbol indicates information for AFS systems.

6. Your Questions and Comments

Questions or comments about the Strong Authentication at Fermilab manual or website should be sent to cdlibrary@fnal.gov. We encourage all the readers of this document to report back to us:

• errors or inconsistencies that we have overlooked
• any parts of the manual that are confusing or unhelpful -- please offer constructive suggestions!
• other topics to include (keeping in mind the purpose of the manual)
• information that other users might find helpful

View/print PDF file

Back to Strong Auth Index Page | Computing Division| Fermilab at Work | Fermilab Home