New access to USM computers

The new security policy requires secure-socket connections: any connection to one of our computers that involves an exchange of passwords (direct sessions, email postoffice, web interactions) is allowed only over a secure channel. This means:

for direct connections, the following are allowed: ssh, scp, sftp, kerberized telnet

for email: IMAP on SSL (port 993)

https (port 443) for Web interactions


All insecure network services are removed. This means:

No telnet or ftp (except anonymous ftp to our central ftp-server)

POP is migrated to IMAPS


In detail...

What has changed for UNIX users:

NIS passwords have been removed; the Kerberos system is now used for password authorization.

4 new commands (please see the man pages): kinit, klist, kdestroy, kpasswd

kinit : grants the right to use network services (login to another computer) by obtaining a Kerberos ticket.

klist : lists the tickets created, e.g.:

Ticket cache: FILE:/tmp/krb5cc_0
Default principal: root@USM.UNI-MUENCHEN.DE

Valid starting Expires Service principal
08/09/02 13:35:14 08/09/02 23:35:14 krbtgt/USM.UNI-MUENCHEN.DE@USM.UNI-MUENCHEN.DE


Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached

Here the user root got a ticket to connect to other computers.

kdestroy : destroys tickets.

kpasswd : changes the user's password.

Hint: If you create a forwardable ticket with kinit -f username, your ssh connections to USM computers will not require a password. Another possibility is to use the kerberized telnet without a password.

Examples:

# kdestroy
# kinit -f
Password for root@USM.UNI-MUENCHEN.DE:
# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: root@USM.UNI-MUENCHEN.DE

Valid starting Expires Service principal
08/12/02 14:02:46 08/13/02 00:02:46 krbtgt/USM.UNI-MUENCHEN.DE@USM.UNI-MUENCHEN.DE


Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
# ssh virgo
Last login: Mon Aug 12 13:58:31 MEST 2002 from eridani.usm.uni-muenchen.de

# logout
Connection to virgo closed.
# telnet -l root virgo
Trying 129.187.204.9...
Connected to virgo.usm.uni-muenchen.de (129.187.204.9).
Escape character is '^]'.
[ Kerberos V5 accepts you as ``root@USM.UNI-MUENCHEN.DE'' ]
Last login: Mon Aug 12 14:02:58 from eridani.usm.uni-muenchen.de

#
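
An added example, not part of the original page: a shell check that reads klist output in the format shown above and succeeds only if the krbtgt ticket has not yet expired, so a script can stop before ssh falls back to asking for a password. The function names and the comparison time are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original page). Assumes klist prints
# MM/DD/YY hh:mm:ss timestamps as in the listings on this page; the
# two-digit year means comparisons only hold within one century.

# Embedded sample input, copied from the klist listing in the Examples.
sample_klist() {
cat <<'EOF'
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: root@USM.UNI-MUENCHEN.DE

Valid starting Expires Service principal
08/12/02 14:02:46 08/13/02 00:02:46 krbtgt/USM.UNI-MUENCHEN.DE@USM.UNI-MUENCHEN.DE

Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
EOF
}

# tgt_valid_at "MM/DD/YY hh:mm:ss": reads klist output on stdin and
# returns 0 only if a krbtgt ticket is listed that expires after that time.
tgt_valid_at() {
    awk -v now="$1" '
        # Turn MM/DD/YY and hh:mm:ss into a sortable YYMMDDhhmmss key.
        function key(dt, tm,    d, t) {
            split(dt, d, "/"); split(tm, t, ":")
            return d[3] d[1] d[2] t[1] t[2] t[3]
        }
        BEGIN { split(now, n, " "); nowkey = key(n[1], n[2]) }
        $5 ~ /^krbtgt\// && key($3, $4) > nowkey { ok = 1 }
        END { exit (ok ? 0 : 1) }
    '
}

# ssh_with_ticket (hypothetical helper): refuse to connect without a
# valid ticket; BatchMode stops ssh from falling back to a password prompt.
ssh_with_ticket() {
    if klist 2>/dev/null | tgt_valid_at "$(date '+%m/%d/%y %H:%M:%S')"; then
        ssh -o BatchMode=yes "$@"
    else
        echo "no valid Kerberos ticket; run kinit -f first" >&2
        return 1
    fi
}

# Demonstration on the sample listing, about an hour after kinit.
if sample_klist | tgt_valid_at "08/12/02 15:00:00"; then
    echo "ticket valid"
fi
```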

What has changed for Windows users:

access to UNIX servers by use of the Windows ssh-client

This client is available from our ftp-server: ftp://ftp.usm.uni-muenchen.de/pub/ssh. It provides the install executable and a license file, which is read in while the program is running (through the help menu).

access to postoffice mail:

Everyone must first contact the admins to have a separate (LDAP) email account created.

Then configure the Windows mail clients to use IMAP on SSL or POP3 on SSL. (Outlook Express, Outlook, Netscape mail and PC-Pine can be configured in this way.) To accept the certificates permanently, please proceed as explained at http://www.usm.uni-muenchen.de/people/rug/kerberos/certi.htm

An alternative way to access the email is the web interface at https://www.usm.uni-muenchen.de/imp/

The required account information is that of the separate email account.

Example: INBOX through WEB interface