Computer Science Technical Database
By placing lists of remote hosts and remote users in a file called .rhosts in your home directory, you can avoid having to type in your password when connecting from that account on the remote machine. For example, the following entry

    somewhere.foobar.com joe

would allow someone logged in as joe on the machine somewhere.foobar.com to log into your account without entering a password using the rlogin or rsh protocols.
UNIX machines in York CS are configured to allow rsh and rlogin access from other machines in their respective network. You do not need to add them to your .rhosts file.
Think very carefully before you add a machine outside the department
to your .rhosts file. It is possible to spoof a remote machine's IP
address under some circumstances and thus gain access.
Never put a wildcard ("+") in your .rhosts file as either the
host or the user. The "+ +" entry means that anybody from
anywhere can access your account without entering a password.
Even only putting a wildcard in one of the fields makes your account
extremely vulnerable.
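An added example (not part of the original page): a small Python check that flags the .rhosts entries warned about above, namely wildcards in either field and hosts outside the department. The department domain .cs.example.edu, the function name audit_rhosts, the treatment of "#" lines as comments and the sample entries are assumptions constructed for illustration.

```python
"""Audit .rhosts content for wildcard and out-of-department entries."""

# Assumption: placeholder for the department's own domain; not from the page.
TRUSTED_SUFFIX = ".cs.example.edu"

# Constructed sample input; only the foobar.com line mirrors the page's example.
SAMPLE = """\
# constructed sample .rhosts
lab1.cs.example.edu
somewhere.foobar.com joe
+ joe
lab2.cs.example.edu +
+ +
"""


def audit_rhosts(text, trusted_suffix=TRUSTED_SUFFIX):
    """Return (line_number, entry, finding) tuples for each risky entry."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        # Assumption: blank lines and lines starting with '#' carry no entry.
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        host = fields[0]
        # The user field is optional; None means no remote user was named.
        user = fields[1] if len(fields) > 1 else None
        if host == "+" and user == "+":
            findings.append((lineno, line, "anyone from anywhere"))
        elif host == "+":
            findings.append((lineno, line, "wildcard host"))
        elif user == "+":
            findings.append((lineno, line, "wildcard user"))
        elif not host.lower().endswith(trusted_suffix):
            findings.append((lineno, line, "host outside department"))
    return findings


if __name__ == "__main__":
    for lineno, entry, finding in audit_rhosts(SAMPLE):
        print(f"line {lineno}: {entry!r}: {finding}")
```

To check a real file, pass its contents to audit_rhosts() with trusted_suffix set to your own department's domain.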
System security need not be about protecting valuable data.
Attempts are made on a regular basis to gain unauthorized access to
Computer Science machines or to probe for vulnerabilities on our
servers. In our case, the lure is not something on our system, but
our resources which can then be used to attack other systems.
For Computer Science, the goal of system security is not so much to
prevent the acquisition of data, but to ensure the availability of
services for people to use and to do their work. Unauthorized use
can cause system outages due to destructive behaviour or the potential
for damage. We also need to ensure that the resources are available to
those who are meant to make use of them. We also need to protect the
privacy of users on the system.
Any computer network is inherently a shared environment. Being a
user of this environment means that you are given a certain amount
of trust. Although a goal of such an environment is to protect
against unauthorized use as much as possible, it is almost always
the case that an intruder can do more harm with access to an account
on the system than without. The Computer Science networks are no
exception to this case.
Even if you are willing to take the security risks associated with
some uses of your account, it is not necessarily acceptable to do so.
When you make your own account vulnerable, you make the accounts and data
of others vulnerable as well. Because of this, you may be asked to
change your account setup if it poses a threat to the security of the
system, or even a threat to just your own account.
Every effort will be made to accommodate the needs of users and ensure
that they can do their work in a safe environment.
The preferred protocol for connecting to the department from your home
ISP or from another remote computer is SSH or Secure Shell.
This protocol provides for the encryption of traffic in transit making it
very difficult (and in most cases, nigh impossible) for a third party
to snoop or listen in.
We operate ssh servers on our time-sharing servers.
SSH clients must be used to access the Computer Science time-sharing servers
from outside the department. Telnet and rlogin protocols may not be
used when connecting to departmental machines from outside the department.
Local users (i.e. computers within the department) can still use
telnet, rlogin, rsh, and similar protocols.
There are freely available ssh clients for Unix, Windows and Macintosh.
An online list of these clients is available at
http://www.freessh.org. The clients we
recommend are:
The Java SSH Applet is provided as a convenience when accessing the
department's computers from remote machines which do not have
readily available SSH support, but do have a Java-enabled web browser.
You can get a copy of the applet (including the source code) on
the Java Telnet App Site.
Account Security Basics
Some basic tips for account security:
Security - Why?
SSH Support
Java SSH Applet Notes