Original Announcement of SSH-Only Policy
Greetings, Duke Statistics colleague-

I apologize in advance for the length of this note; however, due to the nature of the changes, I feel it necessary to send along as much information as possible.

As of 17:00 EDT on Friday July 16, Duke Statistics will no longer be accessible by telnet, rlogin, rsh, rcp, and authenticated ftp. In order to access your account and transfer data, you will need to use the secure shell (ssh).

This measure is being taken due to the recent root-level compromise of a Duke Statistics machine in which the hacker used the identity of a legitimate Duke Statistics user to carry out the initial attack. The account was compromised since the userid, password, and Duke Statistics machine name were all intercepted off an ACPUB machine by a hacker watching and collecting the plain text authentication from the network. I would also strongly advise people to change their passwords (see the discussion of passwords below) as a result of this latest incident as a precaution.

Please do not view this as a punitive measure but rather a prudent step toward protecting and maintaining the computing environment in the department in the face of certain realities of the current Internet. The majority of hackers do their bidding using the identity of legitimate users (you) to exploit known security problems on either your machine or simply using your account to carry out attacks against other sites for fun, spite, or criminal/political purposes. By providing an encrypted session between the client and server, ssh helps to prevent the all-important first step of identity theft.

I will be putting together some web resources to help ease the transition. http://www.stat.duke.edu/~sto/security/ssh.html will be up and running before the deadline listed above.

The following Questions and Answers should help get you started (and will be on the web page):

Q: Why should I care? I don't have anything of interest.
A: The user is the single most important part in maintaining a healthy and secure network because you, through your actions, effectively determine the security of the _entire_ network. Or as the old saying goes, "a chain is only as strong as its weakest link". Your actions help to prevent: data loss, loss or degradation of departmental computing resources (e.g., machines having to be re-installed or being held by subpoena), or potentially exposing Duke Statistics and/or Duke University to legal action by damaged parties or the FBI (in extreme cases).

Q: If ssh is so great, do I still need a good password?
A: YES! SSH only does so much. UNIX security is predicated on good passwords and common sense. So please don't share your passwords and change them every 3 to 6 months. And probably the most important thing you can do is to have a different password for each system (Duke Statistics, ACPUB, etc.) that you have access to.

A good password should be: easy to type, easy to remember for you, hard to guess or crack. It should be 6 to 8 characters long and contain at least two non-alphabetical characters, unusual capitalization, misspellings, characters/symbols, etc.

    horrible password: hotdog
    better password:   H0t!daWg

Alternatively, you can use a phrase to generate a password:

    I Love To Eat Hotdogs Everyday.
    iltehe -> Il2e!E

Q: How do I change my password?
A: Use the yppasswd command on any Duke Statistics Unix machine. Preferably, run this command only on the console or from a direct ssh connection (i.e., telnetting to godzilla.acpub and then ssh'ing to the department is NOT secure).

Q: Where do I get ssh?
A: Unix source code is available for download from numerous sites; see the canonical site, ftp://ftp.cs.hut.fi/pub/ssh. SSH is available on all of the Duke Statistics and ACPUB Unix machines (and all well-administered/supported machines on campus). If the machine you are using does not have ssh, you should consider the machine abandoned and not safe to use.

For Win32 machines (Win95, WinNT, Win98):

    1) teraterm + ttssh
       teraterm> http://hp.vector.co.jp/authors/VA002416/teraterm.html
       ttssh> http://www.zip.com.au/~roca/ttssh.html
    3) SecureCRT, available for $20.00 through OIT site license
       http://www.oit.duke.edu/site/html/body_secure_crt.html
    4) F-secure for Windows by Datafellows (commercial)
       http://www.datafellows.com/products/cryptography/f-sshtt.htm

Macintosh:

    1) NiftyTelnet
       http://www.lysator.liu.se/~jonasw/freeware.html
    2) F-secure for Macintosh (commercial)
       http://www.datafellows.com/products/cryptography/f-sshtt.htm

For a more complete listing: http://www.employees.org/~satch/ssh/faq/ssh-faq-3.html#ss3.8

Q: Where can I get more information on SSH?
A: I recommend the SSH FAQ page, http://www.employees.org/~satch/ssh/faq/ and http://www.ssh.org/

Q: How do I use ssh to transfer files?
A: If you are using Unix, there are two options:

    1) Use scp:

       scp myfile isdsmachine:        (put myfile in your isds home directory)
       scp myfile isdsmachine:dir1    (put myfile into directory dir1)
       scp isdsmachine:myfile .       (copy myfile from your isds account)
       scp -r isdsmachine:mydir .     (copy directory from your isds account)

    2) Take advantage of the ability of ssh to do port forwarding:

       ssh -L 4444:localhost:21 isdsmachine
       ftp localhost 4444

If you are using ttssh, there are two options:

    1) Set up port forwarding and use your favorite Windows ftp client. See the SecureFTP discussion at http://www.aas.duke.edu/comp/documentation/config/ttssh.html
    2) Use the zmodem protocol under the file transfer (untested).

If you are using niftytelnet for Macintosh, it includes the scp functionality.

Q: How do I connect if my userid is different on the remote system?
A:

    ssh -l remotename remotehost
    scp remotename@remotehost:file .

Q: What if I am off in the "boonies" without ssh?
A: The useful parts of ttssh (for Win32 platforms) will fit on a 1.44MB floppy. The clients for Macintosh, Win32 and Unix are freely available for download all over the planet.
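
Added example, not part of the original announcement: one way an administrator could confirm that the services the announcement turns off (telnet, rlogin, rsh, rcp, ftp) are really disabled on a host. It assumes the services are started from a classic inetd.conf, which the announcement does not say; the sample configuration and function names are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the announcement): report cleartext-login
# services still enabled in inetd.conf-style text read from stdin.
# Assumption: classic inetd.conf layout, service name in field 1,
# '#' at the start of a line disables the entry.

# inetd service names for the protocols the announcement turns off:
#   telnet -> telnet, rlogin -> login, rsh and rcp -> shell, ftp -> ftp
# ftp is flagged whenever the daemon is enabled; this check cannot tell
# anonymous-only ftp from authenticated ftp.
CLEARTEXT_SERVICES="telnet login shell ftp"

# Print each enabled cleartext service once, in file order.
enabled_cleartext() {
    awk -v list="$CLEARTEXT_SERVICES" '
        BEGIN { n = split(list, names, " ")
                for (i = 1; i <= n; i++) bad[names[i]] = 1 }
        /^[ \t]*#/ { next }    # commented out: service is disabled
        NF < 6     { next }    # blank or incomplete line
        ($1 in bad) && !seen[$1]++ { print $1 }
    '
}

# Exit status 0 when none are enabled, 1 otherwise.
audit() {
    found=$(enabled_cleartext)
    if [ -n "$found" ]; then
        echo "still enabled:" $found
        return 1
    fi
    echo "no cleartext login services enabled"
}

# Constructed sample configuration, not taken from any real host.
sample_conf() {
    cat <<'EOF'
# service socktype proto flags user server args
ftp     stream tcp nowait root /usr/sbin/in.ftpd     in.ftpd -l
#telnet stream tcp nowait root /usr/sbin/in.telnetd  in.telnetd
shell   stream tcp nowait root /usr/sbin/in.rshd     in.rshd
#login  stream tcp nowait root /usr/sbin/in.rlogind  in.rlogind
time    stream tcp nowait root internal
EOF
}

sample_conf | audit || true
```

On a real host the same functions can be fed the live file, for example `audit < /etc/inetd.conf`, where that path is in use.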