Upcoming Switch to ssh Access to Central Systems

D0 will soon be restricting the use of telnet and rlogin on the central analysis machines and replacing them with ssh. ssh (the secure shell) does not relay passwords in clear text as telnet does, and thus eliminates one of the major security holes that can be used to invade the D0 systems.

    This changeover will occur Oct 1, 2000. Be prepared!

Load your new client, if necessary [instructions for NT], test it out, and let us know if you have any problems. Many people already use ssh by default when accessing Linux machines. The only major change you will see is that you will no longer be able to use xstart in Exceed; you will need to launch an ssh client and then launch xterms from it. We have tested various access modes and have had no trouble getting to D0 machines and opening X windows once an appropriate ssh client was available. This note provides instructions for getting one. If you have trouble with these instructions, or have questions about ssh access, please email helpdesk@fnal.gov.

This is the first step in meeting the requirements for Strong Authentication. With ssh in place, there are no other barriers preventing the installation of Strong Authentication, and it will be installed shortly thereafter. At that time telnet and rlogin will be available for authenticated users. An announcement will be made when the installation is completed, and users will be encouraged to take this time to familiarize themselves with and work within the Strengthened Realm before Kerberos principals are absolutely required. We encourage those who are not yet aware of, or have not seen, the documentation for Strong Authentication at Fermilab to read it. It can be found here.

A. Introduction


If you are using Unix, your system almost certainly has ssh already installed. We are using ssh1. If it is not installed (it is the default on Fermi RedHat), get your system administrator to install it. If you are using NT, you will need to install an ssh1 client. You will not be able to use xstart to reach the D0 computers: Exceed sends passwords unencrypted, which is really not a good thing. One machine (d0chb) will be a temporary gateway where telnet access is allowed; ssh will then be required to access D0mino or other D0 machines. This machine, however, will not allow users to authenticate and enter the Strengthened Realm. This is only a TEMPORARY solution for those whose plans do not include replacing an X terminal, or who have offsite machines that will not participate in the Fermilab Strong Authentication realm. Requests for Cryptocards [link not yet working - under construction] should be made if you expect to need X terminal or non-authenticated machine access.
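The policy described above (telnet and rlogin disallowed on central machines, telnet tolerated only on the temporary gateway d0chb) can be checked against connection logs. The following is an added example, not part of the original note or of any D0 tool; the log format, hostnames and sample lines are constructed for illustration.

```python
"""Audit connection logs for cleartext remote-login protocols (telnet, rlogin).
Added example, not from the original note; log format is constructed:
    <timestamp> <client> -> <server>:<port> <action>
Policy from the note: telnet/rlogin disallowed, except telnet to gateway d0chb."""
from collections import Counter
CLEARTEXT_LOGIN_PORTS = {23: "telnet", 513: "rlogin"}  # ports discussed in the note
SSH_PORT = 22
TELNET_GATEWAYS = {"d0chb"}  # temporary exception named in the note

# Constructed sample log lines; client hostnames are illustrative.
SAMPLE_LOG = """\
2000-10-01T08:01:12 pc17.fnal.gov -> d0mino:22 accept
2000-10-01T08:02:40 pc17.fnal.gov -> d0mino:23 accept
2000-10-01T08:03:05 laptop.offsite.edu -> d0chb:23 accept
2000-10-01T08:04:51 ws04.fnal.gov -> d0mino:513 accept
2000-10-01T08:05:33 ws04.fnal.gov -> d0chb:513 accept
garbage line that does not parse
"""

def parse_line(line):
    """Return (timestamp, client, server, port, action), or None if malformed."""
    parts = line.split()
    if len(parts) != 5 or parts[2] != "->":
        return None
    server, sep, port = parts[3].rpartition(":")
    if not sep or not port.isdigit():
        return None
    return parts[0], parts[1], server, int(port), parts[4]

def classify(server, port):
    """'ssh', 'allowed-gateway', 'violation' or 'other' for one connection."""
    if port == SSH_PORT:
        return "ssh"
    if port in CLEARTEXT_LOGIN_PORTS:
        # Only telnet to the gateway is tolerated; rlogin is never allowed.
        if port == 23 and server in TELNET_GATEWAYS:
            return "allowed-gateway"
        return "violation"
    return "other"

def audit(log_text):
    """Return (Counter of classes, list of (client, server, protocol) violations)."""
    counts, violations = Counter(), []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            counts["malformed"] += 1
            continue
        _, client, server, port, _ = rec
        kind = classify(server, port)
        counts[kind] += 1
        if kind == "violation":
            violations.append((client, server, CLEARTEXT_LOGIN_PORTS[port]))
    return counts, violations
```

Running `audit(SAMPLE_LOG)` on the constructed lines reports one ssh session, one tolerated telnet to d0chb, three violations and one unparseable line.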

B. ssh clients for NT

Several freeware ssh clients for NT are available, but most use RSA encryption, which involves patents and license agreements until Sept 20, 2000, when the patent expires. (** EXPIRED EARLY, IGNORE **) I have tested 3 ssh clients on NT: ttssh is available now but a bit tedious to install and configure; putty is easy to install but has fewer features and RSA issues until 9/20; F-Secure is really nice and I will install it when the price comes down. I include instructions on installing ttssh and putty. Once you have one installed, you can ssh to D0 machines and then pop X windows back to your NT/Windows screen just like an xstart.


WWW Server Account

Last modified: Thu Sep 14 14:00 CDT 2000