Encryption & password security
Whenever you use the SCS network, you should assume that somebody could be eavesdropping on the packet data that you are sending. For that reason, whenever you send sensitive data, such as passwords, over the network, you should use some form of encryption to hide it. The following types of connections are usually already encrypted:
- Kerberized telnet connections
- SSH connections
The following types of connections are not encrypted:
- Ordinary (non-Kerberized) telnet connections
- Ordinary (non-Kerberized) POP3 connections
- Ordinary (non-Kerberized) IMAP connections
- Ordinary (non-Kerberized) FTP connections
- X11 traffic
- AFS traffic
It is strongly recommended that people do not use any non-encrypting telnet client. We have replaced all such clients on Facilitized Unix hosts with Kerberized versions. It is also recommended that you do not use ordinary FTP, but instead use scp (which is part of SSH) to transfer files.
If you do use ordinary FTP to transfer files, or use a POP3 client to read e-mail, you can take the following steps to reduce the security risks:
- Use Kerberos instance passwords, instead of your main Kerberos password. While doing so will not prevent passwords from being sniffed, it will limit your risk if they are sniffed, since your .ftp and .mail instance passwords cannot be used to log in to your account. On Facilitized Unix hosts, the POP3 and FTP servers will only accept the appropriate Kerberos instance passwords, not your main Kerberos password.
- Use Kerberized applications. The POP servers on Facilitized Unix hosts can use Kerberized POP to authenticate, and some clients (MH on Facilitized Unix hosts, for example) support Kerberos.
- Use SSH tunneling to encrypt communications between your machine and the server.
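
One way to set up the SSH tunneling step for POP3 and IMAP, shown as an added example that is not part of the original page: an entry for the OpenSSH client configuration file (~/.ssh/config). The alias scs-mail, the host name and the login are placeholders, and the entry assumes the mail server itself accepts SSH logins.

```sshconfig
# Added example. "scs-mail", mailhost.example.edu and yourlogin are
# placeholders; use the host that runs both sshd and the POP3/IMAP server.
Host scs-mail
    HostName mailhost.example.edu
    User yourlogin

    # Local port 1110 -> POP3 (110) on the server,
    # local port 1143 -> IMAP (143) on the server.
    # "localhost" is resolved on the server side, so the cleartext
    # protocol only travels inside the SSH connection and never crosses
    # the network unencrypted.
    LocalForward 127.0.0.1:1110 localhost:110
    LocalForward 127.0.0.1:1143 localhost:143

    # Exit instead of staying connected without the forwards, for
    # example when a local port is already in use. Otherwise a mail
    # client could silently fall back to a direct cleartext connection.
    ExitOnForwardFailure yes

    # Keep the forwarded ports bound to the loopback interface so that
    # other machines cannot connect through your tunnel.
    GatewayPorts no
```

Start the tunnel with `ssh -N scs-mail`, then point the mail client at localhost port 1110 (POP3) or 1143 (IMAP) instead of the server's name. If the forward target is a different machine from the SSH server, the hop between those two machines is still unencrypted.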

