Computing Facilities, Carnegie Mellon School of Computer Science, Carnegie Mellon University

Using FTP securely in SCS

Because regular FTP sends unencrypted passwords over the network, it is possible for a malicious eavesdropper to discover your password when you use FTP. To help minimize the risk, the FTP servers on Facilitized Unix hosts accept special Kerberos instance passwords instead of your main Kerberos password.

To use this feature with our FTP servers, you will need to perform the following steps:

  1. Create a Kerberos ftp instance and associated password for yourself
  2. Add your Kerberos ftp instance to the AFS ACLs of any directories that you wish to access with FTP

Once you have performed those steps, you can use FTP as follows:

  1. Use your FTP client to connect to the host that you wish to transfer files to/from.
  2. Type your SCS Kerberos username when it asks you for your name. For example, "bovik" if your username is bovik (do not use "bovik/ftp" or "bovik.ftp").
  3. Give your ftp instance password when it asks you for your password.

1. Create a Kerberos ftp instance and password

You can use the Jeeves service to create Kerberos instances. To do so, telnet to jeeves.srv.cs.cmu.edu with an encrypting telnet, select "Perform Kerberos related operation" from the menu, and then create a your_username.ftp Kerberos principal. You will be prompted for a password. Detailed example.

Important: the password you choose should be different from your main SCS Kerberos password.

2. Add your ftp instance to AFS ACLs

Once you have created your ftp instance with Jeeves, you can add it to AFS ACLs using the fs command from any Facilitized Unix machine (such as your UX maildrop host). To minimize the risk of the password being snooped and misused, you should not add this instance to the ACL of your top-level AFS directory.

Your username.ftp instance is added to AFS ACLs just like any other AFS identity. For example, the following command would add the instance "bovik.ftp" to the directory /afs/cs/user/bovik/ftp:

   fs sa /afs/cs/user/bovik/ftp bovik.ftp rlidwk

and would give bovik.ftp all rights except administration rights (the right to set ACLs) on that directory.
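The following is an added example, not part of the SCS documentation or the AFS tools: it parses `fs listacl` (`fs la`) output and checks the two rules above, that the ftp instance never holds the administer (a) right and that it is not on your top-level home directory. The sample ACL output and the entries in it are constructed to resemble `fs la` output, not captured from a host.

```python
# Added example (not SCS documentation code): audit `fs listacl` output for a
# Kerberos ftp instance against the two rules the page gives. The sample
# output below is constructed to resemble `fs la`, not captured from a host.


def parse_listacl(text):
    """Return (directory, {entry: set(rights)}) from the Normal rights section.

    Negative rights entries are skipped: they restrict rather than grant.
    """
    directory, normal, in_normal = None, {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Access list for "):
            directory = line[len("Access list for "):].removesuffix(" is")
        elif line == "Normal rights:":
            in_normal = True
        elif line == "Negative rights:":
            in_normal = False
        elif in_normal and line:
            entry, rights = line.split()
            normal[entry] = set(rights)
    return directory, normal


def audit_ftp_instance(text, instance, home_dir):
    """Return findings (empty when the ACL follows the page's advice)."""
    directory, acl = parse_listacl(text)
    rights = acl.get(instance)  # letters: r l i d w k a = read lookup insert
    if rights is None:          #          delete write lock administer
        return []
    findings = []
    if directory == home_dir:
        findings.append(f"{instance} is on the top-level home directory {directory}")
    if "a" in rights:
        findings.append(f"{instance} can set ACLs on {directory} (administer right)")
    return findings


# Constructed sample of what `fs la /afs/cs/user/bovik/ftp` would show after
# the page's `fs sa ... bovik.ftp rlidwk` command.
SAMPLE_FTP_DIR = """Access list for /afs/cs/user/bovik/ftp is
Normal rights:
  system:administrators rlidwka
  bovik rlidwka
  bovik.ftp rlidwk
Negative rights:
  system:anyuser rl
"""
```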

Additional security considerations

Your FTP instance password can only be used for FTP. It cannot be used to log in to hosts that you have an account on unless it is the same as your main Kerberos password (which is why it's important that the passwords are different). However, when used for FTP it can be used to read and write files in local directories with the same privileges that you would have on those local directories and files. As a result, there are some security issues with using FTP instance passwords if your home directory is not in AFS.

A more secure alternative to using FTP with FTP instance passwords would be to use SSH and either use scp or use SSH tunneling with FTP.