Computing Guide
9. Security Issues


In light of the increasing number of security incidents at Stanford, we at the Department have established a new set of guidelines to minimize such intrusions in the future.

Many have asked me what normal activities of a typical user might make our system vulnerable. The answer is quite simple. Any program that asks for your password is a potential vulnerability. However, those that do so without encrypting both ends of the connection are egregiously so. Currently, the programs that are big risks are: ftp, rlogin and telnet. All these programs send passwords out in the clear, where they can be "sniffed" by a hacker.

After our first breakin in summer 1998, we implemented some measures: security software was installed on our machines, there is a sunset period for visitor accounts, all accounts have to be sponsored etc. The accounts are cleaned up every quarter. The first round of cleanups occurred at the end of Summer 1998.

Starting Wednesday December 16, 1998, we will take the next steps:

Disable remote telnet and rlogin

Please note the word remote. This only applies to logins over the network---it does not affect how you work in your office or our terminal rooms unless you use telnet and rlogin in your office. (Most people are directly hooked into our department server.)

Remote access will only be allowed via Kerberos or SSH. The former is the recommended Stanford solution. This means that people who log in remotely, either from home or other places, will have to do things a bit differently.

PC and Mac users anywhere should install PC-Leland and Mac-Leland software respectively on their home computers and laptops. If you want to telnet into our department machines, you must also install a kerberized version of telnet called PC-Samson, or Mac-Samson. Installing these programs on your home computers is simple and they are available from the PC-Stanford and MacStanford pages. Please also take a look at the Kerberos page mentioned above.

Unix machines on campus or campus residences should install Kerberos kits. If you live in one of the dorms, the computer guru there should be able to help you get it set up.

Please note that all the software kits mentioned above are meant for the use of the Stanford Community. Installing them indiscriminately on machines that you don't control will compromise security. Besides, due to export restrictions, you might actually be violating the law if the machine on which you installed the software leaves the United States. So please watch out.

I discuss the procedures for doing remote operations in detail below.

Disable ftp

We will disable all ftp access into department machines. Please note that you should be able to ftp to machines outside if the machines permit. However, I strictly discourage even that, unless the connection is made anonymously. Again, I provide solutions that make ftp completely unnecessary in the section Security Issues.

The Leland machines will begin disallowing FTP accesses after December 31, 1998! To aid in file transfers, they have created a dedicated machine for transferring files called transfer.stanford.edu. It is hoped that by restricting ftp traffic to one machine, intrusions can be easily detected and plugged. Please read the latest information on changes to the Leland system at Computing Changes News.

A plain paper copy is posted on the department bulletin board.

You can expect further changes as we continue to improve our security, including a move to the Stanford SRP Authentication Project system.

For an overview on Kerberos see Tim Torgenrud's page or the Distributed Computing Consulting page.

9.1 Your First Preparatory Step

You must have a SUNet (a.k.a "Leland") account. Once you do, you need to do the following preparatory steps once and only once. If you are not sure that you have done this before, go ahead and do it anyway---it is harmless. In the example below, I will assume that your userid on our system is joe and your SUNet userid is gijoe. This assumption will help since a number of our users have a department userid different from their SUNet userid. For example, trevor@stat versus hastie@leland.

  1. Make sure your home directory is accessible to everybody.

    rgmiller %1 cd ~
    rgmiller %2 ls -ld .
    drwxr-xr-x  91 joe  joe  4608 Dec 10 15:13 ./

    The important thing is the permissions: drwxr-xr-x. They should be as shown unless you have changed them in some way. If they are anything else, change them via chmod 755 ~.
  2. Create a file named .klogin in your home directory with your SUNet userid as follows:

    rgmiller %3 echo "gijoe@IR.STANFORD.EDU" > ~/.klogin

Note caps as shown and that you need to use your SUNet userid.

You are now ready to take advantage of the Kerberos infrastructure at Stanford.

Kerberos works using time-constrained tickets to grant you privileges to log into kerberized machines. There are several advantages to using Kerberos.

Convenience

By constraining the tickets to certain time intervals, you get privileges that typically last about 10 hours. During the time period when you possess a valid ticket, you need not type in your password to gain access to the system. The system will automatically check your credentials and let you in if they are acceptable.

Security

All kerberos transactions are encrypted, so that sniffers on a network cannot get at your password. Furthermore, since you don't have to type your password to log in while you hold a valid ticket, you will be challenged for your password fewer times, which means that the likelihood of your password being intercepted is lower.

Access to AFS

Kerberos credentials will allow you to access your Leland Systems directories and files transparently, without having to log into the Leland machines. See section Accessing your Leland files for more information.

Obtaining Kerberos tickets
There are several ways to obtain kerberos tickets which, as mentioned before, are valid for 10 hours.

  1. If you logged into a Leland Systems machine, you will already possess a ticket.
  2. If you used PC-Leland or Mac-Leland from anywhere, you will already possess a ticket.
  3. If you are one of those fortunate to have your SUNet userid the same as the departmental userid, then if you logged into rgmiller with your userid and SUNet password, you will already possess a ticket. I am working on solutions to handle the other cases as well.
  4. You can obtain a ticket on unix machines via
    rgmiller %1> kinit gijoe
    which will demand your SUNet password. Please note the use of your SUNet userid; it may be omitted if your SUNet userid is the same as the userid on rgmiller.

Checking your Kerberos tickets

The command klist will list your kerberos tickets.

rgmiller %2> klist
Ticket file:    /tmp/tkt500
Principal:      naras@IR.STANFORD.EDU

Issued           Expires          Principal
Dec 14 16:29:46  Dec 15 17:56:07  
                         krbtgt.IR.STANFORD.EDU@IR.STANFORD.EDU
Dec 14 16:29:49  Dec 15 17:56:10  rcmd.rgmiller@IR.STANFORD.EDU 
If you don't have any tickets, the output resembles the following:

Ticket file:    /tmp/tkt500
klist: Can't access ticket file (tf_util)

This means you should obtain a fresh set of credentials via kinit as shown above to avail yourself of Kerberos.

All sections below assume that you have a valid ticket (see section Checking your Kerberos tickets) and that you have executed the preparatory step in section Your First Preparatory Step.

9.2 Logging in using Kerberos
Remote logins are accomplished via the klogin command. The general form of the command is:

klogin -l <your userid on host.stanford.edu> host.stanford.edu

Several examples follow.

Logging into RGMiller from another Unix machine
SUNet user gijoe wants to log into rgmiller, where his userid is joe.

tree0 > klogin -l joe rgmiller.stanford.edu

The host rgmiller will not ask for a password since gijoe has a valid set of credentials. Repeated logins are possible as long as your tickets are valid.

Logging into Leland machines from RGMiller
Department user joe wants to log into Leland machines (actually, any machine on the Stanford network that is kerberized), where his userid is gijoe.

rgmiller > klogin -l gijoe tree.stanford.edu

Again there will not be a challenge for the password, and repeated logins are possible as long as tickets are valid.

9.3 Logging out of a Kerberos session
Logging out is accomplished by the usual means: using the exit command or the logout command. However, if you think that you are done for the day and you will not be logging into other machines anymore, please destroy any tickets you possess. This is done via

rgmiller > kdestroy
Tickets destroyed.

9.4 Accessing your Leland files transparently
With valid kerberos tickets, you can access your files on Leland systems without having to log into those machines.

  1. Use the klog command. If your userid is the same on SUNet, you can just type klog at the shell prompt. Otherwise, use klog <your-sunet-id>. You will be prompted for your password.
  2. Change to the appropriate directory which is typically something like /afs/ir.stanford.edu/users/g/i/gijoe for SUNet user gijoe. The naming scheme on Leland, currently at least, seems to use the first two letters of the SUNet userid after the word users.

Now you can do all the normal things in the directory like delete files, create files, copy files from one directory to another without switching systems.

9.5 PC-Leland and PC-Samson
This section is for those who use Windows machines to connect to SUNet, either from home or at work.

PC-Leland is the equivalent of kinit discussed in the section on Obtaining Kerberos Tickets. It is used for obtaining kerberos tickets.

PC-Samson is the equivalent of a telnet client, except that it uses encryption at both ends of the connection. It is used for logging into machines.

Both programs may be obtained from the PC-Stanford Home Page. The installation of these programs is very straightforward. I'd recommend that you install PC-Leland first, followed by PC-Samson. Pay careful attention to the question that asks you whether you are always connected to the network; answer no if you have a laptop or you dial in from home. These programs are essential if you want to connect to our department machines. Indeed, they are becoming necessary to connect to many Stanford University services.

Using PC-Samson
To use PC-Samson correctly to log into our department machines, you must have executed the preparatory step mentioned in section Your First Preparatory Step.

You also need to make sure you have Samson 1.1 or later.

  1. Make sure PC-Leland was started when you restarted the machine by looking for the Stanford Icon in the status bar usually located at the bottom right.
  2. On Windows 95/98 or NT, invoke Samson for Windows via Start -> Programs -> Samson.
  3. From the file menu, open a new telnet session and type in rgmiller.stanford.edu for the host.
  4. If you had installed everything correctly, you should now get a dialog box asking you for your SUNet userid and password. Enter the information requested and make sure that the PC-Leland icon now shows a doubly directed arrow like <---->.
  5. At this point, those lucky users whose SUNet userid is the same as that on our systems will be in operation. However, do continue reading these instructions because you might want to set some additional preferences like the terminal. The default setup uses a terminal called Samson that rgmiller doesn't know about. Something like vt100 is better. Others, whose SUNet userid is different from our department userid, will be unsuccessful in their login session. Not to worry; a preparatory step has to be done exactly once. Don't log in yet, because if you do so you will have an unencrypted session. Go to the Options menu and choose Sessions. Enter your user name on rgmiller.stanford.edu in the appropriate box. Also choose your terminal emulation to be vt100. Then use the File menu to save the session, say as rgmiller.ini.
  6. Close the session that you already have open, and now use the File menu to Open session. Choose rgmiller and you should be in business.

From this point onwards, you can always fire up Samson, use the File menu to choose Open Session and select rgmiller.ini to log into rgmiller.

One important thing to remember is that you always specify your SUNet userid and password to PC-Leland.

More on PC-Leland

  1. You can check the status of your tickets by double clicking on the PC-Leland icon.
  2. Using your right mouse button on the PC-Leland icon will give you many options, including one that you can use to destroy tickets. This is a good idea if you are using a computer in a public cluster or lab.
  3. Note that you can log into Leland machines directly without having to create a saved session. This is because, after all, your SUNet userid is the same as your Leland Systems userid.

9.6 Mac-Leland and Mac-Samson
What can I say, except to add that the Mac-Samson, Mac-Leland combination is far easier to configure than the PC-version.

Mac-Leland is the equivalent of kinit discussed in the section on Obtaining Kerberos Tickets. It is used for obtaining kerberos tickets.

Mac-Samson is the equivalent of a telnet client, except that it uses encryption at both ends of the connection. It is used for logging into machines.

Both programs may be obtained from the Mac-Stanford Home Page. The installation of these programs is very straightforward. I'd recommend that you install Mac-Leland first, followed by Mac-Samson. I don't remember if Mac-Leland asks you whether you are always connected to the network; if it does, be sure to answer no if you have a laptop or dial in from home.

Using Mac-Samson
To use Mac-Samson correctly to log into our department machines, you must have executed the preparatory step mentioned in section Your First Preparatory Step.

You also need to make sure you have Samson 1.1 or later.

  1. Make sure Mac-Leland was started when you restarted the machine by looking for the Stanford Icon in the status bar usually located at the top right.
  2. Invoke Mac-Samson.
  3. From the file menu, open a new telnet session and type in rgmiller.stanford.edu for the host. You should also type in your rgmiller userid in the appropriate space especially if it is different from your SUNet userid. At this point, click on the Options menu, check your settings and save it (rgmiller is an appropriate name) so that you don't have to repeat this process.
  4. If you had installed everything correctly, you should now get a dialog box asking you for your SUNet userid and password. Enter the information requested and make sure that the Mac-Leland icon now shows a doubly directed arrow like <---->. Then you will find yourself logged in directly into rgmiller.

From this point onwards, you can always open the rgmiller session to get in once you have a kerberos ticket from Mac-Leland.

More on Mac-Leland

  1. You can check the status of your tickets by clicking on the Mac-Leland icon.
  2. Please destroy your tickets once you have no need for them. This is a good idea if you are using a computer in a public cluster or lab.
  3. Mac-Leland will let you mount your Leland Systems home directory on your desktop making ftp superfluous! To do this click on the Mac-Leland icon and choose Mount Home Folder.
  4. Note that you can log into Leland machines directly without having to create a saved session. This is because, after all, your SUNet userid is the same as your Leland Systems userid.

9.7 Running a Secure X emulator on a PC
The only current way I know of is to use SSH. See the section Running X securely using TTSSH. A less optimal solution is presented in the next section.

9.8 Running Exceed with PC-Leland and PC-Samson
Exceed is an X server that makes your PC work like an X terminal. It is possible to run a somewhat secure X session with Exceed in combination with PC-Leland and PC-Samson. The solution described here will only prevent password capture, but is still full of pitfalls. For example, if you throw up an xterm, anything you type in that xterm can be captured. So it is unwise to try to log into other machines from such an xterm. So be sure to understand that the best solution is really what is described in section Running X securely using TTSSH.

I will assume throughout that you know how to use PC-Leland and PC-Samson as outlined in section Using PC-Samson.

Preparatory Step
I will assume that your pc is named yourpc.stanford.edu just for the examples below.

  1. Configure your Exceed X server to use the xauth (aka MIT-MAGIC-COOKIE-1) authorization. To do this, you will have to use the Xconfig program that comes with Exceed. This is typically accessed via Start -> Programs -> Exceed -> Xconfig. Click on Security and make sure that the host access control list is Enabled (no host access). Also select Enable User Access Control List. The File name corresponding to the latter can be changed or left as xauth, which is the default. However, it must be in a directory to which you can write, especially on Windows NT. I will assume that to be the case. Click Ok and close the dialog.
  2. Use PC-Samson to log into your host, say rgmiller.stanford.edu and execute the following command.

    rgmiller %1 xauth extract - yourpc.stanford.edu:0 > xauth

    Note how the display number :0 has to be specified. Make sure that the file xauth is not empty, it should contain some binary data. If the file is nonempty, skip the next step.

  3. You should execute this step only if the xauth file above is empty. In other words, you have to generate a cookie yourself. Execute the following commands.

    rgmiller %2 generate-xauth yourpc.stanford.edu:0
    rgmiller %3 xauth extract - yourpc.stanford.edu:0 > xauth

    The command generate-xauth is a simple script that generates a cookie. A simple script like
    #!/bin/sh
    # Usage: generate-xauth yourpc.stanford.edu:0
    # Builds a 20-hex-digit cookie from four random 16-bit values and adds it for the given display.
    RANDOMKEY=`perl -e 'for (1..4) { srand(time+$$+$seed); printf("%4.5x", ($seed = int(rand(65536)))); } print "\n";'`
    xauth add $1 . $RANDOMKEY
    is sufficient.
  4. Now transfer the file created above, xauth, to your pc in any convenient way and save it in the location you specified for Exceed; see Preparatory Step.
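Steps 2 and 3 above combined into one script, as an added example that is not the guide's generate-xauth script: it exports the cookie for a display and, when the host has none yet, first adds a freshly generated one. It assumes a Unix host with xauth, /dev/urandom and POSIX od/tr; the display name yourpc.stanford.edu:0 and the file name xauth follow the guide, and the cookie is 16 random bytes (the 128-bit size standard for MIT-MAGIC-COOKIE-1) rather than the 20 hex digits the perl one-liner derives from the time and process id.

```shell
#!/bin/sh
# Added example (not the guide's script): export the MIT-MAGIC-COOKIE-1
# entry for a display, creating a 128-bit cookie when none exists.
# Assumes /dev/urandom and POSIX od/tr on the host.

# Print 32 hex digits (16 random bytes) from the kernel's random source.
gen_cookie() {
    od -An -N16 -tx1 /dev/urandom | tr -d ' \n'
}

# Return 0 if $1 is exactly 32 lowercase hex digits (what xauth expects
# after the "." protocol shorthand), 1 otherwise.
valid_cookie() {
    [ "${#1}" -eq 32 ] || return 1
    [ -z "$(printf '%s' "$1" | tr -d '0-9a-f')" ]
}

# Export the cookie for display $1 (e.g. yourpc.stanford.edu:0) into
# file $2. If xauth has no entry for the display yet, add one first.
export_cookie() {
    display=$1; out=$2
    command -v xauth >/dev/null 2>&1 || { echo "xauth not found" >&2; return 1; }
    xauth extract - "$display" > "$out" 2>/dev/null
    if [ ! -s "$out" ]; then
        cookie=$(gen_cookie)
        valid_cookie "$cookie" || { echo "cookie generation failed" >&2; return 1; }
        xauth add "$display" . "$cookie" || return 1
        xauth extract - "$display" > "$out"
    fi
    chmod 600 "$out"      # whoever reads this file can connect to your X server
    [ -s "$out" ]
}
```

Run it as `export_cookie yourpc.stanford.edu:0 xauth` and then transfer the resulting file to the PC as step 4 describes.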

Running X clients
You are now ready for business.

  1. Fire up your Exceed X server on your PC. This step can be automated every time you log into your PC as I show below.
  2. Use PC-Samson to login into your target machine, say, rgmiller.stanford.edu, execute your command (could be xterm or emacs or netscape).
    rgmiller %3 xterm -display yourpc.stanford.edu:0 &
    rgmiller %y emacs -display yourpc.stanford.edu:0 -bg white -fg black &

Below I also show how, with some additional work, shortcuts can be created so that only a double click is needed to do this.

Making your Exceed X server start automatically
You can make your Exceed X server start up automatically when you start your machine, or in Windows NT, when you log in. Choose Start -> Settings -> Taskbar to invoke the taskbar. Choose the Start Menu Programs tab. Click on Add. When it asks you for the name of a command, use the browse button to choose the Exceed X server. Mine is in the directory Program Files/exceed.nt with a prominent X icon in front of it. Click the Next button and choose the Startup folder. Finish up and dismiss the whole dialog.

From now on when you log in (Windows NT) or restart windows, the Exceed X server will be automatically started. This assumes that you did not muck around with the X settings to listen to XDMCP broadcasts or any such thing. (It should be in the "passive mode" which seems to be the default for Exceed).

Creating shortcuts for xterm, Emacs, etc.
By creating PC-Samson scripts, one can create icons on which you can double click to launch your favorite X application. Here is my xterm script for example.

; Script for launching Xterm
;
; This script connects to the specified host over SUNet and launches
; an xterm. It is assumed that you have started an X server on your
; PC.
; A frequent problem is that your userid on the host machine might
; differ from your Leland id. In which case, you need to have
; the file telnet.ini in Samson/sessions directory to include a line
; UserName=your-userid on the host you want to log into.
telnet rgmiller.stanford.edu
set parity none
set backspace delete
connect
send "xterm -display naras-pc.stanford.edu:0 &\n"
send "exit\n"
end

As you can imagine you can create a number of such scripts, one for Emacs, one for netscape, and so on. For your convenience, I include a link to this file so that you can hack it to your convenience.

  • The xterm script. You should save this file as something with the extension .sam, say xterm.sam. Script files in Samson usually reside in Program Files/Samson/scripts/. You can then make a shortcut to your desktop with this script.
  • The initialization file. This file is only necessary if you have a SUNet userid different from the userid on the machine you are logging into. Basically, it is the original file that comes with the PC-Samson distribution, except that I have added my terminal preferences and a UserName line for the benefit of others. The line has my userid naras which you should edit to your userid on rgmiller.stanford.edu. The location for this file on my machine is Program Files/Samson/sessions.

9.9 Secure Shell
Secure Shell Software (SSH) allows you to obtain encrypted sessions over insecure communication channels. Using SSH, one can get a secure encrypted channel for logging in, file transfers, etc. There is a program called scp that can completely replace ftp. Even better, there is a program called rsync that can 1) transfer only file differences, 2) transfer multiple files/directories with include and exclude options resembling those of GNU tar, 3) do compression on the fly, 4) support encrypted transfers using SSH or Kerberos.

Please remember that we have SSH software installed only for convenience. Besides, unless some Stanford distribution channel becomes available, one would have to assume that the SSH software available is trustworthy. It is a bad idea to blindly install any software that claims to be SSH compatible without having some assurance that it is so. Also remember that there are export restrictions on encryption that might make it illegal for you to carry such software outside USA. If you are abroad, it is best to ask the system administrator of the remote system for help.

To use SSH, you only need to install client software which is available from SSH Download Page. Unix versions are readily available. Stanford has some local pointers at Xenon Security Alert Page for Windows and Mac software. Macintosh and Windows versions are also available from F-Secure site. The F-Secure site requires registration.

Help on SSH
In order to use SSH, you must generate your public and private keys. This can be a bit time consuming but it is done only once. In addition, your public key must be made known to the machine you want to log into. This and other help is available from the following documents.

9.10 How to use TTSSH, a free SSH client for Windows
TTSSH is a free SSH client for Windows written by Robert O'Callahan. It works on top of Teraterm, which is a decent terminal emulation program. It is attractive because it is free, allows forwarding of connections through the secure channel, and has facilities for secure file transfer. In that sense, it is a far more complete solution than PC-Samson. I personally find Teraterm to be better than PC-Samson, but one has to bear with the installation and setup.

Below I reproduce verbatim Robert O'Callahan's instructions for installation from the documentation for TTSSH with some elaboration. The installation part is quite easy.

Installing TTSSH
If you are using ordinary password authentication (as opposed to public/private key pair), the following four steps suffice.

  1. Download and install Teraterm 2.3 if you haven't already. On my Windows NT machine, it installs by default into Program Files/Ttermpro. Please be aware where the software lands.
  2. Download TTSSH.
  3. Unzip it into the directory where you've already installed Teraterm 2.3. This will overwrite some files LIBEAY32.DLL, TTXSSH.DLL and TTSSH.EXE. In my experience, this step seemed necessary; efforts to use TTSSH without executing this step were unsuccessful.
  4. You can now create a shortcut to the file Program Files/Ttermpro/ttssh.exe.

If you want to use a public/private key pair for authentication (RSA is an example of this), in addition to the above steps, your public and private keys have to be generated before you can use the program. Follow the instructions in the following section.

Setting up TTSSH for public/private key authentication
Since TTSSH lacks key management utilities, you must generate your public and private keys on another machine. For most novice users, this is where the confusion might begin. But I hope the instructions below will help.

  1. On your server, say rgmiller, run the program ssh-keygen to generate your public and private keys. However, when the program asks you where to save the key, usually /home/you/.ssh/identity, use a different location so that you don't clobber your already generated keys. If you choose newidentity as the file name, it will create two new files newidentity and newidentity.pub. The latter is public, while the former is private like your password. You will be asked for a pass-phrase that you should choose wisely: spaces are allowed and it can be long. Remember it. Once the keys are generated, you'll notice that newidentity which contains your private key is only readable by you; don't change that.
  2. This step is optional but recommended for completeness. Edit the file newidentity.pub and fix the end of the line so that it reflects your address on the pc. If you used the server rgmiller to generate the key, a string like you@rgmiller is usually tagged on the end of the long string of digits. Change it to you@your-pc so that you know what machine this public key is for.
  3. For every machine that you want to log into from your PC, merge the contents of the file newidentity.pub to your list of authorized keys on that machine. These keys are usually kept under /home/you/.ssh/authorized_keys. Remember the long string of digits must be on one line with no line breaks!
  4. Now comes the big task. You need to transfer these two files securely to your PC. Using ftp will defeat all our careful efforts. Perhaps you can transfer the file to a floppy disk and move it to your PC. I'll leave that to you. These files are expected by default to be placed in the Teraterm directory Program Files/TTermpro/, but they can in general be placed anywhere. In fact, if more than one person is expected to use the PC, you might want to place the files in a separate folder created for your own use. Rename newidentity as identity and newidentity.pub as identity.pub.
  5. The file identity must be protected from prying eyes. Arrange it so that only you, the administrator and system have full control of the file identity since it is your private key. This is usually done by clicking on the file with the right mouse button and asking for the Properties menu.
  6. Once you have transferred the file to your PC, be sure to destroy both files newidentity and newidentity.pub on the server where you generated the keys.

We are not done with the setup yet! On your PC, fire up TTSSH. Cancel the initial dialog.

  1. Choose the Setup -> TCPIP menu. Add rgmiller.stanford.edu and stat.stanford.edu to the list of hosts and make sure the port shows 22. Add other machines you want as well.

  2. Choose the Setup -> SSH Authentication menu. Enter your username on the machine rgmiller in this case. Check the RSA key and make sure that the private key file points to where you saved it in the steps above. Click OK to quit the dialog.

  3. Choose the Setup -> SSH Authentication menu. Make sure that you check the X forwarding button so that you can use secure X connections. If you want to use Eudora via POP on your PC, see section Running Eudora securely using TTSSH. If you use an X emulator see section Running X securely using TTSSH.

  4. Make any other changes in the Setup menu you might want, such as background color, font, etc.

You are now finished with the setup procedure and you may proceed to use TTSSH.

To open a connection, choose File -> New connection. Make sure you have the host you want, that SSH is chosen, and that the port is 22. You will then be challenged only for your pass-phrase.

The first time you connect with a machine via SSH, you might get a warning that the machine is not a known host. This is normal. However, to prevent such future warnings, you should check the box that appears in the dialog to add the machine to the list of known hosts.

Your connection created this way will be immune to eavesdroppers and sniffers.

Transferring files securely using TTSSH
Transferring files between the host you are logged into, say rgmiller, and your pc is very simple.

To transfer file foo.dat from rgmiller to your pc:

rgmiller %1 sz foo.dat

Now move to your TTSSH window and choose File -> Transfer -> ZMODEM -> Receive. Your file will be transferred to your pc. You can also use kermit but I had little luck with it.

To transfer file foo.dat from your pc to rgmiller: Choose File -> Transfer -> ZMODEM -> Send. Select the file and it will be transferred.

TTSSH will also paste the contents of a file that you have on your PC into your application on rgmiller. This is done via the File -> Send menu.

Running Eudora securely via POP
TTSSH can forward connections from any port on your machine to any port on any other remote machine. Thus, if you have an SSH connection from your PC to machine X, then you can talk to machine Y via the secure connection to X. However, you only truly reap the benefits of a secure connection if Y is the same as X. Otherwise, the part between X and Y will be insecure.

One can use this to secure otherwise insecure operations, like reading non-kerberized POP mail. For example, here is how one would do it for stat.stanford.edu.

  1. Configure your Eudora via the menu Tools -> Checking Mail. Change the Mail Server entry to read localhost.stanford.edu.

  2. Configure TTSSH to forward your popmail connections through the secure channel. Choose Setup -> SSH Forwarding and Click on the Add button. Select Forward local port. Choose POP3 from the drop-down list. Type in stat.stanford.edu as the name of the remote machine and choose POP3 again from the drop-down list. Exit and save your setup.

Now every time you want to read e-mail, make a TTSSH connection to stat.stanford.edu. Then whenever you read mail with Eudora, you will have a secure connection.

Running X securely using TTSSH
First set up the PC X software so that it will only allow connections from localhost.stanford.edu. With Exceed, this is done by running the Xconfig program and choosing the host access control list to be xhost.txt. Edit this file to contain exactly only one hostname, localhost.stanford.edu. Other X window clients like XWin-32 and Reflect will have similar controls to restrict access to only one host.

Once you have done this, you may just log into the host you want using TTSSH and throw an xterm. There is no need to set a display variable or to muck around with xhost.

9.11 Stanford Security Team Guidelines
If you have a Linux or any other box at your dorm that is directly on the network and you administer it yourself, you should read the Securing a Windows NT 4.0 Server document that was created by the Stanford Security Team for help on setting up a secure machine.

9.12 Alternatives to ftp
There are some alternatives to ftp that one can use.

  1. The command rcp is a useful one for copying files from one kerberized machine to another. Again, this assumes you have a valid ticket. For example, here is the command I use to copy files from my home machine to rgmiller.

    naras-home > rcp comp-guide.sgml naras@rgmiller.stanford.edu:sysadmin/guide
    This copies the file comp-guide.sgml from my home machine to rgmiller and puts it in the directory /home/naras/sysadmin/guide. Notice how your userid can be different on each machine---you just specify it in the command. One frequent gotcha in using rcp is that many vendors provide their own versions of rcp that will not work. When you install kerberos kits on your home machine, make sure that the Leland rcp command is first in your path. Also make sure you use the fully qualified domain name such as rgmiller.stanford.edu if you are in a different domain.
  2. If you use SSH, you can use the command scp. It works exactly like rcp and even allows file transfers of the form
    naras-home > scp naras@timbuctoo.com:comp-guide.sgml naras@rgmiller:sysadmin/guide
    provided proper exchange of identities has been set up.
  3. Finally, if you accept only the best, use rsync. This is a tool powerful enough to synchronise a web directory with its mirrors. For example, after obtaining a Kerberos ticket,
    rsync -avz guide/comp-guide.sgml hktang@rgmiller:CA/guide/
    will copy the file guide/comp-guide.sgml on the local machine to the CA/guide directory on rgmiller, while
    rsync -avz guide hktang@rgmiller:CA/guide
    will copy all the files in the directory guide on the local machine to the CA/guide directory on rgmiller.

    One advantage of rsync is that it transfers only file differences, whereas the previous solutions transfer the entire file, even if the source and destination files differ by (literally) only one bit. By supplying various options to rsync, you can do, among other things, on-the-fly compression (-z) or use SSH encryption (-e ssh, but at present, the ssh option appears not to work on rgmiller). For more information, see the man page or read http://samba.anu.edu.au/ftp/rsync/rsync.html.

    A Windows version of rsync is also available; use your favorite search engine to locate it.

The case of Windows
On a PC, you should use the method provided in section Transferring files securely using TTSSH.

Otherwise, you are either limited to the ways discussed in the section Transferring files using FTP or you need to use a Windows version of SSH or rsync software that will give you scp or rsync.

The case of Macintosh
On the Mac, you can directly mount your Leland Systems home directory as discussed in the section More on Mac-Leland. Thus, there is really very little need for ftp since your Leland home directory is visible on rgmiller (see section Accessing AFS).

Another alternative is to again use the Mac version of SSH software discussed above which will give you something like scp.

9.13 If alternatives to ftp don't work
If the above solutions don't work, please use the steps outlined in the section Important Update on FTP.

9.14 Frequently Asked Questions
I don't have any private files and I don't care if other people read my e-mail or delete my files. Why should I still be concerned about my password security?
If an intruder gets hold of your password, he/she can use your account to mount further attacks on other parts of the system. He/she can also pose as you to send (possibly obnoxious) e-mail to other people.

Thus, security is everyone's business.

If your Leland account has been compromised, the Leland people might lock it and you will have to go to Sweet Hall with your ID to re-activate it.

On my home PC, I installed PC-Leland and my machine will not boot.
Either the installation got screwed up or you made a mistake in telling PC-Leland that you were always connected to the network. In both cases the solution is the same. There seems to be a bug in the PC-Leland installation process which, even when you insist that you are not connected to the network, continues to install PC-Leland as your screen-saver. This means that it expects to be connected to the network when it boots. When the machine boots, it finds it is not connected to the network and hangs.

The only way to get around this is to hit Control-Alt-Delete to bring up the task manager and kill the tasks that hang the machine. Then continue to boot. Once in, make sure that the screen saver is not set to PC-Leland via My Computer -> Control Panel -> Display.

I cannot klogin to rgmiller
Several possible reasons.

I cannot use PC-Samson or PC-Leland to log into rgmiller
Several possible reasons.

  • You did not perform the preparatory step; see section Your First Preparatory Step.
  • You don't have a valid ticket; see sections More on PC-Leland and More on Mac-Leland.
  • Your SUNet userid is different from your rgmiller userid and you forgot to create a PC-Samson saved session for logging into rgmiller. See section Using PC-Samson. For Mac-Samson, see Using Mac-Samson.
  • The machine you are logging in from has the wrong time. Time is crucial to Kerberos and your system clock must be synchronized with International Standard Network time. On a PC, click your right mouse button on the PC-Leland icon and choose settings to check the time. On a Mac, just click on the Mac-Leland icon for settings.

I cannot kinit!
Please make sure you haven't mucked around with your terminal settings. Some people change the kill character to an ordinary character inadvertently. You can look at your settings via:

rgmiller %1 stty -a

Here's a quick hack that usually lets you know if your terminal setting is the culprit. Do an

rgmiller %2 stty dec
followed by
rgmiller %3 kinit

If it works, then you have a screwy stty setting somewhere in your initialization files like .cshrc, .login or .profile. You'll have to fix it.
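A small script that inspects a stty -a listing for exactly the problem described here, a kill (or erase) character rebound to an ordinary printable character. This is an added example, not part of the guide; the two listings are constructed samples, and the real check is stty -a | stty_control_chars_ok.

```shell
# Added example, not from the guide: flag control characters in a
# `stty -a` listing that have been changed to ordinary characters.

# stty_setting NAME  (listing on stdin) -> prints the value, e.g. "^U" or "u"
stty_setting() {
    tr ';' '\n' | sed -n "s/^[[:space:]]*$1 = \(.*\)/\1/p" | head -n 1
}

# Returns 0 when a value is a control character (^X, including ^? for DEL)
# or <undef>; returns 1 for anything else (an ordinary character).
is_control_char() {
    case "$1" in
        '^'?|'<undef>') return 0 ;;
        *) return 1 ;;
    esac
}

# Reads a `stty -a` listing on stdin. Returns 1 and names every setting
# that has been turned into an ordinary character, 0 if all are sane.
stty_control_chars_ok() {
    listing=$(cat)
    status=0
    for name in kill erase; do
        val=$(printf '%s\n' "$listing" | stty_setting "$name")
        if [ -n "$val" ] && ! is_control_char "$val"; then
            echo "suspect: $name = '$val' is an ordinary character; check .cshrc, .login, .profile"
            status=1
        fi
    done
    return $status
}

# Constructed samples: a healthy listing, and one with kill rebound to "u".
SAMPLE_OK='speed 38400 baud; rows 24; columns 80; line = 0;
intr = ^C; quit = ^\; erase = ^?; kill = ^U; eof = ^D; eol = <undef>;'
SAMPLE_BAD='speed 38400 baud; rows 24; columns 80; line = 0;
intr = ^C; quit = ^\; erase = ^?; kill = u; eof = ^D; eol = <undef>;'
```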

Help! I am using a dialup ISP (Internet Service Provider) to connect to Stanford and I cannot get a Kerberos ticket.
Go through the following checklist.

  • Is your machine listed correctly in the world-wide nameservers by your Internet Service Provider? The kerberos programs check the identity of your machine before letting you in. They do this as follows. When you ask for a ticket, the kerberos ticket dispenser gets your machine's name and IP address. Then, it asks the Stanford nameservers for the name of the machine with that IP address. Only if this name matches what was given does it proceed with the transaction.

    One way you can check if your machine is listed correctly in nameservers is to use the nslookup program. On any Stanford Unix machine that is properly set up on the network, you can execute this command. Once in, type in the IP address to see if it is known to the world. If you get Non-existent host/domain, Stanford does not know about the machine and therefore you'll be unable to use kerberos.

  • Make sure your Internet Service Provider has not blocked traffic on certain port numbers, specifically port 750. This is the standard port that is used by Kerberos.
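The forward-and-reverse DNS comparison described in the first checklist item, done from a shell so you can test a machine before trying kinit. This is an added example, not part of the guide: it assumes dig is installed, and the two lookup helpers are kept separate so they can be replaced by canned answers when testing offline.

```shell
# Added example, not from the guide: does the name a machine claims resolve
# to an address whose reverse entry names the same machine? This is the
# check the text says the ticket dispenser performs.

a_lookup()   { dig +short A "$1" | sed -n '/^[0-9][0-9.]*$/p' | head -n 1; }  # name -> IPv4
ptr_lookup() { dig +short -x "$1" | head -n 1; }                                # address -> PTR

# Lower-case a name and strip the trailing dot that PTR answers carry.
canon_name() { printf '%s' "$1" | tr 'A-Z' 'a-z' | sed 's/\.$//'; }

# kerberos_dns_check CLAIMED_NAME
#   0: forward and reverse DNS agree
#   1: the address has no reverse entry (the "Non-existent host/domain" case)
#   2: the reverse entry names a different host
#   3: the claimed name does not resolve at all
kerberos_dns_check() {
    claimed=$(canon_name "$1")
    ip=$(a_lookup "$claimed")
    if [ -z "$ip" ]; then
        echo "fail: $claimed does not resolve to an address"; return 3
    fi
    ptr=$(canon_name "$(ptr_lookup "$ip")")
    if [ -z "$ptr" ]; then
        echo "fail: $ip has no reverse entry, so the ticket request will be refused"; return 1
    fi
    if [ "$ptr" != "$claimed" ]; then
        echo "fail: $ip reverses to $ptr, not $claimed"; return 2
    fi
    echo "ok: $claimed and $ip agree in both directions"
}

# Usage: kerberos_dns_check "$(hostname -f)"   (only when run as a script)
if [ -n "${1:-}" ]; then kerberos_dns_check "$1"; fi
```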

