Search our
entire site
Enter your search
terms below, or visit
our search page

Search case
studies only
Enter your search
terms below:

For the table
of contents and
hyperlinks to
general topics
proceed to toc

Services Affected When
Encryption Software is Installed

1. Services Defined
2. Comparison of Kerberos and SSH Services
   1. Telnet
   2. rlogin
   3. ftp
   4. rcp
   5. rsh
3. POP service for NCSA email accounts
4. Kerberos services command summaries
5. Quick Guide to using Kerberos and SSH at NCSA

Services Defined

In this context, "services" refers to network and communication services that allow remote access. Such services are broken down into six main services: Telnet, remote login (rlogin), file transfer (ftp), remote copy (rcp), remote shell (rsh), and email services (POP in this case).

Using NCSA systems is more convenient using Kerberos or SSH because, in general, you only need to provide your password once each day. If you regularly use more than one NCSA (or in the future, Alliance) machine then your Kerberos or SSH credentials are forwarded to each machine as you connect to them -- no extra password typing. While your credentials are active, you have access to all of the services provided by either Kerberos or SSH, making transactions with NCSA systems more secure and, coincidentally, more convenient.

POP service is included here but only affects NCSA staff.

Comparison of Kerberos and SSH Services

TELNET

Kerberos

The telnet provided with all of the packages available on NCSA's download pages is a complete implementation. On UNIX systems, there are some extra options for forwarding Kerberos credentials (generally the default) and for encrypting entire sessions (generally not the default). If you are using a Mac or PC and have been using NCSA Telnet, BetterTelnet, or any other telnet program you need to make sure the telnet you choose is Kerberos-aware or use the telnet included in the Kerberos package you download.

SSH

Secure Shell provides an interactive connection service that is somewhat like telnet and rlogin (see below). Some users prefer the way SSH works or looks in providing this interactive connection.

RLOGIN

Kerberos

For some time now, NCSA has blocked the use of rlogin to our HPC systems by removing any .rhosts files with a daemon that runs every 15 minutes. Now, with Kerberos, you get the functionality allowed under .rhosts by having a valid Kerberos ticket. For this convenience alone, you may choose to use Kerberos.

SSH

Secure Shell interactive session service is a mix of telnet and rlogin services, though not a true implementation of either.

FTP

Kerberos

FTP is a fully supported service in all of the Kerberos implementations available for download. The PC ftp is a command line utility only -- not a nice graphical interface that you may be used to. NCSA will continue to look for free Kerberos-enabled ftps that are better.

You may want to review the documentation for encrypting your ftp session. This will likely degrade performance somewhat, but if you want to tranfer a file securely it can now be done with ftp.

SSH

There is no ftp support currently using Secure Shell, but the commercial authors developing SSH are working on one. You can transfer files using SSH; refer to the rcp section below.

RCP

Kerberos

Remote copy protocol is a fully supported service in all of the Kerberos implementations available for download.

SSH

Secure Shell has a "file copy" utility called scp that is included and works somewhat like rcp, but is not a command line function you are used to if you've used rcp before. SSH does not have as complete a list of services as Kerberos does, but many users may find it easier to set up and use, or already use it.

RSH

Kerberos

Remote shell is a fully supported service in all of the Kerberos implementations available for download. If you use the X Windows System on your desktop system, make sure you're using the rsh included in your downloaded Kerberos distribution to open sessions with the NCSA HPC and staff public systems.

SSH

Secure Shell does not provide a true version of rsh. You can still use the X Windows System with SSH, as most versions of SSH support "X11 forwarding". If you use this, SSH will support a virtual X server on your home machine. All your the X Windows System network traffic will pass across an encrypted session. This has been tested at NPACI with F-Secure SSH for the PC, as well as with some of the free SSH clients (under Windows95 and Windows NT with Exceed). Alternately, you could first log in to an NCSA machine securely, and then open a raw X11 session back to your home machine.

NCSA E-mail POP Service

NCSA supports only Eudora and Eudora Pro for email applications on Windows systems. You can download a Kerberos "plug-in" off of the Kerberos User's Guide pages and install it into your Eudora applications. It's an easy installation procedure that is prepackaged. Downloading your email requires you to type in your Kerberos password, and your credentials will be good for 25 hours. You'll be prompted for your password the next time you try to download your email after the 25 hour period. Credentials for 25 more hours of downloading will be issued.

TABLE OF CONTENTS

Security
Home
Certificates
Checkpoint
Cybercop
Digital Certs.
ICVerify
ISS
IPSEC
Kerberos
Network Security
PKI
SafeSuite
Securify
Security CCI
Security Primer
Slideshows
Tivoli
Validating Users
VPI and CA
Creating VPI
VeriSign