During the Employment Office Orientation, and before you get your
Fermilab ID, you are required to read and sign the Fermilab Policy on
Computing. Understanding the policy and agreeing to abide by it are
prerequisite to using any Fermilab computers. Here we'd like to clarify the
points of the policy pertaining to computer security. We also provide a
link to the policy document, in case you care to review it.

Fermilab has implemented a site-wide computer security system. You
may hear it referred to as "Strong Authentication" and/or
"Kerberos". The system exercises tight control over who uses the
lab's computers and network, but as with any security system, it requires those
with legitimate access to "lock the doors behind themselves" and
"keep the key in a safe place". In our computing environment this
translates into the following list of responsibilities for all of us:
- Obtain a Kerberos principal and associated password (you can think
of these two items together as your "key" to get in)
- Change your initial password to something that is hard to guess,
but that you can remember
- Learn how to log in such that Kerberos recognizes and admits you
(this involves obtaining an electronic "Kerberos ticket")
- Learn how to use your ticket without exposing it to theft
- Treat your Kerberos password as a sacred object:
  - Your Kerberos password must be known only to you.
  - Remember it!
  - Make sure that you do not write it down anywhere that someone
    could find it.
  - Do not put it in a file (encrypted or not).
  - As a usual practice, type it only at the console of a system on
    which you authenticate.
  - Only on very rare occasions, when you have no other choice, may
    you pass it over a network connection. The connection MUST BE ENCRYPTED. Verify
    that ALL connections in the chain are encrypted.
- Choose a character string different from your Kerberos password
for all other passwords and other objects. (The one exception: your passwords
for the FNAL.GOV and FERMI.WIN.FNAL.GOV realms may be the same.)
- If you mistakenly type your Kerberos password over an unencrypted
channel, please change it immediately!

To learn how to do these things, see the Strong Authentication
documentation. In particular, see the Quick Guide for UNIX or Windows.