Penn State Intercom, May 23, 2002

Measures designed to boost security of access accounts

By Karen Hackett
Information Technology Services

In an effort to increase password protection for Penn State Access Account users, Academic Services and Emerging Technologies (ASET), a service unit of Information Technology Services (ITS), will upgrade its File Transfer Protocol (FTP) server ftp.personal.psu.edu on June 1 to provide for "secure-only" file transfers. This means that the University's academic computing users will no longer be able to use popular FTP software, such as WS_FTP for Windows and Fetch for Macintosh, to transfer files to their respective Penn State Access Account Storage Space, or PASS. However, a variety of alternatives have been established to help faculty, staff and students make the transition from current file transfer methods to more secure options.

The increase in security measures stems from the tendency for many kinds of FTP software to present passwords "in the clear." This means that passwords are vulnerable to network eavesdropping by unscrupulous individuals in search of "userids" (user IDs) and passwords, giving them the ability to gain unauthorized access to servers and systems. Students, faculty and staff should be aware that it's possible for someone to obtain their Penn State Access Account userid and password and assume their identity.

Alternatives have been created to make file updates to personal, course or departmental Web pages easy and secure:

PASS Explorer

Users of the Penn State Portal (https://portal.psu.edu/) can transfer files to their PASS via the Penn State Portal's new file transfer tool, the PASS Explorer. The PASS Explorer tool lets users transfer files quickly and easily between their PASS and a local directory/folder on their machine. The tool was created to provide a similar look and feel to an FTP client, but it does not present passwords "in the clear."

To access the PASS Explorer, Portal users will need to add the Penn State Access Account Storage Space channel to their selection of Portal channels by clicking on the "Content" link on the Portal header.

A link to instructions for using the PASS Explorer is provided via the Penn State Access Account Storage Space channel, but users also may access instructions at http://www.psu.edu/portalproject/passexplorer/. Comments and inquiries can be directed to portal-feedback@psu.edu.

PASS Gateway

By using the PASS Gateway, users can securely and easily update files located in their PASS and personal Web space as if the files were local to their computers. The PASS Gateway is mounted from a variety of computer platforms and operating systems. More information and instructions for mounting the PASS Gateway are found via the main PASS Gateway interface at https://www.work.psu.edu/pass/.

For those who prefer "native" access, a client for Windows NT can be downloaded from the Web at https://www.work.psu.edu/access/dce/. A client from IBM is available for Windows 2000 users; however, it is not site licensed. For information, e-mail root@cac.psu.edu.

Secure Shell Protocol

The Secure Shell Protocol (SSH) allows users to connect to a remote server or machine from another machine or personal computer via an encrypted connection. Using this protocol, the Access Account userid and password pair are transmitted through an encrypted connection to prevent network snooping or "sniffing" of passwords. Once a login session is established, the network data between a local computer and the remote workstation or server also are encrypted. More information about SSH is found at http://cac.psu.edu/internet/ssh/.

Kerberos

The Kerberos network authentication protocol, developed at the Massachusetts Institute of Technology, uses strong cryptography to make it possible for a client to prove its identity to a server (and vice versa) across an insecure network connection. After a client and server have used Kerberos to confirm their identities, they also can encrypt all of their communications. A number of Web-based services that require authentication with a Penn State Access Account userid and password already use Kerberos.

Individuals can obtain a Kerberos plug-in for the Eudora e-mail client via the CACPAC CD, a collection of free software for Penn State faculty, staff and students. More information about the Kerberos plug-in is found at http://ftp.cac.psu.edu/access/cd/.

Secure File Transfer Protocol

The Secure File Transfer Protocol (SFTP), an FTP-like client that is used for transferring files over the Internet, is a secure replacement for FTP. Unlike regular FTP, SFTP uses SSH to encrypt the network traffic between two machines (a local machine and a remote server). This means that both the Access Account userid and password and the information passed between a desktop machine and a remote server are encrypted.

Updates to current FTP software will be available on the CACPAC CD Web site at http://ftp.cac.psu.edu/access/cd/ on June 1.


Karen Hackett can be reached at kmh@psu.edu.
