News
PACI Partners Find Security Solutions; Plan to Eliminate Clear Text Passwords
Published June 01, 1998
For more information, contact:
Ann Redelfs, SDSC, 619-534-5032,
redelfs@sdsc.edu
SAN DIEGO, CA -- After nearly a year of collaboration, researchers with the two partnerships that make up the National Science Foundation's Partnerships for Advanced Computational Infrastructure (PACI) program have developed a plan to eliminate clear text passwords for the users of their computer systems and thereby improve network security.
The National Computational Science Alliance (Alliance), led by the National Center for Supercomputing Applications (NCSA) at the University of Illinois at Urbana-Champaign, and the National Partnership for Advanced Computational Infrastructure (NPACI), led by the San Diego Supercomputer Center (SDSC) at the University of California, San Diego, are now making Kerberos, an authentication and privacy package, available to partners and users of data on the NCSA and SDSC computer systems. The Kerberos solutions are available to users whether they access the systems using a Unix or Windows operating system.
Kerberos, originally developed by the Massachusetts Institute of Technology (MIT) project Athena, provides a means of protecting passwords and other user data from third-party sniffing (eavesdropping) on a network between two hosts. Normally, most users connect to a remote host by typing in a password and sending the characters over the network to the host. Unfortunately, it is easy for a third party who has access to the network to intercept these characters and get the user's password. Kerberos eliminates these security problems by providing a means of authenticating the user without sending the user's password over the network.
To use Kerberos to login to a remote site, users simply run a Kerberos Credentials Manager program when they sit down at their computers each morning. The program then issues the user an electronic "ticket," which is sent encrypted over the network. This ticket allows the user access to various hosts and servers throughout the day, without requiring him or her to enter additional passwords for different locations.
"The use of clear text logins and passwords represents the number one security vulnerability on the Internet today," said Larry Smarr, director of the Alliance and NCSA. "Our main motivation for this project is the elimination of that vulnerability. Kerberos is one of the mechanisms we have employed to meet this goal."
NCSA staff also ported several Kerberos clients to Windows that previously were unavailable on that platform. These clients are versions of the Unix ftp, rcp, and rsh commands that allow users to move files over the network and execute commands securely on NCSA's computer systems. In May, these clients were provided to SDSC, which will now make them available to its NPACI partners.
"We appreciate NCSA giving us early access to their enhancements," said Tom Perrine, manager of security technologies at SDSC. "Availability of Kerberos is a key component of both organizations' security plans, and NCSA has saved us several months of time and effort in the phaseout of plain text passwords."
The Alliance and NPACI security teams have a long-standing commitment to coordinate their efforts to eliminate clear text passwords and other computer security weaknesses. Earlier this year, an Alliance security team, led by Randy Butler, technical program manager of the Alliance computational, environmental and security group, and Von Welch, NCSA senior research programmer, met several times with Perrine and NPACI security team members. The teams discussed their general security plans with representatives from the Defense Department and NSF-funded laboratories, and agreed that the various organizations would use interoperable authentication schemes and security architectures.
"One of the strengths of the PACI program is the opportunity it gives us to try out multiple approaches to building components of a national computational infrastructure," said Charlie Catlett, NCSA's senior associate director for science and technology. "Yet, there are issues that we need to work on in a closely coordinated way in order to be most effective for the broad user community. Secure authentication is one of those issues. The technology has been around for some time; what's new here is the coordinated implementation for such a large user community."
The effort to get Kerberos to the thousands of computer system users within the PACI partnerships has been truly collaborative. The package was originally developed at MIT 10 years ago and development has been ongoing since then. About 15 months ago, an effort began to integrate it into the Andrew File System (AFS), a distributed file system with a common name space used at NCSA, SDSC and many other research centers. Ken Hornstein of the Naval Research Laboratory in Washington D. C. developed an AFS-Kerberos migration kit ( ftp://ftp.cmf.nrl.navy.mil/pub/kerberos5/afs-krb5-1.2.tar.Z), which became the basis for integration of Kerberos into NCSA's computer environment. Doug Engert of Argonne National Laboratory also advised the NCSA team on the integration effort.
"What this really means is that Kerberos is not just another layer in our computational environment, but is tightly coupled with the AFS system that already exists," Catlett said. "For example, instead of having to run two programs-one to authenticate to AFS and one to authenticate to Kerberos-users run only one, which authenticates them to both."
Kerberos is now available to NCSA staff and users for download at http://www.ncsa.uiuc.edu/General/CC/ACES/kerberos/download.html. Alliance and NPACI partners can obtain the AFS version of Kerberos by contacting the Kerberos group < kerberos@ncsa.uiuc.edu> at NCSA to request the software. The software will also be folded back into the MIT public domain Kerberos software. In about a month, training materials on using Kerberos will be made available to NCSA users and partners. By August, all remote users logging on to NCSA systems will be expected to use Kerberos or another authentication package such as Secure Shell (SSH).
SSH protects users and their data by encrypting user names, passwords, and interactive login sessions. SSH client software is free for almost all versions of the Unix operating system, and commercial SSH clients are now available for Windows95, Windows NT, and MacOS at about $50 for educational use (even lower-cost versions should be available soon). Information on SSH client software is available from the Secure Shell Web page at http://www.cs.hut.fi/ssh/, or through the Alliance and NPACI security Web pages at http://alliance.ncsa.uiuc.edu/alliance/AllianceSecurity.html and http://www.npaci.edu/Security/.
"The Alliance and NPACI teams have been proceeding towards a common goal with these security packages," Perrine said. "Many of the sites in the two PACI organizations have been using SSH and Kerberos on a voluntary basis on their CRAYs and other platforms for several years. Our teams had a lot of real-world experience when they decided to commit to these authentication mechanisms throughout the PACI initiative."
The National Center for Supercomputing Applications is the leading-edge site for the National Computational Science Alliance. NCSA is a leader in the development and deployment of cutting-edge high-performance computing, networking, and information technologies. The National Science Foundation, the state of Illinois, the University of Illinois, industrial partners, and other federal agencies fund NCSA.
The National Computational Science Alliance is a partnership to prototype an advanced computational infrastructure for the 21st Century and includes more than 50 academic, government and industry research partners from across the United States. The Alliance receives core funding from the National Science Foundation and cost-sharing at partner institutions.
The National Partnership for Advanced Computational Infrastructure is the other half of the NSF's PACI initiative, and incorporates more than three dozen universities and research institutions. SDSC, NPACI's leading-edge site, is a research unit of the University of California, San Diego; it is sponsored by the National Science Foundation through NPACI and by other federal agencies, the State and University of California, and private organizations. For additional information about NPACI and SDSC, see http://www.npaci.edu/.