The MSRI Computing Handbook
Off-Site Access to the MSRI Network
MSRI is protected from outside access by a firewall. There are no
direct connections between the MSRI network and the Internet. All
traffic passes through a single, well-secured machine - our `bastion'
or `gateway'. The traffic is filtered and monitored for suspicious
activity. Network applications operate through `proxies' on the
firewall.
The exponential growth of the Internet has been accompanied by a
similar surge in attacks on MSRI by malignant crackers. During the
summer of 1994, crackers wiped out all the data of a UC Berkeley CS
research group. In January 1995, our network was attacked by the
infamous Kevin Mitnick and we were forced to devote several hundred
person hours to eradicating the network monitors that he and his
accomplices (who are still at large) installed. Many California
campuses are currently the unwilling hosts to crackers who steal
passwords and tauntingly resend legitimate email back to the originators
to demonstrate some juvenile notion of prowess.
While the firewall will mean some inconvenience as you get used to the
new system, we judge this to be inconsequential in comparison to the
inconvenience of having your files stolen or deleted, not necessarily
out of malice but, more likely, out of the carelessness of a
cracker. We have made outgoing network connections as transparent as
possible. Incoming connections are authenticated to guarantee that the
originator is a legitimate MSRI user.
The most visible aspect of the firewall is the authentication of
external connections using S/KEY. S/KEY is a challenge-and-response
one-time password system. It provides an easy, secure method for
authenticating users in an environment where eavesdroppers may be
monitoring network traffic. S/KEY is used for all connections to MSRI
originating from an outside source. This section describes how to use
S/KEY at MSRI.
In preparation for using the authentication software to get through
the MSRI firewall, you must first take two preliminary steps:
- You must install the S/KEY software on your local machine. This
software is available from the MSRI web site.
Several architectures are supported. See a member of the computing
staff for more information.
- See any member of the computing staff to set up an S/KEY account.
You will be asked to select a password distinct from your UNIX login
password. While an 8-character password is not especially secure, the
authenticator will disable your S/KEY account after five consecutive
failures in a three-minute period, rendering a dictionary attack
infeasible.
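The lockout rule just stated (five consecutive failures within three minutes) is easy to get subtly wrong: a fixed three-minute bucket lets an attacker spread guesses across bucket boundaries, and a counter that never expires locks out a user who mistyped a word last week. Below is an added example, not the MSRI authenticator's code, of a sliding-window implementation of that rule; the class and function names are this example's own, and the assumption that only the computing staff re-enable a disabled account is an assumption, since the page does not say how re-enabling works. Note what the lockout does and does not cover: it stops online guessing at the firewall, but someone who captured a challenge and its response from the network can still test password guesses offline, which is why the S/KEY password should be as strong as you can remember.

```python
from collections import deque
from typing import Deque, Dict, List, Set, Tuple

# Added example (not the MSRI authenticator's code): a sliding-window
# lockout for the stated policy, five consecutive failures within three
# minutes disables the account.  The clock is passed in as seconds so the
# logic is deterministic and testable offline.

WINDOW_SECONDS = 3 * 60
MAX_FAILURES = 5


class SkeyLockout:
    def __init__(self, window: float = WINDOW_SECONDS,
                 limit: int = MAX_FAILURES) -> None:
        self.window = window
        self.limit = limit
        # Timestamps of the recent consecutive failures, per user.
        self.failures: Dict[str, Deque[float]] = {}
        self.disabled: Set[str] = set()

    def is_disabled(self, user: str) -> bool:
        """Check this before issuing a challenge at all."""
        return user in self.disabled

    def record_failure(self, user: str, now: float) -> bool:
        """Log a failed response; returns True if the account is now disabled."""
        if user in self.disabled:
            return True
        recent = self.failures.setdefault(user, deque())
        recent.append(now)
        # Only failures inside the last three minutes count, so drop
        # anything older than the window (sliding, not bucketed).
        while recent and now - recent[0] > self.window:
            recent.popleft()
        if len(recent) >= self.limit:
            self.disabled.add(user)
            return True
        return False

    def record_success(self, user: str) -> None:
        """A successful login breaks the run of *consecutive* failures."""
        self.failures.pop(user, None)

    def reenable(self, user: str) -> None:
        """Assumed staff action: the limiter never re-enables on its own."""
        self.disabled.discard(user)
        self.failures.pop(user, None)


def simulate(events: List[Tuple[str, float, bool]]) -> Set[str]:
    """Replay constructed (user, seconds, succeeded) events and return the
    set of users whose accounts ended up disabled."""
    lockout = SkeyLockout()
    for user, t, ok in events:
        if lockout.is_disabled(user):
            continue  # the firewall would not even issue a challenge
        if ok:
            lockout.record_success(user)
        else:
            lockout.record_failure(user, t)
    return lockout.disabled


if __name__ == "__main__":
    # Constructed log: five rapid failures for one user, a slow dribble
    # of failures for another that never fits inside one three-minute window.
    events = [("dave", t, False) for t in range(5)]
    events += [("erin", t, False) for t in (0, 60, 120, 190, 250)]
    print(simulate(events))
```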
Once you have completed the steps outlined above, you can access the
MSRI network from outside after being authenticated, as exemplified by
the rlogin session below.
Imagine that I am on a machine somewhere else on the Internet, and I
want to login to my account at MSRI.
- First, rlogin to the MSRI firewall, msri.org:
Once this connection is established you will see the Username: prompt.
- After you enter your username, the system will issue you the S/KEY
challenge. The challenge consists of three parts:
  - The declaration of the protocol, s/key.
  - An authorization counter. This variable is decremented after each
  successful login. It reflects the number of authorizations remaining.
  - The seed, hi1202004, which will differ from user to user, but not
  from one authorization to the next.
- To respond, cut the challenge from the window in which you are
logging in, and paste it as input to the S/KEY client software on your
local machine.
  - Under Windows95, the client presents a dialog box:
  - On a Mac, the client presents a dialog box:
  - On a UNIX machine, the invocation of S/KEY looks as follows:
It is critical that you run the client software
locally - the security of your secret password and hence
S/KEY would be compromised if it were typed across a network where
your keystrokes could be captured.
Once started, the client S/KEY software will ask for your secret S/KEY
password. From your secret password and the firewall's challenge,
S/KEY will generate, on the local machine, your one-time authorization
code, which consists of six short English words.
- Finally, cut the response and paste it into the remote window on
msri.org at the prompt:
The one-time authorization code may not appear on your screen. Type
RETURN and you are in. You are then presented with the
MSRI> prompt, to which you should respond by telling it
which machine you would like to connect to, e.g. the one on your
desktop. With rlogin you are done:
Connecting with telnet follows the same steps, except you
will have to login to the msri machine using your UNIX password at the
final stage, since telnet has no concept of who you are.
Accessing your files with ftp is similar, and is covered
in the File Transfer section.
If you anticipate having to connect from dumb terminals while
traveling, you can always generate a list of one-time passwords ahead
of time by using the client software here at MSRI with the -n
flag and your current authentication number and challenge:
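To make concrete what the client computes from your secret password and the firewall's challenge, and why the counter in the challenge goes down by one at every login, here is an added example that is not MSRI's S/KEY software. It implements the one-time-password chain of RFC 2289 (the standardised successor of S/KEY) in its MD5 variant so that it runs with nothing but the Python standard library; the original S/KEY used MD4 in the same chain. The secret password is constructed, the seed is the one in the handbook's sample challenge, and every function name is this example's own. The six-word dictionary is not reproduced, so the six-word form is shown as six word indices rather than English words. The example also covers the -n list mentioned above: `password_list` produces the next n codes in the order the firewall will ask for them.

```python
import hashlib
from typing import Dict, List, Tuple

# Added example, not MSRI's S/KEY software: the one-time-password chain
# that the S/KEY client computes locally, following the RFC 2289 (OTP)
# MD5 variant so that only the standard library is needed (the original
# S/KEY used MD4 in exactly the same chain).  Names are this example's own.


def fold_md5(data: bytes) -> bytes:
    """MD5 the input and fold the 16-byte digest to 8 bytes by XORing the
    two halves (the RFC 2289 folding rule for MD5)."""
    digest = hashlib.md5(data).digest()
    return bytes(a ^ b for a, b in zip(digest[:8], digest[8:]))


def otp_response(secret: str, seed: str, count: int) -> bytes:
    """One-time authorization code for the challenge (count, seed).

    Step 0 hashes the lower-cased seed concatenated with the secret
    password; that 8-byte result is then re-hashed `count` times.  The
    hash is one-way, so an eavesdropper who captures the code for count
    N cannot derive the code for count N-1, which is what the firewall
    asks for at the next login.
    """
    state = fold_md5((seed.lower() + secret).encode())
    for _ in range(count):
        state = fold_md5(state)
    return state


def to_hex(code: bytes) -> str:
    """Hexadecimal display form, grouped in four-digit blocks."""
    h = code.hex().upper()
    return " ".join(h[i:i + 4] for i in range(0, 16, 4))


def to_word_indices(code: bytes) -> List[int]:
    """The six 11-bit indices behind the six-word response.

    A two-bit checksum (sum of the 32 bit-pairs, modulo 4) is appended to
    the 64 bits and the 66 bits are split most-significant-first into six
    words.  The 2048-word dictionary (RFC 2289, Appendix D) is not
    reproduced here, so indices are returned instead of English words.
    """
    value = int.from_bytes(code, "big")
    parity = sum((value >> shift) & 3 for shift in range(0, 64, 2)) & 3
    bits = (value << 2) | parity
    return [(bits >> (11 * (5 - i))) & 0x7FF for i in range(6)]


def checksum_ok(indices: List[int]) -> bool:
    """What a server does first with a six-word response: rebuild the 66
    bits and confirm the checksum before hashing anything."""
    bits = 0
    for idx in indices:
        bits = (bits << 11) | idx
    value, parity = bits >> 2, bits & 3
    return parity == (sum((value >> s) & 3 for s in range(0, 64, 2)) & 3)


def server_verify(stored: bytes, counter: int,
                  response: bytes) -> Tuple[bool, bytes, int]:
    """Firewall side.  It keeps only the last accepted code (for count
    `counter`), never the secret.  A response is accepted iff hashing it
    once reproduces the stored code; on success the response becomes the
    stored code and the counter is decremented."""
    if fold_md5(response) == stored:
        return True, response, counter - 1
    return False, stored, counter


def password_list(secret: str, seed: str, counter: int,
                  n: int) -> List[Tuple[int, str]]:
    """What the client's -n flag produces: the next n codes, in the order
    the firewall will ask for them (counter-1 downwards).  The printed
    list is itself a secret and deserves the same care as the password."""
    return [(c, to_hex(otp_response(secret, seed, c)))
            for c in range(counter - 1, counter - 1 - n, -1)]


def demo() -> Dict[str, object]:
    """A full login exchange plus a replay of a captured response."""
    secret = "constructed-secret"  # constructed, not a real password
    seed = "hi1202004"             # the seed in the handbook's sample challenge
    counter = 99
    stored = otp_response(secret, seed, counter)        # enrolment: client hands over code 99
    first = otp_response(secret, seed, counter - 1)     # challenge "s/key 98 hi1202004"
    ok1, stored, counter = server_verify(stored, counter, first)
    replay, stored, counter = server_verify(stored, counter, first)  # eavesdropper resends it
    second = otp_response(secret, seed, counter - 1)    # challenge "s/key 97 hi1202004"
    ok2, stored, counter = server_verify(stored, counter, second)
    return {"first_accepted": ok1, "replay_accepted": replay,
            "second_accepted": ok2, "remaining": counter,
            "sample_hex": to_hex(first), "sample_words": to_word_indices(first)}


if __name__ == "__main__":
    print(demo())
    print(password_list("constructed-secret", "hi1202004", 99, 5))
```

The exchange in `demo` is the reason the page insists on running the client locally: the firewall never holds your secret, only the last code it accepted, so the secret is exposed only on the machine where you type it, and a captured code is useless for the next login because the counter has already moved on.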
MSRI tries to make the information that it generates accessible over the
Internet as easily as possible.
We maintain a World Wide Web server,
which you may (and in fact are, if you are reading this) access using
a WWW client such as Netscape or Internet
Explorer. We post announcements and schedules of programs,
workshops, and seminars on these servers, as well as application
materials, an interface to our library, local information, etc.
We also maintain a local preprint archive for the electronic versions
of the MSRI preprint
series (beginning with the 1994-95 year). These preprints are
available via the World Wide Web. For more information on electronic
preprints, send e-mail to Silvio Levy, in the library.
Along with David Morrison of Duke, we have been working closely with
Paul Ginsparg of Los Alamos to foster the use of topical Eprint servers in
Mathematics.
Due to the large cost, both in hardware and support personnel, MSRI
cannot offer a modem bank to members. The San Francisco Bay Area
does, however, support a very vigorous and competitive market for
Internet Service Providers (ISPs). A full listing of ISPs serving
just the 510 area code, when printed, runs to over 75 pages! A condensed
form of this list is maintained by Internet.com, which aspires to
be the definitive ISP buyer's
guide. An unlimited access account via Plain Old Telephone Service
(POTS) should be less than $20/month; ISDN or wireless access will be
more. The setup fee should be between $0 and $30, depending on the
amount of support that you require for comfort. We solicit your
experiences in order to offer useful, up-to-date recommendations. At
the moment, we can recommend several ISPs of which we have had good
reports. For more information, see Joe Christy, room 229.