NAS User's Frequently Asked Questions (FAQ)

SecurID
  + What is a SecurID "fob"?
  + What are all the elements on my SecurID fob?
  + What is two-factor authentication?
  + What should I do if my fob is damaged or lost?
  + How do I take care of my fob?

Passwords
  + Why are One Time Passwords (OTP) required?

Logging in to NAS Systems
  + When I try to log in it fails with, "No host key is known for machine.nas.nasa.gov and you have requested strict checking." What's wrong?
  + Telnet doesn't seem to work at NAS. Neither do rlogin and rcp.
  + How do I use SSH on a Unix, Mac or PC platform?
  + How do "public" keys work?

Q. What is a SecurID "fob"?

A. RSA's fob is an electronic device that generates a time-based pseudo-random number (called the tokencode) every 30 seconds and shows it on an LCD display. Used together with a personal identifying number (PIN), the pair authenticates account access, such as a login. This is known as One Time Password (OTP) technology.

The term "fob" originates from a fashion accessory traditionally used to secure timepieces to a person's attire (traditionally, a man's vest pockets).

Q. What characteristics describe a SecurID fob?

A. The front face of a NAS-provided fob has an LCD displaying six digits. The digits displayed change every 30 seconds on current models; some earlier models used 60-second cycles.

The lower right corner displays a battery "heartbeat" (if it ceases to display then the battery has expired).

The left side displays six bars, which act as the countdown timer for the tokencode currently displayed. Each of the six bars disappears at a regular interval until all bars are gone, at which point a new random number is displayed and six bars reappear to restart the countdown.

The back side of a fob has three identifiers:
  • Serial Number: This numerical sequence is unique for each fob.
  • Expiration Date: The "mm/dd/yy" format identifies the battery's termination date.
  • Mfr's Lot Number: The manufacturer's batch identifier.


Q. What is two-factor authentication?

A. Security people say there are three general ways you can prove you are who you claim to be. Each way is called a "factor." You can prove you have something. When you get home each evening, you prove to your front door lock that you have a key for it. You can prove that you know something, such as a password. You can prove that you are something, as you would to a retinal scanner or to a guard who knows you by sight.

You are required to authenticate yourself two different ways before you can get access to NAS resources from outside or get access to the "Columbia enclave." You prove you have your assigned SecurID token (sometimes called a key fob or a fob). You also must prove that you know your password or that you have your personal private key.
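The Go program below is an added example, not code from NAS or RSA, showing the mechanics the two answers above describe: a tokencode derived from a secret seed and the current 30-second time step, a PIN that must be presented together with it, and a verifier that accepts each code only once. RSA SecurID's own algorithm is proprietary, so the RFC 6238 TOTP construction (HMAC-SHA1 over the time step) stands in for it here; the seed, the PIN, the one-step clock-drift window and the Account layout are assumptions made for the demonstration.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
	"time"
)

const (
	StepSeconds = 30 // the fob shows a new tokencode every 30 seconds
	Digits      = 6  // NAS fobs display six digits
)

// Tokencode returns the six-digit code a token would show at Unix time t.
// This is the RFC 6238 TOTP construction (HMAC-SHA1 over the time step,
// then dynamic truncation); RSA SecurID's real algorithm is proprietary,
// so this is a stand-in for illustration only.
func Tokencode(seed []byte, t int64) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], uint64(t/StepSeconds))
	mac := hmac.New(sha1.New, seed)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	offset := sum[len(sum)-1] & 0x0f
	code := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	return fmt.Sprintf("%06d", code%1000000)
}

// Result is the verifier's decision. A production server would report only
// "rejected" to the user; the distinct reasons are kept so the demo can show them.
type Result int

const (
	Accepted Result = iota
	BadPIN
	BadCode
	Replayed
)

func (r Result) String() string {
	return [...]string{"accepted", "bad PIN", "bad tokencode", "replayed (already used)"}[r]
}

// Account is what the authentication server stores: the PIN (something you
// know), the seed shared with the fob (something you have), and the last
// time step it accepted, which is what makes every passcode one-time.
type Account struct {
	PIN      string
	Seed     []byte
	lastStep int64
	accepted bool
}

// Verify checks a passcode of the form PIN followed by tokencode at time now.
// It tolerates one step of clock drift either side, and refuses any step at
// or before the last accepted one so a captured passcode cannot be replayed.
func (a *Account) Verify(passcode string, now int64) Result {
	if len(passcode) != len(a.PIN)+Digits {
		return BadCode
	}
	pin, code := passcode[:len(a.PIN)], passcode[len(a.PIN):]
	if subtle.ConstantTimeCompare([]byte(pin), []byte(a.PIN)) != 1 {
		return BadPIN
	}
	step := now / StepSeconds
	for _, d := range []int64{0, -1, 1} {
		cand := step + d
		if cand < 0 {
			continue
		}
		want := Tokencode(a.Seed, cand*StepSeconds)
		if subtle.ConstantTimeCompare([]byte(code), []byte(want)) != 1 {
			continue
		}
		if a.accepted && cand <= a.lastStep {
			return Replayed
		}
		a.accepted, a.lastStep = true, cand
		return Accepted
	}
	return BadCode
}

func main() {
	// constructed demo seed and PIN, not values from any real token
	acct := &Account{PIN: "1234", Seed: []byte("constructed-demo-seed")}
	now := time.Now().Unix()
	code := Tokencode(acct.Seed, now)
	fmt.Println("fob displays:         ", code)
	fmt.Println("PIN + tokencode:      ", acct.Verify(acct.PIN+code, now))
	fmt.Println("same passcode again:  ", acct.Verify(acct.PIN+code, now))
	fmt.Println("tokencode without PIN:", acct.Verify(code, now))
}
```

Running it shows the three properties the FAQ relies on: the PIN alone or the tokencode alone is rejected, a correct PIN+tokencode is accepted, and presenting the identical passcode a second time is refused even though the fob still displays that code for the rest of the 30-second step.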

Q. Why are One Time Passwords (OTP) required?

A. In December 2004, NASA's Office of the Chief Information Officer (CIO) directed the NASA Advanced Supercomputing (NAS) Facility to secure supercomputing facilities with the RSA Security Inc.'s SecurID technology.

+ Get information on NAS password policies

Q. How do I take good care of my fob?

A. Fobs are electronic devices, so treat them accordingly. Do not expose the unit to extremes (temperature, pressure, x-ray, magnetic fields). Damage commonly occurs when the unit is left on a hot automobile dashboard or crushed when sat upon.

The most fragile part is the LCD display. If the protective cover is broken, it will cause irreversible unit failure. The devices are engineered to be tamper-resistant and will fail-closed/safe.

Q. When do I have to use my fob?

A. NAS requires SecurID authentication at the bastion gateways (currently Bruiser, Bouncer, and Columbia's SFE1 & SFE2). Login authentication beyond these edges is subject to local administration policy. SecurID is also required for authentication to Return to Flight (RTF) hosts, for both web-based and interactive login.

Q. What should I do if my fob is damaged or lost?

A. Immediately contact the NAS Help Desk at 650 604-4444 or 1-800 331-8737.

If "lost," the Help Desk analyst will issue you a set of 10 passwords (each usable only once and only in combination with your PIN). You may request another set if the initial set is used up before you receive your new fob; you are encouraged to declare the fob non-returnable.

If "damaged" or otherwise non-returnable, then the Help Desk analyst will initiate steps to replace your fob. Expect typical postal delivery delays.

+ Get more information on SecurID fobs.

Q. Telnet doesn't seem to work at NAS. Neither do rlogin and rcp.

A. True. We require you to use SSH to log into NAS machines and to transfer files into and out of NAS machines.

Q. What version of SSH should I use?

A. You can use any SSH that supports SSH protocol version 2.

OpenSSH version 3.9p1 is available free over the Internet from http://www.openssh.com, and from many other sources. It comes with MacOS X, Linux, FreeBSD, OpenBSD, and NetBSD. It is also available from most vendors of proprietary Unix systems.

SSH Communications Security also sells a commercial version. See http://www.ssh.com.

Behavior is similar across all versions of SSH, but OpenSSH examples will appear in this FAQ.

Q. I try to log in but it fails with, "No host key is known for machine.nas.nasa.gov and you have requested strict checking." What's wrong?

A. First, you did well to configure your SSH client to use what is called "strict host key checking" by default. Strict host key checking is always safer than the alternatives. They are

    StrictHostKeyChecking=no

and

    StrictHostKeyChecking=ask

both of which can appear in your $HOME/.ssh/config file or as the operand of the "-o" command line option to ssh, scp, or slogin.

With the alternatives, you might inadvertently accept a public key from a so-called "man in the middle" and lose the security SSH is meant to give you. With strict host key checking, your workstation must already have learned the public key of any machine you want to contact. How you do that depends upon your circumstances. There are generally three alternatives:

1. You have a NAS supported workstation. Complain to NAS Support (650-604-4444 or 800-331-8737). The people who provide you with support should already have defined a file named ssh_known_hosts on your machine, containing all NAS public keys.

2. You have a user-supported machine at Ames Research Center. You should set up your machine to refresh your ssh_known_hosts file periodically from http://www.nas.nasa.gov/Groups/Security/files/SSH/ssh_known_hosts2 if your machine's address is in the nas.nasa.gov domain, or from http://www.nas.nasa.gov/Groups/Security/files/SSH/ssh_known_hosts2.fqdn if your machine's address is not.

3. Your machine is somewhere other than Ames Research Center. You probably don't need all the information in the ssh_known_hosts file you could get in 2). Just use the "-o StrictHostKeyChecking=ask" option the first time you connect to each NAS machine, and answer "yes" when SSH asks.

The only problem with this approach comes if some NAS machine's public key pair is changed. SSH will give you a really ominous error message and you can only get rid of it by using a text editor to remove the machine's record in $HOME/.ssh/known_hosts and then trying again with "-o StrictHostKeyChecking=ask".
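The Go program below is an added example, not NAS code, for the two operations this answer involves: looking up which record in a known_hosts file covers a given NAS machine, and removing that record when the machine's host key has changed. It parses the OpenSSH known_hosts line format (host field, key type, base64 key), handles both plain comma-separated host fields and the "|1|salt|hmac" hashed form OpenSSH writes when HashKnownHosts is on, and renders the SHA256 fingerprint ssh-keygen -l prints so a record can be compared against a published key. The sample file, its salt and its key blobs are constructed for the demonstration; only the hostnames come from this FAQ.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"strings"
)

// Entry is one line of an OpenSSH known_hosts file: host field, key type, base64 key blob.
type Entry struct {
	Hosts, KeyType, Key string
}

// ParseKnownHosts splits file text into entries, skipping blank and comment lines.
func ParseKnownHosts(text string) []Entry {
	var out []Entry
	for _, line := range strings.Split(text, "\n") {
		f := strings.Fields(line)
		if len(f) < 3 || strings.HasPrefix(f[0], "#") {
			continue
		}
		out = append(out, Entry{Hosts: f[0], KeyType: f[1], Key: f[2]})
	}
	return out
}

// hostMAC is the HMAC-SHA1 OpenSSH uses for hashed host fields.
func hostMAC(host string, salt []byte) []byte {
	mac := hmac.New(sha1.New, salt)
	mac.Write([]byte(host))
	return mac.Sum(nil)
}

// HashHost renders the "|1|base64(salt)|base64(hmac)" host field for host.
func HashHost(host string, salt []byte) string {
	return "|1|" + base64.StdEncoding.EncodeToString(salt) + "|" +
		base64.StdEncoding.EncodeToString(hostMAC(host, salt))
}

// Matches reports whether the entry's host field covers host. Plain fields are
// comma-separated names; hashed fields store no name, so the HMAC is recomputed.
func (e Entry) Matches(host string) bool {
	if strings.HasPrefix(e.Hosts, "|1|") {
		parts := strings.Split(e.Hosts, "|")
		if len(parts) != 4 {
			return false
		}
		salt, err1 := base64.StdEncoding.DecodeString(parts[2])
		want, err2 := base64.StdEncoding.DecodeString(parts[3])
		return err1 == nil && err2 == nil && hmac.Equal(hostMAC(host, salt), want)
	}
	for _, h := range strings.Split(e.Hosts, ",") {
		if h == host {
			return true
		}
	}
	return false
}

// Lookup returns every entry recorded for host.
func Lookup(text, host string) []Entry {
	var hits []Entry
	for _, e := range ParseKnownHosts(text) {
		if e.Matches(host) {
			hits = append(hits, e)
		}
	}
	return hits
}

// RemoveHost drops every line recorded for host: the edit the FAQ says to make
// by hand in $HOME/.ssh/known_hosts when a NAS machine's host key changes.
func RemoveHost(text, host string) string {
	var kept []string
	for _, line := range strings.Split(text, "\n") {
		if f := strings.Fields(line); len(f) >= 3 && (Entry{Hosts: f[0]}).Matches(host) {
			continue
		}
		kept = append(kept, line)
	}
	return strings.Join(kept, "\n")
}

// Fingerprint renders a key as ssh-keygen -l shows it: SHA-256 of the decoded
// blob, base64 without padding, prefixed with "SHA256:".
func Fingerprint(keyB64 string) (string, error) {
	blob, err := base64.StdEncoding.DecodeString(keyB64)
	if err != nil {
		return "", err
	}
	sum := sha256.Sum256(blob)
	return "SHA256:" + base64.RawStdEncoding.EncodeToString(sum[:]), nil
}

// SampleKnownHosts is a constructed file, not the NAS one: one plain entry and
// one hashed entry, with hostnames from the FAQ and a fake key blob.
func SampleKnownHosts() string {
	key := base64.StdEncoding.EncodeToString([]byte("constructed fake key blob"))
	salt := []byte("constructed-salt-20b") // OpenSSH draws 20 random bytes
	return "# constructed sample known_hosts\n" +
		"bruiser.nas.nasa.gov,bruiser ssh-ed25519 " + key + "\n" +
		HashHost("machine.nas.nasa.gov", salt) + " ssh-ed25519 " + key + "\n"
}

func main() {
	text := SampleKnownHosts()
	for _, host := range []string{"bruiser", "machine.nas.nasa.gov", "other.nas.nasa.gov"} {
		for _, e := range Lookup(text, host) {
			fp, _ := Fingerprint(e.Key)
			fmt.Printf("%s: %s %s\n", host, e.KeyType, fp)
		}
	}
	after := RemoveHost(text, "machine.nas.nasa.gov")
	fmt.Println("entries left after removing machine.nas.nasa.gov:", len(ParseKnownHosts(after)))
}
```

The hashed form matters for the hand edit the FAQ describes: when HashKnownHosts is on, the machine's name does not appear in the file, so the record to delete can only be found by recomputing the HMAC with each line's salt, which is what Matches does; on a real system ssh-keygen -R does this same search for you.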

Q. How do "public" keys work?

A. Public key cryptography uses key pairs, one public, one private. The private key can't be derived from the public key. You widely distribute your public keys, as in the ssh_known_hosts file and possibly one or more of your own personal public keys. The corresponding private key must be kept secret.

If you have someone's public key, you can pose them a problem that can only be solved by someone who has the corresponding private key. SSH uses that principle to authenticate both machines and users.
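The Go program below is an added example, not NAS code, of the principle just stated: a verifier that holds only a public key poses a fresh random challenge, and only the holder of the matching private key can produce an acceptable answer. It uses Ed25519 signatures from Go's standard library; the nonce size, the Verifier and Prover types and the names alice and mallory are assumptions for the demonstration, and real SSH signs more than a bare nonce (for instance the session identifier), so this strips the exchange down to its core.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Nonce is the "problem" the verifier poses: 32 fresh random bytes.
type Nonce [32]byte

// Verifier holds only a public key, the way a NAS host holds your public key
// or your workstation holds a NAS host key from ssh_known_hosts. Nothing in
// it would let anyone impersonate the key's owner.
type Verifier struct {
	Public  ed25519.PublicKey
	pending map[Nonce]bool // challenges issued and not yet answered
}

// Prover holds the private key, which never leaves it.
type Prover struct{ private ed25519.PrivateKey }

// NewKeyPair generates a pair and hands the halves to the two roles.
func NewKeyPair() (*Verifier, Prover, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, Prover{}, err
	}
	return &Verifier{Public: pub, pending: map[Nonce]bool{}}, Prover{private: priv}, nil
}

// Challenge draws a fresh nonce and remembers it so an answer can be tied to it.
func (v *Verifier) Challenge() (Nonce, error) {
	var n Nonce
	if _, err := rand.Read(n[:]); err != nil {
		return n, err
	}
	v.pending[n] = true
	return n, nil
}

// Answer solves the problem by signing the nonce; only the private key can.
func (p Prover) Answer(n Nonce) []byte {
	return ed25519.Sign(p.private, n[:])
}

// Check accepts only a signature over a nonce this verifier issued, verified
// under the stored public key, and retires the nonce so an answer cannot be
// replayed later.
func (v *Verifier) Check(n Nonce, sig []byte) bool {
	if !v.pending[n] {
		return false
	}
	delete(v.pending, n)
	return ed25519.Verify(v.Public, n[:], sig)
}

func main() {
	server, alice, _ := NewKeyPair() // the server stores alice's public key
	_, mallory, _ := NewKeyPair()    // mallory has a key pair of her own

	n, _ := server.Challenge()
	sig := alice.Answer(n)
	fmt.Println("alice answers with her private key:    ", server.Check(n, sig))
	fmt.Println("the same answer presented a second time:", server.Check(n, sig))

	n2, _ := server.Challenge()
	fmt.Println("mallory answers with a different key:   ", server.Check(n2, mallory.Answer(n2)))
}
```

The same exchange runs in both directions in SSH: your client challenges the server with the host key it found in ssh_known_hosts (which is why a stale or missing host key produces the strict-checking error discussed above), and the server challenges you with the public key you registered.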


Editor: Jill Dunbar
Webmaster: John Hardman
NASA Official: Rupak Biswas

Last Updated: March 27, 2009