FAQ:

How can I access the NATS cluster from the internet? I want to TELNET to a NATS computer and don't know how. Hey, FTP used to work but not any longer!

Answer:

This answer covers three aspects of how to access the NATS cluster from outside.
  • Remote shell: Working interactively on NATS computers from a remote location connected via the internet.
  • File transfer: Copying files from or to a NATS computer to or from a remote computer.
  • Mail: Accessing your NATS mails from a remote location.

Before answering each of these questions, I want to give some general background.

The main problem of accessing computer accounts from a remote location via the internet is that the transmitted data is easily readable by the so-called men-in-the-middle. For instance, when you use telnet to connect to a host over the internet the password that you use is transmitted in plain text. Things are similar when you authenticate yourself for mail access or file transfer. The Bad Guy can then use your password to log into your account, access and/or destroy your data and abuse your account (and name) to attack even other hosts.

Remote Shell

Remote shell means that you sit at a remote computer but run programs interactively on a different, local host. Your input is transmitted to the local host and the output is transmitted back to the remote host.

Ssh

This protocol (secure shell) uses encrypted connections between the remote and the local host. It was designed with security in mind and is the preferred way to remotely access the NATS cluster. However, SSH clients are not available everywhere. Check out http://www.ssh.com, http://www.freessh.org and [[http://www.informatik.uni-hamburg.de/RZ/netz/ssh-win.html][SSH-WIN Installation]].

Telnet

The telnet protocol is very simple. All data is sent unencrypted over the net. However, there exist client programs for all operating systems and they are usually installed on every networked computer. The only NATS computer that is reachable by telnet is nats17.informatik.uni-hamburg.de (IP 134.100.10.117). However, we do not allow you to use your regular UNIX password for remote logins because a person who grabs the transmitted data would then have unlimited access to your account. When you want to use telnet from a remote host you must use S/Key one-time passwords. These one-time passwords are only valid once, so they are useless for a hacker who recorded the password because by then it has already expired. The drawback is that you have to take enough one-time passwords with you and you probably have to write them down in order not to forget them (which is a bad idea for regular passwords). Therefore, you should only use them in rare exceptional cases. Be extra careful with these written passwords. Make them invalid as soon as possible (after a conference or even sooner if you're unsure whether somebody has seen them) using the keyinit -d command. Note that the connection between the remote host and the NATS cluster is still NOT encrypted. Here is how it works (there are also man pages!):
  1. First you have to initialize the system. You must do that while being logged in locally into nats17 and in advance! You have to choose a password which you should keep strictly secret. You must NOT use your regular UNIX password! The password should be a multi-word sentence that is very difficult to guess (cf. CreatingNewPassword). Use the keyinit command:
       nats17$ keyinit
       Adding ingo:
       Reminder - Only use this method if you are directly connected.
       If you are using telnet or rlogin exit with no password and use keyinit -s.
       Enter secret password: Pferde turnen besser als Elefanten!
       Again secret password: Pferde turnen besser als Elefanten!
     
       ID ingo s/key is 99 na12246 
       SOWN RUSE FED BAD OTT EGO 
       nats17$
     
    Here "Pferde turnen besser als Elefanten!" is your secret password. Remember it! Your S/Key id is "na12246" (which is valid for at most one hundred logins) and the one-time password for sequence number 99 is "SOWN RUSE FED BAD OTT EGO". You don't have to remember it now.
  2. The keyinfo command always tells you (on nats17) what your current S/Key id is and what the next sequence number is.
       nats17$ keyinfo
       98 na12246
       nats17$ 
    
  3. Next you have to compute one-time passwords. Note that everybody who knows the S/Key id and your secret password can re-compute them at all times. Use the key command:
       nats17$ key 98 na12246
       Enter secret password: Pferde turnen besser als Elefanten!
       KEYS JAM LYNN SALT DISH DAYS
       nats17$
    
    "na12246" is your S/Key id, "98" a sequence number and "KEYS JAM LYNN SALT DISH DAYS" your S/Key one-time password. You have to write it down (or remember it) together with the sequence number. Keep this information strictly confidential and don't put your UNIX user name or the host nats17 next to that information! Combining the previous command keyinfo with the option -n num makes it easy to compute the next num valid one-time passwords in advance (e.g. for conference journeys). The key command cannot check whether your secret password is correct. It just uses it to compute one-time passwords. Therefore, it is generally a good idea to test one of the generated one-time passwords while you're still at NATS. This helps to detect whether you, for example, mistyped your password.
       nats17$ keyinfo
       98 na12246
       nats17$ key -n 5 98 na12246
       Enter secret password: Pferde turnen besser als Elefanten!
       94: ULAN RUDE TUFT HEED DIRT KANT 
       95: BIB GOLD FOGY MULL SHAY NICE 
       96: FOLD SEC CURD REND NICE DEBT 
       97: TAD GAIL LISA GWYN HAAS ILL 
       98: KEYS JAM LYNN SALT DISH DAYS 
       nats17$
    
  4. Finally you're sitting at the remote host called insecure.
       insecure$ telnet nats17.informatik.uni-hamburg.de
       Trying 134.100.10.113... 
       Connected to nats17.informatik.uni-hamburg.de. 
       Escape character is '^]'. 
     
       SunOS 5.6 
     
       login: your UNIX name 
       s/key 95 na12246
       (s/key required)
       Password: BIB GOLD FOGY MULL SHAY NICE
       Last login: Wed Mar 8 11:45:15 from somewhere.com
       nats17$
    
    Note that the sequence number "95" must match the sequence number you got with the password! Same is true for the S/Key id.
  5. In case you have forgotten your secret password or lost your one-time passwords you can (and should) always re-initialize the S/Key database using the keyinit command as described above. Whenever you exhaust your sequence numbers, i.e., your next sequence number is near zero, you have to re-initialize, too. You should never re-initialize from a remote site! When in doubt, disable all your S/Key one-time passwords using the keyinit -d command (which is safe from a remote site) and contact the system administration.
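The reason a recorded one-time password is useless, and the reason the sequence number counts down, is the hash chain behind S/Key. The following is an added illustration, not code from this page or from the NATS cluster: it follows the RFC 2289 MD5 variant with hexadecimal output (the real key command prints the six-word encoding shown above, and which hash nats17 uses is not stated here), and the names SKeyHost, keyinit, challenge, verify and disable are assumed for the example. The same chain is what the telnet login above and the FTP login below check.

```python
import hashlib


def _step(value: bytes) -> bytes:
    """One hash step: MD5, then fold 16 bytes to 8 by XOR (RFC 2289 style)."""
    digest = hashlib.md5(value).digest()
    return bytes(a ^ b for a, b in zip(digest[:8], digest[8:]))


def otp(secret: str, seed: str, seq: int) -> bytes:
    """What `key seq seed` computes: hash(seed+secret) applied seq+1 times."""
    value = _step((seed.lower() + secret).encode())
    for _ in range(seq):
        value = _step(value)
    return value


def as_hex(value: bytes) -> str:
    return value.hex().upper()


class SKeyHost:
    """Server-side state that keyinit creates and every successful login updates."""

    def __init__(self) -> None:
        self.seed = self.seq = self.last = None

    def keyinit(self, secret: str, seed: str, start: int = 99):
        # The host keeps only otp(start); the secret never leaves the user.
        self.seed, self.seq = seed, start
        self.last = otp(secret, seed, start)
        return start, as_hex(self.last)        # like "ID ingo s/key is 99 na12246"

    def challenge(self):
        # What the login prompt shows, e.g. "s/key 98 na12246".
        return self.seq - 1, self.seed

    def verify(self, seq: int, candidate: bytes) -> bool:
        # Accepts only the challenged number; hashing the candidate once must
        # reproduce the stored value. A replayed password fails because the
        # host has already moved one link down the chain.
        if self.last is None or seq != self.seq - 1:
            return False
        if _step(candidate) != self.last:
            return False
        self.seq, self.last = seq, candidate
        return True

    def disable(self) -> None:
        """keyinit -d: forget the chain so no remaining one-time password works."""
        self.seed = self.seq = self.last = None
```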

Rlogin

This protocol is insecure because passwords are transmitted in plain text and access control is limited. You cannot use rlogin to access the NATS cluster.

File transfer

The preferred way to transfer files between remote sites and the NATS cluster is based on the SSH protocol (cf. above and the scp command). The FTP protocol is for file transfer what telnet (cf. above) is for remote shells. In order to use FTP from a remote location you have to use S/Key one-time passwords like for telnet. The information given there applies analogously. Here is how a typical FTP session from a remote site looks.
   insecure$ ftp nats17.informatik.uni-hamburg.de
   Connected to nats17.informatik.uni-hamburg.de.
   220 nats17.informatik.uni-hamburg.de FTP server (Version wu-2.6.0(1) Tue Mar 7 15:19:25 MET 2000) ready.
   Name (nats17:ingo): your UNIX name
   331 s/key 77 wz173501 required for ingo.
   Password: YANG RUNG CRAG TAD UP SWAT
   230 User ingo logged in.
   ftp> quit
   insecure$

Mail access

Of course, you can use one of the methods described above to log into a NATS machine and run a mail program (e.g. pine or mutt) locally.

However, for regular service and more convenient mail handling it's better to move the mails to the remote host and work with them there. There are two cases to distinguish:
  • New or temporarily different mail address: If you have a new or temporarily different mail address, e.g. while visiting a research institute, you can automatically forward your email to the new address. Just create a file .forward in your home directory and put the new address into it. Please take extra care not to set up mail loops, i.e., forwarding mail from A to B and from B to A. Not only would you lose your mail but also create considerable traffic between the sites. There is no security problem with forwarding mails.
  • Occasional mail access through dial-up connection: If you cannot forward your mail to the new address, e.g. because you're only occasionally online (through a dial-up connection), you can nevertheless fetch your mails from the NATS cluster to your remote computer. The most widely used protocol for this is POP3. However, POP3 is similar to telnet in that it transmits passwords in plain text. Even worse, mail is usually checked for at regular intervals, making it easier to actually grab the password from the wire. Therefore, we disabled POP3 access from the outside. There are, however, a few alternatives which are more secure.

See PopThreeProtocol for more information.

(by Ingo Schröder)

Back to: SecurityFAQ

-- MichaelDaum -- 09 Sep 2003