Strong Authentication Project

What's New

Strong Authentication Plan Resources

• 10/23/2001: FNALU moves to "weak mode" Kerberization.

• 10/16/2001: Pilot Realm phaseout begins. Ticket lifetimes gradually being reduced.;

• Added basic UNIX user documentation from MIT distribution;

Plan Documents
Presentations
Kerberos Resources
User Documentation (Pilot Users Only)

Email Computer Security Team

"Experience shows that a major source of computer security incidents is the compromise of re-usable passwords by clear text transmission over the network, or by weakly protected storage on disk on individual systems. The strong authentication project proposes to greatly reduce the risk of such compromise by implementing an authentication system based on the Kerberos v5 protocol developed at MIT. This protocol avoids transmission or storage of passwords. A secure portal with non-reusable passwords will provide access between those systems where only Kerberos access is permitted (the "strengthened realm") and those systems where other forms of access are permitted (the "untrusted realm"). A phased implementation is proposed, beginning with the Run II systems now under development."

Plan Documents

• Synopsis of Plan (Start here: prepared for 7/7/1999 User's Meeting)

• Draft of full Plan (Under revision)

Presentations

• 8/19/1999 Beams Division Critical Systems Review presentation

• 7/27/1999 Computing Techniques Seminar

• Technical system design

• Issues raised by user & developer feedback groups

• Run II pilot project & limited production proposal

Kerberos Resources

• RFC 1510: The Kerberos Network Authentication Service (V5)

• Kerberos Frequently Asked Questions (Naval Research Laboratory)

• Kerberos: The Network Authentication Protocol (MIT)

• RFC 1964: The Kerberos Version 5 GSS-API Mechanism

User Documentation

• Strong Authentication at Fermilab GG0019

• MIT Kerberos V5 UNIX User's Guide

• Instructions for installing Kerberos (Pilot Phase)

• Release Note for Fermi Kerberos v0_2 (Pilot Phase)