secure pilot access?

Ben Pfaff blp@cs.stanford.edu
25 Dec 2001 21:35:58 -0800


Edward Glowacki <glowack2@msu.edu> writes:

> Quoted from Ben Pfaff on Thu, Dec 13, 2001 at 12:12:29AM -0800:
> > Is there a way to update my Pilot webpage without sending a
> > cleartext password over the Internet?  At one time this didn't
> > bother me, but it does now.  Maybe I need to move it somewhere
> > else.

I gave the responses on this one a while (too long, in fact) to
come along, but I guess there aren't any real options.

> I think the current options for accessing your pilot space are:
> 
[...all unencrypted...]
> 
> Wouldn't it be great to have something like an SSL or SSH tunneled
> file sharing protocol using the same general authentication mechanisms
> SSH offers?

Yeah.  We could call it "scp".

Seriously, I really wish that Pilot supported more secure
protocols.  This is something that Stanford does in something
approximating the Right Way.  They give every Stanford student a
shell account on their "Leland" UNIX systems and encourage them
to use Kerberos (or ssh or SSL) to access everything.  In fact,
I'm not sure that they support plaintext password protocols like
ordinary POP3 anymore.  They provide Kerberos support packages
for Windows and Mac platforms ("PC-Leland" and "MacLeland",
respectively) plus Kerberos kits for many Unix variants and a
customized Red Hat variant called SULinux.  (They do not,
however, support ssh login via RSA or DSA keys, because of
interactions with the Kerberos ticketing system.  This sucks.)

On the other hand, they only support current students on the
Leland systems, not alumni, so they have an easier time of it
with only approx. 13,000 students compared to $DEITY knows how many
users on Pilot.[*]  There are other "issues" here, like their
connection to the commodity internet, which apparently has a
single-point-of-failure design that in fact fails pretty often
(like once a month or so), and the student records system
designed by clueless webmonkeys with stunning disregard for web
standards such that it only works under Netscape and recent
Mozilla (apparently IE, too, but I don't ever use that), and the
network policy for the student residences ($9 per connected
machine per month, with use of NAT/masquerading forbidden).

Yow.  I didn't start that out intending to rant.

Did I mention that my advisor is one of the guys who founded
VMware?  Try googling for "Mendel Rosenblum".

[*] This is why I use my @cs address, not my @stanford address:
it is a permanent lifetime account, assuming that I eventually
graduate.  Same reason my webpage is still at MSU.
-- 
<blp@cs.stanford.edu> <pfaffben@msu.edu> <pfaffben@debian.org> <blp@gnu.org>
Stanford PhD Student - MSU Alumnus - Debian Maintainer - GNU Developer
Personal webpage: http://www.msu.edu/~pfaffben