To enhance network security, interactive logins to the Central Research
Computers, Northstar workstations, and general-purpose systems (e.g., Nimbus)
are not permitted from off campus.
A computer, gateway.dartmouth.edu, has been set up to provide a
safe mechanism for off-campus users to log in to the Research Computers and the
Northstar workstations. Accounts on gateway may be used for access to
any of these restricted systems. Note that dial-in access to Kiewit does
not count as off-campus access. All access from elsewhere on
the Internet, whether local or international, is off campus.
Guidelines for Gateway Accounts
Students, faculty, and staff of the College may obtain accounts on
gateway for purposes of off-campus access to restricted computers. A
necessary and sufficient condition for such an account is a current listing in
the Dartmouth Name Directory (DND). If a person terminates his or her formal
association with the College, Computing Services will close the account after
approximately three months. Computing Services may close any account that has
not been logged into for one year.
The Dartmouth
College Information Technology Policy governs all accounts. Computing
Services reserves the right to disable or close any account whose use is found
to violate the Information Technology Policy or to pose an immediate
threat to system operation.
Under special circumstances, Computing Services may grant accounts on
gateway to people not currently listed in the DND. Like all
gateway accounts, these non-Dartmouth accounts must be for
non-commercial, College-related business. Each non-Dartmouth account must have
a sponsor who is a Dartmouth faculty or staff member and is currently listed in
the DND. The sponsor accepts all responsibility for the account. A sponsor may
obtain a non-Dartmouth account on gateway by applying in person to the
Computing Services Computing Help Desk in 172 Carson Hall. If the sponsor
terminates his or her formal association with the College, Computing Services
will close the account after approximately three months.
All access to gateway is via encrypted protocols only.
These guidelines are subject to periodic review by Computing Services.
Getting a Gateway Account
Connect to gateway.dartmouth.edu using any
SSH client and log in as newuser (no
password).
You will be prompted for your DND (BlitzMail)
username and password, as well as your
Dartmouth ID number. After confirming your identity, you will be asked to
select a username. It is recommended you use the same username you use on the
Northstar/Research computers. Your account should be created within a couple of
working days. You will receive e-mail when the account has been created.
You should log in to the account as soon as possible to check that
everything works and change the password to one of your choosing. Do
not use the same password you use for any other computer on
campus.
Using Your Gateway Account
The most common way to use a gateway account is to connect from off
campus with SSH (or slogin), using your gateway username and password, and
then run SSH again from gateway (or telnet, if you absolutely must) to reach
the computer you wish to use. For more details of
recommended terminal emulation software, see Connecting to UNIX From the Macintosh and
Windows. The gateway connection then becomes completely
transparent and you have effectively a direct connection between the client
machine (which you are sitting at) and the Dartmouth computer you have logged
in to. You should not configure your account on any machine to accept
rsh or SSH from gateway without a password, for example through a .rhosts or
.shosts entry naming gateway or a key whose private half has no passphrase,
since this bypasses most of the additional security provided by using
gateway.
Other Dartmouth departments may also choose to disallow off-campus access;
gateway can also be used in the same way to log in to those computers.
No files may be kept on gateway, and no programs other than the remote
login utilities are available. username@gateway should
not be used as an e-mail address.
Example:
From a remote UNIX system:
% ssh -l myname gateway.dartmouth.edu
myname@gateway.dartmouth.edu's password:
gateway.dartmouth.edu
Messages from gateway system administrators may appear here, then a
command prompt. Assuming the username on "cascade" is the same, we
will use slogin to connect to it.
gateway:~> slogin cascade
myname@cascade's password:
Last login: Tue Aug 15 17:03:32 2000 from remotehost
Greeting messages and notices from "cascade" system administrators
appear here, then we get a command prompt from "cascade" and can
begin work. Graphical (X-windows) software should run as normal provided you
are using appropriate X-server software on your local computer, such as eXodus
for the Macintosh or Reflection-X for Windows. Remote displays of complex
graphics may be slow.
myname-cascade:~>
Gateway accounts may (in the future) be configured to present a
limited set of login options through a menu system.
Security Issues
The main reason for using gateway is to remove most casual probing
of our computers from the Internet at large. Direct access allows anyone to
look for non-passworded accounts or to attempt to guess passwords. With
gateway, an intruder would have to discover at least the
gateway password for an account, and then the password to the
restricted machine, which is why you should not use the same password for both,
or configure things in such a way that the second password is not
needed.
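The two warnings above (do not let a login from gateway succeed without a password, and do not make the second password unnecessary) can be checked from the restricted machine itself. The following audit script is an added example, not part of the original page or of Computing Services' tools. It looks for rhosts-style trust files naming gateway (or "+") and lists every SSH authorized key for review; the file names it checks and the host pattern "gateway" are assumptions. sshd cannot tell whether a key's private half has a passphrase, so keys are reported rather than judged.

```shell
#!/bin/sh
# Audit a home directory on a restricted machine for settings that let a
# login from gateway proceed without a password: rhosts-style trust files
# and SSH authorized keys (sshd cannot tell whether the matching private key
# has a passphrase, so every key is listed for review). Added example, not
# from the page; the file names and the host pattern are assumptions.

GATEWAY_PATTERN='gateway'   # assumed: matches gateway.dartmouth.edu and short names

# check_rhosts FILE: report lines in a .rhosts/.shosts file that trust the
# gateway host or everyone ("+"). Returns 0 if nothing was found.
check_rhosts() {
    file=$1
    [ -f "$file" ] || return 0
    found=0
    # Field 1 is the trusted host, field 2 the remote user (default: same name).
    while read -r host user rest || [ -n "$host" ]; do
        case "$host" in
            ''|'#'*) continue ;;
            +|*"$GATEWAY_PATTERN"*)
                printf 'TRUSTED HOST  %s: host=%s user=%s\n' \
                    "$file" "$host" "${user:-<same>}"
                found=1 ;;
        esac
    done < "$file"
    return $found
}

# check_authorized_keys FILE: report every key that could be used from
# gateway. Keys restricted with from="...gateway..." are flagged explicitly;
# all other keys need a manual check that their private key has a passphrase.
check_authorized_keys() {
    file=$1
    [ -f "$file" ] || return 0
    found=0
    while read -r line || [ -n "$line" ]; do
        case "$line" in
            ''|'#'*) continue ;;
            *'from="'*"$GATEWAY_PATTERN"*'"'*)
                printf 'KEY FROM GATEWAY  %s: %s\n' "$file" "$line" ;;
            *)
                printf 'KEY (passphrase?)  %s: %s\n' "$file" "$line" ;;
        esac
        found=1
    done < "$file"
    return $found
}

# audit_trusted_logins HOME_DIR: run every check. Returns 0 only when the
# account requires a password for every login, 1 if anything needs attention.
audit_trusted_logins() {
    home=$1
    status=0
    for f in "$home/.rhosts" "$home/.shosts"; do
        check_rhosts "$f" || status=1
    done
    for f in "$home/.ssh/authorized_keys" "$home/.ssh/authorized_keys2"; do
        check_authorized_keys "$f" || status=1
    done
    return $status
}

# Demonstration on a constructed home directory (temporary, not a real account).
demo_home=$(mktemp -d)
printf 'gateway.dartmouth.edu myname\n# labpc.example.org is commented out\n' \
    > "$demo_home/.rhosts"
if audit_trusted_logins "$demo_home"; then
    echo "OK: every login to this account needs a password"
else
    echo "WARNING: a login from gateway could succeed without a password"
fi
rm -rf "$demo_home"
```

Run it as yourself on each restricted machine you use, passing your home directory; a non-zero exit means something listed should be removed or justified.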
Because gateway accepts only encrypted connections, your gateway password and
everything you type in the session cannot be read by anyone snooping the
network, either near the remote client or at Dartmouth. That protection covers
only the hop to gateway: if you telnet from gateway to the restricted machine,
the second password crosses the network in clear text, so use SSH for the
second hop as well. Even SSH does not give you a secure connection if you
cannot trust the computer you are sitting at. Many times, off-campus connections
are made from borrowed computers, public-access computers such as in Berry
Library, or completely public computers such as in a CyberCafe. It is possible
on any system to install a "keystroke logging" program to surreptitiously
record all keyboard activity, and such a program captures your passwords before
SSH encrypts them. It is wise to consider all off-campus access as insecure
unless you are using your own computer, or one that you fully trust, and an
encrypted network protocol.
If security is very important to you, please consult with one of the System
Administrators before leaving campus. Highly secure access can be arranged, but
there is always a trade-off between security and convenience.
Mail Access
For a discussion of off-campus access to BlitzMail, see BlitzMail or UNIX Mail?.
You might also consider planning ahead for trips off campus by setting up an
alternate e-mail account with a commercial provider such as hotmail or yahoo, and temporarily forwarding all mail
there so your Dartmouth passwords need never be exposed for common actions such
as checking mail.
File Transfer
The safest and most efficient file transfer is when both remote and
Dartmouth computers have AFS client software already installed, in which case
you can just authenticate (with klog), then copy to and from your home
directory (e.g.,
/afs/northstar.dartmouth.edu/ufac/username).
File transfer between restricted machines on and off campus can be performed
with sftp by staging the files on gateway. A
directory with staging space is available in /xfer. Files and directories
placed in /xfer will be removed after 30 days.
For less secure, but often adequate, protection you can use HTTP (download
only) or anonymous FTP (upload and download). With these methods the file name
itself becomes the password for retrieval: anyone who learns or guesses the
name can fetch the file, so choose a name that cannot be guessed and remove the
file once it has been retrieved.
For downloading files from our AFS servers, an easy way is to move or link
the files into your public_html directory, then retrieve them by name
with a Web browser using
http://northstar-www.dartmouth.edu/~username/filename.
For more information, see Web Options for UNIX and AFS Users. You do not need
to write any HTML to use this method. The files should be named something that
will not confuse normal Web browser actions.
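Since the file name is the only secret in the public_html method, the name must be unguessable and the directory must not be listable. The script below is an added example, not from the page: it copies a file into public_html under a 128-bit random name (keeping only the extension), sets the directory to be traversable but not readable, and prints the URL in the form given above. The use of /dev/urandom and the helper names are assumptions.

```shell
#!/bin/sh
# Stage a file in public_html for retrieval by name, as described above.
# Because the name is the only secret, it is generated from 128 random bits,
# and the directory is made traversable but not listable so the name cannot
# be discovered by browsing. Added example, not from the page; the URL prefix
# is taken from the page, the use of /dev/urandom is an assumption.

WEB_BASE='http://northstar-www.dartmouth.edu/~'

# random_name: 32 hex characters from the system random source.
random_name() {
    od -An -N16 -tx1 /dev/urandom | tr -d ' \n'
}

# stage_for_download HOME_DIR USER FILE: copy FILE into HOME_DIR/public_html
# under a random name and print the URL for it. Returns 1 if FILE is missing.
stage_for_download() {
    home=$1; user=$2; src=$3
    [ -f "$src" ] || { echo "stage_for_download: no such file: $src" >&2; return 1; }
    pub="$home/public_html"
    mkdir -p "$pub"
    # The web server may enter the directory (x) but nobody may list it (no r).
    chmod 711 "$pub"
    # Keep only the extension of the original name so the browser handles
    # the file sensibly; the rest of the original name stays out of the URL.
    base=${src##*/}
    case "$base" in
        *.*) ext=".${base##*.}" ;;
        *)   ext='' ;;
    esac
    name="$(random_name)$ext"
    cp "$src" "$pub/$name"
    chmod 644 "$pub/$name"        # readable by the web server, not writable
    printf '%s%s/%s\n' "$WEB_BASE" "$user" "$name"
}

# unstage_download HOME_DIR NAME: remove a staged file once it has been fetched.
unstage_download() {
    rm -f "$1/public_html/$2"
}

# Demonstration on a constructed file in a temporary directory.
demo=$(mktemp -d)
printf 'constructed sample data\n' > "$demo/results.txt"
url=$(stage_for_download "$demo" myname "$demo/results.txt")
echo "Fetch it from off campus with a browser or: curl -O '$url'"
unstage_download "$demo" "${url##*/}"
rm -rf "$demo"
```

In real use pass your home directory and username; the file is only as private as the URL, so send the URL over an encrypted channel and unstage it as soon as the download is done.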
For another method of transferring files onto restricted Dartmouth computers
from off campus using public drop boxes and anonymous FTP, see Anonymous FTP File Transfer.
Problems
For help with using a Gateway account, or to request password
resets etc., please send e-mail to manager@northstar.dartmouth.edu.
Gateway does not accept any mail.