Keeping your NU password secure

It is not generally appreciated that when you check e-mail with Eudora or use telnet and ftp, your password is transmitted across the network in plain text. This means that someone illegally monitoring network traffic can pick up your password. If this happens it is potentially a disaster, since someone with your username and password can gain access to your accounts and all files on your personal machine. There are several things you can do to protect your password. Note that this information is for Windows; I am not familiar with the Mac.
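The exposure described above, seen from the side of someone auditing their own network, as an added example that is not part of the original page: it flags flows where the login crosses the wire in the clear and redacts the secret in its report. Ports 21, 23 and 110 are the standard FTP, telnet and POP3 assignments, 2110 and 26 are the ports this page gives, and the flows, user names and passwords are constructed sample data.

```python
import re

# Standard port assignments for protocols that send the login in the clear.
CLEARTEXT_PORTS = {21: "ftp", 23: "telnet", 110: "pop3"}
# POP3 and FTP both authenticate with a literal "PASS <password>" command.
PASS_CMD = re.compile(rb"^PASS[ \t]+\S", re.IGNORECASE)


def audit_flow(dst_port, client_lines):
    """Classify one client-to-server flow as (protocol, exposed, safe_lines).

    safe_lines has the password replaced, so the report never stores it.
    "other" only means the port is not a known cleartext service.
    """
    proto = CLEARTEXT_PORTS.get(dst_port, "other")
    exposed = False
    safe_lines = []
    for raw in client_lines:
        line = raw.rstrip(b"\r\n")
        if proto in ("ftp", "pop3") and PASS_CMD.match(line):
            exposed = True
            line = line[:4] + b" <redacted>"
        safe_lines.append(line)
    if proto == "telnet" and client_lines:
        # Telnet has no PASS command: every keystroke, including the
        # password typed at the login prompt, is sent unencrypted.
        exposed = True
        safe_lines = [b"<%d client segments withheld>" % len(client_lines)]
    return proto, exposed, safe_lines


# Constructed sample flows (user names, passwords and payloads are made up).
SAMPLE_FLOWS = [
    (110, [b"USER jdoe\r\n", b"PASS hunter2-example\r\n", b"STAT\r\n"]),
    (21, [b"USER jdoe\r\n", b"pass hunter2-example\r\n"]),
    (23, [b"jdoe\r\n", b"hunter2-example\r\n"]),
    (2110, [b"\x00\x01opaque-kerberos-exchange"]),  # Kerberized POP port from this page
    (26, [b"SSH-2.0-example_client\r\n"]),          # SSH port this page gives for Merle
]


def audit_all(flows=SAMPLE_FLOWS):
    """Return {dst_port: exposed} for each flow."""
    return {port: audit_flow(port, lines)[1] for port, lines in flows}


if __name__ == "__main__":
    for port, lines in SAMPLE_FLOWS:
        print(port, audit_flow(port, lines))
```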

IMPORTANT DISCLAIMER: this is information I have ferreted out and it seems to be working for me. If you trash your machine, expose your password, and find your basement full of toxic waste, I disclaim any responsibility. In my opinion NU should have a page like this, but they don't. If you find that in fact they do have such a page, please let me know.

Kerberos

Kerberos is software which encrypts your password when you check e-mail. It has been supported at NU for several years on the main e-mail servers. The TSS internet installer automatically installs it, but if you are not using the installer, the existence of Kerberos is a secret as far as I can tell. At any rate, here are instructions for installing Kerberos for use with Eudora. You apparently cannot protect yourself in the same way if you use Microsoft's LookOut.

The following instructions are based on information from Julian Koh of NU's Network Services group. Thanks Julian!

  1. Kerberos may already be installed on your system. To find out, type "krb5" at a command prompt. If you see a dialog box titled "Kerberos", the Kerberos software is installed. (This does not mean that Eudora is using it --- be sure to continue with these instructions.) If Kerberos is not installed, you need to obtain and run the file krbsetup.exe from NU's NUNS ftp server.
  2. In Eudora, you need to make the following modifications (this is for Eudora 4.2; your mileage may vary with other versions):
    1. Under "incoming mail" set authentication to "kerberos".
    2. Under "Kerberos", set the following items:
      • Kerberos POP3 port: 2110
      • Realm: UCC.NWU.EDU (yes, this should be all caps)
      • Service name: kpop
      • Service format: %1/%2@%3
      If Eudora is already set up like this, and Kerberos was already installed in step 1, then there should be no need for you to do anything else; Kerberos should be working.
  3. Exit and restart Eudora. If Kerberos is working, the first time you check your mail you will be asked whether it is okay to synchronize your clock. Say yes and you're in business. (You will not be asked this question in the future.)
  4. One way to check if Kerberos is working is to change your system time by more than 5 minutes. If Kerberos pops up and complains when you try to check e-mail, it is installed. (Warning: doing this may crash your machine and force you to reboot.)

You will find that Kerberos takes over password-checking, remembering your password for a set amount of time. Even if you have Eudora set to remember your password, a Kerberos dialog will still pop up from time to time asking for your password. You can affect the password timeout by typing "krb5" at the command line and selecting File|Options.

If you are curious, this page has lots of information and links about Kerberos.

Secure Telnet (SSH)

Plain vanilla telnet has the same problem as POP mail with clear text passwords, but there is a secure version of Telnet called Secure Shell, or SSH. It is officially unsupported by NU, but Merle accepts SSH connections (on port 26, not the "official" port, 22), as does Skew3.

If you want to know more, here is an SSH FAQ.

Commercial Secure Telnet

A commercial version of secure telnet recommended by others at NU, and which seems to work well, is SecureCRT by VanDyke Software. A 30-day evaluation copy is available and there are educational and quantity discounts.

Free Secure Telnet

A commercial SSH Telnet client which is free for educational use is available here. NU has already received an institutional site license for this client and is planning to roll it out in the near future. The problem, if you are an Emacs user, is that this client does not have an obvious way to map <meta> to <alt>. If that makes no sense to you, this client should work fine for you.

The free version that I have been using is the SSH version of TeraTerm Pro. The problem is that it is unusably slow if you are using Emacs as an editor. SecureCRT and SSH don't seem to have this problem. You can try it and see if it works for you. Here is how to install it:

  1. Get TeraTerm Pro from here. Unzip the file and run setup.
  2. Further down on the same page as above, you can get TTSSH. You just unzip and copy these files into the same directory as TeraTerm Pro. Then you start telnet by invoking ttssh.exe.

© Copyright 2000, Robert McDonald. You can send me mail at r-mcdonald@northwestern.edu.

Last modified: Wed Dec 13 11:50:15 Central Standard Time 2000