Secure connections for command line tools

Background

For many years the SAF ran on VMS machines. VMS machines were very secure but unfortunately, due to some very poor management decisions by Digital and Compaq, are no longer a viable option for molecular biology work, primarily because of the dearth of native software. Our current machine runs a version of the Unix operating system. Now we have the opposite problem: we have access to lots of software but also an abundance of security holes. In order to reduce the risk of intrusion we must utilize security precautions on the Unix machine which were not required on the VMS one.

Byebye Telnet and FTP, Hello SSH, SFTP, and SCP

The Telnet and FTP protocols are not secure since they send all data over the network unencrypted. Initially we had thought that within Caltech's new switched network Telnet and FTP access would be safe since packets would be less easily intercepted by other machines on the net. While that much is true, and does provide protection from regular network "sniffers", it turned out that there are security problems with several of the fundamental internet network functions. See for instance ref1 and ref2. All is not lost though, as fully encrypted connections should be secure, and the SSH ,SFTPand SCP protocols provide essentially the same functionality as do Telnet and FTP. There are a variety of free SSH clients for both PCs and Macs. Additionally, ITS has a site license for the DataFellows Secure Shell ssh clients for Windows and Macintosh. If at all possible you want to use an SSH2 client instead of an SSH1 client. ITS has installation instructions for the DataFellows products.

Here are quick step by step instructions for setting up ssh clients on Windows and Macintosh. If you have a linux system the ssh, scp, and sftp commands are probably already set up for you, but if not, you will need to install OpenSSH and OpenSSL.

Keeping the front door locked and the kitchen window closed.

We used to allow Telnet and FTP connections from machines off campus as a convenience for Caltech personnel who were traveling. Even with SSH that represents too great a risk and these connections are blocked. Connections from the main ITS machines (its.caltech.edu, corresponding to blinky, inky, etc.) are also blocked. There is no reason for anybody to ever connect from their PC or Mac through the ITS machines instead of directly to the SAF server. Dial in addresses are not blocked. We strongly suggest that you only ever connect from single user Unix machines, PCs, or Macs. In a multiuser environment your keystrokes may be monitored, or if the machine is compromised, your access keys may be stolen.

But, but, but, how do I get my DNA files without FETCH?

Anonymous FTP access to the SAF server is still allowed. Use Fetch or your FTP client of choice to download DNA data as you always have. This is safe because the username is always "Anonymous", there is no password, and these connections are locked into a tiny section of the file system where they can do no damage. Uploads through this connection are disabled.

Updated 06/16/2001