Usage rules/Security rules

From MetaCentrum

Secure and effective use of MetaCentrum resources is possible only if certain operational rules are followed. Therefore, study the security rules for working in MetaCentrum, and on the network in general, very carefully. You will also find help in the articles under Categorized_list_of_topics#Accessing_machines.

MetaCentrum security rules

  • Users have to protect their account with a non-trivial Kerberos password. The user must not tell this password to anybody and has to protect it by all available means. Among other things, this means not using it in open (non-encrypted) protocols such as standard Unix (non-Kerberized) telnet or ftp.
  • A non-trivial password is one that cannot be deduced (even after simple mutations) from the data known about the account owner and that is not the name of a person, animal or object (even after simple mutations). The administrators are authorized to test passwords for triviality; if a test is positive, they will inform the account owner in a secure way. The account owner then has to change the password immediately (the original account can be locked until the password is changed).
  • Users must not lend their accounts to each other. If it is necessary to share an account for some reason (e.g. software installation), it has to be done using Kerberos (i.e. through the ".k5login" file) and it should also be discussed with the relevant administrators.
  • The password must not be accessible in non-encrypted form (e.g. saved to disk). If the user writes the password down on paper, it must not be kept together with the login name, and the user has to look after this information as carefully as other secret information (personal papers, credit cards and so on). If the password is revealed or lost, it is necessary to change it as soon as possible via My Account - Password change and, above all, to inform the MetaCentrum administrators (for the same reasons as when a credit card is lost: the user is responsible for his/her account and for all activities performed on the account or from the account).
  • Making MetaCentrum accounts accessible through .rhosts is forbidden. We do not recommend using this authentication method on other machines either. If this method is used, the lower security of the account in question has to be taken into account. For their own good, users should not use this method of authentication.
  • Using the non-secured protocols telnet, ftp etc. on other machines is not recommended either. If this authentication method is used, one has to take into account the lower security level of the account in question (and the disclosure of the password, which is transferred over the network in open form). It is forbidden to use such an account to log in to MetaCentrum through the Kerberos or SSH protocol: a weakly secured account can be breached and a fake ssh or fake Kerberos with a trojan horse installed on it, which in turn endangers MetaCentrum accounts.
  • Strange behaviour of your account, appearance or disappearance of files, unknown processes running under your identity and so on must always be reported to the MetaCentrum administrators.
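
The definition of a non-trivial password in the rules above can be used as a self-check before choosing a password. The following is an added example, not MetaCentrum's own test tooling; the set of "simple mutations", the name list, the sample account data and all function names are assumptions made for illustration.

```python
import re
import unicodedata

# Assumed reading of "simple mutations" (the rules do not enumerate them): case
# changes, dropped accents, look-alike characters, digits or symbols added at
# either end, and reversal.
LOOKALIKES = str.maketrans("0134578@$!", "oleastbasi")

# Constructed sample of person/animal/object names; a real check needs dictionaries.
COMMON_NAMES = {"petr", "tiger", "dragon", "table", "rex"}


def fold(text):
    """Lowercase and strip accents, so 'Nováková' becomes 'novakova'."""
    return unicodedata.normalize("NFKD", text).encode("ascii", "ignore").decode().lower()


def cores(password):
    """Yield letter-only cores, cutting 0..n non-letters from each end first."""
    p = fold(password)
    lead, _, trail = re.fullmatch(r"([^a-z]*)(.*?)([^a-z]*)", p, re.S).groups()
    for i in range(len(lead) + 1):
        for j in range(len(trail) + 1):
            cut = p[i:len(p) - j].translate(LOOKALIKES)
            yield re.sub(r"[^a-z]", "", cut)


def trivial_basis(password, owner_data, names=COMMON_NAMES):
    """Return the known words that explain the password, or [] if none do."""
    words = set(names)
    for item in owner_data:
        words.update(w for w in re.split(r"[^a-z]+", fold(item)) if len(w) >= 3)
    ordered = sorted(words, key=lambda w: (-len(w), w))
    for core in cores(password):
        for candidate in (core, core[::-1]):
            rest, used = candidate, []
            for word in ordered:
                if word in rest:
                    rest, used = rest.replace(word, ""), used + [word]
            # Trivial if known words account for all but a couple of letters.
            if used and len(rest) < 3:
                return used
    return []


if __name__ == "__main__":
    owner = ["Jana Nováková", "jnovakova"]  # constructed account data
    for pw in ("N0v4k0v4!2024", "xeR99", "vR7#kq2LmZx9"):
        print(pw, "->", trivial_basis(pw, owner) or "no match")
```

An empty result only means the password is not derived from the supplied words; it says nothing about its length or overall strength.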