
Enhanced Security Measures at the CGL

In the interest of our users, and to avoid service interruptions, we are continuing to increase the security of computer platforms in the Computer Graphics Laboratory (CGL). In particular, we are working towards the elimination of reusable plaintext passwords. After December 1, 1998, we will not allow access to socrates from outside of UCSF (i.e. from PCs and workstations not directly connected to the UCSF network) with insecure applications like telnet, rlogin and rsh. On April 9, 2001 this policy will be expanded to include all CGL computers. Our eventual goal is to eliminate telnet, rlogin, and rsh entirely from the CGL computing environment. However, for the time being, we will continue to support these insecure network protocols for PCs and workstations which are directly connected to the UCSF campus network.

Over the past few years, the Internet security environment has, unfortunately, changed for the worse. An increasing number of computer and network security incidents have recently been reported. Would-be intruders probe UCSF computers on a daily basis; most of them are clumsy, but a few are sophisticated. The large majority of successful computer break-ins are due to the transmission of plaintext passwords across the Internet and the UCSF backbone network. Our computer systems and associated software and data must be protected from theft, misuse, or loss. At a minimum, a computer break-in requires that the compromised machine be taken out of service and its operating system software reloaded from CD-ROM -- a potentially time-consuming task.

As a result of these considerations, we have decided to institute better security measures for remote access to CGL computers. Specifically, if you are trying to access CGL from outside of UCSF, the secure shell (SSH) protocol will be the only method available for logging into your CGL account. Older remote access protocols (e.g. telnet, rlogin, and rsh) will no longer be supported. If you access CGL computers via a remote network, it will be necessary for you to install an SSH client program on your personal computer in order to log in to CGL computers. Telnet and rlogin from outside of UCSF will no longer work with CGL computers. For additional information on SSH, including links to free versions that you can download via the Internet, see this SSH tutorial.

Elimination of the use of plaintext passwords for access to CGL computers will do much to improve the security infrastructure that is essential to the continued success and robustness of our computing environment. Safeguarding the computing infrastructure and the privacy, software, and data of our users is of critical importance to us. Our new remote access policy is a necessary step in achieving this goal.

Thomas Ferrin
Director, Computer Graphics Laboratory
October 20, 1998
(revised March 15, 2001)
