Hundreds of users are beginning to realize that you don't need a File Transfer Protocol (popularly known as FTP) client to update personal Web pages, course Web space, or departmental Web space. What? How is this possible?
To understand the "what," you first need to understand a little more about why an alternative to FTP is actually a very good consideration. Many FTP clients present passwords "in the clear." This means that passwords are vulnerable to network eavesdropping by unscrupulous individuals in search of userids and passwords, giving them the ability to gain unauthorized access to servers and systems. Someone could snag your Penn State Access Account userid and password and assume your identity. So, how can you update Web pages and files without the compromise? Since the Center for Academic Computing plans to shut off regular FTP for a secure version of this protocol by the end of the spring 2002 semester, it is important for you to know the secure alternatives to "clear-text" methods early on. There are a few options:
What is PASS and how do I get it?
Penn State Access Account Storage Space, or PASS, is the name given to represent your file space at Penn State. PASS is given to all users when they receive their Access Account and are joined to Penn State e-mail services. Those who do not have e-mail, and therefore do not have PASS, can obtain it by visiting an automatic signature station (locations are listed at http://cac.psu.edu/labs/sigstations.html). Other account services (for example, departmental Web space) also require users to be joined to e-mail. The default allocation for your PASS is 50MB. Additional space is allocated to your PASS when other services have been obtained, such as personal Web space (http://www.personal.psu.edu/) or when you choose to purchase additional space. Other services such as the Penn State Portal (https://portal.psu.edu/) and Penn State WebMail (https://webmail.psu.edu/) use your PASS to store your Portal preferences and e-mail mailboxes respectively. We advise that you keep an eye on your available space by checking your quota information via the Secure Server at https://www.work.psu.edu/.
Using the PASS Gateway
By using the PASS Gateway, you can seamlessly, securely, and easily update files located in your PASS and therefore your personal Web space as if the files were local to your computer. Because there isn't one universal file service client to suit all computer platforms and operating systems, the PASS Gateway was developed by Advanced Information Technologies (AIT) of the Center for Academic Computing (CAC) to meet the needs of a diverse audience of users.
The beauty of the PASS Gateway is that it provides a means by which you can access your PASS without having to install and use a client "native" to your platform and operating system. The PASS Gateway is easily mounted from a variety of platforms and operating systems. More information and instructions for mounting the PASS Gateway are found via the main PASS Gateway interface at https://www.work.psu.edu/pass/. For those of you who prefer "native" access, a client for Windows NT can be downloaded via https://www.work.psu.edu/access/dce/. More information about PASS is found at http://cac.psu.edu/ait/storagespace.html.
The Secure Shell Protocol (SSH) provides another alternative to using FTP. SSH allows a user to connect to a remote server or machine from another machine or personal computer via an encrypted connection. Using this protocol, your Access Account userid and password pair are transmitted via an encrypted connection to prevent network snooping (or "sniffing") of passwords via traditional, non-secure network connections. Once a login session has been established, the network packets between the local PC or UNIX workstation and the remote workstation or server are also encrypted. The scp program accompanies SSH and allows for a file to be copied securely from a remote machine to a local machine (or vice versa).
SSH prevents network eavesdropping by unscrupulous individuals in search of userids and passwords to gain unauthorized access to systems. Because certain protocols such as telnet and FTP present passwords "in the clear" over a non-secure network, they are vulnerable to this form of eavesdropping. SSH encrypts (via public key encryption) userid and password interchange between two machines and then encrypts (via faster, symmetric encryption algorithms) the network traffic between the two machines. Both the password exchange and the data passing between the two machines are encrypted with strong encryption.
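An added example, not part of the original article: an audit script that scans recorded FTP control-channel lines for logins sent "in the clear," so an administrator can see which clients still need to move to SSH, scp, or SFTP. The record format (client address followed by the raw command), the addresses, and the userids are constructed for illustration.

```python
import re

# Constructed sample: "<client-address> <raw FTP control-channel line>".
# Addresses come from the documentation range 192.0.2.0/24.
SAMPLE_CAPTURE = """\
192.0.2.10 USER xyz123
192.0.2.10 PASS hunter2-constructed
192.0.2.10 STOR index.html
192.0.2.44 USER anonymous
192.0.2.44 PASS guest@example.org
192.0.2.44 RETR pub/readme.txt
192.0.2.77 user abc5000
192.0.2.77 pass constructed-pw
192.0.2.77 QUIT
"""

# FTP command verbs are case-insensitive; the argument is optional.
LOGIN_CMD = re.compile(r"^(\S+)\s+(USER|PASS)(?:\s+(.*))?$", re.IGNORECASE)

# Anonymous logins carry no real credential, so they are not reported.
ANONYMOUS_IDS = {"anonymous", "ftp"}


def find_cleartext_logins(capture):
    """Return one finding per named-account login seen in clear text.

    The password itself is never stored, only its length, so the audit
    report does not become a second copy of the exposed secret.
    """
    pending_user = {}  # client address -> userid from the last USER command
    findings = []
    for line in capture.splitlines():
        match = LOGIN_CMD.match(line.strip())
        if not match:
            continue  # not a login command (STOR, RETR, QUIT, ...)
        client, verb = match.group(1), match.group(2).upper()
        argument = match.group(3) or ""
        if verb == "USER":
            pending_user[client] = argument
        elif client in pending_user:  # PASS following a USER
            userid = pending_user.pop(client)
            if userid.lower() not in ANONYMOUS_IDS:
                findings.append({"client": client, "userid": userid,
                                 "password_chars": len(argument)})
    return findings


if __name__ == "__main__":
    for finding in find_cleartext_logins(SAMPLE_CAPTURE):
        print(finding)
```

The same records taken from an SSH or SFTP session would contain no readable USER or PASS lines at all, because the login exchange happens inside the encrypted connection.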
How can I obtain more information?
Information about and instructions for using SSH clients are found at http://cac.psu.edu/internet/ssh/.
The Kerberos network authentication protocol, developed at the Massachusetts Institute of Technology (MIT), uses strong cryptography to make it possible for a client to prove its identity to a server (and vice versa) across an insecure network connection. After a client and server have used Kerberos to confirm their identities, they can also encrypt all of their communications to ensure privacy and security. A number of Web-based services that require authentication with a Penn State Access Account userid and password already use Kerberos, such as Penn State WebMail (https://webmail.psu.edu/), the Penn State Portal (https://portal.psu.edu/), and the Secure Server (https://www.work.psu.edu/).
On a related note, individuals can obtain a Kerberos plug-in for Eudora e-mail via the CACPAC CD, a collection of free software for Penn State faculty, staff, and students. If you use the Eudora e-mail client on either a Windows or Macintosh platform, the Center for Academic Computing (CAC) strongly recommends using Kerberos to safeguard your Penn State Access Account userid and password. More information about the Kerberos plug-in is found at http://ftp.cac.psu.edu/access/cd/.
What is SFTP?
SFTP stands for Secure File Transfer Protocol. SFTP is an FTP-like client that can be used for transferring files over the Internet. It is a secure replacement for FTP. Unlike regular FTP, SFTP uses SSH to encrypt the network traffic between two machines (your machine and a remote server). This means that both your Access Account userid and password and the information passed between your machine and a remote server are encrypted.
Future Plans
The Center for Academic Computing currently is in the process of researching SFTP and Kerberized FTP clients to replace current clear-text FTP clients such as Fetch and WS_FTP. Updates will be posted via the CACPAC CD Web site at http://ftp.cac.psu.edu/access/cd/. Information about this topic is also available in the previously published article, "CAC Initiates Security Measures for Password Protection" at http://cac.psu.edu/news/securitymeasure.html