CERN Computer Security Information
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<link rel="stylesheet" href="/style.css" type="text/css" />
<script type="text/javascript" src="/jquery.min.js"></script>
<title>CERN Computer Security Information</title>
<script type="text/javascript">
$(document).ready(function(){
    // Menu highlight
    var path = location.pathname.split("/");
    if ( path ) {
        $('#main_menu a[href*="' + path[1] + '"][class!="noselect"]').addClass('selected');
        // path[3] = /security/<xxxxx>/
        $('#sidebar ul.sidemenu li[class!="noselect"]:has(a[href$="' + path.reverse()[0] + '"])').addClass('selected');
    }
    // Add icon to external links
    $('a[id!=logo-img]').filter(function() {
        return this.hostname && this.hostname !== location.hostname;
    }).after(' <img src="/images/external_link.png" alt="external link" title="external link"/>');
});
</script>
</head>
<body>
<div id="wrap">
<div id="top-bg"></div>
<!--header -->
<div id="header">
<div id="logo-text"> <a id="logo-img" href="https://home.cern/"><img src="/images/CERNLogo2.png" width="59" height="59" style="margin: 10px" alt="CERN Logo"/></a><div id="logo-text-big"><a href="/home/en/index.shtml" title="">CERN Computer Security</a></div> </div>
<div id="header-logo"><a href="/services/en/emergency.shtml"><img width="335" src="/images/emergency.png" alt="Computer Emergencies"/></a></div>
</div>
<!--header ends-->
<div id="header-photo"></div>
<!-- navigation starts-->
<div id="nav">
<ul id="main_menu">
<li><a class="noselect" href="/home/fr/index.shtml"><img src="/images/fr.png" alt="FR"/></a></li>
<li><a href="/home/en/index.shtml">Home</a></li>
<li><a href="/rules/en/index.shtml">Computing Rules</a></li>
<li><a href="/recommendations/en/index.shtml">Recommendations</a></li>
<li><a href="/training/en/index.shtml">Training</a></li>
<li><a
href="/services/en/index.shtml">Services</a></li>
<li><a class="secured" href="/reports/en/index.shtml">Reports &amp; Presentations</a></li>
</ul>
</div>
<!-- navigation ends-->
<!-- content-wrap starts -->
<div id="content-wrap">
<div id="main">
<h2>SSH (Secure SHell) at CERN</h2>
<p>Applications such as <tt>telnet</tt>, <tt>ftp</tt> and <tt>X windows</tt> expose all session data, including passwords, in clear text on the network. Attackers routinely watch ("sniff") network traffic in order to gather clear-text passwords from legitimate users, e.g. those connecting to or from a CERN computer. Once a password has been sniffed, the attacker might misuse it for any malicious activity, e.g. using the user's account to attack other computers, both inside and outside CERN.</p>
<p>To prevent attackers from obtaining such clear-text passwords, encryption must be used. Applications such as <a href="http://www.openssh.com/"><i>SSH</i></a> provide this encryption. SSH is a network protocol and tool suite that transparently encrypts network traffic. It is designed to replace <tt>telnet</tt>, <tt>ftp</tt> and the BSD r-commands (<tt>rsh</tt>, <tt>rlogin</tt>, <tt>rexec</tt>, <tt>rcp</tt>), all of which transmit passwords as clear text and are vulnerable to connection hijacking. It offers secure port forwarding and can therefore be used to encrypt other network traffic (e.g. X11) as well. General information on SSH at CERN can be found here...</p>
<ul>
<li><a href="https://twiki.cern.ch/twiki/bin/view/LinuxSupport/SSHatCERNFAQ">...for Linux/UNIX</a></li>
<li><a href="https://winservices.web.cern.ch/winservices/Help/?kbid=060510">...for Windows</a></li>
</ul>
<h4>Using SSH securely</h4>
<ul>
<li><b>SSH is only secure when used end to end,</b> i.e. <i>directly</i> from one trusted computer to a trusted server. You are advised to install and use SSH on your local system.
(Note that using <tt>telnet</tt> or <tt>X11</tt> to connect to a remote SSH client computer will still expose passwords in clear text, as these applications do not encrypt.)</li><br/>
<li><b>Passwords must still be regularly changed</b>: An already-stolen password will continue to work over SSH, and although the encryption mechanism is generally assumed to be secure, passwords may still be discovered. Password advice is available <a href="/recommendations/en/passwords.shtml">here</a>.</li>
</ul>
<h4>More Information on...</h4>
<ul>
<li><a href="/recommendations/en/ssh_browsing.shtml">...accessing internal CERN services from the outside via your browser ("proxying");</a></li>
<li><a href="/recommendations/en/ssh_tunneling.shtml">...advanced SSH tunneling;</a></li>
<li><a href="/recommendations/en/ssh_tunneling_x11.shtml">...tunneling X11 connections with SSH</a>.</li>
</ul>
</div>
<!-- main ends -->
<!-- SIDEBAR -->
<!-- sidebar menu starts -->
<div id="sidebar">
<h3>For All Users<br/> (Experts or Not)</h3>
<ul class="sidemenu">
<li><a href="/recommendations/en/good_practises.shtml">Seven easy good practises</a></li>
<li><a href="/recommendations/en/how_to_secure_your_pc.shtml">How to secure your PC or Mac</a></li>
<li><a href="/recommendations/en/passwords.shtml">Passwords &amp; toothbrushes</a></li>
<li><a href="/recommendations/en/2FA.shtml">Starting with multi-factor authentication</a></li>
<li><a href="/recommendations/en/bad_mails.shtml">Bad mails for you:<br/>"Phishing", "SPAM" &amp; fraud</a></li>
<li><a href="/recommendations/en/malicious_email.shtml">How to identify malicious e-mails and attachments</a></li>
<li><a href="/recommendations/en/how_to_remove_malicious_browser_notifications.shtml">How to remove malicious browser notifications</a></li>
<li><a href="/recommendations/en/working_remotely.shtml">Working remotely</a></li>
<li><a href="/recommendations/en/connecting_to_cern.shtml">Connecting to CERN</a></li>
<li><a
href="/recommendations/en/ssh.shtml">Connecting using SSH</a></li>
</ul>
<h3>For Software Developers</h3>
<ul class="sidemenu">
<li>Good programming in <a href="/recommendations/en/program_c.shtml">C/C++</a>, <a href="/recommendations/en/program_java.shtml">Java</a>, <a href="/recommendations/en/program_perl.shtml">Perl</a>, <a href="/recommendations/en/program_php.shtml">PHP</a>, and <a href="/recommendations/en/program_python.shtml">Python</a></li>
<li><a href="/recommendations/en/password_alternatives.shtml">How to keep secrets secret<br/> (alternatives to passwords)</a></li>
<li><a href="/recommendations/en/checklist_for_coders.shtml">Security checklist</a></li>
<li><a href="https://gitlab.docs.cern.ch/docs/Secure%20your%20application/">GitLab CI Security Tools</a></li>
<li><a href="/recommendations/en/web_applications.shtml">Securing Web applications</a></li>
<li><a href="/recommendations/en/code_tools.shtml">Static code analysis tools</a></li>
<li><a href="/recommendations/en/more_on_software.shtml">Further reading</a></li>
</ul>
<h3>For System Owners</h3>
<ul class="sidemenu">
<li><a href="/recommendations/en/rootkits.shtml">Checking for rootkits</a></li>
<li><a href="https://twiki.cern.ch/twiki/bin/viewauth/CNIC/WebHome">Securing Control Systems (CNIC)</a></li>
<li><a href="/recommendations/en/containers.shtml">Securing Containers &amp; Pods</a></li>
<li><a href="/rules/en/baselines.shtml">Security baselines</a></li>
<li><a href="http://linux.web.cern.ch/linux/docs/linux_exploit_faq.shtml">The CERN Linux vulnerability FAQ</a></li>
</ul>
</div>
<!-- sidebar menu ends -->
<!-- content-wrap ends-->
</div>
<!-- footer starts -->
<div id="footer-wrap">
<div id="footer-bottom"> © Copyright 2024 <strong><a href="https://cern.ch/security">CERN Computer Security Office</a></strong>
<table>
<tr>
<td id="footer-info-left"> e-mail: <a href="mailto:Computer.Security@cern.ch">Computer.Security@cern.ch</a><br/> Please use the following PGP key to encrypt your messages:<br/>
ID: 0x954CE234B4C6ED84<br/> <a href="https://keys.openpgp.org/vks/v1/by-fingerprint/429D60460EBE8006B04CDF02954CE234B4C6ED84">429D 6046 0EBE 8006 B04C DF02 954C E234 B4C6 ED84</a> </td> <td id="footer-info-right"> Phone: +41 22 767 0500<br/> Please listen to the recorded instructions. </td> </tr> </table> </div> </div> <!-- footer ends--> </div> <!-- wrap ends here --> <!--img height=30px src="/home/en/CERNfooter_800.png"--> </body> </html>