TCM
UoC crest

Security

The need for some sort of security is unfortunately ubiquitous in today's society, whether one is locking one's house, car, bicycle or computer account. Taking care over one's computer accounts is particularly important, as they are accessible from anywhere in the world, and if a compromised account is subsequently used for any crime (e.g. distribution of copyright or obscene material, or participating in a DDOS attack) the whole local network may well be disconnected at considerable inconvenience for everyone. Hence some guidelines on how not to make life easy for hackers.

It is also the case that hacking root's account, and/or another user's account, is very much easier from a user's account than from completely outside a system. The security of your account is, therefore, as important as anyone else's.

Passwords

UNIX (traditionally) stores passwords in a world-readable encrypted file. The encryption is a so-called `trap-door cypher' - that is to say decryption is not possible. When you log in, the password you offer is encypted in the same manner, and if the encrypted string thus generated matches the one stored, the password is accepted.

Obtaining a copy of the encrypted passwords is (relatively) easy. From there, the only way to break the encryption is by trial and error. Two different cyphers are in common use. The older, often called crypt(), is computationally very cheap. A machine containing eight Tesla A100 cards, readily rentable from AWS in 2022, can perform around 2x1010 crypts per second. An eight character lower case password offers 268=2x1011 combinations, so will be found within ten seconds. To make matters worse, crypt ignores any characters after the first eight.

The newer algorithm, SHA512, is about 5,000 times more computational effort, in that eight A100s will achieve just 4x106 encryptions per second. It also supports (very) long passwords. There is no excuse for using a password as simple as eight lower case letters, but using SHA512 with it increases the time for a guaranteed crack from ten seconds to over twelve hours.

The best eight character passwords will be eight random characters from upper and lower case letters, digits and common punctuation giving around 708 possibilities. With SHA512 the half-life is around two years.

Please don't use your TCM (or Cambridge) passwords on random websites. Some websites still use plain MD5 for storing passwords, and that takes ten times less effort to crack than crypt, so if the encrypted form is ever leaked, there is a very significant risk.

Before October 2017 TCM always used crypt. Since then it has used SHA512 whenever a password is changed by the passwd command, but not when it it initially set. Only since April 2022 have new accounts been created with SHA512 passwords.

You can see the encrypted form of you own password by typing (note back ticks, not apostrophes) 

$ ypmatch `whoami` passwd

It is the second of the colon-separated fields. If it contains thirteen characters, it uses crypt. If over a hundred, and it starts with $6$, it uses SHA512.

To change your password, use the passwd command, which will change the database used by all TCM desktops and "s" machines. If you also have accounts on either of the TCM clusters, you will wish to change your password on those too, using their head nodes, as they get synchronised to the main TCM password file at infrequent intervals. If you desynchronise them, they will unexpectedly resynchronise at some random point in the future.

Unattended workstations

It takes less than a minute for a passer-by to booby-trap your account if you leave yourself logged on at an unattended terminal, or to copy TCM's encrypted password file. Screen lock programs are provided on all TCM UNIX machines (with names such as `xlock'). Although TCM during office hours is relatively safe, that foreign lab that you are on a two week visit to may be a bit less trustable.

Network snooping

Nasty people run programs which `snoop' or `sniff' all network traffic that they can see, automatically scanning it for passwords. The ancient UNIX protocols of telnet and rlogin sent passwords unencrypted across the network. Now everywhere supports ssh which encrypts passwords (and, indeed, all traffic), and this must therefore be the preferred means of connection.

Keyboard sniffing

Logging in from conferences `just to check email' is a bad idea from the security point of view - the terminal you are using will have been set up by an underpaid and overstressed undergraduate who will have installed a keypress recorder just to take revenge on those whose demand for the machine to be set up have made his life such a misery. Well, perhaps that view is a little cynical, and the ability to check email when away is very useful, but changing one's password and checking for unexpected additions to those `dot files' (files whose names start with a `.' and are only shown by `ls -a') on one's return to Cambridge is not a bad idea.

X

X was not designed to be used on a public network. If you wish to use it in this fashion, you must therefore take some care to avoid its complete lack of inbuilt security.

Today the answer is simple: use ssh. See also remote access.

Answers involving the use of the commands xhost or xauth are likely to be very bad. How bad? You will have noticed that there are X programs which can intercept your keypresses - xterm and emacs are obvious examples, X programs which can grab snapshots of your screen (xv and gimp), X programs which can lock your screen (xlock), and, less obviously X programs which can move your mouse pointer or type keystrokes for you. This is all very useful if you are controlling these programs, and very useful for hackers if they are.

File permissions

The command `ls -l' lists file permissions: 

pc52:~$ ls -l foo
-rw-r--r--   1 mjr19    tcm        1158 Jul 31  1998 foo
The first character specifies the type of file, the next three the permissions for the owner (read and write), the next three those for the group (read) and finally those for anyone else (read). The owner is quoted as mjr19, and the group as tcm. As (almost) everyone in TCM is in the same group, you do not wish to give group write access to any files.

A directory must have both read and execute permissions for someone to be able to read it effectively, so the recommended permissions for a directory are drwxr-xr-x. To see the permissions of the current directory, rather than the files it contains, `ls -ld .'

Files (and directories) which you wish to be unreadable by others should have all the last six characters of the permissions as -. This is achievable with the command `chmod go= foo'.

I believe that no files should be writable by anyone except the owner, and all files should be readable, except those which have a good reason to be private (e.g. a mail box). Some people may prefer to make vast numbers of files inaccessible, although this makes collaboration difficult.

Note that if a directory has permissions drwx--x--x, other people will be able to read files in it if they know the name of the file they are looking for, but they will not be able to get a listing of the files present (i.e. ls will not work).

Suspicious activity

Please report it, and similarly for security holes in the system which I might not be aware of. (Reporting a suspected hack by sending email to that machine is probably not the best method - try mjr19@cam or the telephone! (x37386))

TCM, December 2012, April 2022
Please send comments/corrections to mjr19.