For a long while now, remote access to the IMSc network has been through two machines.
- One machine, access1, allows (NIS) password-based login. The idea is essentially to replicate one of the common-use machines, except that connections going out from this machine are restricted.
- Another machine, access2, allows only public-key based login. The user sends the key to the system administrators, who install it into a special restricted shell account called gateman. All that users can do from this account is connect to one of the other machines.
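As an added illustration of the gateman idea (this is example code, not IMSc's actual gateman shell), here is a forced-command wrapper that sshd runs in place of a login shell for the key holder, so that the only thing the key can do on the gateway is hop to an allowed internal host; the script path and the host names are assumptions.

```shell
#!/bin/sh
# gateman-shell.sh: forced-command wrapper for a restricted gateway account.
# Added example, not IMSc's own gateman shell. Installed from authorized_keys as
#   command="/usr/local/bin/gateman-shell.sh",no-port-forwarding,no-X11-forwarding,no-agent-forwarding ssh-rsa AAAA... user@laptop
# so the key holder can do nothing on the gateway except hop to an allowed host.

# Hostnames reachable through the gateway (hypothetical names, not IMSc's real hosts).
GATEMAN_ALLOWED="desktop1 desktop2 common1"

# allowed_host NAME: succeeds only when NAME is exactly one of the allowed hosts.
allowed_host() {
    for h in $GATEMAN_ALLOWED; do
        [ "$1" = "$h" ] && return 0
    done
    return 1
}

# parse_request "ssh HOST": prints HOST and succeeds for the one accepted form,
# fails for anything else (extra words, options, scp, shell metacharacters, unknown hosts).
parse_request() {
    set -f            # no globbing while the request is split into words
    set -- $1
    set +f
    [ "$#" -eq 2 ] && [ "$1" = "ssh" ] || return 1
    case "$2" in
        *[!A-Za-z0-9.-]*) return 1 ;;   # reject ';', '$', '=', spaces and similar
        -*) return 1 ;;                 # reject anything that looks like an ssh option
    esac
    allowed_host "$2" || return 1
    printf '%s\n' "$2"
}

# gateman_main REQUEST: validate, log the hop, then replace this wrapper with the onward ssh.
gateman_main() {
    target=$(parse_request "$1") || {
        printf 'gateman: only "ssh <allowed-host>" is permitted\n' >&2
        exit 1
    }
    logger -t gateman "hop to $target from ${SSH_CLIENT%% *}"
    exec ssh "$target"
}

# Under sshd the key holder's requested command arrives in SSH_ORIGINAL_COMMAND;
# an interactive login (no command at all) is refused rather than given a shell.
if [ -n "${SSH_CONNECTION:-}" ]; then
    gateman_main "${SSH_ORIGINAL_COMMAND:-}"
fi
```

The key holder then reaches an internal machine with `ssh -t access ssh desktop1`, and every hop is recorded in syslog against the gateway account.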
As those who administer such services can imagine, managing access1 is quite complex. This is accentuated by the fact that it is outside a NAT firewall. Configuring RPC services like NIS and NFS across a firewall in a secure way when the NFS server is a Solaris machine is no small task --- luckily this was fully documented when it was done, or I wouldn't be able to re-create it!
Since we are switching ISPs as well, this seemed like a good time to combine the best features of both services. The older machines are kept on the old link (to be shut down on 1st February) and the new link has the new remote access machine.
- A machine called access which allows ssh (version 2) key-based login. Users are given space on this machine to copy their files over for quick access. They can also access mail using IMAPS. In any case they can also log in to any other machine on the IMSc network (such as their desktop machine or a common-use machine) from access.
This eliminates NIS passwords and NFS, and at the same time gives "full service" to users. Detailed instructions for generating public keys have also been provided. Unfortunately, some users don't see it that way.
- "You mean I have to copy my files over to this machine?"
- "I love (weak) passwords!"
- "I have to read these two pages of documentation?"
- "How do I make all this work with Windows?"
This is not a sudden decision. Extensive discussions have taken place prior to this. Re-creating access1 just to accommodate some lazy and recalcitrant users of proprietary software is not my cup of tea. However, the latter statement is seen as a "threat".

For sticks-in-the-mud any change is a threat.