Chronological Task Checklist

Consider the following steps for complying with the Critical Component Security Policy.

  1. Ascertain the approach to compliance that your school or center will take.

  2. Survey the network protocols, services and software that require authentication, and identify which of them currently transmit passwords in clear text; those are the ones the policy requires you to change.

  3. For those services for which you will offer Kerberos, follow these steps:

    1. Acquire a User PennKey for yourself.

    2. Request a KAdmin PennKey, which allows you to create Service PennKeys for the DNS domain of the host on which you are installing.

    3. Create a Service PennKey for each service. Kerberos principal names are case-sensitive, so the case rules below matter. For Unix-flavored servers this means using 'kadmin', and the Service PennKey must carry the server's DNS name in lowercase. For Windows domains this means creating a Cross Domain PennKey, and the Microsoft domain name must be in uppercase.

    4. Get Kerberos working. For Unix-flavored servers this means installing the Kerberos software on the server: the libraries and server-side configuration that let the service use its Service PennKey and validate tickets issued by Penn's KDC (you do not run a KDC of your own). For Windows domains this means configuring the domain to authenticate to Penn's MIT KDC.

    5. Kerberize all relevant software that requires authentication, or choose another method that keeps passwords off the wire in clear text, such as ssh or SSL/TLS.

  4. For those services for which you will use alternative methods for authentication, follow these steps:

    1. Confirm that the method does in fact protect the password in transit with strong encryption (or never sends the password at all), rather than merely obscuring it.

    2. If both strong and weak authentication are available to users, determine how users will know which one is in use, and investigate configurations that require the strong method exclusively, even if the weaker method will be allowed initially.

    3. Install and configure.

  5. Test and troubleshoot the authentication solution(s).
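The Unix-side Kerberos steps above (create the Service PennKey with the correct case, get the key onto the server, then test) can be carried out with the standard MIT Kerberos client tools. The script below is an added example, not Penn's own tooling or procedure: it builds the principal names with the checklist's case rules (server DNS name in lowercase, Windows domain in uppercase), refuses mis-cased names before anything is sent to kadmin, provisions the service key into a keytab, and verifies it. The realm name EXAMPLE.EDU, the admin principal you/admin, the keytab path, and the krbtgt/WINDOWS.DOMAIN@REALM form used for the Cross Domain PennKey are assumptions; substitute the real values.

```shell
#!/bin/sh
# Added example (not Penn's own tooling): name, create and verify Kerberos
# principals for the checklist's "Service PennKey" and "Cross Domain PennKey"
# steps, using the MIT Kerberos client tools (kadmin, klist, kinit, kvno).
# ASSUMPTIONS: REALM, ADMIN_PRINC and KEYTAB are placeholders; substitute the
# real realm, your KAdmin PennKey and the keytab path your service reads.

REALM="${REALM:-EXAMPLE.EDU}"                   # assumed realm name
ADMIN_PRINC="${ADMIN_PRINC:-you/admin@$REALM}"  # assumed KAdmin PennKey
KEYTAB="${KEYTAB:-/etc/krb5.keytab}"            # assumed keytab location

lower() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }
upper() { printf '%s' "$1" | tr '[:lower:]' '[:upper:]'; }

# Unix service principal: <service>/<dns-name>@REALM with the DNS name in
# lowercase. Principal names are case-sensitive, so host/Www.Example.Edu and
# host/www.example.edu are different keys and the wrong one never matches.
service_principal() {   # $1 = service (host, HTTP, imap, ...), $2 = server DNS name
    printf '%s/%s@%s\n' "$1" "$(lower "$2")" "$REALM"
}

# Cross-realm trust principal for a Windows domain (assumed form of the
# "Cross Domain PennKey"): krbtgt/<WINDOWS.DOMAIN>@REALM, domain in uppercase.
cross_realm_principal() {   # $1 = Windows domain name
    printf 'krbtgt/%s@%s\n' "$(upper "$1")" "$REALM"
}

# Returns 0 if a principal follows the case rules above, 1 (with a reason on
# stderr) otherwise. Run this before touching kadmin: the KDC accepts a
# mis-cased principal without complaint and it only fails at authentication time.
check_principal_case() {
    p="$1"
    case "$p" in
        */*@*) ;;
        *) echo "not of the form service/instance@REALM: $p" >&2; return 1 ;;
    esac
    svc="${p%%/*}"
    rest="${p#*/}"
    inst="${rest%%@*}"
    realm="${rest#*@}"
    if [ "$realm" != "$(upper "$realm")" ]; then
        echo "realm must be uppercase: $p" >&2; return 1
    fi
    if [ "$svc" = krbtgt ]; then
        [ "$inst" = "$(upper "$inst")" ] ||
            { echo "Windows domain must be uppercase: $p" >&2; return 1; }
    else
        [ "$inst" = "$(lower "$inst")" ] ||
            { echo "server DNS name must be lowercase: $p" >&2; return 1; }
    fi
    return 0
}

# Create the service principal with a random key and store it in the keytab.
# Runs kadmin as the KAdmin PennKey holder (it will prompt for that password).
provision_service() {   # $1 = service, $2 = server DNS name
    princ="$(service_principal "$1" "$2")"
    check_principal_case "$princ" || return 1
    kadmin -p "$ADMIN_PRINC" -q "addprinc -randkey $princ" &&
    kadmin -p "$ADMIN_PRINC" -q "ktadd -k $KEYTAB $princ"
}

# Checklist step 5: prove the key is in the keytab, that the service can
# authenticate with it, and that the KDC will issue tickets for it.
verify_service() {   # $1 = service, $2 = server DNS name
    princ="$(service_principal "$1" "$2")"
    klist -k "$KEYTAB" | grep -F "$princ" >/dev/null &&
    kinit -kt "$KEYTAB" "$princ" &&
    kvno "$princ"
}

# Usage: sh krb-service.sh provision HTTP www.example.edu
#        sh krb-service.sh verify    HTTP www.example.edu
case "${1:-}" in
    provision) provision_service "$2" "$3" ;;
    verify)    verify_service "$2" "$3" ;;
esac
```

The verify step is the useful half: a keytab entry that klist shows but kinit -kt cannot use means the key in the keytab no longer matches the KDC's (typically a second ktadd bumped the key version), and that is the failure a Kerberized service reports as an opaque "cannot decrypt ticket" error.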