
Chronological Task Checklist

Consider the following steps for complying with the Critical Host Security Policy in effect as of 14 Oct 2002, whether by installing and configuring Kerberos or by using other secure authentication options on your server.

  1. Ascertain the approach to compliance that your school or center will take. Examples of approaches include: a complete cutover to Kerberos; a gradual transition to Kerberos while supporting alternatives such as SSL and ssh; or the use of secure alternatives to Kerberos entirely.

  2. Survey the network protocols, services and software that require authentication. Identify which to Kerberize and which to protect with other methods that prevent clear-text password transmission, such as ssh or SSL/TLS.

  3. For those services for which you will offer Kerberos, follow these steps:

    1. Acquire a User PennKey for yourself. As of Sept. 3, 2002, a web application allows you to use your PennNet ID and password for this step.

    2. Request a KAdmin PennKey, which will allow you to create Service PennKeys for the domain name of the host on which you are installing.

    3. Create Service PennKeys for each service.

      For Unix-flavored servers this means using 'kadmin', and the Service PennKey must contain the server's DNS name in lowercase.

      For Windows 2000 domains this means creating a Cross Domain PennKey, and the Microsoft domain must be in uppercase.

    4. Get Kerberos working.

      For Unix-flavored servers this means installing Kerberos server software.

      For Windows 2000 domains this means configuring the system to authenticate to Penn's MIT KDC.

    5. Kerberize all relevant software requiring authentication, or determine other alternatives to clear-text password transmission, such as ssh or SSL/TLS.

  4. For those services for which you will use alternative methods for authentication, follow these steps:

    1. Confirm that the method does indeed encrypt passwords strongly.

    2. If both strong and weak authentication are available to users, determine how users will know which one is being used, and investigate configurations that require the strong method exclusively, even if the weaker method will be allowed initially.

    3. Install and configure.

  5. Test and troubleshoot the authentication solution(s).
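The naming rule in step 3.3 (lowercase server DNS name for Unix service principals, uppercase Microsoft domain for Windows cross-domain principals) is easy to get wrong and fails silently at authentication time, since Kerberos compares principal components case-sensitively. The following check is an added example, not code from the checklist or from Penn ISC: it audits a constructed 'klist -k' listing for step 5 testing, and the realm name UPENN.EDU, the host names and the krbtgt form of the cross-domain principal are assumptions.

```python
import re
# REALM is an assumption for this example; the page does not name Penn's realm.
REALM = "UPENN.EDU"
# Constructed 'klist -k' output: one correct principal, three rule violations.
SAMPLE_KLIST = """Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/server.seas.upenn.edu@UPENN.EDU
   3 imap/Mail.Seas.Upenn.Edu@UPENN.EDU
   2 krbtgt/Windows.Dept.Upenn.Edu@UPENN.EDU
   2 host/server.seas.upenn.edu@upenn.edu
"""
# KVNO, then service[/instance]@REALM; header and separator lines do not match.
PRINCIPAL_RE = re.compile(
    r"^\s*\d+\s+(?P<service>[^/@\s]+)(?:/(?P<instance>[^@\s]+))?@(?P<realm>\S+)$"
)

def parse_klist(text):
    """Return (service, instance, realm) tuples from klist -k output."""
    out = []
    for line in text.splitlines():
        m = PRINCIPAL_RE.match(line)
        if m:
            out.append((m["service"], m["instance"] or "", m["realm"]))
    return out

def check_principal(service, instance, realm):
    """List the naming problems of one principal (empty if it is fine).
    Checklist rules: Unix service principals carry the server DNS name in
    lowercase; Windows cross-domain (krbtgt) principals name the Microsoft
    domain in uppercase. Kerberos compares every component case-sensitively."""
    problems = []
    if realm != REALM:
        problems.append(f"realm {realm!r} is not {REALM!r}")
    if service == "krbtgt":
        if instance != instance.upper():
            problems.append(f"Windows domain {instance!r} must be uppercase")
    elif instance != instance.lower():
        problems.append(f"host name {instance!r} must be lowercase")
    return problems

def audit(text):
    """Map each offending principal string to its list of problems."""
    report = {}
    for service, instance, realm in parse_klist(text):
        name = f"{service}/{instance}@{realm}" if instance else f"{service}@{realm}"
        if problems := check_principal(service, instance, realm):
            report[name] = problems
    return report
```

Run `audit()` over the real output of `klist -k` on each host before declaring the Kerberos service configured; an empty report means every keytab entry follows the naming rule.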


Information Systems and Computing
University of Pennsylvania