
Networking, Login and Authentication

Currently an FDDI ring acts as a backbone to connect the main RZG machines and the networks of the MPIs at Garching at a speed of 100 Mbits/s. The cabling inside the buildings is Ethernet (nominal 10 Mbits/s). The Crays communicate via a HIPPI switch (800 Mbits/s). A 2 Mbits/s link to the "Deutsches Wissenschaftsnetz" (WIN) connects us to the rest of the world. There is also a line to the LRZ for fast communication with other institutions in Munich.
We use the so-called "Internet Protocols" (IP) for networking on all machines. Domain names uniquely specify any host on the Internet worldwide, for example
ibmr6.rzg.mpg.de.
"ibmr6" is the name of the host and "rzg.mpg.de" is the domain name. Currently the valid domain names on the campus are
mpa-garching.mpg.de         (MPA)
mpe-garching.mpg.de         (MPE)
aug.ipp-garching.mpg.de     (Asdex Upgrade, including the Berlin branch)
w7.ipp-garching.mpg.de      (Wendelstein)
itereu.de                   (ITER)
rzg.mpg.de                  (RZG)
ipp-garching.mpg.de         (everything else, including MPQ ...)
Fortunately you don't have to type these long names if you want to access a local system: if the supplied name doesn't end with a dot, your own domain is automatically appended. So, if your domain is ipp-garching.mpg.de you may use
ibmr6               for ibmr6.rzg.mpg.de.
ratest.aug          for ratest.aug.ipp-garching.mpg.de.
If you are in the domain aug.ipp-garching.mpg.de you may use
ratest              for ratest.aug.ipp-garching.mpg.de.
ibmr6               for ibmr6.rzg.mpg.de.
The last example works because, if a name lookup fails (there is no host ibmr6.aug.ipp-garching.mpg.de), the first component of the domain (aug) is dropped and the lookup is retried.
If you supply a fully qualified domain name (FQDN), you should always terminate it with a dot so that your local domain is not appended.


Authentication via Kerberos

We use the Kerberos protocol for authentication on RZG machines. Passwords are stored only on a central Kerberos server. When you log in on any machine, the validity of your password is checked by a sophisticated encryption scheme; your password never appears on the network and the data transmitted are not useful to a potential eavesdropper. Besides enhanced security, you have the benefit of the same password on all machines.
For further convenience, a "ticket" is stored on the machine you logged into. This ticket is used by some programs to check your identity when a service is required from another machine (for example, reading your mail with the pine program). For security reasons these tickets don't live forever, so you shouldn't be surprised when a program asks for your password after your ticket has expired. You may refresh your ticket at any time using the kinit command.

A word about passwords

Our networks are open to the world. Anyone on the Internet can log in to our systems, provided she knows a valid password. So the only protection against attacks is that you use a "good" password. Sometimes people don't care, because they think they have no secrets and a good backup somewhere else. That's highly irresponsible. Someone with evil intentions may use such an insecure account as a toehold to crack others.
So what is a good password? Of course I cannot make any suggestions here. Bad passwords are:
  • anything that contains your name, ID, phone number, the name of your dog...
  • anything easy to type, like "asdfghjk"
  • any real or fictional names like "gandalf" or "beeblebrox"
  • any word that appears in a dictionary of any language
  • all of the above with obvious modifications, like alternating upper/lowercase, replacing "l" by "1", adding a "." at the end or the like.
If you cannot think up a password that avoids all of the above criteria, take a random sentence and use, for instance, the second letter of each word as your password.
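The criteria above can be turned into a screening check that first undoes the "obvious modifications" and then tests what remains. The following Python sketch is an added example, not RZG code; the word list, the substitution table and the function names are assumptions made for illustration.

```python
import re

# Constructed sample data; a real check would load complete word lists.
DICTIONARY = {"gandalf", "beeblebrox", "password", "garching", "sunshine"}
KEYBOARD_ROWS = ("1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm")
# Assumed set of look-alike substitutions to undo (the page names "l" -> "1").
LEET = str.maketrans("103457@$", "loeastas")


def forms(pw):
    """Return pw with the 'obvious modifications' undone in every combination."""
    low = pw.lower()                      # undoes alternating upper/lowercase
    out = set()
    for s in (low, low.translate(LEET)):  # with and without substitutions undone
        out.add(s)
        out.add(re.sub(r"[^a-z]+$", "", s))  # drop trailing digits/punctuation
    out.discard("")
    return out


def weak_reasons(pw, personal=()):
    """List which of the bad-password criteria pw matches (empty list = none)."""
    cand = forms(pw)
    # Very short tokens are ignored to avoid accidental matches.
    tokens = [t.lower() for t in personal if len(t) >= 3]
    reasons = []
    if any(t in f for t in tokens for f in cand):
        reasons.append("contains personal data")
    if any(len(f) >= 4 and (f in row or f in row[::-1])
           for f in cand for row in KEYBOARD_ROWS):
        reasons.append("keyboard run")
    if any(f in DICTIONARY for f in cand):
        reasons.append("dictionary word or name")
    return reasons


def second_letters(sentence):
    """The mnemonic from the text: second letter of each word (shorter words skipped)."""
    return "".join(w[1] for w in sentence.split() if len(w) > 1)


if __name__ == "__main__":
    for candidate in ("asdfghjk", "GaNdA1f.", "mueller89"):
        print(candidate, weak_reasons(candidate, personal=["Mueller", "4711"]))
```

The sentence used for the mnemonic must stay private; any sentence that has appeared in print or in example code is as guessable as a dictionary word.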