Because of the level of integration of the CDF linux cluster into the PDSF system, we are required to be particularly security conscious. Lapses on the part of users of our system could have consequences disruptive to all users of the PDSF system. This document describes the official security policy of the CDF linux cluster.

I. Connecting to the CDF Linux Cluster Remotely

Telnet and ftp connections are not accepted by any of the linux machines, with the following exception(s): telnet is allowed from NCDs (X terminals) physically located in building 50B. Application may be made for limited periods of telnet access when a user is visiting an institution without ssh. A user receiving such a dispensation will be put on a shortened password aging schedule until their return. Users with NCDs in their homes must inform the system manager of their IP addresses before telnet access can be granted. Use of ssh-capable terminals is preferable to NCDs in all cases. The laboratory holds a site license for the Windows and Macintosh versions of the SSH client; the terms of this license allow installation on laboratory employees' home computers.

There is absolutely no need for ftp connections to our machines. scp should be used whenever possible, and users can always ftp FROM our machines TO other machines.

II. Email

Mail is not accepted on the linux cluster, with the single exception of mail forwarded from kfesg.lbl.gov. Users are encouraged to use the lab EPO for all email. They may have the EPO forward mail to kfesg, which in turn forwards it to cdflx1.lbl.gov, from which it is visible to the entire linux cluster. Alternatively they may have the EPO deliver it to the lab IMAP server; this is the preferred route. Netscape and pine can be used as IMAP clients, or users can use fetchmail to pull mail from the IMAP server directly onto the linux system.

III. User Accounts and Passwords

Passwords expire every 180 days. Users should not use the same passwords they use on other systems, particularly systems that they regularly contact with telnet, ftp, or other insecure protocols (a password sent in the clear over those protocols can be captured and then used to log in here). Passwords must not be written down or communicated to other people. Accounts may not be shared or loaned to friends or visitors. Violation of these rules may result in reduced system access or cancellation of accounts.
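The following is an added illustration of the fetchmail route described in section II; it is not part of the official policy and is not configuration distributed by the cluster. The IMAP server name imap.lbl.gov, the account name jdoe and the use of procmail for local delivery are assumptions; substitute the server name the EPO gives you and your own account.

```conf
# ~/.fetchmailrc  (added example; hostnames and user names are assumed, not from the policy)
# fetchmail refuses to read this file unless it is private: chmod 600 ~/.fetchmailrc
set postmaster "jdoe"
set no bouncemail

# Pull mail from the lab IMAP server over an encrypted session.
# No password is stored here: fetchmail prompts for it, or reads ~/.netrc (also mode 600).
poll imap.lbl.gov
    proto imap
    user "jdoe" there is "jdoe" here
    ssl
    sslcertck
    # Deliver with a local MDA rather than to an SMTP listener, since the
    # cluster does not accept mail; procmail writes straight to the local mailbox.
    mda "/usr/bin/procmail -d %T"
```

Run `fetchmail -v` once to confirm the session negotiates SSL and delivers, then `fetchmail -d 300` to poll every five minutes in the background. Because the connection is encrypted and the password is never written to the config file, this route keeps the IMAP password off the wire and out of world-readable files, which is what makes it the preferred alternative to the forwarding chain through kfesg.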