The PennKey Initiative and Upcoming Security Changes for Mail.sas - Fall 2002
Changes will be taking place in the near future as part of Penn's
Critical Host Security Policy and the introduction
of Kerberos-based authentication on campus. You should familiarize yourself
with the information regarding the
PennKey
initiative, as the PennKey will replace the PennNET ID used for various
types of network access at Penn.
Currently, your PennKey would only be used to authenticate to mail.sas under
very special circumstances, and only if you took special steps to begin to use
Kerberos authentication for terminal emulation, e-mail, or file transfer services.
For now, most users will continue to use their mail.sas username and password
for all access to mail.sas. In the coming weeks and months, there will be
more supported options using your PennKey to access mail.sas services, using
the Kerberos-capable e-mail and ftp clients supported at Penn.
Along with enabling the use of Kerberos-aware applications to access mail.sas
services, other changes will be put in place to ensure that passwords used to
access systems supported by SAS are not sent in clear (unencrypted) text
over the network, to further enhance overall system security. These changes will be taking place
during the course of this year and we will be updating this site to make new
information available. Most such changes will initially make secure access an
option and then proceed to require that all such access be made using a secure
method.
Clear-Text Passwords for Telnet to be disabled 11/4/02
One of the first changes in this area will be a transition to disallow telnet
sessions where the password is sent in clear (unencrypted) text over the network.
Use of telnet (or telnet-like terminal emulation like that provided by ssh)
to connect to mail.sas is not being disabled; only the use of clear text (unencrypted)
passwords with such clients is being disabled.
We intend to disable the use of clear text passwords for telnet sessions
as of Monday 11/4/02. All mail.sas users should confirm that they have or
obtain one of the products supported by Penn for making such connections securely,
such as dataComet Secure 5.0.5 for the Mac OS or SecureCRT 3.4.6 or HostExplorer
7.1 for Windows. The latest versions of these products can be obtained from the
Terminal Emulation section of the ISC Supported Product Download
Page and are also available on the Penn Connect 2002 CD.
These programs can use telnet with Kerberos authentication or the ssh2 protocol
to allow access to mail.sas, much like a regular telnet session, but without the
password being sent in clear (unencrypted) text over the network.
For more information, please see our web page about
Connecting Securely to mail.sas for terminal emulation via telnet or ssh2.
If you are uncertain as to whether you use telnet, please read this
page.
If you access your mail.sas account via use of webmail.sas, or an e-mail
client such as Eudora, Netscape, or Outlook, then this change requiring secure
terminal emulation access will not directly affect your access to your
e-mail, but please see the section below regarding other upcoming
changes.
Future Changes to E-mail and File Transfer Access
During the course of the upcoming academic year, similar security changes
will be underway affecting how e-mail and ftp clients connect to mail.sas, and how
other systems supported by SAS can be accessed. We will send out additional
announcements providing detailed information as changes are being introduced.
If you are somewhat technically inclined and you'd like some information about
the nature of the upcoming changes and some steps you can take now to prepare,
please review our page regarding plans for secure e-mail and ftp access to mail.sas.
For now, anyone who uses an e-mail client such as Eudora, Netscape, or Outlook
should ensure that their e-mail client is configured to use the recommended
server names (hostnames). Use of these will be required as we enable
the use of Secure Sockets Layer (SSL) to encrypt e-mail traffic between
client programs and the mail.sas server.
The correct server names to be used for mail.sas users are as follows:
| Protocol | Server Name | Comment |
| --- | --- | --- |
| IMAP (one of the incoming server types) | imap.sas.upenn.edu | Mail stored largely on mail.sas; recommended for most users |
| POP (one of the incoming server types) | pop.sas.upenn.edu | Mail downloaded to local machine |
| SMTP (outgoing server) | smtp.sas.upenn.edu | Another SMTP server may have to be used when off campus, depending on ISP being used |
Please ensure that you are using these correct server names. Their use will
be required as of 12/1/02. Otherwise, you may have difficulties as we take
steps to provide additional security for all of the e-mail protocols.
In addition, please be sure that your e-mail program is configured to
show your return address in the following form:
username@sas.upenn.edu (substituting your actual username of course).
Please send any comments or questions to
help@sas.upenn.edu.
Last modified: Tuesday, 22-Oct-2002 22:41:38 EDT