esaw01, esaw02, and esaw03 Security

There are a number of requirements that the online analysis has to satisfy:
  1. Its running environment must be stable. Hence, we use the same account each time we run this program, and we attempt to keep this account's environment stable.

  2. It has to run all the time. The account used for the online analysis must therefore be accessible to everyone on shift, i.e. its password must be known to many people.
These requirements are incompatible with your personal account at SLAC. (See the Computer Account Responsibilities form for a reminder of the rules governing the use of your personal account.) We have been given a special group account, beamtest, that can be shared. Its password will be known to many people, perhaps everyone, within the E155 collaboration.

You should use the group account to run the online monitor program on these computers. The group account should not be used for any other purpose. Since the password is rather widely known, some measures have been taken to protect the security of other SLAC computers:

  1. The account password is changed at least once a week.
  2. This account is invalid on all other SLAC computers, e.g.

  3. esaw01, esaw02, and esaw03 are located in the so-called internet-free zone.
  4. esaw01, esaw02, and esaw03 have no direct network connections to anywhere outside of SLAC. In particular, you cannot ping non-SLAC nodes and vice versa. Nor can you telnet offsite.

The next section is for those people who need to access these computers from anywhere outside of the SLAC domain.

It is not possible to telnet directly from anywhere outside of SLAC to these computers. You must first telnet to some other SLAC computer, e.g. vesta01, using your own account, and telnet again from vesta01 to esaw01 using the group account. Sending displays, such as histograms from Paw, directly outside of SLAC is also impossible. You have to invoke a display proxy.

Charlie Young