Using APOP at NCSA

  • What is APOP?
  • How do I set it up?

    What is APOP?

    APOP is a challenge-response authentication scheme built on top of the standard POP protocol. It's designed in a way that protects your password from ever being sent across the network.

    To keep your password safe, the server actually stores your password in a file on local disk. Whenever your mail client connects to the APOP server a magic string is sent back. That string contains a unique identifier for this session based upon the process id (PID) and current time. Here's a sample string (the special part is enclosed within angle brackets):

    +OK QPOP (version 2.53) at mx1.ncsa.uiuc.edu starting.  <14156.916910505@mx1.ncsa.uiuc.edu>
    

    Your email program uses the text within those angle brackets to perform a mathematical calculation upon your password. The server also performs the same calculation on the password that it has stored locally. When your email program is finished with its calculations it sends a 128-bit "fingerprint" to the APOP server, which then compares that value with the one that was calculated locally. If both fingerprints match, then it knows that the same password was used to perform the calculation in both places.

    Since the string that the server sends is based on the current time and PID, it's impossible for anyone to reuse it; each connection to the server results in a new challenge/response and calculation.
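
    The exchange described above, as an added example (not NCSA's or QPOP's own code). It assumes the calculation defined for APOP in RFC 1939: an MD5 digest over the bracketed string followed by the password, sent as 32 hex digits. The user name "jdoe" and the second challenge are constructed values; the greeting and password are the samples from this page.

```python
import hashlib
import hmac
import re

# Greeting copied from this page; the password is the page's own example value.
GREETING = "+OK QPOP (version 2.53) at mx1.ncsa.uiuc.edu starting.  <14156.916910505@mx1.ncsa.uiuc.edu>"
STORED_SECRET = "A1b2C3d4"  # the server keeps this in cleartext (assumed stored without a trailing newline)

_CHALLENGE_RE = re.compile(r"<[^<>\s]+@[^<>\s]+>")


def extract_challenge(greeting):
    """Return the <pid.time@host> challenge, angle brackets included."""
    if not greeting.startswith("+OK"):
        raise ValueError("not a positive POP3 greeting")
    match = _CHALLENGE_RE.search(greeting)
    if match is None:
        raise ValueError("server did not offer an APOP challenge")
    return match.group(0)


def apop_digest(challenge, secret):
    """MD5 over challenge + secret, as 32 lowercase hex digits (128 bits)."""
    return hashlib.md5((challenge + secret).encode("ascii")).hexdigest()


def client_command(user, greeting, password):
    """Line the mail client sends; the password itself never appears in it."""
    return f"APOP {user} {apop_digest(extract_challenge(greeting), password)}"


def server_verify(command, challenge, stored_secret):
    """Recompute the digest from the stored secret and compare in constant time."""
    parts = command.split()
    if len(parts) != 3 or parts[0].upper() != "APOP":
        return False
    expected = apop_digest(challenge, stored_secret)
    return hmac.compare_digest(parts[2].lower().encode(), expected.encode())


if __name__ == "__main__":
    challenge = extract_challenge(GREETING)
    cmd = client_command("jdoe", GREETING, "A1b2C3d4")  # "jdoe" is a made-up user
    print(cmd)
    print("same session :", server_verify(cmd, challenge, STORED_SECRET))
    # A captured response no longer verifies once the server issues a new challenge.
    later = "<14157.916910999@mx1.ncsa.uiuc.edu>"  # constructed value
    print("replayed     :", server_verify(cmd, later, STORED_SECRET))
```

    The server can only recompute the fingerprint because it holds the password itself, which is why the stored file matters as much as the traffic on the wire.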

    How do I set it up?

    It's easy! The first thing that you have to do is assign yourself an APOP password. On one of the public systems (i.e. pecos, osage) log in and type

      echo "password" > ~/apop_passwd
    
    So, for example, if you want your password to be A1b2C3d4, you'd type:

      echo "A1b2C3d4" > ~/apop_passwd
    
    Do not use your Kerberos password!¹ Choose a unique password and follow the onscreen instructions.

    Then send an email to help@ncsa.uiuc.edu asking them to "Set up an APOP account with the APOP password in your home directory".

    Once you receive confirmation back from the Help Desk that your APOP account has been created, you'll need to configure your email client (e.g. Eudora) to use APOP as well.

    Eudora

    • Launch Eudora
    • Under the Tools menu select Options. When the options menu comes up, under the Category menu on the left, select Checking Mail and make sure the following are set:

        • Your POP account should be <your username>@pop.ncsa.uiuc.edu
        • Change Authentication Style to APOP

    Check your mail, type in the password that you selected when you requested your APOP account, and you're all set!



    ¹ Remember that this password is stored on the email servers in an unencrypted state. That means that it is not as secure as your Kerberos password, so if you use the same one you could be opening all Kerberos-based services up to a security breach. Hopefully your APOP password will always be secure, but there are no guarantees. APOP is nowhere near Kerberos in terms of security.