DoC Computing Support Group

Differences between revisions 1 and 4 (spanning 3 versions)
Revision 1 as of 2008-09-11 09:48:45
Size: 815
Editor: dwm
Comment:
Revision 4 as of 2009-10-08 18:08:55
Size: 1441
Editor: dcw
Comment:
Deletions are marked like this. Additions are marked like this.
Line 3: Line 3:
All CSG-maintained systems in the Department use the [[http://web.mit.edu/Kerberos/|Kerberos]] network authentication infrastructure deployed by the Department and the central College computing services, [[http://www.ict.imperial.ac.uk|ICT]], that allows you to use the same passphrase to access all standard university services, such as email, remote login and web services. We are aiming towards a single College password for each user, that allows you to access all standard university and Departmental services, such as email, remote login and web services.
Currently, all CSG-maintained Linux systems in the Department will accept your College password (actually a [[http://web.mit.edu/Kerberos/|Kerberos]] password stored in the College Active
Directory domain), or your DoC linux (Kerberos) password if you have one. DoC Windows machines currently use their own Windows-specific passwords, but will hopefully accept College passwords
by the end of summer 2009.
Line 8: Line 11:
  * Departmental web pages accessed over HTTPS;
  * Secure mail access via IMAP;
  * Network filesystem access via Windows Networking (SMB/CIFS)		   * Departmental web pages accessed over HTTPS from Kerberos-aware browsers like Firefox;
  * Network filesystem access via Windows Networking (SMB/CIFS) - but using your DoC Windows AD/Kerberos ticket.

When you login to (or unlock a locked session on) a DoC Linux machine, you receive a Kerberos ticket that lasts 8 hours.
All the above services should then work without asking you for your password again until your ticket expires after 8 hours,
you can give yourself another ticket from the College Kerberos/AD servers via kinit $user@IC.AC.UK.

Authentication Services

We are aiming towards a single College password for each user, that allows you to access all standard university and Departmental services, such as email, remote login and web services. Currently, all CSG-maintained Linux systems in the Department will accept your College password (actually a Kerberos password stored in the College Active Directory domain), or your DoC linux (Kerberos) password if you have one. DoC Windows machines currently use their own Windows-specific passwords, but will hopefully accept College passwords by the end of summer 2009.

Kerberos also enables the ability to use ticket-based automatic single sign-on across services that have been extended to support it. Departmental services that support ticket-based authentication include:

  • Remote login via Secure Shell (SSH);
  • Departmental web pages accessed over HTTPS from Kerberos-aware browsers like Firefox;
  • Network filesystem access via Windows Networking (SMB/CIFS) - but using your DoC Windows AD/Kerberos ticket.

When you login to (or unlock a locked session on) a DoC Linux machine, you receive a Kerberos ticket that lasts 8 hours. All the above services should then work without asking you for your password again until your ticket expires after 8 hours, you can give yourself another ticket from the College Kerberos/AD servers via kinit $user@IC.AC.UK.

 
 

services/authentication (last edited 2025-09-04 13:34:58 by ldk)