|
Size: 1437
Comment:
|
← Revision 39 as of 2025-09-04 13:34:58 ⇥
Size: 3988
Comment:
|
| Deletions are marked like this. | Additions are marked like this. |
| Line 1: | Line 1: |
| = Authentication Services = | = Authentication: Passwords = == Single Sign On (Kerberos) == |
| Line 4: | Line 6: |
| Currently, all CSG-maintained Linux systems in the Department will accept your College password (actually a [[http://web.mit.edu/Kerberos/|Kerberos]] password stored in the College Active Directory domain), or your DoC linux (Kerberos) password if you have one. DoC Windows machines currently use their own Windows-specific passwords, but will hopefully accept College passwords by the end of summer 2009. |
Currently, all CSG-maintained Linux systems in the Department will accept |
| Line 8: | Line 8: |
| Kerberos also enables the ability to use ''ticket-based'' automatic single sign-on across services that have been extended to support it. Departmental services that support ticket-based authentication include: | EITHER: * your College password (actually a [[http://web.mit.edu/Kerberos/|Kerberos]] password stored in the College Active Directory domain), OR * your DoC Kerberos password (if you've been at DoC for at least 5 years, and if your doc password was not been deactivated (for instance, in Feb 2011). DoC Windows machines currently use their own separately-stored passwords - however changing your College password via [[https://www.imperial.ac.uk/ict/passwords/|ICT's password change webpage]] attempts to '''also set''' your DoC Windows password. So usually, your College and DoC Windows passwords will be the same. Sometimes the synchronization fails (we're working on this), and you may need to manually change your DoC Windows password to the same as your College password. Kerberos also provides the ability to use ''ticket-based'' automatic single sign-on across services that have been extended to support it. When you login to (or unlock a locked session on) a DoC Linux machine, you receive a Kerberos ticket that lasts 8 hours. All the following services will try your current ticket rather than asking you for your password again until your ticket expires after 8 hours: |
| Line 12: | Line 31: |
| * Secure mail access via imap.doc.ic.ac.uk [but not via the new College Email Service] from Kerberos-aware email clients like alpine; * Network filesystem access via Windows Networking (SMB/CIFS) - but using your DoC Windows AD/Kerberos ticket. |
* Network filesystem access via Windows Networking (SMB/CIFS) - but this uses your DoC Windows AD/Kerberos ticket. |
| Line 15: | Line 33: |
| When you login to (or unlock a locked session on) a DoC Linux machine, you receive a Kerberos ticket that lasts 8 hours. All the above services should then work without asking you for your password again. |
When your ticket has expired, you can give yourself another ticket from the College Kerberos/AD servers either by screen locking and unlocking your Linux session, or via the Linux command: {{{ kinit xyz13@IC.AC.UK }}} [if your username is xyz13]. Note that "IC.AC.UK" must be written in upper case as shown, it's not an email address, it's a Kerberos realm. If you're having trouble logging in to any service, this is a really good test command to run, as it provides specific error messages in the event that something unusual has happened, such as your account being locked. == Changing your College Password == Assuming that you know your current College password, you can change your College password either by: * [[https://www.imperial.ac.uk/ict/passwords|This ICT webpage]] * from the Linux command line: {{{ kpasswd xyz13@IC.AC.UK }}} == Changing your DoC Kerberos password == If you still have a vestigial DoC Kerberos password set, you can change it from the Linux command line: {{{ kpasswd abc02@DOC.IC.AC.UK }}} == Changing your DoC super-user password == If you have been granted super-user access to a machine, you will have a 'root principal' with a different password to your main accounts. You can change it from the Linux command line: {{{ kpasswd xyz13/root@DOC.IC.AC.UK }}} == Changing your DoC Windows password == Assuming that you know your current password, either: * Log in, press CTRL-ALT-DELETE, and select 'Change password'. * from the Linux command line: {{{ kpasswd xyz13@WIN.DOC.IC.AC.UK }}} == If you can't remember your password == If you can't remember your College password, choose from these options: * come to CSG (Huxley 305 / 306) with your swipe card and ask us to let you change it. * go to the ICT service desk (Level 1, Abdus Salam Library) and ask the same. * contact the ICT service desk on x49000 (i.e. 0207 594 9000) and provide sensible info, eg. your username, your CID and they'll usually take pity on you. If you can't remember one of your DoC passwords, come to CSG (Huxley 305 / 306) with your swipe card and ask to let you change it. |
Authentication: Passwords
Single Sign On (Kerberos)
We are aiming towards a single College password for each user, that allows you to access all standard university and Departmental services, such as email, remote login and web services. Currently, all CSG-maintained Linux systems in the Department will accept
EITHER:
your College password (actually a Kerberos password stored in the College Active Directory domain),
OR
- your DoC Kerberos password (if you've been at DoC for at least 5 years, and if your doc password was not been deactivated (for instance, in Feb 2011).
DoC Windows machines currently use their own separately-stored passwords - however changing your College password via ICT's password change webpage attempts to also set your DoC Windows password.
So usually, your College and DoC Windows passwords will be the same. Sometimes the synchronization fails (we're working on this), and you may need to manually change your DoC Windows password to the same as your College password.
Kerberos also provides the ability to use ticket-based automatic single sign-on across services that have been extended to support it. When you login to (or unlock a locked session on) a DoC Linux machine, you receive a Kerberos ticket that lasts 8 hours. All the following services will try your current ticket rather than asking you for your password again until your ticket expires after 8 hours:
- Remote login via Secure Shell (SSH);
- Departmental web pages accessed over HTTPS from Kerberos-aware browsers like Firefox;
- Network filesystem access via Windows Networking (SMB/CIFS) - but this uses your DoC Windows AD/Kerberos ticket.
When your ticket has expired, you can give yourself another ticket from the College Kerberos/AD servers either by screen locking and unlocking your Linux session, or via the Linux command:
kinit xyz13@IC.AC.UK
[if your username is xyz13].
Note that "IC.AC.UK" must be written in upper case as shown, it's not an email address, it's a Kerberos realm. If you're having trouble logging in to any service, this is a really good test command to run, as it provides specific error messages in the event that something unusual has happened, such as your account being locked.
Changing your College Password
Assuming that you know your current College password, you can change your College password either by:
- from the Linux command line:
kpasswd xyz13@IC.AC.UK
Changing your DoC Kerberos password
If you still have a vestigial DoC Kerberos password set, you can change it from the Linux command line:
kpasswd abc02@DOC.IC.AC.UK
Changing your DoC super-user password
If you have been granted super-user access to a machine, you will have a 'root principal' with a different password to your main accounts. You can change it from the Linux command line:
kpasswd xyz13/root@DOC.IC.AC.UK
Changing your DoC Windows password
Assuming that you know your current password, either:
- Log in, press CTRL-ALT-DELETE, and select 'Change password'.
- from the Linux command line:
kpasswd xyz13@WIN.DOC.IC.AC.UK
If you can't remember your password
If you can't remember your College password, choose from these options:
- come to CSG (Huxley 305 / 306) with your swipe card and ask us to let you change it.
- go to the ICT service desk (Level 1, Abdus Salam Library) and ask the same.
- contact the ICT service desk on x49000 (i.e. 0207 594 9000) and provide sensible info, eg. your username, your CID and they'll usually take pity on you.
If you can't remember one of your DoC passwords, come to CSG (Huxley 305 / 306) with your swipe card and ask to let you change it.