DoC Computing Support Group


Differences between revisions 2 and 4 (spanning 2 versions)
Revision 2 as of 2009-07-10 11:52:48
Size: 1437
Editor: dcw
Revision 4 as of 2009-10-08 18:08:55
Size: 1441
Editor: dcw
Line 12: Line 12:
  * Secure mail access via imap.doc.ic.ac.uk [but not via the new College Email Service] from Kerberos-aware email clients like alpine;
Line 16: Line 15:
All the above services should then work without asking you for your password again. All the above services should then work without asking you for your password again until your ticket expires after 8 hours,
you can give yourself another ticket from the College Kerberos/AD servers via kinit $user@IC
.AC.UK.
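Review bot: In the second hunk (Line 16 / Line 15), the added text joins two statements with a comma ("...until your ticket expires after 8 hours, you can give yourself another ticket..."), so it does not say clearly that kinit is the step to take once the ticket has expired. Suggest ending the sentence after "8 hours" and starting a new one, for example "After that, you can give yourself another ticket from the College Kerberos/AD servers via kinit $user@IC.AC.UK."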

Authentication Services

We are aiming towards a single College password for each user that gives access to all standard university and Departmental services, such as email, remote login and web services. Currently, all CSG-maintained Linux systems in the Department will accept your College password (actually a Kerberos password stored in the College Active Directory domain), or your DoC Linux (Kerberos) password if you have one. DoC Windows machines currently use their own Windows-specific passwords, but will hopefully accept College passwords by the end of summer 2009.

Kerberos also enables ticket-based automatic single sign-on across services that have been extended to support it. Departmental services that support ticket-based authentication include:

  • Remote login via Secure Shell (SSH);
  • Departmental web pages accessed over HTTPS from Kerberos-aware browsers like Firefox;
  • Network filesystem access via Windows Networking (SMB/CIFS) - but using your DoC Windows AD/Kerberos ticket.

When you log in to (or unlock a locked session on) a DoC Linux machine, you receive a Kerberos ticket that lasts 8 hours. All the above services should then work without asking you for your password again until your ticket expires after 8 hours. You can then give yourself another ticket from the College Kerberos/AD servers via kinit $user@IC.AC.UK.
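A ticket check for scripts that rely on the services above, as an added example that is not CSG's own code: it tests for an unexpired ticket, renews with kinit only when it can prompt, and otherwise fails instead of falling back to a password prompt. The realm IC.AC.UK is from this page; the function names and the KLIST/KINIT override variables are assumptions.

```shell
#!/bin/sh
# Added example, not CSG's own script. REALM is the realm named on this page;
# the function names and the KLIST/KINIT override variables are assumptions.
REALM="IC.AC.UK"
KLIST="${KLIST:-klist}"
KINIT="${KINIT:-kinit}"

# Build the principal for kinit. Realm names are case-sensitive, so anything
# typed after "@" (e.g. user@ic.ac.uk) is dropped and the realm re-added.
principal_for() {
    printf '%s@%s\n' "${1%%@*}" "$REALM"
}

# klist -s prints nothing and exits 0 only when the credential cache
# holds an unexpired ticket.
have_ticket() {
    "$KLIST" -s >/dev/null 2>&1
}

# kinit needs a terminal to read the password; never pass it as an argument.
can_prompt() {
    [ -t 0 ]
}

# Prints "valid", "renewed" or "no-ticket"; returns non-zero for "no-ticket"
# so unattended jobs stop instead of hanging on a password prompt.
ensure_ticket() {
    user="${1:-$(id -un)}"
    if have_ticket; then
        echo valid
    elif can_prompt && "$KINIT" "$(principal_for "$user")"; then
        echo renewed
    else
        echo no-ticket
        return 1
    fi
}

# Typical use at the top of a job that goes on to use ssh or SMB:
#   ensure_ticket >/dev/null || exit 1
```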

 
 

services/authentication (last edited 2025-09-04 13:34:58 by ldk)