DoC Computing Support Group


Differences between revisions 6 and 11 (spanning 5 versions)
Revision 6 as of 2009-10-08 18:12:35
Size: 1595
Editor: dcw
Comment:
Revision 11 as of 2009-10-08 18:24:15
Size: 2350
Editor: dcw
Comment:
Line 3: Line 3:
== Single Sign On (Kerberos) ==
Line 4: Line 6:
Currently, all CSG-maintained Linux systems in the Department will accept your College password (actually a [[http://web.mit.edu/Kerberos/|Kerberos]] password stored in the College Active
Directory domain), or your DoC linux (Kerberos) password if you have one (people who have been in DoC for 3 years or more were given their own DoC kerberos principal when they joined). DoC Windows machines currently use their own Windows-specific passwords, but will hopefully accept College passwords
by Xmas 2009.
Currently, all CSG-maintained Linux systems in the Department will accept
Line 8: Line 8:
Kerberos also enables the ability to use ''ticket-based'' automatic single sign-on across services that have been extended to support it. Departmental services that support ticket-based authentication include: EITHER:

   * your College password (actually a [[http://web.mit.edu/Kerberos/|Kerberos]] password stored in the College Active Directory domain),

OR

   * your DoC Kerberos password if you have one - up to 2007, people joining DoC were setup with a DoC kerberos password when they joined.

DoC Windows machines currently use their own Windows-specific passwords - printed on new user information sheets - but will hopefully accept College passwords by Xmas 2009.

Kerberos also enables the ability to use ''ticket-based'' automatic single sign-on across services that have been extended to support it. When
you login to (or unlock a locked session on) a DoC Linux machine, you receive a Kerberos ticket that lasts 8 hours. All the following services
will try your current ticket rather than asking you for your password again until your ticket expires after 8 hours:
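Review bot: the last added sentence of this hunk gives the ticket lifetime twice ("a Kerberos ticket that lasts 8 hours" and "until your ticket expires after 8 hours"); drop the second mention. In the DoC bullet, "setup" should be "set up", and "by Xmas 2009" will date quickly, so a review date on that sentence would help.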
Line 14: Line 26:
When you login to (or unlock a locked session on) a DoC Linux machine, you receive a Kerberos ticket that lasts 8 hours.
All the above services should then work without asking you for your password again until your ticket expires after 8 hours,
after which you can give yourself another ticket from the College Kerberos/AD servers via
When your ticket has expired, you can give yourself another ticket from the College Kerberos/AD servers via
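Review bot: the renewal sentence at the end of this hunk ("you can give yourself another ticket from the College Kerberos/AD servers") covers only College credentials, while this same revision says Linux logins also accept a DoC Kerberos password. Add a line saying how someone who logged in with a DoC Kerberos password renews their ticket, or state that they should use their College principal.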
Line 23: Line 33:

Note that "IC.AC.UK" is in upper case, and is not an email address, it's a Kerberos realm.

== Changing your College Password ==

Assuming that you know your current College password, you can change it by several methods:

  * [[https://www.imperial.ac.uk/spectrum/ict/services/security/passwords/change/external/default.aspx|This ICT webpage]]
  * from the Linux command line:

{{{
kpasswd xyz09@IC.AC.UK
}}}

If you can't remember your College password, you can either:

   * come to 225 with your swipe card and ask us to let you change it.
   * email service.desk@imperial.ac.uk (eg. when abroad) and plead stupidity and desperation. provide sensible info, eg. your username, your CID..

Authentication Services

Single Sign On (Kerberos)

We are aiming for a single College password for each user that gives access to all standard university and Departmental services, such as email, remote login and web services. Currently, all CSG-maintained Linux systems in the Department will accept

EITHER:

  • your College password (actually a Kerberos password stored in the College Active Directory domain),

OR

  • your DoC Kerberos password if you have one - up to 2007, people joining DoC were set up with a DoC Kerberos password when they joined.

DoC Windows machines currently use their own Windows-specific passwords - printed on new user information sheets - but will hopefully accept College passwords by Xmas 2009.

Kerberos also enables ticket-based automatic single sign-on across services that have been extended to support it. When you log in to (or unlock a locked session on) a DoC Linux machine, you receive a Kerberos ticket that lasts 8 hours. Until that ticket expires, all the following services will try it rather than asking you for your password again:

  • Remote login via Secure Shell (SSH);
  • Departmental web pages accessed over HTTPS from Kerberos-aware browsers like Firefox;
  • Network filesystem access via Windows Networking (SMB/CIFS) - but using your DoC Windows AD/Kerberos ticket.

When your ticket has expired, you can give yourself another ticket from the College Kerberos/AD servers via

kinit xyz09@IC.AC.UK

[if your username is xyz09].

Note that "IC.AC.UK" is in upper case and is not an email address: it is a Kerberos realm.
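A shell helper for the renewal step above, as an added example that is not part of the original CSG page: it upper-cases the realm and calls kinit only when `klist -s` reports no valid ticket. The function names are hypothetical; xyz09 and IC.AC.UK are the page's sample values.

```shell
# Added example: function names are hypothetical, not CSG tooling.

# Turn "user@realm" into a Kerberos principal with an upper-case realm.
# Prints the principal on stdout; returns 1 if the input is not user@realm.
krb_principal() {
    case "$1" in
        *@*@*|@*|*@|*[!A-Za-z0-9._@-]*) return 1 ;;  # malformed or odd characters
        *@*) ;;                                       # exactly one "@"
        *) return 1 ;;                                # no realm given
    esac
    user=${1%@*}
    realm=$(printf '%s' "${1#*@}" | tr '[:lower:]' '[:upper:]')
    printf '%s@%s\n' "$user" "$realm"
}

# Return 0 if the default credential cache holds an unexpired ticket.
# `klist -s` prints nothing and reports validity through its exit status.
have_valid_ticket() {
    klist -s 2>/dev/null
}

# Request a new ticket only when the current one is missing or expired.
# Returns 2 for a malformed principal, otherwise kinit's own exit status.
ensure_ticket() {
    principal=$(krb_principal "$1") || {
        echo "not a Kerberos principal: $1" >&2
        return 2
    }
    if have_valid_ticket; then
        return 0
    fi
    kinit "$principal"   # prompts for the password
}
```

Call it as `ensure_ticket xyz09@ic.ac.uk`; the realm is corrected to IC.AC.UK before kinit runs.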

Changing your College Password

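Assuming that you know your current College password, you can change it by several methods:

  • This ICT webpage: https://www.imperial.ac.uk/spectrum/ict/services/security/passwords/change/external/default.aspx
  • from the Linux command line:

kpasswd xyz09@IC.AC.UK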

If you can't remember your College password, you can either:

  • come to 225 with your swipe card and ask us to let you change it.
  • email service.desk@imperial.ac.uk (e.g. when abroad) and plead stupidity and desperation. Provide sensible info, e.g. your username and your CID.

 
 

services/authentication (last edited 2025-09-04 13:34:58 by ldk)