|
Size: 1646
Comment:
|
Size: 3137
Comment:
|
| Deletions are marked like this. | Additions are marked like this. |
| Line 1: | Line 1: |
| = Authentication Services = | = Authentication: Passwords = == Single Sign On (Kerberos) == |
| Line 4: | Line 6: |
| Currently, all CSG-maintained Linux systems in the Department will accept EITHER: | Currently, all CSG-maintained Linux systems in the Department will accept |
| Line 6: | Line 8: |
| * your College password (actually a [[http://web.mit.edu/Kerberos/|Kerberos]] password stored in the College Active Directory domain), OR * (existing DoC users) your previous DoC Kerberos password. Up to 2007, people joining DoC were setup with a DoC kerberos password. |
EITHER: |
| Line 9: | Line 10: |
| DoC Windows machines currently use their own Windows-specific passwords, but will hopefully accept College passwords by Xmas 2009. | * your College password (actually a [[http://web.mit.edu/Kerberos/|Kerberos]] password stored in the College Active Directory domain), |
| Line 11: | Line 12: |
| Kerberos also enables the ability to use ''ticket-based'' automatic single sign-on across services that have been extended to support it. When | OR * your DoC Kerberos password if you have one - until 2007, people were setup with a DoC kerberos password when they joined DoC. Since 2007, we don't create a separate DoC kerberos password for DoC users unless there is a special reason. DoC Windows machines currently use their own Windows-specific passwords - printed on new user information sheets, stored separately and changed separately - but will hopefully accept College passwords by Xmas 2009. Kerberos also provides the ability to use ''ticket-based'' automatic single sign-on across services that have been extended to support it. When |
| Line 17: | Line 24: |
| * Network filesystem access via Windows Networking (SMB/CIFS) - but using your DoC Windows AD/Kerberos ticket. | * Network filesystem access via Windows Networking (SMB/CIFS) - but this uses your DoC Windows AD/Kerberos ticket. |
| Line 19: | Line 26: |
| When your ticket has expired, you can give yourself another ticket from the College Kerberos/AD servers via | When your ticket has expired, you can give yourself another ticket from the College Kerberos/AD servers either by screen locking and unlocking your Linux session, or via the Linux command: |
| Line 27: | Line 35: |
| Note that "IC.AC.UK" is in upper case, and is not an email address, it's a Kerberos realm. | Note that "IC.AC.UK" must be written in upper case as shown, it's not an email address, it's a Kerberos realm. == Changing your College Password == Assuming that you know your current College password, either: * [[https://www.imperial.ac.uk/spectrum/ict/services/security/passwords/change/external/default.aspx|This ICT webpage]] * from the Linux command line: {{{ kpasswd xyz09@IC.AC.UK }}} If you can't remember your College password, choose from these options: * come to CSG (room 225 Huxley) with your swipe card and ask us to let you change your College password. * go to the ICT service desk (level 4, Sherfield) and ask the same. * email service.desk@imperial.ac.uk (eg. when abroad) and plead insanity. provide sensible info, eg. your username, your CID and they'll usually take pity on you.. * contact the ICT service desk on x49000 (i.e. 0207 594 9000) and plead insanity again. Please note that College passwords must be changed at least once a year, if you receive an email saying you need to change your College password in the next few days, take it seriously and do so. Do not ignore it or your account will get locked out and you will need to visit the ICT Service Desk in person to get it unlocked. |
Authentication: Passwords
Single Sign On (Kerberos)
We are aiming towards a single College password for each user, that allows you to access all standard university and Departmental services, such as email, remote login and web services. Currently, all CSG-maintained Linux systems in the Department will accept
EITHER:
your College password (actually a Kerberos password stored in the College Active Directory domain),
OR
- your DoC Kerberos password if you have one - until 2007, people were setup with a DoC kerberos password when they joined DoC. Since 2007, we don't create a separate DoC kerberos password for DoC users unless there is a special reason.
DoC Windows machines currently use their own Windows-specific passwords - printed on new user information sheets, stored separately and changed separately - but will hopefully accept College passwords by Xmas 2009.
Kerberos also provides the ability to use ticket-based automatic single sign-on across services that have been extended to support it. When you login to (or unlock a locked session on) a DoC Linux machine, you receive a Kerberos ticket that lasts 8 hours. All the following services will try your current ticket rather than asking you for your password again until your ticket expires after 8 hours:
- Remote login via Secure Shell (SSH);
- Departmental web pages accessed over HTTPS from Kerberos-aware browsers like Firefox;
- Network filesystem access via Windows Networking (SMB/CIFS) - but this uses your DoC Windows AD/Kerberos ticket.
When your ticket has expired, you can give yourself another ticket from the College Kerberos/AD servers either by screen locking and unlocking your Linux session, or via the Linux command:
kinit xyz09@IC.AC.UK
[if your username is xyz09].
Note that "IC.AC.UK" must be written in upper case as shown, it's not an email address, it's a Kerberos realm.
Changing your College Password
Assuming that you know your current College password, either:
- from the Linux command line:
kpasswd xyz09@IC.AC.UK
If you can't remember your College password, choose from these options:
- come to CSG (room 225 Huxley) with your swipe card and ask us to let you change your College password.
- go to the ICT service desk (level 4, Sherfield) and ask the same.
email service.desk@imperial.ac.uk (eg. when abroad) and plead insanity. provide sensible info, eg. your username, your CID and they'll usually take pity on you..
- contact the ICT service desk on x49000 (i.e. 0207 594 9000) and plead insanity again.
Please note that College passwords must be changed at least once a year, if you receive an email saying you need to change your College password in the next few days, take it seriously and do so. Do not ignore it or your account will get locked out and you will need to visit the ICT Service Desk in person to get it unlocked.