
Kerberos and LDAP

What are all these passwords for?

Your Kerberos password is for the most secure applications. For example, it's used for logging in to Linux, for changing your LDAP password, and for sshing to machines inside the department.

Your LDAP password is for less secure services. At the moment, this includes the wiki, OpenVPN, webmail, and email.

Kerberos tickets

Kerberos tickets are used to authenticate you with other services. For example, Kerberos tickets allow you to:

  • ssh to other department Linux computers
  • Set or change your LDAP password

There are a few ways to get a Kerberos ticket:

  • Log into a Linux computer with your Kerberos password
  • Unlock a screensaver on a Linux computer with your Kerberos password
  • Run /usr/bin/kinit on a Linux computer and enter your Kerberos password when prompted.

To see your current Kerberos tickets, run /usr/bin/klist. If you have a ticket, you will see output that looks like this:

Ticket cache: FILE:/tmp/krb5cc_31754
Default principal: aleks@CS.BROWN.EDU

Valid starting     Expires            Service principal
10/14/08 11:24:39  10/14/08 21:24:39  krbtgt/CS.BROWN.EDU@CS.BROWN.EDU
10/14/08 11:39:39  10/14/08 21:24:39  host/adminhost.cs.brown.edu@CS.BROWN.EDU
10/14/08 13:31:44  10/14/08 21:24:39  ldap/whopper.cs.brown.edu@CS.BROWN.EDU
10/14/08 13:31:51  10/14/08 21:24:39  ldap/starburst.cs.brown.edu@CS.BROWN.EDU


Kerberos 4 ticket cache: /tmp/tkt31754
klist: You have no tickets cached

If not, the output will look more like this:

klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_31754)


Kerberos 4 ticket cache: /tmp/tkt31754
klist: You have no tickets cached

Note that Kerberos tickets expire after 8 hours, so if you last logged in (or ran kinit) over 8 hours ago, you'll need to get a new ticket.

Also note that when you ssh to the ssh gateway (ssh.cs.brown.edu), you do not get Kerberos credentials by default. This means you must run kinit before you can ssh to other computers or change your LDAP password.

Setting passwords

To change your Kerberos password, run /usr/bin/kpasswd.

To set, or change, your LDAP password, first run kinit and then run /local/bin/ldappasswd. (Note that kinit will prompt you for your Kerberos password.)

Password requirements

We do our best to follow the CIS password policy. Therefore, we enforce the following requirements on Kerberos and LDAP passwords:

  • Passwords must contain at least three character classes. Character classes include lowercase letters, uppercase letters, digits, and punctuation.
  • Passwords must not be broken by our password cracker. Simple passwords, such as dictionary words, will fail this test, but most complex passwords should be fine.
  • Your password cannot be the same as any of your previous 10 passwords.

Additionally, after changing your password, you must wait a day before changing it again. If this is an issue for any reason, please email problem.
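As an added illustration (not the department's own code), the following Python function applies the three requirements above to a candidate password. The small wordlist and the digest-based history list are constructed stand-ins for the real password cracker and the Kerberos password history.

```python
import hashlib
import string

# Constructed stand-in for the department's password cracker: a tiny
# wordlist of values a dictionary-based cracker would recover quickly.
WEAK_WORDS = {"password", "kerberos", "welcome", "brown"}

# The four character classes named in the policy.
CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "punct": set(string.punctuation),
}


def character_classes(pw):
    """Return the names of the character classes that appear in pw."""
    return {name for name, chars in CLASSES.items() if any(c in chars for c in pw)}


def digest(pw):
    """Hypothetical history store: keep digests of old passwords, never plaintext."""
    return hashlib.sha256(pw.encode("utf-8")).hexdigest()


def check_password(candidate, history_digests):
    """Return a list of policy violations for candidate (empty list means acceptable).

    history_digests is the chronological list of digests of earlier passwords;
    only the most recent 10 entries count, as the policy states.
    """
    failures = []

    if len(character_classes(candidate)) < 3:
        failures.append("fewer than three character classes")

    # Cracker stand-in: a dictionary word padded with digits or punctuation
    # at either end is still a dictionary word.
    core = candidate.lower().strip(string.digits + string.punctuation)
    if core in WEAK_WORDS or candidate.lower() in WEAK_WORDS:
        failures.append("rejected by cracker wordlist")

    if digest(candidate) in history_digests[-10:]:
        failures.append("matches one of the previous 10 passwords")

    return failures
```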

More Information

Stanford's Kerberos user guide has a lot of useful information, though some of it doesn't apply to our setup.


Page Owner: Dorinda Moulton Last Modified: Sat Oct 17 22:45:40 2009