Kerberos Principals and Passwords
This article provides instructions on how to choose and obtain a Kerberos principal and a Kerberos password.
As a user, you need to obtain a Kerberos Principal (actually one for each realm, FNAL.GOV and FERMI.WIN.FNAL.GOV), to access machines and resources at Fermilab. A principal is essentially a username for the strengthened realm. Your principals will have the same username, and be of the form principal_name@REALM (e.g., joe@FNAL.GOV and joe@FERMI.WIN.FNAL.GOV). You must have a valid Fermilab ID.
In addition to a principal, you must have an account on each machine that you plan to use in the realm. There are significant conveniences if your principal and your account name are the same, as we discuss in the section below, Choosing a Principal Name.
The system administrator of a strengthened machine may require that authorized users obtain a <username>/root instance of their Kerberos principal to access sensitive accounts on the system. The root instance has tighter restrictions placed on it (see section Ticket Management). If your system administrator tells you it's required, use the form Access to Kerberized Machines in the Service Catalog of ServiceNow.
The Service Desk assigns principal names based on the following scheme - first letter of the first name followed by the last name - with the result truncated to 8 characters.
Use the online form Computing Username and Primary Accounts in the ServiceNow Service Catalog.
About Kerberos Passwords
Once your request for a principal has been approved, you must stop by Wilson Hall, ground floor, North (the Service Desk) to receive your initial Kerberos password. An exception is granted for off-site visitors: you can get it over the telephone (630-840-2345); you will be asked a question to verify your identity.
You are required to change the initial password within 30 days of receipt, and once a year (actually every 400 days) thereafter.
Important! Please Read!
Please treat your Kerberos password as an inviolable object. Never give your password to anybody for any reason. Doing so constitutes a policy violation. If you really need to give someone access to your account (this practice is discouraged, by the way), add the person's principal to your .k5login or .k5users file as described in section Account Access by Multiple Users.
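The following is an added illustration, not code from this article or from Fermilab, of the access rule that .k5login expresses. It is a simplified model of the default krb5 behaviour (an assumption about krb5's semantics, not its code): when a .k5login file exists, only the principals listed in it, matched exactly, may log in to the account; when no file exists, only the single-component principal whose name equals the local username in the host's default realm is accepted. The default realm value and the sample file contents are constructed for the example.

```python
from typing import Optional

# Assumption: the realm this host is configured to use as its default.
DEFAULT_REALM = "FNAL.GOV"


def parse_k5login(text: str) -> set:
    """Parse the contents of a .k5login file.

    The format is one full principal (name@REALM, or name/instance@REALM)
    per line; blank lines are ignored. Comments are not part of the format,
    so nothing is stripped beyond surrounding whitespace.
    """
    return {line.strip() for line in text.splitlines() if line.strip()}


def login_allowed(principal: str, local_user: str,
                  k5login_text: Optional[str]) -> bool:
    """Decide whether `principal` may log in to the account `local_user`.

    Simplified model of the krb5 rule (assumption, see lead-in):
      * .k5login present  -> principal must be listed, exact match, so a
        joe/root@FNAL.GOV instance is NOT the same as joe@FNAL.GOV;
      * .k5login absent   -> only <local_user>@<DEFAULT_REALM> is accepted,
        which is why matching account and principal names is convenient.
    A real krb5 additionally refuses a .k5login that is not owned by the
    user or is group/world writable; that file-permission check is outside
    this text-only model.
    """
    if k5login_text is not None:
        return principal in parse_k5login(k5login_text)
    return principal == f"{local_user}@{DEFAULT_REALM}"


# Constructed sample .k5login for the account "joe": joe has granted access
# to a colleague and to his own /root instance (the instance must be listed
# separately because it does not match the bare principal).
SAMPLE_K5LOGIN = """\
joe@FNAL.GOV
joe/root@FNAL.GOV

ann@FNAL.GOV
"""


def demo() -> dict:
    """Run a few representative checks and return the outcomes by label."""
    return {
        "self, no file": login_allowed("joe@FNAL.GOV", "joe", None),
        "root instance, no file": login_allowed("joe/root@FNAL.GOV", "joe", None),
        "other user, no file": login_allowed("ann@FNAL.GOV", "joe", None),
        "other user, listed": login_allowed("ann@FNAL.GOV", "joe", SAMPLE_K5LOGIN),
        "unlisted user": login_allowed("bob@FNAL.GOV", "joe", SAMPLE_K5LOGIN),
        "other realm, no file": login_allowed("joe@FERMI.WIN.FNAL.GOV", "joe", None),
    }


if __name__ == "__main__":
    for label, allowed in demo().items():
        print(f"{label:24s} -> {'allowed' if allowed else 'denied'}")
```

Note that a principal from the other Fermilab realm (joe@FERMI.WIN.FNAL.GOV) is denied on a host whose default realm is FNAL.GOV unless it is listed explicitly; the two realms are separate namespaces even though the username is the same.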
Typing in your Kerberos password should ideally be done infrequently (i.e., no more than once each day). Do not type it in carelessly. Please authenticate locally and forward your credentials to remote systems whenever possible.
Windows domain-only users: type your password only at the Windows login prompt.
In contrast to the principal (which ideally should match your login name on each machine and your email address), your Kerberos password must be unique. That is, in order to avoid exposing your Kerberos password, it must be different from the passwords you use for any other purpose (with the single exception that you may use the same one for both strengthened realms at Fermilab, namely FNAL.GOV and FERMI.WIN.FNAL.GOV).
While using the same password for the Kerberos Realm and for the FERMI Windows Domain is allowed, do NOT use this same password for your SERVICES Domain. The reason for this restriction is that some of the uses of the SERVICES Domain authentication have a greater propensity for causing your password to be exposed, which can result in your account being disabled pending a password reset.
The Fermilab Computer Security Team has imposed some restrictions on passwords in accordance with DOE guidelines. Currently, a password for the FNAL.GOV strengthened realm is required to contain a minimum of ten characters from at least two of the following five classes: lowercase letters, uppercase letters, numbers, punctuation, and all other characters. Passwords for /root principals must contain a minimum of 11 characters including at least three of the five classes. Passwords the system considers "bad" will be rejected. (Passwords are checked against the "cracklib" dictionary, which will often surprise you by its thoroughness.) See How to change your Kerberos password for a summary of the requirements on passwords.
Choose something that's hard to guess but that you can remember, and please make an effort to remember it!!
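The following is an added example, not code from this article or from Fermilab, of a local pre-check that applies the length and character-class rules stated above before a password is submitted: at least ten characters from at least two of the five classes for an ordinary principal, and at least eleven characters from at least three classes for a <username>/root instance. Which characters fall into "punctuation" versus "all other characters" is an assumption here (ASCII punctuation versus everything else), and the cracklib dictionary check that the realm also applies is not reproduced, so passing this check does not guarantee the KDC will accept the password.

```python
import string

# The five classes the article names for the FNAL.GOV realm. Assumption:
# "punctuation" means ASCII punctuation; anything not in the first four
# classes (space, non-ASCII, control characters) counts as "other".
LOWER = set(string.ascii_lowercase)
UPPER = set(string.ascii_uppercase)
DIGITS = set(string.digits)
PUNCT = set(string.punctuation)


def character_classes(password: str) -> set:
    """Return the names of the character classes present in `password`."""
    classes = set()
    for ch in password:
        if ch in LOWER:
            classes.add("lower")
        elif ch in UPPER:
            classes.add("upper")
        elif ch in DIGITS:
            classes.add("digit")
        elif ch in PUNCT:
            classes.add("punct")
        else:
            classes.add("other")
    return classes


def is_root_instance(principal: str) -> bool:
    """True for a <username>/root@REALM principal, False for a plain one."""
    name_part = principal.split("@", 1)[0]
    return name_part.endswith("/root")


def check_password(password: str, principal: str) -> list:
    """Return the list of rule violations; an empty list means the
    length/class rules pass (the cracklib dictionary check is NOT modelled).

    Ordinary principal: >= 10 characters, >= 2 classes.
    /root instance:     >= 11 characters, >= 3 classes.
    """
    min_len, min_classes = (11, 3) if is_root_instance(principal) else (10, 2)
    problems = []
    if len(password) < min_len:
        problems.append(
            f"needs at least {min_len} characters, has {len(password)}")
    classes = character_classes(password)
    if len(classes) < min_classes:
        problems.append(
            f"needs at least {min_classes} character classes, "
            f"has {len(classes)}: {sorted(classes)}")
    return problems


if __name__ == "__main__":
    # Constructed sample inputs; do not reuse them as real passwords.
    samples = [
        ("correcthorse", "joe@FNAL.GOV"),          # long enough, one class
        ("correct horse", "joe@FNAL.GOV"),         # space adds the "other" class
        ("Correct-Horse1", "joe/root@FNAL.GOV"),   # four classes, 14 chars
        ("Short1!", "joe/root@FNAL.GOV"),          # classes fine, too short
    ]
    for pw, who in samples:
        verdict = check_password(pw, who) or ["ok (dictionary check not run)"]
        print(f"{who:20s} {pw!r:18s} -> {'; '.join(verdict)}")
```

The /root rule is detected from the principal string itself, so the same function serves both kinds of principal; the one thing it cannot tell you is whether cracklib will reject a phrase built from dictionary words, which is exactly the check the article warns can be surprisingly thorough.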
A few notes before moving to the platform-specific instructions:
- If you forget your initial password before you get around to changing it, open a Service Desk ticket requesting a password reset.
- Change your password on a machine that is sitting in front of you and that has Kerberos or another Kerberos-aware program installed. Do not send your password over a network connection to a remote host except over an encrypted connection!
- The Computing Sector has set up a terminal at which people can change their Kerberos passwords. It is in the CD Service Desk/Email Center in Wilson Hall, ground floor, North end. Signage is mounted on the wall above the screen with instructions.
- If you don't have an appropriate machine on which to change your password, find someone who does, and borrow his or her command prompt. (Yes, you can change it from someone else's account; just give your principal name as an argument.)
- If your only option is to change it on a remote host via a network connection, then before changing your password, verify that you are using an encrypted connection! How do you know if your connection is encrypted? See Encrypted vs. Unencrypted Connections for some help.
See the KnowledgeBase article How to change your Kerberos password for detailed instructions on changing your Kerberos password.