Password management
===================

Your password is the only way Kerberos has of verifying your identity.
If someone finds out your password, that person can masquerade as
you---send email that comes from you, read, edit, or delete your files,
or log into other hosts as you---and no one will be able to tell the
difference.  For this reason, it is important that you choose a good
password, and keep it secret.  If you need to give access to your
account to someone else, you can do so through Kerberos (see
:ref:`grant_access`).  You should never tell your password to anyone,
including your system administrator, for any reason.  You should
change your password frequently, particularly any time you think
someone may have found out what it is.


Changing your password
----------------------

To change your Kerberos password, use the :ref:`kpasswd(1)` command.
It will ask you for your old password (to prevent someone else from
walking up to your computer when you're not there and changing your
password), and then prompt you for the new one twice.  (The reason you
have to type it twice is to make sure you have typed it correctly.)
For example, user ``david`` would do the following::

    shell% kpasswd
    Password for david:    <- Type your old password.
    Enter new password:    <- Type your new password.
    Enter it again:        <- Type the new password again.
    Password changed.
    shell%

If ``david`` typed the incorrect old password, he would get the
following message::

    shell% kpasswd
    Password for david:    <- Type the incorrect old password.
    kpasswd: Password incorrect while getting initial ticket
    shell%

If you make a mistake and don't type the new password the same way
twice, kpasswd will ask you to try again::

    shell% kpasswd
    Password for david:    <- Type the old password.
    Enter new password:    <- Type the new password.
    Enter it again:        <- Type a different new password.
    kpasswd: Password mismatch while reading password
    shell%

Once you change your password, it takes some time for the change to
propagate through the system.  Depending on how your system is set up,
this might be anywhere from a few minutes to an hour or more.  If you
need to get new Kerberos tickets shortly after changing your password,
try the new password.  If the new password doesn't work, try again
using the old one.


.. _grant_access:

Granting access to your account
-------------------------------

If you need to give someone access to log into your account, you can
do so through Kerberos, without telling the person your password.
Simply create a file called :ref:`.k5login(5)` in your home directory.
This file should contain the Kerberos principal of each person to whom
you wish to give access.  Each principal must be on a separate line.
Here is a sample .k5login file::

    jennifer@ATHENA.MIT.EDU
    david@EXAMPLE.COM

This file would allow the users ``jennifer`` and ``david`` to use your
user ID, provided that they had Kerberos tickets in their respective
realms.  If you will be logging into other hosts across a network, you
will want to include your own Kerberos principal in your .k5login file
on each of these hosts.

Using a .k5login file is much safer than giving out your password,
because:

* You can take access away any time simply by removing the principal
  from your .k5login file.

* Although the user has full access to your account on one particular
  host (or set of hosts if your .k5login file is shared, e.g., over
  NFS), that user does not inherit your network privileges.

* Kerberos keeps a log of who obtains tickets, so a system
  administrator could find out, if necessary, who was capable of using
  your user ID at a particular time.

One common application is to have a .k5login file in root's home
directory, giving root access to that machine to the Kerberos
principals listed.  This allows system administrators to allow users
to become root locally, or to log in remotely as root, without their
having to give out the root password, and without anyone having to
type the root password over the network.


Password quality verification
-----------------------------

TODO
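The .k5login access decision described under *Granting access to your account* above, written out as an added example (it is not MIT Kerberos's own ``krb5_kuserok`` code and does not model the file-ownership checks the real implementation performs): it parses a constructed .k5login, reports lines that are not well-formed principals, decides whether an authenticated principal is listed, and lists entries that grant access from another realm. The file contents and the ``admin/root`` instance name are constructed for this example.

```python
import re

# A principal is one or more '/'-separated components, then '@', then
# a realm.  Whitespace is not allowed anywhere in the name.
_PRINCIPAL_RE = re.compile(r"^[^@/\s]+(?:/[^@/\s]+)*@[^@\s]+$")

# Constructed sample; line 5 is deliberately malformed.
SAMPLE_K5LOGIN = """\
jennifer@ATHENA.MIT.EDU
david@EXAMPLE.COM

admin/root@EXAMPLE.COM
not a principal
"""


def parse_k5login(text):
    """Return (principals, problems) for the text of a .k5login file.

    One principal per line, as the section above states.  Blank lines
    are skipped (an assumption of this example).  A line that is not a
    well-formed principal can never match anything, so it is reported
    as a problem rather than silently accepted: it usually means the
    owner believes access was granted when it was not.
    """
    principals, problems = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if not _PRINCIPAL_RE.match(line):
            problems.append((lineno, raw))
            continue
        principals.append(line)
    return principals, problems


def is_authorized(client_principal, principals):
    """Exact, case-sensitive match: Kerberos realm names are
    case-sensitive, so david@example.com is not david@EXAMPLE.COM."""
    return client_principal in principals


def foreign_realm_entries(principals, local_realm):
    """Entries whose realm is not this host's realm.  These let users
    of another realm use the account, which a reviewer of the file
    (for example, root's .k5login) will want listed explicitly."""
    return [p for p in principals if p.rsplit("@", 1)[1] != local_realm]
```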