Password management
===================

Your password is the only way Kerberos has of verifying your identity.
If someone finds out your password, that person can masquerade as
you---send email that comes from you, read, edit, or delete your files,
or log into other hosts as you---and no one will be able to tell the
difference. For this reason, it is important that you choose a good
password, and keep it secret. If you need to give access to your
account to someone else, you can do so through Kerberos (see
:ref:`grant_access`). You should never tell your password to anyone,
including your system administrator, for any reason. You should
change your password frequently, particularly any time you think
someone may have found out what it is.


Changing your password
----------------------

To change your Kerberos password, use the :ref:`kpasswd(1)` command.
It will ask you for your old password (to prevent someone else from
walking up to your computer when you're not there and changing your
password), and then prompt you for the new one twice. (The reason you
have to type it twice is to make sure you have typed it correctly.)
For example, user ``david`` would do the following::

    shell% kpasswd
    Password for david:  <- Type your old password.
    Enter new password:  <- Type your new password.
    Enter it again:  <- Type the new password again.
    Password changed.
    shell%

If ``david`` typed the incorrect old password, he would get the
following message::

    shell% kpasswd
    Password for david:  <- Type the incorrect old password.
    kpasswd: Password incorrect while getting initial ticket
    shell%

If you make a mistake and don't type the new password the same way
twice, kpasswd will ask you to try again::

    shell% kpasswd
    Password for david:  <- Type the old password.
    Enter new password:  <- Type the new password.
    Enter it again:  <- Type a different new password.
    kpasswd: Password mismatch while reading password
    shell%

Once you change your password, it takes some time for the change to
propagate through the system. Depending on how your system is set up,
this might be anywhere from a few minutes to an hour or more. If you
need to get new Kerberos tickets shortly after changing your password,
try the new password. If the new password doesn't work, try again
using the old one.


.. _grant_access:

Granting access to your account
-------------------------------

If you need to give someone access to log into your account, you can
do so through Kerberos, without telling the person your password.
Simply create a file called :ref:`.k5login(5)` in your home directory.
This file should contain the Kerberos principal of each person to whom
you wish to give access. Each principal must be on a separate line.
Here is a sample .k5login file::

    jennifer@ATHENA.MIT.EDU
    david@EXAMPLE.COM

This file would allow the users ``jennifer`` and ``david`` to use your
user ID, provided that they had Kerberos tickets in their respective
realms. If you will be logging into other hosts across a network, you
will want to include your own Kerberos principal in your .k5login file
on each of these hosts.

Using a .k5login file is much safer than giving out your password,
because:

* You can take access away any time simply by removing the principal
  from your .k5login file.

* Although the user has full access to your account on one particular
  host (or set of hosts if your .k5login file is shared, e.g., over
  NFS), that user does not inherit your network privileges.

* Kerberos keeps a log of who obtains tickets, so a system
  administrator could find out, if necessary, who was capable of using
  your user ID at a particular time.
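As an added illustration (not part of this guide and not MIT krb5's own
code), the following shows the kind of check a login service makes
against a .k5login file: the match is exact and case-sensitive on the
full principal including realm, and when the file exists it is the whole
access list, which is why your own principal has to be listed on each
host. The fallback used when no .k5login exists is a simplified
assumption (local user name equals the principal name in the default
realm).

```python
from typing import Optional


def parse_k5login(text: str) -> list[str]:
    """Return the principals listed in a .k5login file, one per line.

    Blank lines and surrounding whitespace are ignored; nothing else is
    interpreted, so a principal must appear exactly as the KDC names it.
    """
    return [line.strip() for line in text.splitlines() if line.strip()]


def kuserok(principal: str, local_user: str, default_realm: str,
            k5login: Optional[str]) -> bool:
    """Decide whether `principal` may log in as `local_user`.

    k5login is the text of ~local_user/.k5login, or None if the file is
    absent.  Realm names are case-sensitive in Kerberos, so the comparison
    is a plain string equality: david@example.com is not david@EXAMPLE.COM,
    and david@ATHENA.MIT.EDU is a different principal from david@EXAMPLE.COM.
    """
    if k5login is not None:
        # The file, when present, is the complete access list.  The account
        # owner's own principal is accepted only if it is listed too.
        return principal in parse_k5login(k5login)
    # No .k5login: simplified default mapping (assumption for this example,
    # not the full krb5 name-mapping logic).
    name, sep, realm = principal.partition("@")
    return sep == "@" and name == local_user and realm == default_realm


# Constructed sample, matching the .k5login shown above.
SAMPLE_K5LOGIN = "jennifer@ATHENA.MIT.EDU\ndavid@EXAMPLE.COM\n"

if __name__ == "__main__":
    for who in ("jennifer@ATHENA.MIT.EDU", "david@example.com",
                "david@ATHENA.MIT.EDU", "alice@EXAMPLE.COM"):
        print(who, "->", kuserok(who, "alice", "EXAMPLE.COM", SAMPLE_K5LOGIN))
```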

One common application is to have a .k5login file in root's home
directory, giving root access to that machine to the Kerberos
principals listed. This lets system administrators allow users to
become root locally, or to log in remotely as root, without having
to give out the root password, and without anyone having to type
the root password over the network.


Password quality verification
-----------------------------

TODO