
STANFORD UNIVERSITY

INFORMATION TECHNOLOGY SERVICES

Kerberos User FAQ

How do I change my password?

The easiest way to change your password, which works from any computer, is to go to Stanford.You. Stanford.You lets you manage your account settings and change your password.

You can also use a native Kerberos password change client. Kerberos for Windows systems can change your password, as can Kerberos for Mac OS X. On a UNIX system, you can use kpasswd. You cannot, however, use the native password change interface in Windows (the one reached via Ctrl+Alt+Delete) to change your Kerberos password.

If you have forgotten your password, you can go to the SUNet ID page to reset your password by providing other identifying information.

Stanford's Kerberos servers enforce strong passwords by testing your chosen password against the techniques that identity thieves try to use to break into accounts. If you have a hard time picking a strong enough password, remember to use a lot of different letters, numbers, and punctuation, and try to make your password longer. A couple of fairly reliable techniques for constructing secure passwords are to take the initial letters of the titles of books on a shelf near you, or to put one word in the middle of another word. In either case, adding numbers and punctuation somewhere in the password will make it more secure.

Why should I change my password?

If someone else has your password, they have your Stanford identity. They can get access to your e-mail, your files, even your pay stub or grades. They may be able to use that access to get personal financial information. And, most commonly, they use that access to do embarrassing or illegal things in your name.

Obviously, you should immediately change your password if you have any reason to believe that someone else had access to it or broke into your account. If you accidentally enter your SUNet ID password into a non-Stanford web site, if you entered it into a Stanford site that felt suspicious, or if you felt like someone was watching you type it, change it. If you see signs of strange activity in your account, change your password and report it to the Information Security Office. It's better to take the precaution.

You should also change your password periodically. We recommend every six months. There are several reasons for this. First, passwords are often stolen without the knowledge of the victim, and stolen passwords often aren't used immediately. They're collected, sold to organized crime, rebundled and resold, and left unused for some time. Even if you're not aware your password was stolen, if you change it periodically you may change it before a thief has an opportunity to use it. Second, while we are constantly working to strengthen the underlying security of Kerberos tickets, computers are also always getting faster. It's possible to guess your password through sheer persistent computer effort. Right now, with current technology, this takes months if you have a strong password. If you change your password every six months, any brute force attack that takes longer is ineffective.

If you work in certain areas of Stanford, such as with medical patient health information or with credit card processing, government security regulations may require that you change your password periodically. For other Stanford users, periodic password changes are not required, but we do strongly recommend them.

How do I keep my account safe?

The best ways to keep your account safe are to be aware of how to use Kerberos properly, to be very careful about where you enter your password, and to change your password periodically. Do not use your SUNet ID password for anything else; don't use it for your bank, for web site accounts, or for accounts on other systems. Do not give it out to anyone else. Your password protects your Stanford identity and must be treated with care.

Some people have a lot of difficulty memorizing a sufficiently strong password, particularly when changing it periodically. Many people will recommend never writing down your password, and of course it's best if you can memorize it. However, it's better to have a strong password that you change periodically and write down than a weak password that you never change but have memorized. Nearly everyone who tries to break into your account is not physically at Stanford and will never have access to a physical piece of paper.

If you do need to write down your password, treat the piece of paper on which it's written like a credit card. Carry it in your wallet or purse. Don't give it to other people. Don't let it out of your sight. Don't leave it lying on or taped to your desk. Most people know how to keep credit cards safe, and if they treat a piece of paper with a password written on it with equal care, they'll do a good job of keeping that password safe.

Finally, keep your computer safe. If an attacker can break into your computer, they have access to everything you type into that computer, including your password. The best way to keep your Windows or Mac OS X computer safe is to install Stanford Desktop Tools from Essential Stanford Software, use a virus scanner, and regularly apply any operating system updates or security fixes.

Why doesn't Kerberos work?

The most common reason why Kerberos doesn't work on a computer is the computer's time setting. Kerberos puts expiration times on everything and requires that your computer's clock be accurate. It must be within five minutes of the clock on the Kerberos servers.

Most operating systems now support some way to set the system clock automatically from a central time server. If your system is on the Stanford campus network, you can use time.stanford.edu as the time server.
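The following script is an added example, not part of this FAQ or of Stanford's software. It asks a time server for the current time using the SNTP packet layout from RFC 4330, computes how far the local clock is off, and reports whether that offset is inside the five-minute window Kerberos tolerates. The server name time.stanford.edu is the one this answer recommends; build_sample_response constructs a fake server reply so the offset arithmetic can be exercised without network access.

```python
"""Measure local clock offset against an NTP server and compare it to Kerberos' limit.

Added example, not part of the Stanford FAQ or its software. Packet layout per
RFC 4330 (SNTP); time.stanford.edu is the server the FAQ names.
"""
import socket
import struct
import time

NTP_EPOCH_DELTA = 2208988800   # seconds between the NTP epoch (1900) and the Unix epoch (1970)
KERBEROS_MAX_SKEW = 300        # five minutes, the tolerance the FAQ states


def ntp_to_unix(seconds, fraction):
    """Convert a 64-bit NTP timestamp (32-bit seconds, 32-bit fraction) to Unix time."""
    return seconds - NTP_EPOCH_DELTA + fraction / 2**32


def parse_sntp_response(data):
    """Return (t2, t3): the server's receive and transmit timestamps as Unix floats.

    Rejects packets that are too short, that are not a server reply (mode 4),
    or that come from an unsynchronised server (stratum 0), because an offset
    computed from those would be meaningless.
    """
    if len(data) < 48:
        raise ValueError("short NTP packet")
    if data[0] & 0x07 != 4:
        raise ValueError("not an NTP server reply")
    if data[1] == 0:
        raise ValueError("server is unsynchronised (stratum 0)")
    rx_s, rx_f, tx_s, tx_f = struct.unpack("!IIII", data[32:48])
    return ntp_to_unix(rx_s, rx_f), ntp_to_unix(tx_s, tx_f)


def clock_offset(t1, t2, t3, t4):
    """RFC 4330 offset: positive when the local clock is behind the server, negative when ahead.

    t1/t4 are the local send/receive times, t2/t3 the server's receive/transmit times.
    """
    return ((t2 - t1) + (t3 - t4)) / 2.0


def within_kerberos_skew(offset, max_skew=KERBEROS_MAX_SKEW):
    """True when the offset is inside the window Kerberos will accept."""
    return abs(offset) <= max_skew


def query_sntp(server="time.stanford.edu", timeout=3.0):
    """Send one SNTP request and return the measured offset in seconds (needs network access)."""
    request = b"\x1b" + b"\x00" * 47          # LI=0, version 3, mode 3 (client)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        t1 = time.time()
        sock.sendto(request, (server, 123))
        data, _ = sock.recvfrom(512)
        t4 = time.time()
    t2, t3 = parse_sntp_response(data)
    return clock_offset(t1, t2, t3, t4)


def build_sample_response(rx_unix, tx_unix, stratum=2):
    """Constructed server reply for offline testing (not a real capture)."""
    def to_ntp(t):
        whole = int(t)
        frac = min(int((t - whole) * 2**32), 2**32 - 1)
        return whole + NTP_EPOCH_DELTA, frac
    # byte 0: LI=0, VN=4, mode=4; byte 1: stratum; bytes 2-31: poll, precision,
    # root delay/dispersion, reference id, reference and originate timestamps (zeroed)
    header = bytes([0x24, stratum]) + b"\x00" * 30
    return header + struct.pack("!IIII", *to_ntp(rx_unix), *to_ntp(tx_unix))


if __name__ == "__main__":
    try:
        offset = query_sntp()
        verdict = "OK" if within_kerberos_skew(offset) else "TOO FAR: Kerberos will fail"
        print(f"local clock offset {offset:+.3f}s -> {verdict}")
    except (OSError, ValueError) as exc:
        print(f"could not measure offset: {exc}")
```

Run it on a machine where Kerberos is failing: an offset of more than about 300 seconds (either sign) is the clock problem this answer describes, and the fix is to enable the operating system's automatic time synchronisation rather than to adjust the clock by hand.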

For other problems with Kerberos on your system, submit a HelpSU request.

Why don't I get AFS tokens when using a Kerberos-aware ssh?

If your ssh client understands Kerberos, it can allow you to log on to other systems without having to re-enter your password. However, by default, for security, a Kerberos-aware ssh client doesn't forward your Kerberos tickets to the remote system. This means that while the remote system knows who you are, you don't have any tickets there to authenticate to other services, including AFS.

The solution is to enable ticket forwarding (ssh calls this delegation) for only those hosts that you trust. On UNIX and Mac OS X systems, for the command-line ssh client, you can do this by creating a file named config in a directory named .ssh in your home directory with the following contents:

    Host cardinal cardinal.stanford.edu
        GSSAPIDelegateCredentials yes

Replace the hostname with whatever trusted host you log on to. This enables credential delegation only to that host and not to any other (protecting you if, for example, you make a mistake in typing the name). Other Kerberos-aware ssh clients will hopefully have similar means for doing the same thing; check the documentation.
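As an added example (not code from this FAQ or from Stanford), the script below reads an OpenSSH client config and reports which Host patterns turn on GSSAPIDelegateCredentials, warning when delegation is enabled globally or for a wildcard pattern, since that forwards your tickets to every host you log on to rather than only the trusted one this answer describes. The sample config text is constructed for the example; the parser covers only the subset of ssh_config syntax this check needs.

```python
"""Report which Host patterns in an OpenSSH client config enable GSSAPI credential delegation.

Added example, not part of the Stanford FAQ. Handles the ssh_config subset the
check needs: comments, blank lines, Host/Match headers and 'Keyword value' or
'Keyword=value' lines. Negated patterns and Match conditions are reported as
written, not evaluated.
"""
import os
import re
from typing import Dict, List, Tuple

# Constructed sample (not from the FAQ): the per-host entry the FAQ describes,
# followed by a wildcard entry that would forward tickets to every host.
SAMPLE_CONFIG = """\
# trusted login host
Host cardinal cardinal.stanford.edu
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials yes

Host *
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials=yes
"""

_LINE = re.compile(r"^(\S+?)(?:\s*=\s*|\s+)(.+)$")


def parse_ssh_config(text: str) -> List[Dict]:
    """Split config text into blocks: {'patterns': [...], 'options': {keyword: value}}.

    Options that appear before any Host line apply to every host; they are
    collected under the pattern '(global)'. Keywords are lower-cased because
    ssh_config keywords are case-insensitive. Blocks with no options are dropped.
    """
    blocks = [{"patterns": ["(global)"], "options": {}}]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # '#' starts a comment
        if not line:
            continue
        m = _LINE.match(line)
        if not m:
            continue                          # keyword with no value; ignore
        key, value = m.group(1).lower(), m.group(2).strip()
        if key in ("host", "match"):
            blocks.append({"patterns": value.split(), "options": {}})
        else:
            blocks[-1]["options"][key] = value
    return [b for b in blocks if b["options"]]


def delegation_report(text: str) -> Tuple[List[str], List[str]]:
    """Return (delegating, risky).

    delegating: every pattern whose block sets GSSAPIDelegateCredentials yes.
    risky: the subset that is the global section or contains a wildcard, i.e.
    delegation to hosts you never named. ssh keeps the first value it finds
    for an option, so a 'Host *' block at the end still covers every host that
    no earlier block matched.
    """
    delegating, risky = [], []
    for block in parse_ssh_config(text):
        if block["options"].get("gssapidelegatecredentials", "no").lower() != "yes":
            continue
        for pattern in block["patterns"]:
            delegating.append(pattern)
            if pattern == "(global)" or "*" in pattern or "?" in pattern:
                risky.append(pattern)
    return delegating, risky


if __name__ == "__main__":
    path = os.path.expanduser("~/.ssh/config")
    if os.path.exists(path):
        with open(path) as fh:
            text = fh.read()
    else:
        text = SAMPLE_CONFIG
        print("no ~/.ssh/config found; checking the constructed sample instead")
    delegating, risky = delegation_report(text)
    print("delegation enabled for:", delegating or "nothing")
    for pattern in risky:
        print(f"WARNING: '{pattern}' delegates your Kerberos tickets to hosts you did not name")
```

The check goes slightly beyond the answer above: it also catches the common mistake of putting GSSAPIDelegateCredentials yes under Host * or at the top of the file, which defeats the purpose of naming only the hosts you trust.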

Was there a Stanford version of Kerberos for UNIX?

Stanford used to provide a modified version of Kerberos for UNIX systems. Compared to a normal Kerberos installation on UNIX, it had:

  • modifications to kinit so that it would automatically obtain both Kerberos v4 and Kerberos v5 tickets and AFS tokens,

  • additional support for parallel Kerberos v4 and Kerberos v5 realms with different names,

  • an additional client program, kftgt, which would forward Kerberos v4 tickets to another host, and klogin and krsh wrappers around Kerberos rlogin and rsh that would call kftgt first,

  • modifications to the Kerberos rlogin, rsh, and telnet servers to require .klogin or .k5login files in users' home directories before allowing Kerberos logins,

as well as some other local changes. These modifications were non-standard, aren't present in the Kerberos programs that come with current operating systems, and are mostly obsolete given the retirement of Kerberos v4. Stanford is therefore moving away from maintaining local modifications to Kerberos and towards using stock Kerberos software. The instructions found on these pages will work for unmodified Kerberos software.

What are Stanford's Kerberos servers?

Most people can install Stanford Desktop Tools, which takes care of configuring Kerberos on your system. UNIX system administrators should see the sysadmin guide. But if you can't install Stanford Desktop Tools or are configuring a system that won't run it, you may need to manually configure Kerberos.

Stanford's Kerberos realm is stanford.edu (all lowercase). Most Kerberos realms are uppercase, but ours is not.

Stanford's Kerberos servers (also called KDCs) are:

    krb5auth1.stanford.edu
    krb5auth2.stanford.edu
    krb5auth3.stanford.edu

The master KDC and admin server is krb5-admin.stanford.edu (used for password changes and other modifications).
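As an added example, not a file Stanford distributes, here is a minimal MIT Kerberos krb5.conf assembled from the values given in this answer: the lowercase realm stanford.edu, the three KDCs, and krb5-admin.stanford.edu as the admin server. The [domain_realm] section, which maps hosts under stanford.edu to the realm, is an assumption about host naming that this FAQ does not state; adjust it for your own hosts.

```ini
[libdefaults]
    # The realm name is case-sensitive; it must be lowercase, as the FAQ says.
    default_realm = stanford.edu

[realms]
    stanford.edu = {
        kdc = krb5auth1.stanford.edu
        kdc = krb5auth2.stanford.edu
        kdc = krb5auth3.stanford.edu
        # master KDC, used for password changes and other modifications
        admin_server = krb5-admin.stanford.edu
    }

[domain_realm]
    # assumed mapping: hosts in stanford.edu belong to the stanford.edu realm
    .stanford.edu = stanford.edu
    stanford.edu = stanford.edu
```

After installing the file as /etc/krb5.conf, `kinit yourid@stanford.edu` followed by `klist` confirms that tickets are issued from the realm as written; writing the realm as STANFORD.EDU would not match and kinit would fail.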

Last modified Monday, 31-Mar-2008 10:56:08 PM
