Kerberos

How do I reset my SUNet ID password online?

You can check the status of your SUNet ID or reset your password at the Accounts page.

If you know your current SUNet ID password and wish to change it, click on the Manage button, then Change password.

Is Stanford affected by Heartbleed?

The Internet is abuzz with news of the "Heartbleed" bug that affected the security of the majority of web servers in the world, as well as other computer systems that rely on OpenSSL code.

Can I use SSH public-key authentication to log into Stanford UNIX hosts?

Kerberos authentication is supported for single sign-on, but it is not possible to use SSH public-key authentication when connecting to Stanford hosts as a matter of policy. Public-key authentication does not integrate well with key elements of Stanford's UNIX infrastructure.

How do I keep my Stanford account safe?

The best ways to keep your account safe are to be aware of how to use Kerberos properly, be very careful about where you enter your password, and change your password periodically. Do not use your SUNet ID password for anything else; don't use it for your bank, for web site accounts, or for accounts on other systems. Do not give it out to anyone else. Your password protects your Stanford identity and must be treated with care.

How to: Uninstall Kerberos for Windows

In Windows, Kerberos is called MIT Kerberos.

In the Control Panel, use the Add/Remove Programs tool to uninstall MIT Kerberos. After uninstalling, restart your computer if prompted.

To remove MIT Kerberos for Windows:

What are Stanford's Kerberos servers?

Stanford Desktop Tools for Mac or Windows will configure Kerberos on your system. UNIX system administrators should see the sysadmin guide.

Why don't I get AFS tokens when using a Kerberos-aware ssh?

For security reasons, a Kerberos-aware ssh client doesn't forward your Kerberos tickets to the remote system. This means that while the remote system knows who you are, you don't have any tickets there to authenticate to other services, including AFS.

The solution is to enable ticket forwarding (ssh calls this delegation) for only those hosts that you trust.
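As an added example (not Stanford's own configuration or tooling), the Python script below audits an OpenSSH client configuration for ticket forwarding that is enabled for wildcard host patterns rather than for named, trusted hosts. It relies on OpenSSH's GSSAPIDelegateCredentials client option; the sample configuration and host names are constructed placeholders, and Match blocks are not handled.

```python
import re
import shlex

# Constructed sample ssh_config; the host names are placeholders.
SAMPLE_CONFIG = """\
# Too broad: tickets are forwarded to every host you connect to
Host *
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials yes

# Scoped: tickets are forwarded only to one named, trusted host
Host trusted.example.edu
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials yes

Host *.lab.example.edu
    GSSAPIDelegateCredentials no
"""

def parse_blocks(text):
    """Return [(host_patterns, {keyword: value})], one entry per Host block.
    Options before the first Host line apply to all hosts, so they are
    stored under the pattern '*'."""
    blocks = [(["*"], {})]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # ssh_config accepts both "Keyword value" and "Keyword=value"
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "host":
            blocks.append((shlex.split(value), {}))
        else:
            # keep the first value seen for a keyword within a block
            blocks[-1][1].setdefault(key, value.strip('"').lower())
    return blocks

def broad_delegation(text):
    """Return wildcard Host patterns that have ticket forwarding enabled."""
    findings = []
    for patterns, opts in parse_blocks(text):
        if opts.get("gssapidelegatecredentials") == "yes":
            findings += [p for p in patterns if "*" in p or "?" in p]
    return findings

if __name__ == "__main__":
    for pattern in broad_delegation(SAMPLE_CONFIG):
        print(f"delegation enabled for wildcard pattern: {pattern}")
```

To audit a real client configuration, pass the contents of ~/.ssh/config to broad_delegation() in place of the sample.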

Was there a Stanford version of Kerberos for UNIX?

Stanford used to provide a modified version of Kerberos for UNIX systems. These modifications were non-standard, aren't present in the Kerberos programs that come with current operating systems, and are mostly obsolete given the retirement of Kerberos v4.

How do I log out of Kerberos for Windows?

Open the Network Identity Manager menu and destroy the credential labeled yourSUNetID@stanford.edu.

To log out and destroy your Kerberos tickets:

1) Right-click the NIM icon to open the Network Identity Manager menu.
   The NIM icon looks like a cube. You'll find it in your System Tray in the lower right part of your screen.

About Kerberos

Kerberos is an authentication service between machines on an open network, and is the heart of Stanford's campus-wide security infrastructure.

How is Mailman different from Majordomo for list owners?

Now you can perform most list management functions through your list web site. Go to the Mailman web site at http://www.stanford.edu/services/mailman/ and click the Manage the lists I own link to configure each of your mailing lists.

What are the Kerberos servers in Stanford's Kerberos realms?

Stanford's Kerberos 4 realm is IR.STANFORD.EDU (all uppercase). Stanford's Kerberos 5 realm is stanford.edu (all lowercase). The IT Services authentication servers for Stanford's Kerberos 4 realm are:

  • auth1.stanford.edu
  • auth2.stanford.edu
  • auth3.stanford.edu

Any of these servers can be the admin server.

I'm using Linux. Why can't I view my files in AFS?

The most common reason you would be unable to view your files in AFS is that your Kerberos credentials have expired.

To see whether you have valid Kerberos credentials:

1) Run tokens.
2) If there are no tokens listed, your old tokens have expired. Obtain new credentials.

To obtain new credentials for AFS and Kerberos:

I'm using UNIX. Why am I getting timeout errors when I run kinit?

The most common reason for getting timeout errors when running kinit is that the clock on the local UNIX machine is out of sync with the campus clock. Kerberos relies on a fairly consistent time across the network.

To update your clock, run: /usr/pubsw/sbin/ntpdate time.stanford.edu

Why don't I have enough privileges to work with my own AFS files?

While working with AFS directories, you may get a message saying that you don't have enough privileges to make the change you are trying to make. Sometimes this is true; you might not have access to someone else's home directory to remove files, for example.