use syntax like "krbroot ssh linerva" when you want to use your
root instance for a command. You can also "krbroot shell".
- * quentin has [kdo](http://web.mit.edu/quentin/Public/mac-bashrc),
+ * quentin and broder wrote [kdo](http://web.mit.edu/snippets/kerberos/kdo),
which is similar in spirit to krbroot, but designed for Mac OS
X. It takes advantage of the fact that OS X's Kerberos
implementation is better at handling multiple tickets.
## Getting them
-You need to show up in person to IS&T User Accounts in N42 with a
+You need to show up in person to [IS&T User
+Accounts](http://ist.mit.edu/support/accounts) in
+[E17](http://whereis.mit.edu/?go=E17) during business hours with a
photo ID to obtain new Kerberos identities. For the reasons described
above, being in control of your null instance and sending a zephyr or
authenticated e-mail with it does not mean that you can go ahead and
make changes to your root or extra instance too. While you're there,
be sure to ask for a pts id, if you want to use your tickets with AFS.
+
+## Upgrading cryptographic strength
+
+You should change your root instance’s password with a command like this, to upgrade your key from critically weak DES encryption algorithm to strong AES encryption:
+
+ kadmin -p andersk/root -q 'cpw -e aes256-cts:normal andersk/root'
+
+(Note: This might make your password incompatible with a [handful of services](http://debathena.mit.edu/trac/ticket/529) that you should not have been using with your root instance in the first place.) You can confirm the change with
+
+ kadmin -p andersk/root -q 'getprinc andersk/root'
+
+which should list a line like
+
+ Key: vno 4, aes256-cts-hmac-sha1-96, no salt
sipb-www / wiki.git / blobdiff