X-Git-Url: https://sipb.mit.edu/gitweb.cgi/wiki.git/blobdiff_plain/537314853f3a4cfc77e68bc74eddcd6921bb5a7e..09dbb5f32f9845b266e83824ce658897f1e0f04b:/doc/root-instance.mdwn diff --git a/doc/root-instance.mdwn b/doc/root-instance.mdwn index 777bfed..301ed22 100644 --- a/doc/root-instance.mdwn +++ b/doc/root-instance.mdwn @@ -68,7 +68,7 @@ have developed shell scripts to make it easy to switch between them. use syntax like "krbroot ssh linerva" when you want to use your root instance for a command. You can also "krbroot shell". - * quentin has [kdo](http://web.mit.edu/quentin/Public/mac-bashrc), + * quentin and broder wrote [kdo](http://web.mit.edu/snippets/kerberos/kdo), which is similar in spirit to krbroot, but designed for Mac OS X. It takes advantage of the fact that OS X's Kerberos implementation is better at handling multiple tickets. 
@@ -100,9 +100,27 @@ extra instance's password instead. ## Getting them -You need to show up in person to IS&T User Accounts in N42 with a +You need to show up in person to [IS&T User +Accounts](http://ist.mit.edu/support/accounts) in +[E17](http://whereis.mit.edu/?go=E17) during business hours with a photo ID to obtain new Kerberos identities. For the reasons described above, being in control of your null instance and sending a zephyr or authenticated e-mail with it does not mean that you can go ahead and make changes to your root or extra instance too. While you're there, be sure to ask for a pts id, if you want to use your tickets with AFS. + +## Upgrading cryptographic strength + +You should change your root instance’s password with a command like this, to upgrade your key from critically weak DES encryption algorithm to strong AES encryption: + + kadmin -p andersk/root -q 'cpw -e aes256-cts:normal -e aes128-cts:normal andersk/root' + +(Note: This might make your password incompatible with a [handful of services](http://debathena.mit.edu/trac/ticket/529) that you should not have been using with your root instance in the first place.) You can confirm the change with + + kadmin -p andersk/root -q 'getprinc andersk/root' + +which should list a line like + + Key: vno 4, aes256-cts-hmac-sha1-96, no salt + +If you change your password again, you will need to specify your desired enctypes with the -e option; otherwise, they will be reset to the defaults.
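Review bot: in the first hunk (@@ -68,7 +68,7 @@), the new kdo link is plain http:// and points at a script that readers will use to handle their root-instance tickets. Link it over https if web.mit.edu serves that path, so the script cannot be altered in transit. The reworded attribution ("quentin and broder wrote") also no longer hints that the old target was a bashrc fragment, so a short word on how kdo is meant to be installed would help.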
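Review bot: in the second hunk (@@ -100,9 +100,27 @@), both kadmin commands under "Upgrading cryptographic strength" hard-code the principal andersk/root, so a reader who pastes them will try to authenticate as someone else's root instance. Use an obvious placeholder such as username/root and tell readers to substitute their own. The verification step only shows that an aes256-cts-hmac-sha1-96 key exists; since the goal is to move off DES, also tell readers to check that no DES key lines remain in the getprinc output. The closing sentence about repeating -e on later password changes is easy to miss and would sit better directly after the cpw command. Minor: "from critically weak DES encryption algorithm" is missing "the".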