X-Git-Url: https://sipb.mit.edu/gitweb.cgi/wiki.git/blobdiff_plain/6553da4ac008646227467f7d99ca4672716d2793..09dbb5f32f9845b266e83824ce658897f1e0f04b:/doc/root-instance.mdwn diff --git a/doc/root-instance.mdwn b/doc/root-instance.mdwn index 46666b1..301ed22 100644 --- a/doc/root-instance.mdwn +++ b/doc/root-instance.mdwn @@ -100,9 +100,27 @@ extra instance's password instead. ## Getting them -You need to show up in person to IS&T User Accounts in N42 with a +You need to show up in person to [IS&T User +Accounts](http://ist.mit.edu/support/accounts) in +[E17](http://whereis.mit.edu/?go=E17) during business hours with a photo ID to obtain new Kerberos identities. For the reasons described above, being in control of your null instance and sending a zephyr or authenticated e-mail with it does not mean that you can go ahead and make changes to your root or extra instance too. While you're there, be sure to ask for a pts id, if you want to use your tickets with AFS. + +## Upgrading cryptographic strength + +You should change your root instance’s password with a command like this, to upgrade your key from critically weak DES encryption algorithm to strong AES encryption: + + kadmin -p andersk/root -q 'cpw -e aes256-cts:normal -e aes128-cts:normal andersk/root' + +(Note: This might make your password incompatible with a [handful of services](http://debathena.mit.edu/trac/ticket/529) that you should not have been using with your root instance in the first place.) You can confirm the change with + + kadmin -p andersk/root -q 'getprinc andersk/root' + +which should list a line like + + Key: vno 4, aes256-cts-hmac-sha1-96, no salt + +If you change your password again, you will need to specify your desired enctypes with the -e option; otherwise, they will be reset to the defaults.