Kerberos
Kerberos at CSAIL
The CSAIL computing infrastructure uses Kerberos V5 at the core for authentication of many CSAIL services such as public login, ssh, OIDC, and AFS. Each CSAIL user has a CSAIL.MIT.EDU “Kerberos Principal”, which is a strong authentication credential that is built upon cryptographic techniques. By exchanging time-sensitive tickets, you can make transactions secure without sending passwords in plaintext over the network. Think of it as your passport to all of the computing and information services CSAIL has to offer.
Your CSAIL Kerberos account is unique from your MIT Kerberos (Athena) account.
How do I Get a CSAIL Kerberos Account?
How do I setup Kerberos on my client?
- CSAIL Kerberos on CSAIL Linux CSAIL Linux comes pre-configured for CSAIL Kerberos authentication
- CSAIL Kerberos on Windows
- CSAIL Kerberos on MacOS
- CSAIL Kerberos on GNU/Linux (fixed link 2019-02)
How do I change my Kerberos Password?
If you already know your password and want to change it:
- Run
kpasswdon any TIG-managed CSAIL Linux machine - Go to https://my.csail.mit.edu/home
- Mac OS: open Ticket Viewer.app “Change Password”.
- Windows: right-click Network Identity Manager (ice cube icon next to clock) “Change password.”
If you have forgotten your CSAIL Kerberos Password:
- Please send an email to help@csail.mit.edu
- Come by the TIG area room 32-270 or thereabouts during business hours with a valid photo ID and a system administrator can help you reset it.
CSAIL Kerberos Account Password requirements
In accordance with NIST SP800-63B version 4, we require:
- Minimum password length: 15
- Password must not contain username (or vice versa)
- Password must not be on a list of known trivial or compromised passwords
Existing accounts created before this policy was adopted in 2024 may have weaker passwords, but in the absence of compromise we do not force them to be changed. (Passwords older than July, 2019, were expired after a compromise.)
Not every user interface for changing passwords is currently able to check the database of compromised passwords.
Kerberos Credentials Expire After a While
By default, Kerberos tickets and AFS tokens expire automatically to protect your account. For automated tasks, long-running compute jobs, or persistent terminal sessions, you will need to use specific tools to prevent your Kerberos tickets from expiring. See the Guide to Long-Running and Uninterrupted Sessions for officially supported methods and important security policies.
What is Kerberos?
Pleasse see the MIT Kerberos release page.