Uniqname and Kerberos
Reference R1080
University of Michigan
Information Technology Division
February 1993
Information Technology Division
©1993
The Regents of the University of Michigan
All rights reserved. This publication may be reproduced or reprinted without the permission of the Information Technology Division of the University of Michigan as long as the above copyright statement and source are clearly acknowledged. This publication or any reproductions may not be sold.
Copyrights, trademarks, and servicemarks referred to in this documentation are the property of their respective owners.
Uniqname: Your Campus-Wide Computing Identification
Uniqname — a software package developed at the University of Michigan (U-M) to establish and maintain common login name and UNIX identification number spaces for all users on campus, simplifying the authentication process required to access data stored in cooperating file systems. A uniqname is an individual user’s login name stored in the campus-wide Uniqname database.
Kerberos — A password and security mechanism developed at MIT that is used during the authentication process in the Institutional File System (IFS), the campus computing sites, and other systems.
An increasing number of campus computers and computing services at the University of Michigan are using uniqnames and Kerberos passwords to identify users. What is a uniqname? What is a Kerberos password? What purposes do they serve, and how do you acquire them?
The increasing use of uniqnames and Kerberos passwords is driven by the move from a host-centric, mainframe computing environment to a distributed computing environment. In a host-centric environment, all the computing resources a user needs may be supplied by a single, central computer. Users “login” to the central computer to gain access to printers, tape drives, data files, and programs. All programs such as electronic mail, conferencing, database management systems, and number-crunching run on the central computer.
The same services are also available in a distributed computing environment. The services, however, are provided by specialized servers distributed across the network. Much of your day-to-day computing is probably done on a local workstation. When you access these services, your workstation acts as a client to the various servers. This is often called the client-server model. In a client-server model, the network plays an essential role: it provides the “highways” by which information is conveyed.
Because a distributed computing environment can contain a large number of servers, each supported by a different sponsoring organization, it can quickly become difficult for the service providers to coordinate information on the service users. Information may be needed on users to accomplish any of the following tasks:
• Identification: Identifying a user.
• Authentication: Verifying the identity of a user.
• Authorization: Allowing only authorized users access to a service.
• Allocation: Ensuring that sufficient resources are available to the user.
• Accounting: Recording the value of the services used.
• Billing: Billing for the services provided.
Uniqname and Kerberos are two solutions to the problem of coordinating service information in the expanding distributed computing environment on the U-M campus.
Uniqname and Kerberos: Identification and Authentication
Many computing services “permit” what users can do based in part on who they are. Uniqnames provide a user with campus-wide computing identification. Kerberos provides a user with a password for campus-wide proof of identity. By entering your Kerberos password along with your uniqname when you log into a system, you authenticate (demonstrate) that you are the owner of your uniqname. More and more services are using uniqnames and Kerberos passwords to identify and authenticate users:
• IFS (the Institutional File System) uses uniqnames and Kerberos to control file system access.
• The ITD Campus Computing Sites are now using uniqnames and Kerberos to allow access to machines.
• The Computer Aided Engineering Network (CAEN) also uses uniqnames and Kerberos passwords.
• In the form uniqname@umich.edu, a uniqname can also serve as a user’s e-mail name if the user has registered the local address where they want to receive mail in the X.500 database.
• Beginning in fall term 1992-93, users will be able to log in to X.500 using their uniqnames and Kerberos passwords and edit the information that X.500 contains about them.
What Does a Uniqname Look Like?
Note that uniqnames are not the same as MTS userIDs or DSC Top Secret userIDs.
A uniqname consists of three to eight lower case alphabetic characters. Since it is chosen by the user, it can be anything the user wishes. Uniqnames are allocated on a first-come, first-served basis. Traditional choices include initials, last names, or some combination of first name and initials. Oftentimes other members of the University community will need to remember your uniqname, so it helps to select a uniqname that is based on your real name. Examples of uniqnames are bettyk and jpsmith. You should avoid choosing a whimsical uniqname, because people whose opinions you care about may use it to send you e-mail, for example, an employer interviewing you for a job. As people become familiar with your uniqname, it may become difficult to change, so plan on your uniqname being yours permanently.
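The rules in this paragraph are concrete enough to check mechanically. The Python below is an added example, not part of the original guide and not the university’s Uniqname software: it models a Uniqname database that enforces the stated format (three to eight lower-case letters), refuses a name that is already held, answers the lookup an administrator makes to verify a presented name, and suggests free candidates derived from a real name in the traditional styles mentioned. The class and function names and the sample names are constructed for the example.

```python
import re

# Format rule stated in the guide: three to eight lower-case alphabetic characters.
UNIQNAME_RE = re.compile(r"[a-z]{3,8}")


def is_valid_uniqname(name: str) -> bool:
    """True if `name` satisfies the syntactic rule for a uniqname."""
    return UNIQNAME_RE.fullmatch(name) is not None


class UniqnameDatabase:
    """Toy model of the campus-wide Uniqname database (constructed for this
    example; not the university's Uniqname software)."""

    def __init__(self):
        self._owners = {}   # uniqname -> real name of the person who holds it

    def register(self, requested: str, owner: str) -> str:
        """Allocate `requested` to `owner`, first come, first served.

        Raises ValueError if the name is malformed or already held, so the
        caller can ask the user for another choice."""
        if not is_valid_uniqname(requested):
            raise ValueError(
                f"{requested!r}: a uniqname is 3 to 8 lower-case letters a-z")
        if requested in self._owners:
            raise ValueError(f"{requested!r} is already allocated")
        self._owners[requested] = owner
        return requested

    def lookup(self, uniqname: str):
        """Return the holder of a uniqname, or None if it is unallocated.
        This is the query an administrator makes to verify a presented name."""
        return self._owners.get(uniqname)

    def suggest(self, first: str, last: str, middle: str = ""):
        """Yield free, well-formed candidates derived from a real name in the
        styles the guide mentions: initials plus last name (jpsmith), last
        name alone, first name plus last initial (bettyk), full name cut to fit."""
        first, middle, last = (re.sub(r"[^a-z]", "", s.lower())
                               for s in (first, middle, last))
        candidates = [
            first[:1] + middle[:1] + last,   # jpsmith-style
            last,                            # smith
            first + last[:1],                # bettyk-style
            (first + last)[:8],              # full name, cut to 8 letters
        ]
        seen = set()
        for cand in candidates:
            if cand in seen or not is_valid_uniqname(cand) or cand in self._owners:
                continue
            seen.add(cand)
            yield cand


if __name__ == "__main__":
    db = UniqnameDatabase()
    db.register("bettyk", "Betty K.")
    print(db.lookup("bettyk"))                       # Betty K.
    print(list(db.suggest("Chris", "User", "T")))    # ['ctuser', 'user', 'chrisu', 'chrisuse']
```

The validator deliberately rejects upper-case letters, digits and punctuation rather than normalising them, so a user who types a name with a capital letter is told the rule instead of silently getting a different name.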
Campus-Wide Identification Before Uniqname
Unlike many forms of identification, your uniqname (but not your password) is meant to be freely communicated. By using your uniqname as your only computing identification, you make it easier both for yourself and others to remember your identification. Take the example pictured in Diagram 1 below:

Diagram 1: Many names, many passwords
The diagram shows that Chris T. User is working with two different computers (A and B) and two different remote file systems (U and E). Chris has four different login names and four different passwords, which are stored in four separate “password” files.
Why did Chris get four different login names? Users’ login names are often chosen for them (perhaps when class accounts are created), so users can’t tell the system administrator what login names they have elsewhere.
Campus-Wide Identification After Uniqname
Uniqname was designed to rationalize the process of assigning login names. When a user wants to gain access to another computer or computing service for the first time, the user presents his or her uniqname to the system administrator, who queries the Uniqname database to verify the name. If the user can’t remember his or her uniqname, the system administrator can query the X.500 database to get it. For the benefit of a user who doesn’t yet have a uniqname, many system administrators are also uniqname administrators and can create uniqnames for users.
Under the uniqname system shown in Diagram 2, Chris T. User is much better off. With the exception of Computer B, which doesn’t use uniqnames, Chris now has login names that match the uniqname that she was assigned. Chris has also simplified the password situation by changing the passwords she was assigned by the various systems to the same password, using each system’s method for changing passwords. Unfortunately, while the passwords are set to be the same, Chris will have to remember to change them individually in four places if she wants to change the “single” password to something new. It would be much more convenient if there were one campus-wide password file so that the password would only have to be changed in one place.

Diagram 2: Mostly uniqnames; passwords set to be the same by the user
Kerberos: Toward Campus-Wide Authentication
Another problem arising out of today’s computing environment is that many computer communications that used to be passed on secure point-to-point lines are now being transmitted using open broadcast media such as Ethernet and LocalTalk networks. Using commonly available programs, it is possible for relatively unsophisticated users to “tap” these media and eavesdrop on your communications with other computers. In response, some programs are encrypting sensitive information, such as passwords, before placing it on the network. Passwords should be considered extremely sensitive information; possession of a password and your uniqname is all that is necessary to impersonate you and thereby gain access to all computing services to which you have access.
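To make the eavesdropping risk concrete, the Python below simulates a shared network as a list of captured messages and compares two logins over it: one that sends the password in the clear, and a simplified challenge-response stand-in for what Kerberos achieves, in which the workstation only ever uses a key derived from the password and the password itself never appears on the wire. This is an added example, not from the original guide and not the Kerberos protocol itself; the SHA-256 key derivation, the HMAC authenticator, the function names and the sample password are assumptions made for the illustration, and real Kerberos exchanges encrypted tickets rather than an HMAC over a nonce.

```python
import hashlib
import hmac
import os

# Simulated shared medium: everything "sent" is appended here, so the list is
# exactly what an eavesdropper on the same Ethernet segment would capture.
wire = []


def send(src: str, dst: str, payload: bytes) -> None:
    wire.append((src, dst, payload))


def wire_contains(secret: str) -> bool:
    """True if the secret appears verbatim in any captured message."""
    return any(secret.encode() in payload for _, _, payload in wire)


# --- Scheme 1: the password itself travels over the network ---------------
def plaintext_login(password_file: dict, uniqname: str, password: str) -> bool:
    send("client", "server", f"{uniqname}:{password}".encode())
    _, _, msg = wire[-1]                         # the server reads the message
    name, pw = msg.decode().split(":", 1)
    return password_file.get(name) == pw


# --- Scheme 2: only a key derived from the password is ever used ----------
def user_key(password: str) -> bytes:
    """Key derived from the password. A Kerberos database stores such keys,
    not passwords; SHA-256 here is a stand-in for Kerberos' own string-to-key."""
    return hashlib.sha256(password.encode()).digest()


def kerberos_style_login(key_db: dict, uniqname: str, password: str) -> bool:
    # The server issues a fresh, unpredictable challenge.
    nonce = os.urandom(16)
    send("server", "client", nonce)
    # The workstation proves knowledge of the key without revealing it:
    # it sends an HMAC of the challenge under the password-derived key.
    authenticator = hmac.new(user_key(password), nonce, hashlib.sha256).digest()
    send("client", "server", uniqname.encode() + b":" + authenticator)
    # The server recomputes the authenticator from the key it holds for this user.
    stored_key = key_db.get(uniqname)
    if stored_key is None:
        return False
    expected = hmac.new(stored_key, nonce, hashlib.sha256).digest()
    return hmac.compare_digest(expected, authenticator)


if __name__ == "__main__":
    wire.clear()
    print(plaintext_login({"ctuser": "go-blue-93"}, "ctuser", "go-blue-93"),
          wire_contains("go-blue-93"))            # True True
    wire.clear()
    kdb = {"ctuser": user_key("go-blue-93")}
    print(kerberos_style_login(kdb, "ctuser", "go-blue-93"),
          wire_contains("go-blue-93"))            # True False
```

In both this stand-in and real Kerberos, a recorded exchange still lets someone try candidate passwords offline against the captured authenticator, which is why the password itself remains sensitive even though it is never transmitted.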

Diagram 3: Mostly uniqnames, using Kerberos password systems
Fortunately for Chris T. User, the system administrators of most of the computers and computing services Chris uses have adopted Kerberos. In Diagram 3 above, you can see that Computer A and File system U are now using the umich Kerberos database for authentication, while File system E is using the engin Kerberos database. Computer B is still not using Chris’ uniqname (a pre-condition for using Kerberos). This means that all authentication traffic between A, U, E, and the Kerberos servers will be handled securely.
One important thing to note is that while A, U, and E are all using Kerberos, they are not sharing the same Kerberos database. A and U are sharing the umich Kerberos database, while E is using the engin Kerberos database. This means that while the password used for A and U will always be the same, the password issued by E will be different unless one of the passwords is deliberately changed to match the other. This reflects the current state of affairs at U-M, where as of fall 1992, IFS and the Campus Computing Sites are sharing a single Kerberos database, but the CAEN database is separate.
Uniqname and Kerberos Q & A
Q: I don’t have a uniqname yet. Where can I get one?
A: You can obtain a uniqname and a umich Kerberos password at the Angell Hall Courtyard and NUBS sites on Central Campus, at the Art & Architecture site on North Campus, or from the ITD Accounts Office at 535 West William. If you don’t already have a uniqname when you get an IFS home directory, CAEN account, or LS&A UNIX ID, you will automatically get one as part of obtaining any of these services.
Q: Does using my uniqname for a login name automatically mean that my Kerberos password is valid for my departmental UNIX server?
A: No. A Kerberos password will only work if the system administrator has updated the system software to use Kerberos. A number of service providers at U-M are using the uniqname login IDs for identification, but they have not yet begun using Kerberos passwords for authentication.
Q: I was told that someone can get only one uniqname, but I have two. What gives?
A: There are a small number of people who in 1990 were “grandfathered” into the Uniqname database without proper identification and could therefore accidentally get an additional uniqname. These people will be asked to give up one of their uniqnames shortly. Some other people have login names that are not actually uniqnames, because they are not registered in the Uniqname database. To find out what your uniqname is, look up your entry in the X.500 database—if you use the maX.500 software, your uniqname should be in the lower right-hand corner.
Q: I’ve used my Kerberos password successfully at CAEN, so I know it’s correct. Why doesn’t it work on the Macintosh computers located at the Campus Computing Sites?
A: CAEN uses the engin Kerberos database to authenticate users, while ITD uses the umich Kerberos database. If you are a CAEN user and want to use the same password for both systems, obtain both an ENGIN and UMICH Kerberos password and change one to match the other.
CAEN users who have ENGIN Kerberos passwords can also use those passwords to access machines at the Campus Computing Sites. To do this, enter uniqname@engin.umich.edu when prompted for your uniqname (enter your uniqname, not the word “uniqname”). When asked for your password, you can then enter your ENGIN Kerberos password.
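The separate-database situation described under Diagram 3, and the uniqname@engin.umich.edu form in this answer, can be modelled directly. The Python below is an added example, not the original guide’s text and not the university’s software: it builds two toy Kerberos databases named umich and engin, attaches Computer A and File system U to umich, File system E to engin, and Computer B to a local password file as in Diagram 3, and shows that a kpasswd-style change in one database reaches every service on that database and none on the other, while a name entered as uniqname@engin.umich.edu is checked against the engin database. Class names, the realm suffixes (umich.edu and engin.umich.edu are assumed), the sample passwords and the login name on Computer B are constructed; the model keeps passwords as plain strings purely for readability.

```python
class KerberosDatabase:
    """Toy model of one Kerberos database. Passwords are kept as plain
    strings only so the model is easy to read; a real Kerberos database
    holds keys derived from passwords, never the passwords themselves."""

    def __init__(self, name: str, realm_suffix: str):
        self.name = name                  # "umich" or "engin", as in the guide
        self.realm_suffix = realm_suffix  # assumed: "umich.edu" / "engin.umich.edu"
        self._passwords = {}

    def add_user(self, uniqname: str, password: str) -> None:
        self._passwords[uniqname] = password

    def check(self, uniqname: str, password: str) -> bool:
        return self._passwords.get(uniqname) == password

    def change_password(self, uniqname: str, old: str, new: str) -> bool:
        """Models kpasswd: one change, seen by every service that
        authenticates against this database and by no other database."""
        if not self.check(uniqname, old):
            return False
        self._passwords[uniqname] = new
        return True


def resolve_database(entered_name: str, default_db, databases):
    """'chris' -> the service's own database; 'chris@engin.umich.edu' -> the
    database whose realm suffix matches, as the answer above describes."""
    if "@" not in entered_name:
        return default_db
    suffix = entered_name.split("@", 1)[1]
    return next((db for db in databases if db.realm_suffix == suffix), None)


class Service:
    """A computer or file system. `database` is None for a machine like
    Computer B, which still keeps its own local password file."""

    def __init__(self, label: str, database=None, local_passwords=None):
        self.label = label
        self.database = database
        self._local = dict(local_passwords or {})

    def login(self, entered_name: str, password: str, databases=()) -> bool:
        if self.database is None:
            return self._local.get(entered_name) == password
        db = resolve_database(entered_name, self.database, databases)
        if db is None:
            return False
        return db.check(entered_name.split("@", 1)[0], password)


def build_campus():
    """Diagram 3 with Chris T. User registered; all values are constructed."""
    umich = KerberosDatabase("umich", "umich.edu")
    engin = KerberosDatabase("engin", "engin.umich.edu")
    umich.add_user("chris", "umich-pw")   # issued by ITD
    engin.add_user("chris", "engin-pw")   # issued by CAEN, independently
    computer_a = Service("Computer A", umich)
    filesys_u = Service("File system U", umich)
    filesys_e = Service("File system E", engin)
    computer_b = Service("Computer B", local_passwords={"cuser": "b-pw"})
    return umich, engin, computer_a, filesys_u, filesys_e, computer_b


if __name__ == "__main__":
    umich, engin, a, u, e, b = build_campus()
    print(a.login("chris", "umich-pw"), e.login("chris", "umich-pw"))    # True False
    print(a.login("chris@engin.umich.edu", "engin-pw", (umich, engin)))  # True
    umich.change_password("chris", "umich-pw", "new-pw")
    print(u.login("chris", "new-pw"), e.login("chris", "new-pw"))        # True False
```

The model makes the practical consequence of the text visible: after the umich change, every umich service accepts the new password at once, but E still holds the old engin password until a second kpasswd is run there, and Computer B is untouched by either because it never consults a Kerberos database.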
Q: How do I change my Kerberos password?
A: If you are logged in to a UNIX system using a Kerberos password, enter the kpasswd command and follow the directions. From a Macintosh, run the Chooser program available under the Apple menu. Select the AppleShare icon; then select a fileserver that uses your Kerberos password and click "OK." In the fileserver menu, select the button in the bottom center of the menu labeled "Set Password," and follow the directions.
Q: I just got my uniqname and Kerberos password, but they don’t work on the NeXT machines at the Campus Computing Sites. Why not?
A: Unfortunately, the NeXT uses some proprietary software that makes it difficult for system administrators to give access to new users. As a result, it may take as long as a day before your new uniqname and Kerberos password can be used on the NeXT. You must also have an IFS home directory to make use of the NeXTs. IFS home directories are supplied by the ITD Accounts Office, 535 W. William Street. Please see Institutional File System User Overview, Reference R1070, for an application form and information on how to obtain an IFS home directory.
Q: How do I edit the information about myself in the X.500 database?
A: Users of the um-x500 server available at the MichNet Which Host? prompt can use their uniqnames and Kerberos passwords when updating information in the X.500 database.
Later in the fall 1992 term, Macintosh maX.500 users will be able to log in to the X.500 database using their uniqnames and umich Kerberos passwords. For now, maX.500 users wanting to edit information in X.500 will need a special X.500 password. To get one, contact the ITD Accounts Office.
Q: I’ve forgotten my Kerberos password. How do I get it reset?
A: You will need to visit a University office in person to get your password reset. Passwords for the engin Kerberos database can be reset at the CAEN office, 249 Chrysler Center. Passwords for the umich database can be reset at the Computing Resource Center (CRC), 3113 School of Education Building; at the Angell Hall Courtyard, NUBS, or Art & Architecture sites; or at the ITD Accounts Office.
Q: Where can I find out more about uniqnames and Kerberos?
A: Watch for more information in future issues of the Information Technology Digest, including topics such as Authorization, Allocation, Accounting, and Billing. Discussions on uniqnames and Kerberos are also taking place in the ifs:forum conference on MTS. To join the conference, enter the following command on um-mts:
$source ifs:forum