CLASSE Authentication
Wherever possible, new CLASSE systems and services authenticate using CLASSE usernames and passwords. For information on resetting your CLASSE password, please see UserAccountsAndPasswords. For information on CLASSE groups, please see ClasseGroups.
Password Reset
Use the following self-service form to reset your password.
https://www.classe.cornell.edu/pwm/
Kerberos Tickets ("Auto login")
CLASSE uses the Kerberos authentication protocol, so "tickets" are used to prove your identity to systems and services. For example, if you already have a valid ticket, you won't be prompted to type your password when ssh'ing into a remote CLASSE system or when browsing to restricted CLASSE wiki pages. If you do not already have a Kerberos ticket, or are accessing a CLASSE service from a web browser that does not support HTTP Negotiate authentication (see below), you will be prompted to log in using your CLASSE username and password.
Kerberos tickets are automatically granted whenever you type your password to ssh into a remote system, or log in to or unlock a system graphically. In addition, from a command line you can use the command
kinit -f
or
kinit -f username
to generate a ticket.
By default, tickets last 10 hours.
Unmanaged computers
In order to support kinit on non-CLASSE-managed computers, you may need to add CLASSE.CORNELL.EDU to the Kerberos configuration file on your system. One option is to use the attached edu.mit.Kerberos file. On Mac OS X systems, this should be copied to /Library/Preferences/edu.mit.Kerberos. On Linux systems, this should be copied and renamed to /etc/krb5.conf.
In addition, we recommend you add the following to the ~/.ssh/config file on your local / client computer:
GSSAPIAuthentication yes
GSSAPIDelegateCredentials yes
Shared or group accounts
Kerberos tickets can be used to grant access to a shared or group account by adding entries to that account's ~/.k5login file. For example, to give user1 and user2 access to groupaccount, /home/groupaccount/.k5login would look like:
groupaccount@CLASSE.CORNELL.EDU
user1@CLASSE.CORNELL.EDU
user2@CLASSE.CORNELL.EDU
Once the ~/.k5login file is set, anyone listed in that file can become the target user using their own Kerberos tickets. For example:
kinit -f user1
ssh groupaccount@lnx201
or
kinit -f user2
ksu groupaccount
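Because every principal listed in ~/.k5login can act as the account, the file is worth reviewing periodically. The following is an added example, not part of the original CLASSE page: a POSIX shell audit that flags principals outside the CLASSE.CORNELL.EDU realm and a file that other users can write to. The function names and the sample entries are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not CLASSE's own code): audit a .k5login file.
# Every principal listed in the file can log in as the account that owns it.
EXPECTED_REALM="CLASSE.CORNELL.EDU"   # realm named on this page

# audit_k5login FILE   (hypothetical helper name)
# Prints one finding per line; returns 0 if clean, 1 on findings, 2 if missing.
audit_k5login() {
    file=$1
    result=0
    if [ ! -f "$file" ]; then
        echo "ERROR: $file not found"
        return 2
    fi
    # A group- or world-writable file would let other local users add a principal.
    if [ -n "$(find "$file" -prune \( -perm -020 -o -perm -002 \))" ]; then
        echo "WRITABLE: $file"
        result=1
    fi
    while IFS= read -r line || [ -n "$line" ]; do
        # Trim surrounding whitespace and skip blank lines.
        principal=$(printf '%s\n' "$line" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
        [ -n "$principal" ] || continue
        case $principal in
            *@"$EXPECTED_REALM") echo "OK: $principal" ;;
            *@*) echo "FOREIGN-REALM: $principal"; result=1 ;;
            *)   echo "NO-REALM: $principal"; result=1 ;;   # depends on host default realm
        esac
    done < "$file"
    return "$result"
}

# write_sample FILE: constructed sample input, not a real CLASSE file.
write_sample() {
    printf '%s\n' \
        'groupaccount@CLASSE.CORNELL.EDU' \
        'user1@CLASSE.CORNELL.EDU' \
        'user2@CLASSE.CORNELL.EDU.EXAMPLE' \
        'user3' > "$1"
    chmod 600 "$1"
}

# Run as: sh audit_k5login.sh /home/groupaccount/.k5login
if [ "$#" -ge 1 ]; then
    audit_k5login "$1"
fi
```

On the constructed sample, the first two entries are reported as OK, the third as FOREIGN-REALM, and the fourth as NO-REALM.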
Web Services
To gain access to web services that authenticate against CLASSE (for example, https://wiki.classe.cornell.edu, https://svn01.classe.cornell.edu, etc.), you must authenticate using your CLASSE username and password.
Most CLASSE web services are configured to first try HTTP Negotiate authentication (using existing Kerberos tickets instead of prompting the user for a password) and then fall back to basic authentication (prompting for username and password). Therefore, if you have already obtained a Kerberos ticket by logging into a CLASSE computer or using kinit as described above, you will not be prompted to authenticate when interacting with CLASSE services from the command line or from browsers that support HTTP Negotiate authentication. Safari supports this by default. Firefox must be configured to support this (see below). This is by far the best way to interact with CLASSE services.
Firefox
Please follow these steps to configure Firefox to support HTTP Negotiate authentication. By default, all managed CLASSE systems should already have this configuration set.
- In the address bar of Firefox, type about:config to display the list of current configuration options.
- In the Filter field, type negotiate to restrict the list of options.
- Double-click the network.negotiate-auth.trusted-uris entry to display the "Enter string value" dialog box.
- Double-click the network.negotiate-auth.delegation-uris entry to display the "Enter string value" dialog box.
For more, please see https://ping.force.com/Support/PingFederate/Integrations/How-to-configure-supported-browsers-for-Kerberos-NTLM
Current Status
Most importantly, anytime you are prompted for "CLASSE Username," "CLASSE Credentials," or "CLASSE Authentication," use your CLASSE username and password.