CLASSE Authentication

Wherever possible, new CLASSE systems and services authenticate using CLASSE usernames and passwords. For information on resetting your CLASSE password, please see UserAccountsAndPasswords. For information on CLASSE groups, please see ClasseGroups.

Password Reset

Use the following self-service form to reset your password.

https://www.classe.cornell.edu/pwm/

Kerberos Tickets ("Auto login")

CLASSE uses the Kerberos authentication protocol, so "tickets" are used to prove your identity to systems and services. For example, if you already have a valid ticket, you won't be prompted to type your password when ssh'ing into a remote CLASSE system or when browsing to restricted CLASSE wiki pages. If you do not already have a Kerberos ticket, or are accessing a CLASSE service from a web browser that does not support HTTP Negotiate authentication (see below), you will be prompted to log in using your CLASSE username and password.

Kerberos tickets are automatically granted whenever you type your password to ssh into a remote system, or to log in to or unlock a system graphically. In addition, from the command line you can use the command kinit -f or kinit -f username to generate a ticket.

By default, tickets last 10 hours.

Unmanaged computers

To support kinit on non-CLASSE-managed computers, you may need to add CLASSE.CORNELL.EDU to the Kerberos configuration file on your system. One option is to use the attached edu.mit.Kerberos file. On Mac OS X systems, this should be copied to /Library/Preferences/edu.mit.Kerberos. On Linux systems, this should be copied and renamed to /etc/krb5.conf.

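In addition, we recommend you add the following to the ~/.ssh/config file on your local / client computer. GSSAPIAuthentication lets ssh authenticate with your Kerberos ticket, and GSSAPIDelegateCredentials forwards that ticket to the remote system:
GSSAPIAuthentication yes
GSSAPIDelegateCredentials yes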

Shared or group accounts

Kerberos tickets can be used to grant access to a shared or group account by adding entries to that account's ~/.k5login file. For example, to give user1 and user2 access to groupaccount, /home/groupaccount/.k5login would look like:
groupaccount@CLASSE.CORNELL.EDU
user1@CLASSE.CORNELL.EDU
user2@CLASSE.CORNELL.EDU

Once the ~/.k5login file is set, anyone listed in that file can become the target user using their own Kerberos tickets. For example:
kinit -f user1
ssh groupaccount@lnx201
or
kinit -f user2
ksu groupaccount
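
Because every principal in ~/.k5login can become the account, the file is worth checking before relying on it. The following is an added example, not part of CLASSE's own tooling: the function name audit_k5login, the simplified principal pattern and the constructed entries (user3, EXAMPLE.ORG) are assumptions, while the realm and the first two entries follow the example above.

```python
import os
import re
import tempfile

REALM = "CLASSE.CORNELL.EDU"  # realm used on this page
# Simplified principal shape (assumption): primary[/instance]@REALM
PRINCIPAL = re.compile(r"^[\w.-]+(?:/[\w.-]+)?@([A-Za-z0-9.-]+)$")

def audit_k5login(path, account, realm=REALM):
    """Return a list of findings for one .k5login file; empty means clean."""
    findings = []
    if os.stat(path).st_mode & 0o022:  # others could add their own principal
        findings.append("file is group- or world-writable")
    seen = set()
    with open(path, encoding="utf-8") as fh:
        for num, raw in enumerate(fh, 1):
            entry = raw.strip()
            if not entry:
                continue
            match = PRINCIPAL.match(entry)
            if not match:
                findings.append(f"line {num}: not a principal: {entry!r}")
            elif match.group(1) != realm:
                findings.append(f"line {num}: outside {realm}: {entry}")
            elif entry in seen:
                findings.append(f"line {num}: duplicate: {entry}")
            seen.add(entry)
    if f"{account}@{realm}" not in seen:
        findings.append(f"{account}@{realm} (the account itself) is not listed")
    return findings

def demo():
    """Audit a constructed sample file (not a real CLASSE account)."""
    sample = (
        "groupaccount@CLASSE.CORNELL.EDU\n"
        "user1@CLASSE.CORNELL.EDU\n"
        "user2@EXAMPLE.ORG\n"          # constructed: wrong realm
        "user1@CLASSE.CORNELL.EDU\n"   # constructed: duplicate
        "user3\n"                      # constructed: no realm
    )
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, ".k5login")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(sample)
        os.chmod(path, 0o664)          # constructed: group-writable
        return audit_k5login(path, "groupaccount")

if __name__ == "__main__":
    print("\n".join(demo()))
```
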

Web Services

To gain access to web services that authenticate against CLASSE (for example, https://wiki.classe.cornell.edu, https://svn01.classe.cornell.edu, etc.), you must authenticate using your CLASSE username and password.

Most CLASSE web services are configured to first try HTTP Negotiate authentication (using existing Kerberos tickets instead of prompting the user for a password) and then fall back to basic authentication (prompting for username and password). Therefore, if you have already obtained a Kerberos ticket by logging into a CLASSE computer or using kinit as described above, you will not be prompted to authenticate when interacting with CLASSE services from the command line or from browsers that support HTTP Negotiate authentication. Safari supports this by default. Firefox must be configured to support this (see below). This is by far the best way to interact with CLASSE services.

Firefox

Please follow these steps to configure Firefox to support HTTP Negotiate authentication. By default all managed CLASSE systems should already have this configuration set.
  1. In the address bar of Firefox, type about:config to display the list of current configuration options.
  2. In the Filter field, type negotiate to restrict the list of options.
  3. Double-click the network.negotiate-auth.trusted-uris entry to display the "Enter string value" dialog box.
    • Enter classe.cornell.edu
  4. Double-click the network.negotiate-auth.delegation-uris entry to display the "Enter string value" dialog box.
    • Enter classe.cornell.edu

For more, please see https://ping.force.com/Support/PingFederate/Integrations/How-to-configure-supported-browsers-for-Kerberos-NTLM

Current Status

Most importantly, anytime you are prompted for "CLASSE Username," "CLASSE Credentials," or "CLASSE Authentication," use your CLASSE username and password.

| System or Service | Authentication System | Notes |
|---|---|---|
| Scientific Linux 7 | CLASSE | |
| Windows 10 | CLASSE | |
| wiki | CLASSE | |
| svn01 | CLASSE | See SubVersion for more information. |
| cesrwww | CLASSE | CESRWWW wiki and web server |
| www.classe.cornell.edu | CLASSE | |
| accserv | CLASSE | Accelerator Subversion Repository |
| Training database | CLASSE | |
| EDMS | CLASSE | |
| cesrweb | CLASSE | Legacy cesr web server |
| ELOG | CLASSE | |

Topic revision: r23 - 09 Sep 2021, JamesPulver