CLASSE User Accounts and Passwords -- detailed description
Note: In the coming months the Laboratory will be transitioning to a single central system for authenticating CLASSE personnel and authorizing their access to CLASSE IT resources. To simplify this transition, you may consider setting all of your CLASSE passwords to a single value. For more information, and documentation on resetting most of your CLASSE passwords, please see Computing/UserAccountsAndPasswords.
As of January 14, 2014, all CLASSE Linux computers which run Scientific Linux V6 are using CLASSE Active Directory domain authentication. The first to be migrated was LNX201, which is often used from off campus. Unfortunately, the older VMS, Tru64 and Solaris systems cannot be made compatible with Microsoft's Kerberos service, but very few people need access to those systems. We strongly urge that you set all of your CLASSE passwords to the same value, so when the changeover to CLASSE authentication happens, you won't notice it because you'll still be using the same password. More information will be available in the near future.
Each of your accounts has its own username and password and exists independently from any other account. Changing your password for one account does not affect any other account you have at Cornell or CLASSE.
You have at least five (5) computer accounts with passwords at CLASSE:
- Windows AD - CLASSE (Microsoft Kerberos)
- Unix/Linux Interactive login (MIT Kerberos) - Legacy
- Unix/Linux network (MIT Kerberos) - Legacy
- VMS (not kerberized) - Legacy
- Replicon (not kerberized)
- Vacation/Sick leave (no longer CLASSE: now a central Cornell service)
1. Windows - CLASSE
CLASSE now has a single Active Directory Windows domain: the older LNSNTCAD domain has been shut down. Starting in January, 2013, your CLASSE userid and password are needed to access Windows SAMBA network file shares and the CLASSE VPN. As of May 28, 2013, they are used to access the CLASSE Wiki (Foswiki) at https://wiki.classe.cornell.edu/
Starting on October 21, 2013, they are used by some Linux computers. As of January, 2014, they are used by all Linux computers running Scientific Linux v6.
Except in very special cases, usernames in the CLASSE domain are the same as a person's Cornell NetID, but must not use the same password as that NetID.
You should change your CLASSE password periodically. Active Directory has a maximum password lifetime of 999 days, after which it'll be automatically expired, forcing you to change it.
- To change your Windows CLASSE password from any computer, use your favorite Web browser to go to
- To change your Windows CLASSE password, after logging onto a CLASSE Windows PC which is part of the CLASSE domain, press CTRL-ALT-DEL and click on the Change a password... line.
- To change your Windows CLASSE password from a Mac or Linux computer on the CLASSE network or VPN, you can use the kpasswd command in a terminal window:
- kpasswd youruserid@CLASSE.CORNELL.EDU
- If you aren't at CLASSE, or don't have easy access to a CLASSE Windows computer, you can login remotely to a Linux computer as above, or on a virtual Windows 7 computer to change your CLASSE password. Remote login instructions are available at Windows remote access instructions.
When you login on a CLASSE Windows computer which is in the CLASSE domain, be sure to select "Log on to: CLASSE". Do not select "this computer". All CLASSE Windows 7 computers are members of the CLASSE domain. You may need to click on the "Options >>" button to see this selection.
Use this procedure to change your password on the virtual Windows 7 computer at Windows remote access instructions:
- Send Ctrl-Alt-Del
- You then should get a new screen display which shows a list of options:
- Lock this computer
- Switch User
- Log off
- Change a password...
- Start Task Manager
- [ Cancel ]
- The individual items are text strings that you can click on. [ Cancel ] is the only one which looks similar to a physical button.
- Click on the text "Change a password..." to get the change-password dialog.
2. LNS UNIX interactive
Used to log in to Solaris and Tru64 systems and to legacy SL5 and older managed Linux computers.
Your LNS UNIX interactive login password must be changed at least every 3 years for it to remain valid.
To change your LNS UNIX interactive login password:
- login interactively to any CLASSE UNIX or Linux system (e.g. use ssh or PuTTY to LNX201.CLASSE.cornell.edu or LNS101.LNS.cornell.edu)
- type the command kpasswd youruserid/@LNS.CORNELL.EDU
- If you receive a "command not found" error, type the command /usr/bin/kpasswd to use the full path to kpasswd.
- To change your LNS interactive password (i.e. the password associated with your LNS Kerberos principal)
- login interactively (i.e. ssh to or use PuTTY to login on) LNS101.LNS.CORNELL.EDU using your LNS interactive userid and password
- type the command
- provide your current LNS interactive password
- twice provide your new LNS interactive password
Your CLASSE UNIX interactive login password will expire three years after you change it.
3. LNS UNIX network
Used to log in to the Unix Mail server and a few CLASSE internal services (including Request Tracker (RT) and other Web programs which use Kerberos "w4restrict" authentication).
You change your network principal (/net password) using the knetpw command and your LNS Unix login password.
- Login interactively on any LNS UNIX system (such as LNS101.LNS.CORNELL.EDU).
- Type the command: knetpw
- Enter your existing LNS Unix interactive login password (the one you used to login on LNS101)
- Enter your new /net password.
- Confirm your new /net password.
- All messages from knetpw are error messages, even if they don't look like errors. It says nothing at all if you manage to set a new password. If you see "change_password: Password is in the password dictionary while changing password for", this error message indicates that the new password was NOT accepted. Please try a different password.
(*These instructions do NOT apply to Replicon, which doesn't use Kerberos authentication. Replicon has its own separate login and password. See below.)
Your CLASSE Unix network password does not expire.
To change your VMS password, log onto a VMS machine (ssh to lns62.lepp.cornell.edu) and type the command SET PASSWORD.
Accounts on the CESR VMS control cluster are separate from LNS62 accounts. VMS Control cluster passwords must be changed on CESR29.
Your VMS password does not expire.
- Configuring your password for CLASSE's Replicon time accounting software is described on the Wiki page RepliconQuickstart. The program can be accessed on the Replicon server.
When you became a member of CLASSE, you were given accounts on our VMS, UNIX, and CLASSE domains.
Your UNIX account is unique in that it has both an interactive password and a network password (aka "Network Principal"). The interactive password is used to logon to the small number of CLASSE Unix machines, and the network password is used for access to a few restricted CLASSE services and the Unix mail servers.
CLASSE Password Requirements
Cornell provides a Web page for testing the strength of passwords at https://netid.cornell.edu/psc/lookup.html
CLASSE and LNS UNIX Kerberos passwords have requirements enforced by built-in policies. The default policy requires a minimum of 8 characters from at least 3 classes. The five possible classes are lowercase, uppercase, numbers, punctuation, and all other characters. This requirement is more stringent than it used to be. It now is the same as Cornell's NetID password requirement.
Also, a password may not be:
- a previously used password
- a single word or proper name found in any dictionary
- a single word or proper name found in any dictionary spelled backward
- a word found in a dictionary but with its letters replaced by visually similar numbers or symbols (aka leet speak -- see http://en.wikipedia.org/wiki/Leet )
- some common two-word combinations
for a description of Cornell's requirements and suggestions for generating a password.
Because of the ancient design of VMS, its passwords have other requirements. The only special characters VMS accepts are underscore "_", hyphen "-", dollar "$" and percent "%". Also, VMS is not case-sensitive: it does not distinguish between upper and lower case letters.
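The following Python sketch is an added example, not CLASSE's or the Kerberos server's own code. It approximates the default policy above (length, character classes, dictionary, backward and leet-speak checks) and tests whether one password would also be accepted by VMS, which matters if you set all CLASSE passwords to the same value. The wordlist and substitution table are constructed samples, and the previously-used-password and two-word-combination rules are not modelled.

```python
import string

# Constructed sample wordlist; a real password dictionary is far larger.
SAMPLE_DICTIONARY = {"password", "cornell", "synchrotron", "welcome"}

# Assumed table of visually similar substitutions, mapped back to letters.
LEET = str.maketrans("0134579@$!", "oieastgasi")

# The only special characters the page says VMS accepts.
VMS_SPECIALS = set("_-$%")


def char_classes(pw):
    """Return which of the five classes named in the policy appear in pw."""
    classes = set()
    for ch in pw:
        if ch in string.ascii_lowercase:
            classes.add("lowercase")
        elif ch in string.ascii_uppercase:
            classes.add("uppercase")
        elif ch in string.digits:
            classes.add("numbers")
        elif ch in string.punctuation:
            classes.add("punctuation")
        else:
            classes.add("other")
    return classes


def kerberos_policy_problems(pw, dictionary=SAMPLE_DICTIONARY):
    """List the reasons pw would fail the default policy (empty list = passes)."""
    problems = []
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    if len(char_classes(pw)) < 3:
        problems.append("fewer than 3 character classes")
    folded = pw.lower()
    if folded in dictionary:
        problems.append("dictionary word")
    elif folded[::-1] in dictionary:
        problems.append("dictionary word spelled backward")
    elif folded.translate(LEET) in dictionary:
        problems.append("dictionary word in leet speak")
    return problems


def vms_compatible(pw):
    """True if pw uses only ASCII letters, digits and the VMS special characters."""
    return all(ch.isascii() and (ch.isalnum() or ch in VMS_SPECIALS) for ch in pw)
```

Because VMS ignores case, a password that relies on uppercase for its third character class is weaker there than the class count suggests.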
CORNELL E-mail, NetIDs, Passwords, and other Cornell Computing Services
Cornell maintains its own Computer Services, including Cornell E-mail, NetIDs, and Passwords. The Cornell NetID and Password are required for accessing and/or forwarding Cornell E-mail, as well as accessing Kronos (Cornell Employee Timecards), Cornell Workday, and other Cornell Computing Services.
- 31 Jan 2014