How can I change my pass­word?

You can reset your password on the page serviceportal.math.uni-paderborn.de. To do this, log in on the linked page with your current login data.

Select the "Settings" tab, Enter your old password in the upper field and the new password in the two lower fields. Complete the process with the "Confirm" button.

What is Ker­ber­os?

Kerberos is an authorisation service with which users, computers or services can authorise themselves to other users, computers or services. It supports encrypted connections and enables single sign-on: a user only has to enter their password once during the entire session. In addition to symmetric cryptography, Kerberos uses a so-called ticket-based procedure. Tickets are electronic ID cards that users and computers use to identify themselves to each other. When a user logs on to the system, they receive - in simple terms - a ticket with which they can identify themselves to all of the system's services (such as ssh or IMAP).

kpass­wd - How do I change my pass­word?

To change your own password, Kerberos provides the command 'kpasswd'. In order to change the password, a person must already have a valid Kerberos ticket. Normally (e.g. after logging in) this is the case, so a simple 'kpasswd' is sufficient:

$ kpasswd
Password for dhilbert@MATH.UNI-PADERBORN.DE:
Enter new password:
Enter it again:

klist - How can I find out which tick­ets I cur­rently have?

To display a list of all currently valid tickets, use the 'klist' command:

$ klist
Ticket cache: FILE:/tmp/krb5cc_56510_3pfHET
Default principal: dhilbert@MATH.UNI-PADERBORN.DE

Valid starting Expires Service principal
28.06.2019 10:41:43 28.06.2019 20:41:43 krbtgt/MATH.UNI-PADERBORN.DE@MATH.UNI-PADERBORN.DE
renew until 29.06.2019 06:41:43

kinit - How do I get new tick­ets?

Tickets are generated automatically as long as a person has a "Ticket Granting Ticket" - a kind of general ID card with which a person can identify themselves universally. This ticket is generated the first time you log in, but only lasts for 10 hours for security reasons. After that, it becomes invalid. To request a new ticket granting ticket, use the command 'kinit':

$ kinit
Password for dhilbert@MATH.UNI-PADERBORN.DE:

The new ticket granting ticket has a lifetime of 10 hours again. After that, a new one must be requested if required.

kdes­troy - How do I des­troy tick­ets?

Sometimes it makes sense to invalidate your own tickets, e.g. if you leave the computer and want to be on the safe side. The 'kdestroy' command is available for this purpose:

$ kdestroy

What is Se­cure Shell?

ssh stands for secure shell and is a programme for logging on to a remote computer and executing commands. ssh offers secure encrypted communication even over an insecure network.

Together with ssh, the programme scp is installed in the mathematics network, with which files can be copied between two computers in encrypted form. (Further information can be found below in the explanation of "Alternatives to ftp").

 

How do I use ssh?

You can use ssh within the maths networks without any further preparation. The following command establishes an encrypted connection to the kepler computer and wants to log in the user name of the local computer:

 

$ ssh kepler

If you want to use a different user name than the one on the local computer, you can do this as follows (assuming the user is called user):

$ ssh user@kepler

The remote computer then normally requires the password of the user:in user to be logged in.

For which op­er­at­ing sys­tems is ssh avail­able?

In principle, there is an implementation of ssh for every operating system.

Under Linux, OpenSSH can be used via the terminal with the ssh command.
The PuTTY programme is available under Windows. Microsoft has also included ssh in Windows 10 since version 1809. Similar to Linux, ssh can be used via the command line (cmd) or PowerShell.

How do I cre­ate a pub­lic-key au­then­tic­a­tion with ssh?

1. if you do not yet have a $HOME/.ssh directory, you must create one with

cd ~

mkdir .ssh

chmod 700 .ssh

2. to generate a key pair, you must use

gudrun@vieta[~]>>ssh-keygen -b 2048 -t dsa -f identity

to generate a key pair. You will be asked for a password for the key. A password can be entered, but is not mandatory.

gudrun@vieta[~]>>ssh-keygen -b 2048 -t das -f identity

Generating public/private das key pair.

Enter passphrase (empty for no passphrase):

Enter same passphrase again:

Your identification has been saved in /gauss/user/gudrun/.ssh/id_dsa. Your public key has been saved in /gauss/user/gudrun/.ssh/id_dsa.pub.

The key fingerprint is: 0f:9d:ff:48:59:42:71:10:00:f9:09:a8:55:34:ab:8a my key

Two keys are generated.

identity.pub -> public key

identity -> secret key

What al­tern­at­ives are there to FTP?

With ftp, the data is transported in plain text over the network. Alternatively, you can use scp. The following example copies the file test.txt from the news directory of the local computer to the computer kepler in the home directory of the user user:

user@laptop [~]$ scp test.txt kepler:

Conversely, if the file test.txt is to be copied from the user software from the computer kepler to the current local directory, the command is:

$ scp software@kepler:test.txt

As with the cp command, scp also supports the recursive copying of entire directories with the -r option.

How ssh works

When logging in from computer A to computer B, ssh first checks the so-called host_key. This ensures that computer B is actually computer B and not a computer pretending to be computer B. A file with the name known_hosts is used for this mechanism. Here, ssh first searches for a global, centrally managed file in which the system administrator enters the host_keys after installing the computers. If no entry for the corresponding computer is found there, the local file of the respective user:in under $HOME/.ssh/known_hosts is checked. If the identity of computer B can be verified using these files, computer A and computer B are connected. If host B is still unknown to the system, you will receive the following query:

The authenticity of host 'kepler.math.uni-paderborn University.de (131.234.116.31)' can't be established.
ECDSA key fingerprint is SHA256:X.
Are you sure you want to continue connecting (yes/no)?

Note: The current fingerprints of our servers can be found under Fingerprints. Only connect to servers that you can trust. If you select yes, the host_key of computer B is automatically stored in your personal file $HOME/.ssh/known_hosts. The next time you log on to computer B, the host_key will be known and you will no longer receive the above error message. The connection between computer A and computer B is now established. The next step is to authenticate the user:in. To do this, ssh either uses the public key method or asks for the password. Once authentication is complete, the shell is available.

ssh con­nec­tion without pass­word entry

If you do not always want to enter your password when using ssh (or scp), you must enter the public key of your ssh-key in the file ~/.ssh/authorised_keys (as one line).

Fur­ther in­form­a­tion

A detailed documentation of the individual commands can be found in the corresponding man pages.