UCAR Central Authentication Server (UCAS) Passwords are necessary to access some internal UCAR systems, but not for accessing the NCAR supercomputers and other resources that CISL manages.
Authorized personnel can request UCAS Passwords for users via the Admin tab in the UCAR People Search portal. If you already have an authentication token (a YubiKey token or a CRYPTOCard keypad), you can create or reset your own UCAS Password at https://kcreate.ucar.edu. You will be assigned a temporary passphrase, which you will then change at https://kpasswd.ucar.edu.
A strong password is the first line of defense for an individual computer user's account. This document provides the information you need to help keep your account and NCAR computers secure.
For example, the following are equally ineffective:
Hackers are well aware of all these tricks and can easily break such passwords.
You can create a strong and memorable password—or passphrase—by building a phrase or sentence that is known only to you and using multiple words and both upper- and lower-case letters, with some punctuation and numbers. Longer is stronger. Many people find it easier to remember shocking nonsense phrases that they would never say aloud than to remember shorter acronyms.
Here are two non-shocking examples of passphrases:
Note 1: Since the passwords shown here are in a public document, do not use any of them for your personal password.
Note 2: We avoided blanks and single quotes in the above passphrases because those two characters cause problems on some systems.
Keep your passphrase private. Do not share it with anyone. Do not write it down where it can be found by others or identified as your passphrase for UCAR. If you find it absolutely necessary to write something down, do not write the phrase itself, but rather a hint that will remind only you of the passphrase. Do this on a card with no other information about where it applies, in case the card is stolen, and keep it safe. Good places are in a wallet or fireproof home safe.
The safest place to change your passphrase is on your UCAR workstation if you have one, or on the first UCAR host you normally log into.
If necessary, you can change your password on a central UCAR Kerberos familiarization host or web site.
To change your password on a UCAR command line host, you will run either of the following commands:
It will ask you for your old password, request the new one, and finally ask you to confirm the new one to avoid potential problems caused by typos.
If you are asked on a UCAR host for the old password for username@CIT.UCAR.EDU, username@MIT.EDU, or some other realm instead of UCAR.EDU, you can start over and specify UCAR this way: kpasswd username@UCAR.EDU.
If you are connecting from outside UCAR, or you do not know which of your division's hosts to use for the password change, you can ssh to our familiarization and password change system, kpasswd-ssh.ucar.edu. This replaces the old password.ucar.edu system formerly used for the same purpose.
These are the ssh key fingerprints for kpasswd-ssh.ucar.edu, for use when you connect from a host that does not have a copy of the canonical UCAR ssh known hosts file:
1024 5a:15:e6:01:53:26:fc:46:3f:89:04:d6:20:0c:0d:d3 (DSA)
2048 8b:00:7a:98:ed:1b:e3:32:cd:09:eb:ba:f8:a9:e0:d3 (RSA)
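The fingerprints above are in the legacy MD5 colon-hex form. The following sketch is an added example, not part of the original UCAR documentation: it recomputes that form from a host-key line in `ssh-keyscan` / known_hosts layout and compares it with the published values. The function names and the sample key line are assumptions made for illustration.

```python
import base64
import hashlib
import struct

# MD5 colon-hex fingerprints published on this page for kpasswd-ssh.ucar.edu.
PUBLISHED = {
    "ssh-dss": "5a:15:e6:01:53:26:fc:46:3f:89:04:d6:20:0c:0d:d3",
    "ssh-rsa": "8b:00:7a:98:ed:1b:e3:32:cd:09:eb:ba:f8:a9:e0:d3",
}


def md5_fingerprint(blob: bytes) -> str:
    """Legacy OpenSSH fingerprint: MD5 of the raw key blob as colon-separated hex."""
    digest = hashlib.md5(blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def parse_key_line(line: str):
    """Parse one 'host keytype base64' line (ssh-keyscan / known_hosts layout)."""
    fields = line.split()
    if len(fields) < 3:
        raise ValueError("expected: host keytype base64-blob")
    host, key_type = fields[0], fields[1]
    blob = base64.b64decode(fields[2], validate=True)
    # The blob begins with a length-prefixed copy of the key type; a mismatch
    # means the line was edited or truncated, so refuse to fingerprint it.
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != key_type.encode("ascii"):
        raise ValueError("key type in blob does not match the line")
    return host, key_type, blob


def check_host_key(line: str, published=PUBLISHED) -> bool:
    """True only if the key hashes to the fingerprint published for its type."""
    _, key_type, blob = parse_key_line(line)
    return published.get(key_type) == md5_fingerprint(blob)


def constructed_line(key_type: str = "ssh-rsa") -> str:
    """Constructed sample line; the key material is filler, not the real host key."""
    name = key_type.encode("ascii")
    blob = struct.pack(">I", len(name)) + name + bytes(range(32))
    return "kpasswd-ssh.ucar.edu %s %s" % (key_type, base64.b64encode(blob).decode())
```

Current OpenSSH clients display SHA256 fingerprints by default; `ssh-keygen -l -E md5 -f <keyfile>` or `ssh -o FingerprintHash=md5` prints the MD5 form used on this page. A result of `False` from `check_host_key` means the offered key should not be accepted.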
The easiest way is to run the Kerberos (Mac OS X 10.5) or Ticket Viewer (Mac OS X 10.6) applications your sysadmins may have made visible for you. It will ask you for your old password, request the new one, and finally ask you to confirm the new one to avoid potential problems caused by typos.
Otherwise, run the Terminal application, use it to log in to your normal divisional command line host or passwd.ucar.edu, and follow the command line host instructions above.
The easiest way is to run the Network Identity Manager or Leash application your sysadmins may have installed for you. Click on the password change button, or select the password change menu item. It will ask you for your old password, request the new one, and finally ask you to confirm the new one to avoid potential problems caused by typos.
Otherwise, run your ssh client (typically putty.exe or VanDyke Secure CRT), use it to log in to your normal divisional command line host or kpasswd.ucar.edu, and follow the command line host instructions above.
If you do not have the ability to change your passphrase on your workstation or on a system you normally log in to, then you should use the https://kpasswd.ucar.edu/ web form to change your passphrase.
Your UCAS Password login will continue to work in the same places as before. You'll just use the new UCAS Password you set or received in place of your old one.
The first time you use your password after creating or resetting it, you will need to change it to one only you know.
If you ever need or want to reset your password, and you have a UCAS token (a CRYPTOCard or YubiKey issued by UCAR), you can visit https://kreset.ucar.edu/ at any time, without having to wait.
If you do not have a UCAS token, you should contact your group's help desk or sysadmins for an assisted reset.
After you authenticate and get your master ticket, Kerberos V uses secure service tickets to transparently log you in to additional resources. You should be aware of just four basic commands.
Start with this one. This is the command you use to authenticate and get your initial ticket. It is often called transparently by your login dialog box, your screen saver unlock, and the like.
This is the command you use to change your passphrase. (Some systems use passwd -K for the same job.) It is sometimes called transparently for you by kinit when your passphrase has expired.
This is the command you use to list your tickets. You'll see your master Ticket Granting Ticket, and perhaps other service tickets for LDAP, ftp, and the like for resources Kerberos has transparently logged you in to use.
This is the command you use to remove your tickets when you're done with them. They'll expire on their own, but if you're finished for the day, it's a good idea to nuke them early. It is often called transparently when you log out from a system.
Run the Kerberos (Mac OS X 10.6) or Ticket Viewer (Mac OS X 10.6) application your sysadmins may have made visible to you. You can use this application to manage the Kerberos tickets used for login to Kerberized UCAR services.
Run the Network Identity Manager or Leash application your sysadmins may have installed for you. You can use this application to manage your Kerberos tickets, and cause them to be made available for login to Kerberized UCAR services.
Some systems have character sensitivities in passphrases. Currently known failures are caused by spaces in passphrases used on the wireless web heartbeat system, and by single quotes in passphrases used on multiple web applications and some command line systems.
The https://wireless.ucar.edu/ captive portal system does not work with spaces in passphrases. If you must have a space in your passphrase, use the SSH interface rather than the web heartbeat.
Many web applications and some command line systems do not work with single-quote characters in passphrases. The simplest solution is to avoid using single-quote characters in passphrases.