How to Change UW HEP Passwords

Every day there are break-in attempts on Physics Department computers.  It is therefore important that you have a strong password that is kept secret.  Do not use the same password for different accounts, because if security is breached at one site, stolen passwords can be used to gain access elsewhere.

Physics Department AFS and UNIX accounts use an authentication system called Kerberos.  To change your password for accessing these services, you therefore need to change your Kerberos password.

If your computer has Kerberos installed and configured (e.g. if it is AFS-enabled), you can change your Kerberos password using the kpasswd command on your computer.  Example:

kpasswd youraccount@HEP.WISC.EDU


Otherwise, you can use the kpasswd command on the Department UNIX computers.  To do the latter, you will need to connect to login.hep.wisc.edu via ssh.  On a Windows computer, you can use an ssh client such as PuTTY or the UNIX-style ssh command in Cygwin.  On a Mac, you can use ssh from the Terminal app found in Applications/Utilities.

Below is an example ssh session used to change my password.  I am entering these commands via the Mac Terminal app.  Note that the ‘$’ sign is not part of the command.  It is part of the command prompt.  Therefore, when copying the command, enter just ssh youraccount@login.hep.wisc.edu.

$ ssh dan@login.hep.wisc.edu
dan@login.hep.wisc.edu's password:
Last login: Tue Apr 15 11:24:06 2014 from 128.104.164.180


#######################################################
    Welcome to login01.hep.wisc.edu
    Scientific Linux release 6.4 (Carbon)

    996.66 MB RAM
    1 cores of type QEMU Virtual CPU version 1.1.2
#######################################################

[dan@login01 ~]$ kpasswd
Password for dan@HEP.WISC.EDU:
Enter new password:
Enter it again:
Password changed.
[dan@login01 ~]$ logout
Connection to login.hep.wisc.edu closed.

 

One problem you may encounter is something like the following when you attempt to ssh to the login machine:

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
12:f8:06:a3:1a:57:32:06:56:2b:29:4e:03:ac:95:ab.
Please contact your system administrator.

This is expected if your last ssh session was prior to the login server upgrade to Scientific Linux 6.  As part of that upgrade, we made changes to the way we manage the login machines so that the ssh keys will be preserved across future upgrades.

If you are sshing from a unix machine, to tell ssh that you want it to accept the new key, you can clear its memory of the old one with the following command:

ssh-keygen -R login.hep.wisc.edu
ssh-keygen -R 128.104.160.33
ssh-keygen -R 128.104.160.34

Then try sshing again and answer ‘yes’ when it asks whether to accept the new key:

$ ssh dan@login.hep.wisc.edu
The authenticity of host 'login.hep.wisc.edu (128.104.160.33)' can't be established.
RSA key fingerprint is 12:f8:06:a3:1a:57:32:06:56:2b:29:4e:03:ac:95:ab.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'login.hep.wisc.edu' (RSA) to the list of known hosts.

Other University Accounts