
Technical and Policy Requirements for Authentication Arising in Interboundary Work

This case study explores the technical and policy requirements for authentication at MIT, including the use of Kerberos, X.509 certificates, and MIT ID cards. It also addresses the process of obtaining MIT user certificates and the different identifiers used by MIT.


Presentation Transcript


  1. Technical and Policy Requirements for Authentication Arising in Interboundary Work
     MIT Case Study Notes
     Paul B. Hill

  2. Setting context
     • MIT is a private institution
     • We don’t have a medical school…
     • We are a Sakai partner…
     • We have one Kerberos realm that is accepted by the financial system…
     • Virtually all users have X.509 certificates…

  3. Kerberos is primary authentication for…
     • Initial login on many machines
     • Email
     • IM (Jabber and Zephyr)
     • SAP financial system
     • File systems
     • Remote shells
     • All Library Journals
     • MIT theses (non-MIT personnel are charged for access)
     • WebSIS – Online Student Information System
     • Lotteries – campus ‘lotteries’, e.g., Housing, Phys. Ed.
     • Obtaining an MIT user certificate
     • Educational discounts for computer purchases
     • Access to MIT-only web pages
     • Ability to download MIT-licensed software
     • Sloan’s web portal

  4. Identifiers at MIT
     • MIT ID card
     • MIT ID number
     • Athena Kerberos principal name
     • X.509 certificates for users
     • UUID
     • WIN SID
     • WIN Kerberos principal name
     • IDs created by Departments, Labs, and Centers (DLCs)

  5. Who can get an MIT ID card?
     • Incoming Students
     • Special and Cross-Registered Students
     • Employees
     • Spouses and Partners
     • Alumni
     • Visiting Scholars and Post-Doctoral Associates
     • Unofficial Members of the MIT community
       • E.g., contractor

  6. Who can get an MIT ID number?
     • Issuers
       • Human Resources
       • Registrar
       • IS&T Accounts office
     • Students, Faculty, Staff, Contractors, Visiting Scholars, Post-Doctoral Associates, Affiliates, Guests

  7. What is an MIT ID number?
     • The MIT ID number is a unique identifier for people in MIT Information Technology (I/T) systems. Having an MIT ID number does not in itself provide any status, relationship, access, responsibility, or privileges. These are conferred and defined by the Institute business processes for which I/T systems exist. Thus who has an MIT ID number is defined by the MIT businesses. The system of record for all MIT ID numbers is the MIT ID server operated by IS&T.

  8. Who can get an Athena Kerberos ID?
     • All MIT community members (faculty, students, and staff) are entitled to have a Kerberos ID.
     • If you know your MIT ID number, you can obtain a Kerberos ID via the web.
     • “A sponsored guest account is required for voucher or temp staff, former students or staff who are no longer eligible but need continuing access to their account, as well as visitors who need an MIT electronic identity”
     • An account can be sponsored by any current member of the MIT faculty or staff, but not by students.
     • Guest accounts are valid for up to 2 years and are easily renewed.

  9. Sponsoring a guest account

  10. Deactivation
     • MIT ID cards expire
     • MIT ID numbers are immutable and do not expire
     • Athena Kerberos principal names do get deactivated

  11. How Kerberos IDs are deactivated
     • Automatically in January after the graduation of a student in the prior year.
     • Manually when notice is received from HR that an employee has been terminated.
     • Manually when a guest’s sponsor does not respond to a renewal request.
     • Almost never for faculty.

  12. Existing Kerberos demographics on campus (2005)
     Total of 28,506 IDs as of 2/13/2005

  13. *other
     • Other includes vouchers/temp (308), system accounts (245), pre-frosh (142), random project staff (214), etc.

  14. Re-use or re-assignment
     • MIT ID numbers do not get reassigned
     • MIT ID numbers should get re-used by the same person (transitions or returns)
     • Kerberos names used to get re-used and re-assigned; they no longer do

  15. Identity at MIT [Ovals not to scale]
     • People who have MIT Kerberos IDs – 28,500
     • People who are MIT employees, students, or “official” visitors – approx. 21,000
     • Small number of people who probably exist but we don’t know about (maybe null set)
     • Approx. 3,400 people who are “sponsored” but with unknown affiliation
     • Hundreds of graduate students, plus a few staff, who never got Kerberos IDs
     • Former students, staff, etc. who still have Kerberos IDs – approx. 2,500
     • People who have MIT ID numbers (includes former students, spouses, alums, etc.) – 113,800
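As an added example (not part of the presentation), the deactivation rules of slide 11 and the re-assignment rule of slide 14 encoded as a reconciliation check over account records, so that the slide-15 population of people who still hold Kerberos IDs after eligibility ends can be measured. The record layout, field names and sample data are constructed assumptions, not MIT's actual systems.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Principal:
    # One Athena Kerberos principal plus the facts needed to judge it (constructed layout).
    name: str                               # Kerberos principal name
    mit_id: str                             # MIT ID number: immutable, never reassigned
    affiliation: str                        # student | employee | faculty | guest
    graduated_year: Optional[int] = None    # students only
    hr_terminated: bool = False             # employees: HR termination notice received
    sponsor_renewed: Optional[bool] = None  # guests: sponsor's reply; None = still pending
    active: bool = True

def deactivation_reason(p: Principal, year: int, month: int) -> Optional[str]:
    """Slide 11 rules: students in the January after their graduation year,
    employees on HR notice, guests whose sponsor did not renew, faculty never."""
    if not p.active:
        return None
    if (p.affiliation == "student" and p.graduated_year is not None
            and (year, month) >= (p.graduated_year + 1, 1)):
        return "graduated"
    if p.affiliation == "employee" and p.hr_terminated:
        return "hr_termination"
    if p.affiliation == "guest" and p.sponsor_renewed is False:
        return "sponsor_no_response"
    return None

def reconcile(principals, year, month):
    """Return (backlog, reassigned): active principals the rules say to deactivate
    (the slide-15 'former students, staff who still have Kerberos IDs' population),
    and principal names bound to more than one MIT ID number over time, which
    slide 14 says should no longer happen."""
    backlog = {p.name: r for p in principals if (r := deactivation_reason(p, year, month))}
    ids_by_name = {}
    for p in principals:
        ids_by_name.setdefault(p.name, set()).add(p.mit_id)
    reassigned = sorted(n for n, ids in ids_by_name.items() if len(ids) > 1)
    return backlog, reassigned

# Constructed sample records, evaluated on the slide-12 date (February 2005).
SAMPLE = [
    Principal("alice", "900000001", "student", graduated_year=2004),
    Principal("bob", "900000002", "student", graduated_year=2005),
    Principal("carol", "900000003", "employee", hr_terminated=True),
    Principal("dave", "900000004", "guest", sponsor_renewed=False),
    Principal("erin", "900000005", "guest"),
    Principal("frank", "900000006", "faculty"),
    Principal("dave", "900000008", "guest", active=False),  # old binding of the same name
]
if __name__ == "__main__":
    print(reconcile(SAMPLE, 2005, 2))
```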

  16. Getting started at MIT… post-docs and employees
     • MIT ID number
       • Your ID number is automatically generated when Human Resources processes the paperwork for your appointment. Your appointment papers are handled by the department/lab/center where you will be working.
     • The account registration page will ask these users for their MIT ID number and their name

  17. Getting started at MIT… students
     • Student receives an “MIT Kerberos / Athena Account Coupon” upon acceptance, containing:
       • An assigned MIT ID number
       • Six unique keywords that the student will use to initially authenticate to the registration server
       • Instructions on how to use this information with the registration service to obtain a Kerberos principal name and choose a password

  18. Getting started at MIT… guests
     • Sponsor submits name, reason, and birth date to the accounts office.
     • Guest is provided with an MIT ID number and directed to the account registration page
     • User is prompted for name and MIT ID number

  19. Practices
     • Password expiration – we don’t on most accounts
     • Password reset
       • Photo ID in person at the accounts office
       • Self service via web form
       • Exceptional cases have been done over the phone
     • Password analysis and policy
       • KDC evaluates the password (dictionary, history)