Getting Started with CalNet Kerberos Authentication

These instructions describe the basics of how you can use your CalNet ID and password to securely identify ("authenticate") yourself from certain Macintosh programs to selected online services at UC Berkeley.

Contents
Activating your CalNet ID
Installing Kerberos software and UCB settings
Logging in
Logging out
Accessing files on a computer running Windows
Using Fetch to transfer files to a website

Activating your CalNet ID
To use the CalNet Authentication Service, you will need to
activate your CalNet ID, which serves as your "online identity"
at UC Berkeley.
The CalNet website describes how you can activate your ID:
http://calnet.berkeley.edu (This link requires a working connection to the Internet.)

Installing Kerberos software and UCB settings
You will also need to install Kerberos software from the Massachusetts
Institute of Technology (MIT), along with UC Berkeley-specific
settings, on your Macintosh computer.
If you haven't already installed these items, you can do so by running the CalNet Kerberos Auth installer, which is available from the WSS Software site: http://software.berkeley.edu (This link requires a working connection to the Internet.)

Logging in

Once you've obtained and activated your CalNet ID, and installed the Kerberos software and UCB settings on your computer, here's how you can log in to UC Berkeley's CalNet Authentication Service from your Macintosh:

(Under Mac OS X) Open the Kerberos application, which you can find either in the Utilities folder within your Applications folder (Mac OS X 10.2 and higher) or in your Applications folder (Mac OS X 10.1).
(Under Mac OS 8 or 9) Select Control Panels from the Apple menu and open the Kerberos control panel.

TIP: You can also find an icon for the Kerberos application in the Dock, if you've installed the Kerberos software under Mac OS X 10.2 and higher.

If you see a Get Tickets ... button, click that button. (If you don't see that button, just proceed to the next step, below.)

In the window which appears:

Enter your CalNet ID in the Username box, and your CalNet password ("passphrase") in the Password box, then click "OK". If your CalNet ID and password are accepted, the words "Active User" and your CalNet ID will appear in the window.

TIP: If you're connecting securely to a service in EECS, Haas, or another campus Kerberos realm, select the name of that realm, such as EECS.BERKELEY.EDU or HAAS.UC.BERKELEY.EDU, from the Realm pop-up menu. If you don't see this realm in that pop-up menu, select Edit Favorite Realms... from the Edit menu of the Kerberos application or control panel to add it. If you still do not see the name of your desired realm listed, and if you are using Mac OS X's Kerberos application, you can also manually type it into the "Realm" box, rather than selecting it from the pop-up menu.

TIP: After you've logged in once, you can then connect securely to various Kerberos-enabled services at UC Berkeley without having to re-enter your CalNet ID and passphrase, until you log out or restart your computer.

Logging out

If you intend to be away from your computer for some time, you can enhance your security by manually logging out of the CalNet Authentication Service. To do so:

Open the Kerberos application (under Mac OS X) or the Kerberos control panel (under Mac OS 8 or 9).

In the "Ticket" section of this window, click on the line with a triangle to its left. This line will typically look something like:

Click the Destroy Tickets button. This will log you out.

TIP: Even if you don't manually log out, as an added security measure, you will automatically be logged out of the CalNet Authentication Service after a certain period of time has elapsed. By default, this period is set for 10 hours.
You can change the period after which you are automatically logged out to between 10 minutes and 10 hours. To change this automatic logout time, log out of the CalNet Authentication Service if you are currently logged in. Open the Kerberos application (under Mac OS X) or the Kerberos control panel (under Mac OS 8 or 9), if it is not already open. Click the Show Options or Options... button. Then select a different time period via the Ticket Lifetime 'slider' control.
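
The log in, ticket lifetime and log out steps above have command-line counterparts in the MIT Kerberos tools. The script below is an added example, not part of the original instructions; the function names and the `calnet_id` placeholder used when calling them are assumptions, and it assumes `kinit`, `klist` and `kdestroy` are on the PATH.

```shell
#!/bin/sh
# Added example: command-line counterpart of the Kerberos application steps.
# Function names are hypothetical; kinit, klist and kdestroy are the MIT tools.

# Convert a requested lifetime in minutes into a kinit -l argument.
# The page allows 10 minutes to 10 hours; anything else is rejected.
ticket_lifetime_arg() {
    minutes=$1
    case $minutes in
        ''|*[!0-9]*)
            echo "lifetime must be a whole number of minutes" >&2
            return 1 ;;
    esac
    if [ "$minutes" -lt 10 ] || [ "$minutes" -gt 600 ]; then
        echo "lifetime must be between 10 and 600 minutes" >&2
        return 1
    fi
    printf '%sm\n' "$minutes"
}

# Build "user@REALM"; realm names are written in upper case.
principal_for() {
    user=$1 realm=$2
    [ -n "$user" ] && [ -n "$realm" ] || return 1
    printf '%s@%s\n' "$user" "$(printf '%s' "$realm" | tr '[:lower:]' '[:upper:]')"
}

# "Get Tickets": kinit prompts for the passphrase on the terminal.
# Usage: krb_login calnet_id EECS.BERKELEY.EDU 60   (lifetime defaults to 600)
krb_login() {
    principal=$(principal_for "$1" "$2") || return 1
    lifetime=$(ticket_lifetime_arg "${3:-600}") || return 1
    kinit -l "$lifetime" "$principal"
}

# Exit status 0 only while the credentials cache holds unexpired tickets.
krb_logged_in() { klist -s; }

# "Destroy Tickets": remove the cached credentials before leaving the machine.
krb_logout() { kdestroy; }
```

The KDC may grant a shorter lifetime than the one requested; running `klist` without options shows the actual expiry time.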
Accessing files on a computer running Windows

If your computer is running Mac OS X 10.3 ("Panther"), you can identify yourself via Kerberos and thus connect securely when accessing files on certain campus computers running Microsoft Windows. (You may also be able to do this with some non-Windows computers that make files available in the same way.) You can then "mount" folders shared by those computers as disks on your Desktop, and work with them there.
The instructions below describe how to use Mac OS X 10.3 to access files on one of these computers:

TIP: Your Macintosh must be running Mac OS X 10.3 ("Panther"). In addition, the computer whose files you wish to access must be a member of the campus' CalNet Active Directory, and support Kerberos authentication for "SMB/CIFS" connections. Check with the appropriate system administrator or your departmental computing support provider if you aren't sure about this.

TIP: You will need a client access license (CAL) to connect to resources hosted by a Windows server, even if you're connecting from a Macintosh. If you connect without a CAL, you could potentially be violating the terms of the Microsoft End User Licensing Agreement (EULA). Check with the appropriate system administrator or your departmental computing support provider if you aren't sure whether a CAL has been obtained for your use.

If you haven't already done so, log in to the CalNet Authentication Service as described above.

Choose the Connect to Server... option from the Finder's Go menu.

In the Connect To Server window, enter the address of the server and disk to which you want to connect, as in the following example:

Click the Connect button. After doing so, if the server address is correct and you have the appropriate permissions to access this disk, an icon for this disk should soon appear on your desktop.

After you are done using this disk, it is a good security practice to eject (unmount) the disk and manually log out from the CalNet Authentication Service.

TIP: For more information about connecting from a Macintosh to resources in the CalNet Active Directory (CalNetAD) at UC Berkeley, please visit: http://calnetad.berkeley.edu/documentation/interoperability (This link requires a working connection to the Internet.)

Using Fetch to transfer files to a website

Fetch is a file transfer (FTP) program, which allows you to copy files between two computers. If you are affiliated with UC Berkeley, you can download Fetch from the WSS Software site: http://software.berkeley.edu (This link requires a working connection to the Internet.)

A common use of Fetch is transferring files from your Macintosh to another computer on which you maintain a website. The instructions below describe how to configure Fetch (versions 4.0 and later) so that you can identify yourself via Kerberos and connect securely to a website on Socrates (socrates.berkeley.edu), a shared Unix host on the UC Berkeley campus.

TIP: You will only be able to connect in this way if the computer on which your website is located is running an FTP server that supports Kerberos authentication. Check with the appropriate system administrator or your departmental computing support provider if you aren't sure.

If you haven't already done so, log in to the CalNet Authentication Service as described above.

Open the Fetch application program.

Choose New Connection... from the File menu.

In the window which appears:

Enter socrates.berkeley.edu in the Host box.

Enter your user ID on Socrates in the User ID box. (myuserid is shown here as an example.)

TIP: Do not enter your CalNet ID in this box.

Select GSS from the Security pop-up menu.

Click the small triangle (near the bottom left corner) to view additional options.

Enter public_html in the Initial directory box. (This is the directory location of most personal websites on Socrates.)

Enter 821 in the Non-standard port number box.

TIP: This port number is specific to Socrates. With some FTP servers on other campus hosts, you may not need to enter a "non-standard" port number.

Click OK.

If you've successfully connected, you will then see a window displaying the files and folders (directories) for your website on Socrates. To upload files, you can drag files and folders from your Macintosh disks into this window.

To disconnect, choose Close from Fetch's File menu.

TIP: For more information about using Fetch, select the Fetch Help item under the application's Help menu.
If you use Fetch to maintain a website on a remote computer, the following are two features that you might find particularly useful: