by Franklin M. Siler
This document would not exist without the generous support of Jay Kreibich. In fact, this document is now obsolete because he has published a nice package to install it cleanly on Jaguar.
This works on MacOS 10.2.1 but has not been tested on any other version of MacOS. It also has some issues if you're behind a NAT router (a Linksys or D-Link "Broadband router", for instance). I have done my best to write with the non-geek in mind, but please bear with me.
Please understand that your mileage may vary. This is not officially supported by CITES or any other university department. University policy specifies that U of I direct should not be used on multiuser systems, so be sure to disable ssh and other services that would let others use your box while you're using U of I direct.
In this document, commands will be notated with a mono-spaced font (i.e. command).
Also, this document was really designed with Jaguar in mind. Provided that Kerberos and Kerberized telnet are installed correctly, the same config file should work with Linux, BSD, and whatever other POSIX flavors you could conjure up. The only difference is that the location of the config file is /etc/krb5.conf. I have personally tested this setup on the latest unstable install of Debian Linux, and it works fine. You need the krb5-tools package (and all of its dependencies) on Debian. The only other gotcha is that you must set your TERM variable to vt100, vt220, or aixterm, or use a client that shows up as being one of these terminals. env will display TERM and a lot of other variables. Also, keymaps are something of a problem, but if you only use the control sequences it should work fine.
Fortunately, it's very simple to set up. You need to bring up a terminal window, which is located in Applications->Utilities->Terminal. You should get a window with some sort of prompt and cursor. You also need to be an 'admin user' and know your password.
Type sudo pico /Library/Preferences/edu.mit.Kerberos at the prompt. You must type it exactly as it is here with the same capitalization. You will be prompted for a password, for which you should enter your admin password.
Now all you have to do is copy and paste the text below into the window, which shouldn't have any text between the top bar and the menus on the bottom.
[libdefaults]
    default_realm = UIUC.EDU
    default_tkt_enctypes = des-cbc-crc
    default_tgs_enctypes = des-cbc-crc
[realms]
    UIUC.EDU = {
        kdc = kerberos1.uiuc.edu:88
        kdc = kerberos2.uiuc.edu:88
        admin_server = kadmin.uiuc.edu:749
        default_domain = UIUC.EDU
    }
    NCSA.EDU = {
        kdc = kerberos.ncsa.uiuc.edu:88
        kdc = kerberos-1.ncsa.uiuc.edu:88
        kdc = kerberos-2.ncsa.uiuc.edu:88
        admin_server = kadmin.ncsa.uiuc.edu:749
        default_domain = ncsa.uiuc.edu
    }
[domain_realm]
    .uiuc.edu = UIUC.EDU
    .ncsa.uiuc.edu = NCSA.EDU
    .ncsa.edu = NCSA.EDU
If you have done everything correctly, you will see something similar to the screen shot below.
![[pico screen shot]](picoafterpaste.png)
Now type Ctrl-O and hit Return. Then type Ctrl-X. This should return you to the prompt. Now, if you type cat /Library/Preferences/edu.mit.Kerberos and hit Return you should see the above text.
Now for the fun part. Log in and pull up another Terminal. Type whoami at the prompt. If this shows your NetID, then all you have to do is type kinit and enter your password and you will have the requisite ticket to access U of I direct. If whoami doesn't give you your NetID, then you need to type kinit followed by your NetID and enter your password when prompted. After that, all you have to do is type telnet -x register.aiss.uiuc.edu and you will see the familiar U of I direct prompts. It works just as it does from any other location, though some keystrokes may not function properly.
VERY IMPORTANT: Left alone, the Kerberos tickets will expire, after which nobody trying to access your schedule can use them. It is still good practice to use kdestroy to destroy the ticket as soon as you are done, which makes the system inoperable until you use kinit again and give the system your password.
Summary of how to use:
1. kinit [NetID]
2. klist to see that you have a ticket
3. telnet -x register.aiss.uiuc.edu (access U of I Direct)
4. kdestroy
5. klist to verify that you have destroyed the ticket

Basically, U of I direct uses something called Kerberos to verify your identity. Kerberos is a system developed at MIT that issues 'tickets' which allow you to use services. The tickets will expire eventually (klist will tell you when they expire), but it is good practice to destroy them once you're done.
NAT is the protocol used by broadband routers to allow multiple machines to hide behind one IP. This causes problems with Kerberos. The workaround is to use kinit -A [NetID] (make sure it's a capital 'A'). This disables IP verification on your ticket. I have no idea how much less secure the system is with this setup, but at least on my machine it's much slower than just plugging directly into the wall. In a pinch, however, it works fine.
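The summary steps above, together with the TERM check and the kinit -A NAT workaround, as one shell function that destroys the ticket however the session ends. This is an added example, not part of the original page; uofi_direct and UOFI_HOST are hypothetical names, and it assumes a klist that supports -s.

```shell
#!/bin/sh
# Added example, not from the original page. uofi_direct and UOFI_HOST are
# hypothetical names; the commands and flags are the ones the page uses.
# Assumes klist supports -s (silent, status-only), as MIT Kerberos klist does.
UOFI_HOST=register.aiss.uiuc.edu

# usage: uofi_direct [-A] [NetID]
#   -A  pass kinit -A (the NAT workaround: ticket not tied to your IP)
# The body runs in a subshell, so its traps and variables stay local.
uofi_direct() (
    nat=""
    if [ "${1:-}" = "-A" ]; then nat="-A"; shift; fi

    # The page requires one of these terminal types.
    case "${TERM:-}" in
        vt100|vt220|aixterm) ;;
        *) echo "TERM must be vt100, vt220 or aixterm (is: ${TERM:-unset})" >&2
           exit 2 ;;
    esac

    # kinit prompts for the password; with no NetID it uses the login name.
    kinit $nat ${1:+"$1"} || exit 1

    # A ticket now exists: destroy it however this subshell ends
    # (normal exit, closed window, Ctrl-C, kill).
    trap 'kdestroy' EXIT
    trap 'exit 129' HUP
    trap 'exit 130' INT
    trap 'exit 143' TERM

    klist                      # show the ticket and its expiry time
    telnet -x "$UOFI_HOST"     # encrypted session to U of I Direct
    rc=$?

    kdestroy
    trap - EXIT
    # klist -s succeeds only while a valid ticket is still in the cache.
    if klist -s; then
        echo "WARNING: ticket still present; run kdestroy by hand" >&2
        exit 3
    fi
    exit "$rc"
)
```

Source the file, then run uofi_direct NetID, or uofi_direct -A NetID from behind a NAT router.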