Accounts and Authentication
Getting an Account
Access to just about everything TIG has to offer is granted via your CSAIL Kerberos name and password. You can obtain a user account, and optionally sign up to read and send your mail via the CSAIL email server, by filling out the application form. If you are also getting a new MIT.EDU (main campus) account at the same time, please wait about an hour after that account is set up before requesting your new CSAIL account. (Otherwise email may not be delivered properly.)
Once you have applied for an account and your supervisor approves the request, you gain access to several new resources:
- A Kerberos account, which grants you login privileges on most CSAIL Ubuntu workstations and Public Login Servers
- A shared home directory in CSAIL’s AFS cell
- A CSAIL email address (this works for forwarding mail whether or not you are using the CSAIL email server)
- Other storage options
- A personal web site that becomes available as soon as you put content in a certain sub-directory of your home directory (~/public_html).
- Access to a shared batch computing cluster and the OpenStack private cloud
Will my CSAIL account go away when I leave?
We understand that many CSAIL alumni continue to collaborate with their colleagues at the Lab after they graduate (or retire, or resign). For students and employees who leave CSAIL on favorable terms, we expect to maintain accounts for some time into the future. Provided that your account does not represent a security issue, and that your use of the account does not harm CSAIL’s resources or reputation, we will maintain accounts and email forwarding indefinitely. However, even though we do not delete accounts, you will lose access to your account if you fail to:
- Keep your CSAIL email forwarding current,
- Respond to mail we send you at your CSAIL email address,
- Keep an active association with your former supervisor (or another CSAIL supervisor) as sponsor of your account.
You should not expect to be able to continue to use CSAIL IMAP for your email after you leave. To update your email forwarding address, use INQUIR. Before you leave CSAIL, you can link a third-party identity (such as a GitHub or Google account) to your INQUIR record, which will allow you to update your email forwarding and directory information even after your CSAIL account expires.
CSAIL supervisors must approve the continuation of student accounts at the end of each Institute fiscal year. They may choose, at their discretion, to renew each student’s account for a term or to allow it to expire. (Supervisors will receive mail a few weeks before the deadline with a list of users and a link to the appropriate WebINQUIR function.)
If your account is allowed to expire, you will lose access on July 1 following your last term. (Mail forwarding will continue indefinitely, as will Web service for files in your ~/public_html directory and Web
Supervisors have a 45-day grace period to renew accounts; after that time, a system administrator must reactivate the account.
CSAIL account expiration
CSAIL accounts for certain classes of users—students, visitors, affiliates, guests, alumni, and certain temporary employees—automatically expire at the end of every fiscal year (specifically, at midnight UTC on July 1, which is 8 PM on June 30 local time here in Cambridge).
Users who have changed supervisors should have their new supervisor or supervisor’s assistant notify firstname.lastname@example.org to confirm the change. Notifications to supervisors are sent out annually at the beginning of June (usually the first business day). Users whose accounts are not renewed receive a notification email on or around July 1. (Some users have unusual expiration dates set by their supervisors and will not get any notifications.)
How do I change my Kerberos Password?
If you already know your password:
- Run kpasswd on any TIG-managed CSAIL Ubuntu machine
- Mac OS: open Ticket Viewer.app and choose “Change Password”. (or
- Windows: right-click Network Identity Manager (ice cube icon next to clock) and choose “Change password.” (or
If you have forgotten your CSAIL Kerberos Password:
- Please come by the TIG area room 32-270 or thereabouts during business hours with a valid photo ID and a system administrator can help you reset it.
CSAIL Kerberos Account Password Requirements
- Minimum Characters: 8
- Minimum Character Classes: 2 (alphanumeric, punctuation, whitespace)
- May not contain the username
- Passwords do not expire, but will be locked after 16 failed password attempts
Treat your Kerberos password like your Passport
Your Kerberos principal is your digital identity at CSAIL. You establish your identity using a username and password. However, you should think of your Kerberos principal like a passport. If someone gains access to it, they can very effectively pretend to be you, causing much destruction and pain for you if they desire. A CSAIL Kerberos principal unlocks access to a very large amount of network bandwidth and computation power, enough to cripple a small country if used maliciously. You are responsible for your Kerberos principal, so treat it well.
Some common mistakes people make with their CSAIL accounts include using the same password they use for low- or no-security applications like Gmail accounts, Dropbox, Facebook, or any other web-based free services. Such passwords are often gleaned and used to access login accounts, so you should choose totally different passwords for these two distinct types of applications.