-- PatrickCahalan - 2020-04-06

How do I change my password?

You can change your password either by logging into one of the Linux machines in the domain directly (at the terminal) or by sshing to login.cms.caltech.edu.

If you use a Linux machine, using SSH is as simple as typing the following at a command line:

ssh [yourusername]@login.cms.caltech.edu

If you use Windows, you'll need to get an SSH client for Windows.

You can download one of the freely available SSH clients off of the Internet, such as PuTTY.

Use "login.cms.caltech.edu" as the host name, and SSH (port 22) as the protocol.

At a command prompt, type passwd and then follow the instructions.


[somebody@login:~]> passwd

Press Enter

Changing password for user somebody.
Enter login(LDAP) password:

Type in your current password and press Enter

New password:

Type in your new password and press Enter

Retype new password:

Re-enter your new password and press Enter

LDAP password information changed for somebody
passwd: all authentication tokens updated successfully.

Your new password must:

  • be at least 8 characters in length
  • not be based on a dictionary word
  • contain a mix of alphabetic and non-alphanumeric characters
  • not be similar to your previous password

A common practice is to think of a phrase that you won't forget, like "My CMS password is really easy right now", and then take the first character of each word and make it your password, adding a punctuation mark. In the above example, your password would be "MCpirern."

Note - don't use that particular example!

What's the password policy in CMS?

CMS has a password lifecycle of 180 days, adjusted to compensate for change-of-term and end-of-year. If you have a CMS account, you will be required to change your password twice a year.

You will be notified via the CMS department newsletter when a password changing event is coming up. For several days before your account is locked out, you will also be warned whenever you log into the CMS UNIX hosts that your password is close to expiring.

If you need practical information on how to change your password, see "How do I change my password?" above.

When you change your password, you will be required to follow UNIX-style minimum password requirements. If you also have a Windows account, we suggest that you make your password fit the Windows-style minimum password requirements as well, so that you can use the same password for both accounts.

If you forget your password, and you need your account reset, you can email helpATcms.caltech.edu to contact the system administrators. We will need to be able to confirm your identity somehow in order to reset your account. The easiest method of accomplishing this is to physically walk over to our office, in 112 Annenberg, with your Caltech ID.

What is CMS's account policy?

When you request a CMS account through the CMS account request form, your account is created with a default expiration date of 4 years from your request date, or your estimated graduation date, whichever is earlier. This is for ease of administration - your CMS account may be culled if you are no longer affiliated with the Institute. If you are a visitor, your account is enabled only for the length of your stay at Caltech.

CMS accounts are intended for use by the requestor of the account ONLY. Do not share your CMS username and password with anyone.

Each account has a password expiration cycle of 180 days. You must change your CMS password at least once every 6 months. If you do not change your password, your interactive login access will be locked. 14 days before your password expires, you will be warned at a login prompt when you log into a CMS machine, either remotely via login.cms.caltech.edu or at the console. Once your password expires, you have a 7 day grace period in which to change your password. You will also receive email warnings that your password is going to expire. Note that these email warnings go to your CMS account (IMSS account for undergrads), so if you do not read your CMS mail locally, forward your CMS mail to an active email account!

At the time of your expiration date, your account will become locked - that is, your account will still exist, but you will be unable to log in interactively.

One month after your account has expired, you will be reminded via email that your account has been expired, and at that point (if you still need your CMS account or expect that you will need your CMS account in the future) it is your responsibility to inform the CMS sysadmins (helpATcms.caltech.edu) that you wish to keep your account, the reason that you need to keep your account, and (if you are moving to a graduate student position) the sponsoring professor.

Six months after your account expiration date, your data store will be archived, your home directory removed, and your local mail delivery halted. This archival process is not backed up, so any data remaining in your home directory is no longer guaranteed to exist past the archival date.

As a service to former CMS students who have published their CMS mail accounts on academic papers, you may leave the CMS sysadmins with a forwarding address. We will continue to forward all email to your (username)@cms.caltech.edu account to that destination address, provided that the email delivery continues to be allowed. It is your sole responsibility to keep your forwarding address current. If your destination address consistently bounces/rejects mail, we will remove the mail forward.

Once we remove you from the mail alias list, we will not reinstate your mail forward.

We do not provide web redirection or other services to former holders of CMS accounts. Be aware that your CMS webspace is available only for the duration of your account.

If you do not graduate within 4 years, or if you stay at the institute as a graduate student, you may of course continue to use your CMS account. However, since there is no automated fashion in which we can acquire this information, it is again the responsibility of the CMS account holder to inform the CMS sysadmins (via helpATcms.caltech.edu) that you are staying at the institution, and that you need your account active.

It may come to pass after undergraduate graduation or completion of a doctoral program that you will be continuing to collaborate on projects with existing CMS students or faculty. If this is going to be the case, you may inform the CMS sysadmins that you are requesting collaborator status. This MUST be accompanied by approval from a faculty member. Collaborator accounts are enabled for a 1 year block of time. At the end of the year, unless informed again by the faculty member of an extension for another 1 year period, your account will be expired following the process above.

Finally, it is always the responsibility of the CMS account holder to read all email originating from the CMS sysadmins, so that you will be kept abreast of system outages, changes, etc.

What is the remote login policy?

It is always better to log into your CMS account at a console - that is, sitting in front of a keyboard at the machine you're logging into.

This is of course not always feasible. If you are remotely logging into CMS machines, your sysadmins request that you follow these general rules:
  • Do not connect to CMS machines from unknown or untrusted hosts!
This means: don't log into CMS machines from a public terminal at a convention somewhere. If you are not absolutely certain of the security state of a public machine, don't use it: if that machine is compromised, you're giving away your username and password.

This also means that you need to be keeping your personal computer(s) up to date and patched with the latest security updates.
  • If you're connecting remotely to ANY resource in CMS, we ask that you start at login.cms.caltech.edu.
So if you need to connect to a particular machine for some reason, and you're coming from your home machine, ssh to login.cms.caltech.edu, and then from login.cms.caltech.edu connect to the machine you're trying to reach. This seems counter-intuitive, but that way the CMS system administrators can keep an eye on the individual auth logs and catch "strange" connections as possible security intrusions.
  • Do not chain through multiple hosts to get to CMS machines.
If you're sitting at your home machine, and you want to connect to CMS, ssh to login.cms.caltech.edu directly. For example, don't connect to your account at Berkeley, then your account at your old high school, then your buddy's machine in West Germany, and finally to CMS. If there are any compromises on any of those other machines, you may be giving away your username and password.
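The gateway rule above is what makes auth-log review practical: on any internal host, an accepted login that did not come from the gateway stands out. The sketch below is an added example, not the CMS sysadmins' own tooling; the gateway address 192.0.2.10, the host names and the log lines are constructed placeholders in the usual OpenSSH syslog format.

```shell
#!/bin/sh
# Added example: list accepted SSH logins on internal hosts whose source
# address is not the login gateway. GATEWAY_IP is a documentation-range
# placeholder, not the real address of login.cms.caltech.edu.
GATEWAY_IP="192.0.2.10"

# Constructed sample of collected auth-log lines from internal hosts.
sample_auth_log() {
cat <<'EOF'
Apr  6 09:12:01 node07 sshd[2211]: Accepted publickey for alice from 192.0.2.10 port 50122 ssh2
Apr  6 09:14:37 node07 sshd[2240]: Accepted password for bob from 203.0.113.45 port 41877 ssh2
Apr  6 09:15:02 node03 sshd[1893]: Failed password for carol from 198.51.100.7 port 60233 ssh2
Apr  6 09:20:44 node03 sshd[1901]: Accepted password for carol from 192.0.2.10 port 50310 ssh2
Apr  6 09:31:09 node11 sshd[3002]: Accepted password for dave from 198.51.100.7 port 33001 ssh2
EOF
}

# Read auth-log lines on stdin; print "host user source_ip" for every
# accepted login that bypassed the gateway given as $1.
direct_logins() {
    awk -v gw="$1" '
        / sshd\[[0-9]+\]: Accepted / {
            user = ""; src = ""
            for (i = 1; i < NF; i++) {
                if ($i == "for")  user = $(i + 1)
                if ($i == "from") src  = $(i + 1)
            }
            if (src != "" && src != gw) print $4, user, src
        }'
}

sample_auth_log | direct_logins "$GATEWAY_IP"
```

Failed attempts are deliberately ignored here; the output is only the successful logins that skipped the gateway, which are the ones worth following up with the account holder.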

How do I create a web page?

By default, every user is allowed to host a web page (within the bounds of their quota) on the CMS users site. To do this, create a folder called public_html in your home directory, and ensure that the folder is world-readable and executable. Then any files you place in ~/public_html will be visible at http://users.cms.caltech.edu/~username

How do I password-protect my web page?

First, be aware that http://users.cms.caltech.edu is not encrypted, so the passwords involved will be sent as clear plain text. Any passwords you use here should not be related to your normal CMS password(s).

To password-protect a directory (in ~/public_html, or http://users.cms.caltech.edu/~user):

Create a file named .htaccess that contains:
AuthUserFile /home/user/public_html/.htpasswd
AuthType Basic
AuthName "User's Secrets"
Require valid-user

where "user" is your CMS username. You may optionally name "AuthName" anything you like.

NOTE: This password protects the directory and all sub-directories below where the .htaccess file is located. To protect specific files instead, replace the "Require" directive above with:
<Files "filename.html">
  Require valid-user
</Files>

Next, create the .htpasswd file by invoking (on LOGIN.CMS):
htpasswd2 -c [the location in "AuthUserFile"] username

where "username" is the username allowed access after authentication. The above command will prompt you for a password (twice, to confirm).

NOTE: the -c parameter specifies to CREATE the file, so if the file exists, it will be rewritten and truncated, eliminating any existing usernames/passwords.

Finally, make the two files, .htaccess and .htpasswd, group-accessible to the 'www' group so that the web server may read them. Remove world-read/write bits on the files as well, with:
chgrp www .htaccess
chgrp www .htpasswd
chmod o-rwx .htaccess
chmod o-rwx .htpasswd
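
To confirm the steps above took effect, the following check reads the AuthUserFile path out of .htaccess and verifies the group and permission bits on both files. It is an added example, not part of the CMS instructions; the function name audit_htfiles and the demo directory are hypothetical, and the group defaults to the 'www' group named above.

```shell
#!/bin/sh
# Added example: audit a directory protected with the .htaccess/.htpasswd
# steps above. Usage: audit_htfiles DIR [GROUP]
# Prints one line per problem and returns 0 only when none are found.
audit_htfiles() {
    dir=$1
    group=${2:-www}          # group the web server reads the files as
    problems=0
    note() { echo "PROBLEM: $1"; problems=$((problems + 1)); }

    [ -f "$dir/.htaccess" ] || { note "$dir/.htaccess is missing"; return 1; }

    # Password file named by the AuthUserFile directive.
    pwfile=$(awk 'tolower($1) == "authuserfile" { print $2; exit }' "$dir/.htaccess")
    if [ -z "$pwfile" ]; then
        note "no AuthUserFile directive in $dir/.htaccess"
    elif [ ! -f "$pwfile" ]; then
        note "AuthUserFile $pwfile does not exist"
        pwfile=""
    fi
    grep -qi '^[[:space:]]*Require[[:space:]]' "$dir/.htaccess" ||
        note "no Require directive in $dir/.htaccess"

    for f in "$dir/.htaccess" ${pwfile:+"$pwfile"}; do
        mode=$(ls -ld "$f" | cut -c1-10)              # e.g. -rw-r-----
        file_group=$(ls -ld "$f" | awk '{ print $4 }')
        case $mode in
            ???????---) ;;                            # no world bits set
            *) note "$f is accessible to all local users ($mode)" ;;
        esac
        case $mode in
            ????r?????) ;;                            # group can read
            *) note "$f is not group-readable ($mode)" ;;
        esac
        [ "$file_group" = "$group" ] || note "$f has group $file_group, expected $group"
    done
    [ "$problems" -eq 0 ]
}

# Demo on a constructed directory that still has world-readable files.
demo=$(mktemp -d)
printf 'AuthUserFile %s/.htpasswd\nAuthType Basic\nAuthName "Demo"\nRequire valid-user\n' \
    "$demo" > "$demo/.htaccess"
echo 'demo:placeholder-hash' > "$demo/.htpasswd"
chmod 644 "$demo/.htaccess" "$demo/.htpasswd"
audit_htfiles "$demo" || echo "audit reports problems before chgrp/chmod o-rwx"
rm -rf "$demo"
```
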
Topic revision: r1 - 2020-04-06, PatrickCahalan