Identity at MIT

February 25, 2005
Discussion at the Dean’s Council
Presented by Jerry Grochow
Agenda

Identification vs. Authentication vs. Authorization

What is Kerberos

Who can get a Kerberos ID

Guest Account Request Form

Existing Kerberos ID Breakdown

Identity at MIT

Kerberos ID provides access to…

Discussion Topics
Identification / Authentication / Authorization



MIT ID provides you an identification number
Kerberos allows your identity to be authenticated
Roles, and other systems, provide authorization
to access certain resources
However, implementation of these concepts is not consistent across
organizations and systems
What is Kerberos


Network authentication software that provides
security on physically insecure networks
Kerberos “provides the tools of authentication
and strong cryptography over the network to
help you secure your information systems
across your entire enterprise”
Kerberos IDs:
Key to access online, protected information
Easy to obtain
Who can get a Kerberos ID

All MIT community members (faculty, students, and
staff) are entitled to have a Kerberos ID.


If you know your MIT ID number, you can obtain a Kerberos ID
via the web
“A sponsored guest account is required for voucher or
temp staff, former students or staff who are no longer
eligible but need continuing access to their account, as
well as visitors who need an MIT electronic identity”


Account can be sponsored by any current member of the MIT
faculty or staff, but not students
Guest accounts are valid for up to 2 years and easily renewed
Guest Accounts:
- Easy online form (see following page)
- Valid for up to 2 years – renewal contact annually
Guest Account Request Form
Existing Kerberos ID Breakdown
Category     Current (MIT Fact Book ’05)   Number with Kerberos IDs
Faculty      983                           2473
Staff        9780                          11156
Undergrad    4136                          4697
Grad         6184                          6777
Guest        --                            2415
Other*       --                            988

* Other includes vouchers/temp (308), system accounts (245), pre-frosh (142), random project staff (214), etc.
Total of 28,506 IDs as of 2/13/2005
How Kerberos IDs are deactivated




Automatically in January after the graduation of
a student in the prior year.
Manually when notice is received from HR that
an employee has been terminated.
Manually when a guest’s sponsor does not
respond to a renewal request.
Almost never for faculty.
Identity at MIT
[Ovals not to scale]
People who have MIT Kerberos IDs – 28,500
People who are MIT employees, students, or “official” visitors – approx. 21,000
Small number of people who probably exist but we don’t know about (maybe null set)
Approx. 3400 people who are “sponsored” but with unknown affiliation
Former students, staff, etc. who still have Kerberos IDs – approx 2500
Hundreds of graduate students, plus a few staff who never got Kerberos IDs
People who have MIT ID numbers (includes former students, spouses, alums, etc.) – 113,800
Kerberos Identity Provides Access to…

Community Level






Email account
File space allocation
Athena – Academic computing facility
All library journals
MIT theses (non-MIT personnel are charged for access)
Web-certificate based services




Student Level



Educational discounts for computer purchases
Access to MIT-only web pages
Ability to download MIT licensed software
WebSIS – Online Student Information System
Lotteries – Campus ‘lotteries’ e.g., Housing, Phys.Ed.
Sloan Student Level


Sloan’s web portal
Sloan’s NT lab
Discussion Topics




Identification, authentication, and authorization
Linking MIT ID and Kerberos ID
Define policies for terminating Kerberos ID
Other topics of interest…