Changing password at first login
When you are issued a CAC user name, you should first log in to a login node. You will be prompted to change your password. You do this just once, and it should change your password for all CAC resources that require a login. Refer to the rules for creating passwords. After you change your password, you will be logged in.
The preferred way to log in to the Windows login node is to use a Remote Desktop Connection (formerly Terminal Services Client) to winlogin.cac.cornell.edu. Though you can use SSH to log in to the Windows login node, you will not be prompted to change your password if it's new or expired; you must use Remote Desktop to see these messages.
Here are the steps to follow on Windows:
- Log in with your CAC user name and your current password (the domain name should be CTC_ITH)
- From the desktop, choose "Windows Security" from the Start menu; or, if you are coming from Windows, enter the key combination Ctrl-Alt-End
- Choose "Change a password..." and enter your old and new passwords as indicated.
Old Password: 0ldpassw0rd!! New Password: newpassw0rd!! Confirm New Password: newpassw0rd!!
You can follow these steps on the head node of a private cluster; if your CAC project doesn't have a private cluster, you can follow them on linuxlogin.cac.cornell.edu. On many Linux clusters, when you first change your password, you will also be asked for an ssh passphrase. You can leave this blank--just hit the Enter key.
Assume that you have an old password '0ldpassw0rd!!' and a new password 'newpassw0rd!!'.
Here is what should happen:
$ ssh firstname.lastname@example.org Password: (ENTER 0ldpassw0rd!!) WARNING: Your password has expired. You must change your password now and login again! Changing password for user your_username. Kerberos 5 Password: (ENTER 0ldpassw0rd!!) New UNIX password: (ENTER newpassw0rd!!) Retype new UNIX password: (ENTER newpassw0rd!!) passwd: all authentication tokens updated successfully. Connection to linuxlogin closed.
If you get a token error it very likely means that the password is not complex enough. Your password must be a mix of any three of the following: lower case letters, upper case letters, numbers and some sort of punctuation to create an 8 character or longer password (it is slightly more complex; don't use your user name or previous password - more info in Password Policy ).
If you have additional trouble, you can use either the rdesktop client (for linux) or the Remote Desktop client (for Windows or Mac) to log into the Windows login node winlogin.cac.cornell.edu, then follow the instructions for Windows above. This gives you better information about password complexity issues during the password change.