How do I change my password?

You can change your password either by logging into one of the machines in the domain directly (at the terminal) or by sshing to

Using SSH is as simple as typing

ssh [yourusername]

at a command line, if you use a Linux machine. If you use Windows, you'll need to get an SSH client for Windows. You can download one of the freely available SSH clients off of the Internet, such as PuTTY. Use "" as the host name, and SSH (port 22) as the protocol.

At a command prompt, type in passwd then follow the instructions.


[somebody@login:~]> passwd

Press Enter

Changing password for user somebody.
Enter login(LDAP) password:

Type in your current password and press Enter

New password:

Type in your new password and press Enter

Retype new password:

Re-enter your new password and press Enter

LDAP password information changed for somebody
passwd: all authentication tokens updated successfully.

Your new password must:

  • be at least 6 characters in length
  • not be based on a dictionary word
  • contain a mix of alpha and non-alphanumeric characters
  • not be similar to your previous password

A common practice is to think of a phrase that you won't forget, like "My CMS password is really easy", and then take the first character of each word and make it your password, adding a punctuation mark. In the above example, your password would be "MCpire."

Note - don't use that particular example!

What's the password policy in CMS?

CMS has a password lifecycle of 180 days, adjusted to compensate for change-of-term and end-of-year. If you have a CMS account, you will be required to change your password twice a year.

You will be notified via the CMS department newsletter when a password changing event is coming up. For several days before your account is locked out, you will also be warned that your password is about to expire whenever you log into the CMS UNIX hosts.

If you need practical information on how to change your password, see "How do I change my password?" above.

When you change your password, you will be required to follow UNIX-style minimum password requirements. If you also have a Windows account, we suggest that you make your password fit the Windows-style minimum password requirements as well, so that you can use the same password for both accounts.

If you forget your password, and you need your account reset, you can email to contact the system administrators. We will need to be able to confirm your identity somehow in order to reset your account. The easiest method of accomplishing this is to physically walk over to our office, in 112 Annenberg, with your Caltech ID.

What is CMS's account policy?

When you request a CMS account through the CMS account request form, your account is created with a default expiration date of 4 years from your request date, or your estimated graduation date, whichever is earlier. This is for ease of administration - your CMS account may be culled if you are no longer affiliated with the Institute. If you are a visitor, your account is enabled only for the length of your stay at Caltech.

CMS accounts are intended for use by the requestor of the account ONLY. Do not share your CMS username and password with anyone.

Each account has a password expiration cycle of 180 days. You must change your CMS password at least once every 6 months. If you do not change your password, your interactive login access will be locked. 14 days before your password expires, you will be warned at a login prompt when you log into a CMS machine, either remotely via or at the console. Once your password expires, you have a 7 day grace period in which to change your password. You will also receive email warnings that your password is going to expire. Note that these email warnings go to your CMS account (IMSS account for undergrads), so if you do not read your CMS mail locally, forward your CMS mail to an active email account!

At the time of your expiration date, your account will become locked - that is, your account will still exist, but you will be unable to log in interactively.

One month after your account has expired, you will be reminded via email that your account has been expired, and at that point (if you still need your CMS account or expect that you will need your CMS account in the future) it is your responsibility to inform the CMS sysadmins ( that you wish to keep your account, the reason that you need to keep your account, and (if you are moving to a graduate student position) the sponsoring professor.

Six months after your account expiration date, your data store will be archived, your home directory removed, and your local mail delivery halted. This archival process is not backed up, so any data remaining in your home directory is no longer guaranteed to exist past the archival date.

As a service to former CMS students who have published their CMS mail accounts on academic papers, you may leave the CMS sysadmins with a forwarding address. We will continue to forward all email to your (username) account to that destination address, provided that the email delivery continues to be allowed. It is your sole responsibility to keep your forwarding address current. If your destination address consistently bounces/rejects mail, we will remove the mail forward.

Once we remove you from the mail alias list, we will not re-instate your mail forward.

We do not provide web redirection or other services to former holders of CMS accounts. Be aware that your CMS webspace is available only for the duration of your account.

If you do not graduate within 4 years, or if you stay at the institute as a graduate student, you may of course continue to use your CMS account. However, since there is no automated fashion in which we can acquire this information, it is again the responsibility of the CMS account holder to inform the CMS sysadmins (via that you are staying at the institution, and that you need your account active.

It may come to pass after undergraduate graduation or completion of a doctoral program that you will be continuing to collaborate on projects with existing CMS students or faculty. If this is going to be the case, you may inform the CMS sysadmins that you are requesting collaborator status. This MUST be accompanied by approval from a faculty member. Collaborator accounts are enabled for a 1 year block of time. At the end of the year, unless informed again by the faculty member of an extension for another 1 year period, your account will be expired following the process above.

Finally, it is always the responsibility of the CMS account holder to read all email originating from the CMS sysadmins, so that you will be kept abreast of system outages, changes, etc.

What is the remote login policy?

It is always better to log into your CMS account at a console - that is, sitting in front of a keyboard at the machine you're logging into.

This is of course not always feasible. If you are remotely logging into CMS machines, your sysadmins request that you follow these general rules:

  • Do not connect to CMS machines from unknown or untrusted hosts!

This means, don't log into CMS machines from a public terminal at a convention somewhere. If you are not absolutely certain of the security state of a public machine, and if that machine is compromised, you're giving away your username and password.

This also means that you need to be keeping your personal computer(s) up to date and patched with the latest security updates.

  • If you're connecting remotely to ANY resource in CMS, we ask that you start at

So if you need to connect to a particular machine for some reason, and you're coming from your home machine, ssh to, and then from connect to the machine you're trying to reach. This seems counter-intuitive, but that way the CMS system administrators can keep an eye on the individual auth logs and catch "strange" connections as possible security intrusions.

  • Do not chain through multiple hosts to get to CMS machines.

If you're sitting at your home machine, and you want to connect to CMS, ssh to directly. For example, don't connect to your account at Berkeley, then your account at your old high school, then your buddy's machine in West Germany, and finally to CMS. If there are any compromises on any of those other machines, you may be giving away your username and password.
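The auth-log review described in this section, sketched as an added example (not the CMS sysadmins' own tooling): it lists accepted sshd logins on internal hosts whose source address is not the login gateway. The gateway address, host names and log lines are constructed placeholders, and the classic syslog line layout is assumed.

```shell
#!/bin/sh
# Added example, not the CMS sysadmins' tooling. Assumes the classic syslog
# layout: "Mon DD HH:MM:SS host sshd[pid]: Accepted <method> for <user> from <ip> ..."

# flag_direct_logins GATEWAY_IP  (auth log on stdin)
# Prints "count host user source_ip method" for every accepted sshd login
# that did not originate from the gateway.
flag_direct_logins() {
    awk -v gw="$1" '
        $5 ~ /^sshd\[[0-9]+\]:$/ && $6 == "Accepted" && $8 == "for" && $10 == "from" {
            if ($11 != gw) seen[$4 " " $9 " " $11 " " $7]++
        }
        END { for (k in seen) print seen[k], k }
    ' | LC_ALL=C sort -k2
}

# Constructed sample: merged auth logs from two internal hosts. 192.0.2.10
# stands in for the login gateway; all names and addresses are made up.
sample_auth_log() {
    cat <<'EOF'
Mar  3 09:14:02 node7 sshd[2211]: Accepted publickey for alice from 192.0.2.10 port 51234 ssh2
Mar  3 09:20:41 node7 sshd[2290]: Failed password for bob from 198.51.100.23 port 40022 ssh2
Mar  3 09:20:55 node7 sshd[2290]: Accepted password for bob from 198.51.100.23 port 40022 ssh2
Mar  3 11:02:17 node9 sshd[913]: Accepted password for bob from 198.51.100.23 port 40418 ssh2
Mar  3 11:05:00 node9 sshd[950]: Accepted publickey for carol from 192.0.2.10 port 51888 ssh2
Mar  3 23:47:30 node7 sshd[4410]: Accepted password for bob from 198.51.100.23 port 41200 ssh2
EOF
}

# Logins that bypassed the gateway in the sample above.
sample_auth_log | flag_direct_logins 192.0.2.10
```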

How can I use IMAP to read my mail in CMS?

The IMAP server in CMS accesses mail stored in Maildir format in your home directory; more specifically the "Maildir" subdirectory in your home directory.

You can read/retrieve IMAP mail by pointing your IMAP client (Mozilla/Thunderbird/Outlook) at:

Use of SSL/TLS/StartTLS is required for the sake of security, to protect your password and privacy.

For detailed instructions on how to configure your mail, see these documents:

  • CanIt Pro End User Documentation
  • Thunderbird End User Documentation

How do I create a web page?

By default, every user is allowed to host a web page (within the bounds of their quota) on the CMS users site. To do this, create a folder called public_html in your home directory, and ensure that the folder is world-readable and executable. Then any files you place in "~/public_html" will be visible at

How do I password-protect my web page?

First, you need to be aware that is not encrypted and any passwords involved should not be related to your normal CMS password(s) because the passwords involved will be sent as clear plain text.

To password-protect a directory (in ~/public_html, or

Create a file named .htaccess that contains:

AuthUserFile /home/user/public_html/.htpasswd
AuthType Basic
AuthName "User's Secrets"
Require valid-user

where "user" is your CMS username. You may optionally name "AuthName" anything you like.

NOTE: This password protects the directory and all sub-directories below where the .htaccess file is located. To protect specific files instead, replace the "Require" directive above with:

<Files "filename.html">
  Require valid-user
</Files>

Next, create the .htpasswd file by invoking (on LOGIN.CMS):

htpasswd2 -c [the location in "AuthUserFile"] username

where "username" is the username allowed access after authentication. The above command will prompt you for a password (twice, to confirm).

NOTE: the -c parameter specifies to CREATE the file, so if the file exists, it will be rewritten and truncated, eliminating any existing usernames/passwords.

Finally, make the two files, .htaccess and .htpasswd, group-accessible to the 'www' group so that the web server may read them. Remove world-read/write bits on the files as well, with:

chgrp www .htaccess
chgrp www .htpasswd
chmod o-rwx .htaccess
chmod o-rwx .htpasswd
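
A check for the end state of the steps above, as an added example (not part of the original FAQ): it reads the AuthUserFile path out of .htaccess and reports any file that is still world-accessible, has the wrong group, or cannot be read by the web server's group. The function names are hypothetical, and the group defaults to the 'www' group this page names.

```shell
#!/bin/sh
# Added example: audits the end state of the .htaccess/.htpasswd steps above.
# "www" is the web-server group this FAQ names; pass another group as $2.
# Assumes AuthUserFile is an absolute path without spaces.

# file_findings FILE GROUP: print one line per problem found with FILE.
file_findings() {
    f=$1; want=$2
    if [ ! -f "$f" ]; then echo "MISSING $f"; return; fi
    line=$(ls -ld "$f")
    mode=$(printf '%s\n' "$line" | cut -c1-10)        # e.g. -rw-r-----
    grp=$(printf '%s\n' "$line" | awk '{ print $4 }')
    case $(printf '%s\n' "$mode" | cut -c8-10) in
        ---) ;;
        *) echo "WORLD-ACCESS $f ($mode): run chmod o-rwx" ;;
    esac
    [ "$grp" = "$want" ] || echo "WRONG-GROUP $f ($grp): run chgrp $want"
    [ "$(printf '%s\n' "$mode" | cut -c5)" = r ] ||
        echo "GROUP-UNREADABLE $f ($mode): web server cannot read it"
}

# audit_htprotect DIR [GROUP]: findings on stdout, status 1 if there are any.
audit_htprotect() {
    dir=$1; group=${2:-www}
    ht="$dir/.htaccess"; pw=
    if [ -f "$ht" ]; then
        pw=$(awk 'tolower($1) == "authuserfile" { gsub(/"/, "", $2); print $2; exit }' "$ht")
    fi
    out=$(
        file_findings "$ht" "$group"
        if [ -n "$pw" ]; then file_findings "$pw" "$group"
        elif [ -f "$ht" ]; then echo "NO-AUTHUSERFILE $ht"; fi
        if [ -f "$ht" ] && ! grep -qi '^[[:space:]]*Require[[:space:]]' "$ht"; then
            echo "NO-REQUIRE $ht: no Require directive, nothing is protected"
        fi
    )
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}

# Constructed demo: a throwaway directory as it looks before the chmod step.
demo_htprotect() {
    d=$(mktemp -d) || return
    printf 'AuthUserFile "%s/.htpasswd"\nAuthType Basic\nRequire valid-user\n' "$d" > "$d/.htaccess"
    printf 'demo:constructed-placeholder-hash\n' > "$d/.htpasswd"
    chmod 644 "$d/.htaccess" "$d/.htpasswd"
    # Findings are expected here, so the non-zero status is ignored.
    audit_htprotect "$d" "$(ls -ld "$d/.htaccess" | awk '{ print $4 }')" || true
    rm -rf "$d"
}

if [ $# -gt 0 ]; then audit_htprotect "$@"; else demo_htprotect; fi
```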

How do I print directly to the printers?

You should only ever print directly to the printer if you have a networked printer that is not for general use (such as a research group's color printer) or a printer that you can physically monitor. Never print a large print job directly to a printer without first checking with other users who may be using a print queue.

Public or semi-public printers in Annenberg include:

  • (instructional lab)
  • (first floor postdoc printer)
  • (second floor printer)
  • (third floor copy room printer)

If you use Windows Vista, Windows 7, or Mac OS X, the "add new printers" wizards in those operating systems can locate the printers by their DNS name, and drivers for those printers are included in the operating system.

If you use Windows XP, you will need to add the printers manually.

First, go to the printer's website and download the latest driver package for Windows 2000/XP for your printer. For the first floor printer "" and the third floor printer "", you need the HP Laserjet 4250 dtn driver. CMS sysadmins recommend the PostScript version of this driver instead of the PCL version of this driver, but you may occasionally have trouble with either depending upon what type of documents you print.

Download the file to your desktop, and double click on it to launch the executable. Click on "Run" to decompress the software, uncheck the "When done unzipping" box and unpack it to the default location (c:\drivers\hp4250):

After the unpacking is finished, click "Okay".

Now, we need to actually launch the Add New Printers wizard. Go to the Start... menu, choose Settings... Printers... This opens the Printers Control Panel.

Double click on "Add a Printer" under "Printer Tasks" on the left.

This launches the Add New Printer Wizard. Select "Next" to continue:


In the next window, select the radio button next to Local printer, but uncheck the box for Automatically detect and install my Plug and Play printer:


The next window is the Select the Printer Port window. By default, it will have "Use the following port:" selected (with LPT1). Click on the radio button next to "Create a new port" and in the pull down menu next to it, change it from Local Port to Standard TCP/IP Port:


This will launch another wizard - the "Add Standard TCP/IP Printer Port" Wizard:


Hit "Next" to continue. At this point it's going to ask you to enter a printer name or IP address (the printer names are listed above):


Hit "Next" to continue, and then hit "Finish" on the next screen to close the TCP/IP port wizard:


At this point it's going to ask you for the drivers:


Click on "Have Disk", then hit "Browse" and navigate to the folder that has the drivers:


The files will be located in c:\drivers\hp4250 if you've been following the directions precisely. Hit "Open" to continue:


Select the HP 4250 PS option, and hit "Next":


Name the printer appropriately in the printer name box, and click on "Yes" to make it your default printer. Then hit "Next" again:


It will then prompt you to either share the printer or not.

Do NOT share the printer!

Hit "Next":


Then Next again to print a test page. Assuming the test page comes out okay, you're all set!


What software is available via the campus site license?

Caltech has many software packages available for use by students, staff, and faculty. IMSS maintains the tracking of the usage and the management of the installation files. All campus licensed software can be acquired via the IMSS software licensing website.

You must be on campus or on the VPN to access the software licensing site.

Caltech also has a site license available for Windows Office XP, Microsoft FrontPage, Microsoft Project, Microsoft Visio, Visual Studio .NET, and Adobe Acrobat (the full version).

Finally, if you are a grad student or if you are working on a research project, your group may have access to some other applications. For more information, see your research group professor.

What is this .snapshot directory I keep seeing?

Snapshots are a native function of our file server. Whenever a directory is created, the system also creates a '.snapshot' directory in it. Four times a day, at 8am, noon, 4pm, and 8pm, the system links the data on disk that differs from the previous snapshot point into the appropriate snapshot, marked as something similar to:


There are:

  • hourly snapshots (done 4 times a day),
  • nightly snapshots (which is essentially the last hourly snapshot), and
  • weekly snapshots (which is basically the last nightly snapshot).

The system keeps:

  • the last 6 hourly snapshots,
  • the last 2 nightly snapshots, and
  • the last 2 weekly snapshots.

This ability to have in-line rotating backups allows you to quickly restore something that you have inadvertently deleted without waiting for the system admin to restore the data from tape.

However, you should definitely keep in mind that data that is not stored during a snapshot will not appear in a .snapshot at all.

In other words, if you:

  1. create a file at 9am.
  2. delete the same file at 11am.

the file has not been stored long enough to be captured in a snapshot, and cannot be recovered. (This is similar to tape backups where you create and destroy data before the backup process has had a chance to write it to a tape for offline archive.)

Also, you should note that snapshots are not for storing data as the data itself is part of your disk usage quota, and snapshots are rotated out every 2 weeks.

For obvious reasons, you cannot delete the .snapshot directory, though it should be "hidden" from most casual directory listings due to the name beginning with a .

What computational resources are available to me in the department?

Every member of the CMS department has access to the instructional lab on the first floor. Please read the acceptable use policy for the instructional lab before using the lab machines!

Currently, the CMS department does not maintain a general-access computational cluster. Some research groups have high-memory compute nodes available; you will need to see your research group professor.

Caltech has an HPC cluster for undergraduate instructional use.

Central IMSS has deployed a small compute cluster specifically for undergraduate use. The more use it gets, the more likely it is that additional resources can be funneled towards expanding it and adding additional functionality. See the BeaverWulf home page for more information.

If you're interested in running compute-intensive tasks such as large processing jobs or compiling software, you should explore using BeaverWulf.

My machine won't connect to the network. What might be causing this problem?

First, you may have a physical connection problem. In Annenberg, the wall plates have three jacks, but typically only two of the jacks are for network connectivity, while the third is for the digital phone system. Check your computer for a physical link light (generally, a solid amber light with a flickering green light on the port where the computer connects to the cable indicates that you're connected to the network). If there is no connection light, either you are plugged into a telephone jack, the cable is broken, or the network card in your computer is dead.

Second, you may have been blocked from accessing the campus network because your machine has been compromised. You can check to see if you're on IMSS Security's blocked list by visiting this security page from another computer and entering your MAC address.

It is difficult for IMSS Security to keep track of all the hosts on campus, and to ensure the campus network is safe, they sometimes need to block machines without knowing who is the user of the machine. If you are running your own machine (as opposed to a CMS-managed installation), we recommend that you register your MAC address with IMSS Security, so that they can contact you directly in the event your machine is compromised.

You can register your MAC at this URL

If you have multiple hosts to register, you can do that via this URL

How do I find out my MAC address?

There are many methods that will work, depending upon your operating system.

The easiest one for Windows is as follows:

Click on the "Start" menu

Choose "Run"

In the open box, type in:


and hit "enter". An old DOS style command window will open. Type in:

ipconfig /all

and hit "enter". You'll see the following output (or, rather, something like it):

Windows IP Configuration
Host Name:............... your hostname
Primary DNS suffix:......
Node Type:............... Hybrid
IP routing enabled....... No
WINS proxy enabled....... No
DNS suffix search list...

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix :
Description....................: Intel Pro/100 Network Connection
Physical Address...............: 00:07:10:4F:D2:01
...
etc
...

Your "Physical Address" is your MAC address.

How do I redirect my web page?

If you want to redirect your user-private web page to an off-CMS web site, the easiest way to do this is by putting an index.html file in your web directory (~/public_html on CMS systems) with the following contents:


How do I import the CMS Certificate Authority?

CMS maintains its own Certificate Authority (CA), which we use to sign SSL certificates for services run in CMS. Importing the CA certificate will allow your applications to trust any certificate signed by our CA, thus removing the need to import our certificates one at a time in your browser, etc.

You can get the public certificate for our CA from our PKI web page:

We have two CA certificates; the one that we use to sign SSL certificates is the CA: CMS-CA certificate.

Clicking on the "Download to Firefox" link, for example, will open the following dialogue box:


Click on all three check boxes, and hit the "OK" button to import the certificate. Now Firefox will trust the SSL certificates signed by the CMS CA.

To import the certificate into your email client, click on the "Download as PEM" link. A dialogue box will open; save the file (CMSCA.pem) to your desktop.

After the CA certificate has been downloaded, open up Thunderbird. Choose the "Tools" menu, and then "Options".


Click on the "View Certificates" button. The following window will open. Hit "Import" to continue:


Browse to the CMSCA.pem file and select it:


A dialogue box similar to the one pictured above will open. Click all three check boxes and hit "OK". Your mail client will now import the CA certificate.