HP UX Kerberos Data Security Software manual Require Password Change Attribute

Page 182

Administration

Manual Administration Using kadmin

	• Service principal, the service accepts TGTs only from user
	principals who obtained a TGT using a preauthentication protocol
	Client applications require preauthentication by default; however, a
NOTE
	client can override this setting.
	To modify the parameter type attr for the principal admin, to set the

	Require Preauthentication Attribute, you need to do the following:
	Command: mod
	Name of Principal to Modify: admin
	Parameter Type to be Modified (attr,fcnt,vno or quit) :attr
	Attribute (or quit): {preauthnopreauth}
	Principal modified.
	Require Password Change Attribute
	The Require Password Change attribute determines whether a
	principal must change the user’s password during the next
	authentication attempt. When this attribute is set, users are required to
	change their passwords.
	When a new principal is added to the database or when a principal’s
	password is changed, this attribute is controlled by the NoReqChangePwd
	setting in the principal’s password policy ﬁle. By default,
	NoReqChangePwd is set to zero, meaning the user must change their
	password at ﬁrst logon.
	If a random key is designated for a principal using Administrator or the
	kadmin addrnd command, the Require Change Password attribute is
	not set by default. As a result, a service principal with an extracted key
	is not required to have a new key extracted at the next authentication
	attempt.
	To modify the parameter type attr for the principal admin, to set the
	Require Password Change Attribute, you need to do the following:
	Command: mod
	Name of Principal to Modify: admin
	Parameter Type to be Modified (attr,fcnt,vno or quit) :attr
	Attribute (or quit): {pwchgnopwchg}
	Principal modified.

182

Chapter 6

Image 182

Contents Edition Manufacturing Part Number T1417-90003 E0602Legal Notices Page Page Contents Administration Contents Contents Inter-realm Troubleshooting Glossary Index Contents Tables Tables Figures Figures Preface Related Software Products Accessing the World Wide WebAudience Related DocumentationRelated Request for Comments RFCs Conventions WidthUsing This Manual Glossary Index Overview Chapter Overview How The Kerberos Server Works Conﬁguring and Administering the Kerberos Server on HP-UX Authentication Process Authentication Process StepTGT Authentication Process Authentication Process Krbtgt/REALM Name is the ticket-granting principal. This is DES vs 3DES Key Type SettingsMust be assigned a key type or default keys issued by Is added to the database. The krbtgt/REALM NAMEprincipalInstallation Installation Before Installing The Kerberos Server Hardware Requirements Software Requirements Installing The Kerberos Server With SD-UX Installing The Kerberos Server Chapter Migration Migration Policy Migration on Step-wise Procedure For Migration on Policy Migration Step-wise Procedure For Migration For version 2.0 of the Kerberos Server, as described in Step On successful completion the following message is displayed Step-wise Procedure For Migration Chapter Interoperability With Windows Interoperability With Windows Chapter Overview Understanding the Terminology Understanding the Terminology Table of Analogous Terms Table of Analogous Terms HP’s Kerberos Server WindowsHP’s Kerberos Server and Windows 2000 Interoperability CaseEstablishing Trust Between HP’s Kerberos Servers and Windows Single Realm Domain Authentication Inter-Realm Inter-Domain Authentication Encryption Considerations Special Considerations for InteroperabilityDatabase Considerations Postdated TicketsSpecial Considerations for Interoperability Chapter Conﬁguration Conﬁguration File Conﬁguration Files For The Kerberos ServerSecurity Server Files That Require Conﬁguration Auto-Conﬁguration of the Security Server Auto-Conﬁguration of the Security Server Return to the main menu Manual Conﬁguration Of The Kerberos Server Editing the Conﬁguration FilesManual Conﬁguration Of The Kerberos Server Krb.conf Krb.conf FormatRealm Sample krb.conf File Reference Krb.realms Krb.realms Format Krb.realms Sample krb.realms Sample krb.realms Chapter Conﬁguring The Primary Server Creating The Principal Database After Installation Administrator Add An Administrative PrincipalTo add an administrative principal using Run Command-Line-Administrator,kadmin Create The host/fqdn principal And Extract Its Service Key Start the Kerberos daemons Deﬁne Secondary Server Network Locations Security Policies Password Policy FileAdminaclﬁle Starting the Security Server Summary Sbin/initd/krbsrv start Copy the Kerberos Conﬁguration File Conﬁguring The Secondary Security ServersCreate the Principal Database Create a host/fqdn Principal and Extract Its Key Administration Administration Administering the Kerberos Database Kadmind Adminaclﬁle Assigning Administrative Permissions List prinicpal. This is redundant with i or Adding Entries to the adminaclﬁle How the r/R Modiﬁers Work Creating Administrative AccountsUsing Restricted Adminsitrator 100 Default Password Policy Settings for the base group Password Policy FileEditing the Default File Password Policy setting Default102 Principals 104 Adding New Service Principals Adding User PrincipalsReserved Service Principals Chapter 107 Do not remove or modify this principal entry Remove Special Privilege Settings Removing User PrincipalsProtecting Secret Keys Removing Service Principals Kadmin Vs kadminl Administration ToolsAdministration Tools Tool Name Tool Description Administrator Standard Functionality of the Administrator ApplyLocal Administrator kadminlui Usage of kadminluiChapter 117 Principals Tab Principals TabChapter 119 General Tab Principal Information window General Tab Principal Information WindowChapter 121 Adding Principals to the Database To add a principalSame settings To simultaneously add multiple principals withCreating an Administrative Principal To create an administrative principalChapter 125 Search Criteria Finding a PrincipalTo search for a principal Chapter 127 128 Deleting a Principal To delete a user principalLoading Default Values for a Principal To reload the default values for a principalTo restore previously saved values for a principal Restoring Previously Saved Values for a PrincipalChanging Ticket Information To change ticket informationChapter 133 Rules for Setting Maximum Ticket Lifetime ExampleRules for Setting Maximum Renew Time ExamplesChanging Password Information To change the password informationA principal’s password. You must inform the principal Password at their next logonWindow Password Tab Principal InformationPassword Tab Principal Information Window Chapter 139 Change Password window Password tab Change Password Window Password TabChapter 141 Changing Key Types To change a DES principal’s key type to 3DESChapter 143 Changing Principal Attributes To change principal attributesAttributes Tab Principal Information Attributes Tab Principal Information Window146 Chapter 147 148 Chapter 149 Deleting a Service Principal To delete a service principalExtracting Service Keys To securely extract principal keys to the service key152 Extract Service Key Table window Extract Service Key Table Window154 Using Groups to Control Settings To edit the default groupGroup Information window Principal Group Information Window Principal Attributes Setting the Default Group Principal AttributesDefault Principal Attributes Setting Administrative Permissions To set administrative permissionsAdministrative Permissions Administrative PermissionsChapter 161 162 Realms Tab Realms TabRealm Information window Realms tab 10 Realm Information Window Realms TabAdding a Realm To add a realmDeleting a Realm To delete a realmRemote Administrator kadminui 168 Administration Manual Administration Using kadmin Chapter 171 Add a New Principal Add Random KeyDelete a Principal Specify New PasswordChange Password to a New Randomly Generated Password Extract a Principal List the Attributes of a Principal Modifying a PrincipalTo modify the principal admin, you need to do the following Number of Authentication failures fcntKey Version Number Attribute AttributesAllow Postdated Attribute Allow Renewable AttributeAllow Forwardable Attribute Allow Proxy Attribute Require Preauthentication Attribute Allow Duplicate Session Key AttributeRequire Password Change Attribute Allow as Service Attribute Lock Principal AttributeRequire Initial Authentication Attribute FollowingAuthentication Set As Password Change Service Attribute TgtbasedPassword Expiration Attribute Principal Expiration Attribute Maximum Ticket Lifetime AttributeSalt Type Attribute Maximum Renew Time AttributeKey Type Attribute Chapter 189 Principal Database Utilities Principal Database Utilities If you want to Use This ToolCreating the Kerberos Database 192 Database Encryption Database Master Password Destroying the Kerberos Database Dumping the Kerberos Database Loading the Kerberos Database Stashing the Master Key Chapter 199 Situations that require Starting and Stopping Daemons Services Situation Daemons and ServicesStarting and Stopping Daemons Protecting Security Server Secrets Maintenance TasksMaster Password Host/fqdn@REALMBacking Up Primary Server Data Special Note on Backing up the Principal DatabaseChapter 203 Removing Unused Space From the Database Chapter 205 206 Propagation 208 Propagation Hierarchy Propagation RelationshipsMaintaining Secret Keys In The Key Table File Service Key Table v5srvtabExtracting a Key to the Service Key Table File Creating a New Service Key Table File Deleting Older Keys From the Service Key Table FilePropagation Tools Propagation Tools If You Want To Use This ToolChapter 213 Kpropd Mkpropcf 216 Kpropd.ini Defaultvalues section SectionsChapter 219 Secsrvname Section Examples All servers contain the following entries222 Prpadmin Setting Up Propagation Chapter 225 226 Chapter 227 228 Monitoring the Log File Critical Error MessagesMonitoring Propagation Monitoring Propagation Queue Files Monitoring for Old File Date and Large File SizePrincipal.ok Time Stamp Does Not Update Comparing the Database to its CopiesAuthentication Problems Occur Administration Appears NormalNumber of Principals Does Not Match Log Files Indicate ProblemsAuthentication Tests Succeed KdbdumpRestarting Propagation Using the Simple Process Restarting Propagation Using the Full Dump Method Propagation FailureConverting a Secondary Server to a Primary Server Restarting Services Cleaning the Temp Directory238 Primary Servers That Support Multiple Realms Conﬁguring for Multi-realm EnterprisesNumber of Realms per Database Database Propagation for Multi-realm Databases Multiple Primary Servers That Support a Single RealmAdding More Realms to a Multi-realm Database To Conﬁgure a propagation in a multi-realm environment 242 Inter-realm 244 Two-way Trust Considering Trust RelationshipsOne-way Trust Hierarchical Trust Other Types Of TrustChapter 247 248 Chapter 249 Conﬁguring Direct Trust Relationships Direct Trust Relationship Example Hierarchical Inter-realm Example Hierarchical Inter-realm TrustHierarchical Chain of Trust Hierarchical Inter-realm Conﬁguration 254 Chapter 255 256 Chapter 257 258 Troubleshooting 260 Chapter 261 Characterizing the Problem Chapter 263 Diagnostic Tools Summary Diagnostic ToolsLogging Capabilities Troubleshooting KerberosError Messages Services Checklist Unix Syslog FileTroubleshooting Techniques Table of Errors Messages Chapter 269 270 Locking and Unlocking Accounts General ErrorsForgotten Passwords Clock Synchronization Typical User Error Messages Decrypt integrity check failedService key not available while getting initial ticket Administrative Error MessagesPassword has expired while getting initial ticket ActionChapter 275 Reporting Problems to Your Hewlett-Packard Support Contact Chapter 277 278 Glossary Glossary Glossary 281 Ticket-granting-ticket Symbols Index284 285

Related manuals

Manual 327 pages 9.34 Kb

Manual 13 pages 9.67 Kb