Administering the Kerberos Server
Manual Administration Using kadmin
Following is a sample output of the Password Change Service attribute:
Command: mod
Name of Principal to Modify: admin
Parameter Type to be Modified (attr, fcnt, vno, policy,dn or quit) :attr
Attribute (or quit): {cpwsrv|nocpwsrv}
Principal modified.
Password Expiration Attribute
A principal password may have a finite or an infinite lifetime. The expiration time of a password depends on the following factors, including the principal type:
• Service principals – The secret key stored in the service key table file on the host of the service does not expire. However, HP recommends that you extract new random keys periodically for best security practices. See “Maintaining Secret Keys in the Key Table File” on page 244 for more information.
• User principals – The expiration time for the password of a user depends on the settings designated for the principal account.
Activating the Password Expiration attribute makes a principal subject to the password expiration policy. You are prompted to change the password before the expiration date. If you do not enable the Password Expiration attribute, the password of the current principal never expires.
NOTE: The password expiration date is stored on the Kerberos server with each principal. When you change the password, the current date and the expiration value also change in the password policy file. Before the password expires, you are notified that the password is about to expire. The NotifyTime parameter controls the advance notice timing in the password policy file. If you ignore the advance notice and the expiration date elapses, you must change the password before you can obtain any more tickets from the Kerberos server.