Administering the Kerberos Server

Manual Administration Using kadmin

The following sample output shows the Password Change Service attribute being modified:

Command: mod

Name of Principal to Modify: admin

Parameter Type to be Modified (attr, fcnt, vno, policy,dn or quit) :attr

Attribute (or quit): {cpwsrvnocpwsrv}

Principal modified.

Password Expiration Attribute

A principal password may have a finite or an infinite lifetime. The following factors, including the principal type, control the expiration time of a password:

Service principals – The secret key stored in the service key table file on the host of the service does not expire. However, HP recommends that you extract new random keys periodically as a security best practice. See “Maintaining Secret Keys in the Key Table File” on page 244 for more information.

User principals – The expiration time for the password of a user depends on the settings designated for the principal account.

Activating the Password Expiration attribute holds a principal to the password expiration policy. You are prompted to change the password before the expiration date. If you do not enable the Password Expiration attribute, the password of the current principals never expires.

NOTE

The password expiration date is stored on the Kerberos server with each principal. When you change the password, the current date and the expiration value also change in the password policy file.

Before the password expires, you are notified that the password is about to expire. The NotifyTime parameter controls the advance notice timing in the password policy file. If you ignore the advance notice and the expiration date elapses, you must change the password before you can obtain any more tickets from the Kerberos server.
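The expiration rules above can be checked across an inventory of principals. The following Python is an added example, not HP's code and not kadmin output: the record fields, the finding names, the 14-day notice period and the 90-day service key age are assumptions, and the inventory is constructed sample data.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

@dataclass
class Principal:                       # hypothetical record, not a kadmin format
    name: str
    kind: str                          # "user" or "service"
    pw_expiration: bool                # Password Expiration attribute enabled?
    last_change: datetime              # last password or key change
    expires: Optional[datetime] = None # stored expiration date, if any

def classify(p, now, notify_time, max_key_age):
    """Map one principal to a finding, following the rules in the text."""
    if p.kind == "service":
        # Key table secrets never expire, so key age is the only signal.
        return "ROTATE_KEY" if now - p.last_change > max_key_age else "OK"
    if not p.pw_expiration or p.expires is None:
        return "NEVER_EXPIRES"         # attribute off: password never expires
    if now >= p.expires:
        return "EXPIRED"               # no tickets until the password changes
    if now >= p.expires - notify_time:
        return "NOTICE"                # inside the advance-notice window
    return "OK"

def audit(principals, now, notify_time=timedelta(days=14),
          max_key_age=timedelta(days=90)):
    """Return {name: finding} for every principal that is not OK."""
    out = {}
    for p in principals:
        finding = classify(p, now, notify_time, max_key_age)
        if finding != "OK":
            out[p.name] = finding
    return out

# Constructed sample inventory (names and dates are illustrative only).
NOW = datetime(2024, 6, 1)
SAMPLE = [
    Principal("alice", "user", True, datetime(2024, 3, 1), datetime(2024, 8, 28)),
    Principal("bob", "user", True, datetime(2024, 3, 10), datetime(2024, 6, 8)),
    Principal("carol", "user", True, datetime(2024, 2, 1), datetime(2024, 5, 1)),
    Principal("admin", "user", False, datetime(2022, 1, 1)),
    Principal("host/web1", "service", False, datetime(2023, 11, 1)),
    Principal("host/db1", "service", False, datetime(2024, 5, 15)),
]

if __name__ == "__main__":
    for name, finding in audit(SAMPLE, NOW).items():
        print(f"{name:12} {finding}")
```
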

Chapter 8

221