Administering the Kerberos Server

Manual Administration Using kadmin

Because the expiration time is calculated from the time you add a new principal to the database, the password change load on the server is distributed over time. Therefore, you can select a password expiration in the default group principal template without affecting the administrative load, provided you add new principals over a period of time.

To modify the parameter type attr of the principal admin to set the Password Expiration attribute, you need to execute the following:

Command: mod

Name of Principal to Modify: admin

Parameter Type to be Modified (attr, fcnt, vno, policy, dn or quit): attr

Attribute (or quit): {cpwexp | nocpwexp}

Principal modified.

Principal Expiration Attribute

The Principal Expiration attribute determines the expiration time of a principal account. You can set the expiration time to a definite time or to never. An expired principal account is essentially locked; it can no longer be used to access the security network. However, this account can be re-enabled by resetting the expiration time, because the principal still exists in the principal database.

Setting a principal expiration time may be useful for granting access to temporary employees. However, if you specify an expiration date for the default group principal, all principals added using that template setting will expire at the same time. You must consider the administrative requirements of expiring all principal accounts on the same day.

You cannot set this attribute using the command-line administrator.

Maximum Ticket Lifetime Attribute

The Maximum Ticket Lifetime attribute determines the maximum lifetime for an initial or service ticket that the principal requests. If you set the lifetime to a time longer than the lifetime assigned to the krbtgt/REALM@REALM principal, the settings in the krbtgt/ principal take precedence.

You may choose to set a maximum ticket lifetime for the default group template that is different from the krbtgt/ principal if you plan to enter a block of users that have restricted ticket lifetimes. After adding the block of user principals, you can alter the default group setting again.
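The lifetime and expiration rules described above, as an added model in Python that is not the product's own code or any part of kadmin; the Principal fields, the sample entries, the constructed dates and the status labels are assumptions made for illustration:

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

@dataclass
class Principal:
    """Constructed model of a principal entry; field names are assumptions."""
    name: str
    password_expires: Optional[datetime]  # None: password never expires
    account_expires: Optional[datetime]   # None: principal never expires
    max_ticket_lifetime: timedelta        # longest ticket this principal may request

# Constructed krbtgt/REALM@REALM entry: its maximum lifetime takes precedence.
KRBTGT = Principal("krbtgt/REALM@REALM", None, None, timedelta(hours=10))

def effective_ticket_lifetime(p: Principal, krbtgt: Principal, requested: timedelta) -> timedelta:
    """Lifetime actually granted: the request is capped by the principal's own
    maximum, which is itself capped by the krbtgt/ principal's setting."""
    return min(requested, p.max_ticket_lifetime, krbtgt.max_ticket_lifetime)

def account_status(p: Principal, now: datetime) -> str:
    """An expired principal is locked outright; an expired password only
    forces a change. The entry stays in the database in both cases."""
    if p.account_expires is not None and now >= p.account_expires:
        return "locked"
    if p.password_expires is not None and now >= p.password_expires:
        return "password-expired"
    return "active"

def reenable(p: Principal, new_expiry: Optional[datetime]) -> Principal:
    """Re-enable a locked account by resetting its expiration time."""
    p.account_expires = new_expiry
    return p

def demo() -> dict:
    """Walk constructed principals through the rules; returns plain values."""
    now = datetime(2024, 6, 1, 9, 0)
    temp = Principal("temp.clerk", now + timedelta(days=30), now + timedelta(days=14), timedelta(hours=8))
    staff = Principal("staff", None, None, timedelta(hours=48))
    request = timedelta(hours=24)
    return {
        "temp_hours": effective_ticket_lifetime(temp, KRBTGT, request) / timedelta(hours=1),
        "staff_hours": effective_ticket_lifetime(staff, KRBTGT, request) / timedelta(hours=1),
        "before": account_status(temp, now),
        "after_expiry": account_status(temp, now + timedelta(days=15)),
        "after_reset": account_status(reenable(temp, now + timedelta(days=60)), now + timedelta(days=15)),
    }
```

The staff entry shows the precedence rule: its 48-hour maximum is cut back to the krbtgt/ principal's 10 hours, while the temporary account is cut back to its own 8 hours.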


Chapter 8