HP UX Kerberos Data Security Software manual 110

Administration

Principals

Protecting Secret Keys

User principals must provide their passwords during authentication to create their secret keys. For best security, users should be required to periodically change their passwords.

This version of Kerberos has two methods of enforcing that users change their passwords. A user principal is required to change their passwords when:

•A system administrator enables the Password Change Required attribute. In this case, the user principal must change their passwords at the next logon.

•The password expiration date is exceeded. The expiration is calculated from the information in the password policy file, or the date set for the principal account using one of the Kerberos Server administrative tools. If the password has expired, the user principal must change its passwords.

In both the situations, users can change their passwords using kpasswd on UNIX. The user must enter the current password, followed by the new password twice to verify the new password string. The principal’s new password is automatically checked against the password policy file to ensure that it meets the enterprise criteria for secure passwords. Using the password policy file, you can specify rules that force users to build the kinds of passwords that can prevent easy discovery or cracking with brute-force methods. For more information on the Password Policy File, refer to “Password Policy File” on page 101.

An administrator using a principal account with the required administrative permissions can also change a user principal’s password. The administrator is not required to know the current password to change the password.

When a principal’s password is changed using one of the Kerberos Server’s administrative tools, the password is not verified against the password policy file. For this reason, the password set by an administrator must, by default, be changed the next time the user attempts to authenticate using the account. The Change Password Required attribute is automatically enabled. The user must know the temporary password created by the administrator at the next log on, so you must develop a secure method for communicating the temporary password to the user.