Administration

Manual Administration Using kadmin

Normally, you would select the Set As Password Change Service attribute for only the service principal defined as a change password service. You can add other Change Password service principals to the principal database if you have created custom applications that require different password service principals.

To set the Set As Password Change Service attribute on the principal admin, modify the attr parameter type of that principal as follows:

Command: mod

Name of Principal to Modify: admin

Parameter Type to be Modified (attr, fcnt, vno or quit): attr

Attribute (or quit): {cpwsrv|nocpwsrv}

Principal modified.

Password Expiration Attribute

A principal password can have either a finite or an infinite lifetime. Expiration time is controlled by several factors, including the principal type:

Service principals - The secret key stored in the service key table file on the service's host does not expire. However, we recommend extracting new random keys periodically as a best security practice. Refer to "Maintaining Secret Keys In The Key Table File" on page 210 for more information.

User principals - The expiration time for a user’s password depends on the settings designated for the principal account.

Enabling the Password Expiration attribute subjects a principal to the password expiration policy. The user is prompted to change the password before the expiration date. If the Password Expiration attribute is not enabled, the principal's current password never expires.

NOTE

The password expiration date is stored in the security server with each principal. It is changed to the current date plus the Expiration value in the password policy file when a user changes the password. Before the password expires, the user is given advance notice that their password is about to expire. The advance notice timing is controlled by the NotifyTime parameter in the password policy file.
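The expiration rules above, worked through as an added example that is not part of this manual or of the security server's own code: it reads the Expiration and NotifyTime parameters from a constructed policy file (the key = value layout and the day unit are assumptions), computes the expiration date stored after a password change, and reports whether a principal is fine, inside the notification window, expired, or exempt (service principals and principals without the Password Expiration attribute).

```python
from datetime import date, timedelta

# Constructed sample of a password policy file. Only the parameter names
# Expiration and NotifyTime come from the manual; the key = value layout
# and the interpretation of the values as days are assumptions.
SAMPLE_POLICY = """
# password policy (constructed sample)
Expiration = 90
NotifyTime = 14
"""


def parse_policy(text):
    """Return {parameter: int} from assumed 'key = value' lines; '#' starts a comment."""
    policy = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition("=")
        policy[key.strip()] = int(value.strip())
    return policy


def new_expiration(change_date, policy):
    """Expiration date stored with the principal after a password change:
    the change date plus the policy's Expiration value (assumed to be days)."""
    return change_date + timedelta(days=policy["Expiration"])


def password_status(today, expiration, policy,
                    expiration_enabled=True, service_principal=False):
    """Classify a principal's password as 'never', 'ok', 'notify' or 'expired'.

    Service principals keep their key-table key without expiry, and a user
    principal without the Password Expiration attribute never expires either.
    Within NotifyTime days of the expiration date the user should be warned.
    """
    if service_principal or not expiration_enabled or expiration is None:
        return "never"
    if today >= expiration:
        return "expired"
    if today >= expiration - timedelta(days=policy["NotifyTime"]):
        return "notify"
    return "ok"
```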

186

Chapter 6