Planning and Configuring HP DCE 1.7

Planning and Conﬁguring HP DCE 1.7 1-17

About HP DCE/9000 Version 1.7

Notes, Cautions and Warnings Regarding This Release

ANSI C Requirement for HP DCE/9000

Hewlett-Packard supports only the ANSI C compiler for building HP

DCE applications. Hewlett-Packard cannot provide support for problems

with HP DCE applications that were not compiled using the ANSI C

compiler.

This restriction also applies to applications on HP-UX 10.x systems built

using the HP-UX user-space threads library (libcma).

dce_login -r Option

Starting with HP DCE 1.4, the -r option, which refreshes a user’s

credentials, was added to dce_login. Users are encouraged to use

dce_login -r rather than kinit to refresh their credentials, since

dce_login -r uses the more secure DCE Third-party preauthentication

protocol, whereas kinit uses the less secure Kerberos 5 Timestamps

protocol.

Removing DCE Credentials

A user’s DCE credentials (stored in the directory

/var/opt/dce/security/creds) are not automatically removed by exiting

a shell or logging out. Unless you plan to leave background processes

running that require your DCE credentials, you should manually remove

your credentials before logging out by running the kdestroy utility. This

will make the system more secure by decreasing the opportunity for

someone to maliciously gain access to your network credentials.

The kdestroy command has been modiﬁed to allow destruction of

credentials older than a speciﬁed number of hours. kdestroy -e

exp-period may be run manually or regularly as a cron job to purge older

credential ﬁles. See the kdestroy (1) man page for syntax and usage

information.

Credentials are automatically removed at system boot.