Planning and Configuring HP DCE 1.8

Chapter 6
HP-UX Integrated Login
Integrating DCE with HP-UX Integrated Login
Make sure the DCE Security Registry is not set up to hide exported
passwords. When exported passwords are hidden, passwd_export
does not export the encrypted passwords from the DCE Security
Registry to /etc/passwd. You can verify this property of the DCE
Security Registry by running dcecp and issuing the command
registry show at the prompt. You can disable hidden passwords by
issuing the command registry modify -hidepwd no at the prompt.
To change this property, you must have cell_admin DCE credentials.

NOTE If you wish to take advantage of the increased security provided by the
DCE Security Registry hidden passwords policy, do not configure ux as a
fallback technology. Specify DCE as the primary login technology, with
no fallback login technology.

Set up a cron job to export information from the DCE Security
Registry to /etc/passwd. You are asked, during the activation
process, whether or not to set up such a cron job. With your approval,
a passwd_export cron job is set up. If NSS-DCE is activated, this
cron job is run once every day. Otherwise, it is run once every hour.
You can adjust this frequency by using the crontab(1) command.
Frequencies greater than once per hour are not recommended.

If you wish to prevent a certain user from logging in to the local
system, create an entry for that user in the passwd_override file
and place the word "OMIT" in the password field of the entry.
passwd_export will exclude those entries from /etc/passwd when
transferring information from the DCE Security Registry.

Users who configure DCE as the primary login and UNIX as the backup
technology should be aware that the UNIX backend is useful as a backup
only for names and passwords that meet UNIX requirements,
restrictions, and semantics. Also, be aware that configuring the UNIX
backend as a backup technology can cause the following known
problems:

If the DCE registry enforces hidden passwords (which it does by
default), an asterisk (*) is placed in /etc/passwd for all entries and
the UNIX backup will be unable to process any password. Therefore,
configuring UNIX as the fallback login technology will fail to
authenticate the user and cause confusion when attempting to
change a password. Unless you plan not to enforce hidden passwords,
do not configure UNIX as the backup technology.
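
A check that can be run after passwd_export to confirm the two behaviors described above (OMIT entries excluded, asterisks written when passwords are hidden). This is an added example, not HP code. It assumes passwd_override entries use the colon-separated /etc/passwd layout; the function names are hypothetical and the sample data is constructed.

```sh
#!/bin/sh
# Added example, not HP code. Assumption: passwd_override entries use the
# colon-separated /etc/passwd layout, with the password in field 2.

# Users marked OMIT in the override file ($1) that still appear in the
# passwd file ($2). Any output means the exclusion did not take effect.
omit_leaks() {
    awk -F: '
        FILENAME == ARGV[1] { if ($2 == "OMIT") omit[$1] = 1; next }
        ($1 in omit)        { print $1 }
    ' "$1" "$2"
}

# Users in the passwd file ($1) whose password field is "*". With hidden
# passwords these are the accounts a UNIX fallback cannot authenticate.
# Local accounts that were already set to "*" are listed as well.
starred_users() {
    awk -F: '$2 == "*" { print $1 }' "$1"
}

# Report both findings; return 1 if an OMIT user was exported anyway.
audit_export() {
    leaks=$(omit_leaks "$1" "$2")
    echo "entries with '*' password field: $(starred_users "$2" | wc -l | tr -d ' ')"
    [ -z "$leaks" ] && return 0
    echo "OMIT users still present:" $leaks
    return 1
}

# Constructed sample data (not from a real system).
demo_dir=$(mktemp -d)
cat > "$demo_dir/passwd_override" <<'EOF'
mallory:OMIT:205:20::/home/mallory:/sbin/sh
root:CONSTRUCTEDHASH:0:3::/:/sbin/sh
EOF
cat > "$demo_dir/passwd" <<'EOF'
root:CONSTRUCTEDHASH:0:3::/:/sbin/sh
alice:*:201:20::/home/alice:/usr/bin/ksh
bob:*:202:20::/home/bob:/usr/bin/ksh
mallory:*:205:20::/home/mallory:/sbin/sh
EOF

audit_export "$demo_dir/passwd_override" "$demo_dir/passwd" || echo "audit: FAILED"
rm -rf "$demo_dir"
```

On a live system, pass the path of the local passwd_override file and /etc/passwd as the two arguments to audit_export.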