Planning and Configuring HP DCE 1.8

Chapter 1
About HP DCE/9000 Version 1.8
Notes, Cautions and Warnings Regarding This Release
compiler.
This restriction also applies to applications on HP-UX 10.x systems built
using the HP-UX user-space threads library (libcma).
dce_login -r Option
Starting with HP DCE 1.4, the -r option, which refreshes a user's
credentials, was added to dce_login. Users are encouraged to use
dce_login -r rather than kinit to refresh their credentials, since
dce_login -r uses the more secure DCE Third-party preauthentication
protocol, whereas kinit uses the less secure Kerberos 5 Timestamps
protocol.
Removing DCE Credentials
A user's DCE credentials (stored in the directory
/var/opt/dce/security/creds) are not automatically removed by
exiting a shell or logging out. Unless you plan to leave background
processes running that require your DCE credentials, you should
manually remove your credentials before logging out by running the
kdestroy utility. This will make the system more secure by decreasing
the opportunity for someone to maliciously gain access to your network
credentials.
The kdestroy command has been modified to allow destruction of
credentials older than a specified number of hours. kdestroy -e
exp-period may be run manually or regularly as a cron job to purge
older credential files. See the kdestroy (1m) man page for syntax and
usage information.
Credentials are automatically removed at system boot.
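The following shell audit is an added example, not part of the HP documentation. It lists credential files in the credentials directory that are older than a given number of hours, which is a way to confirm that a scheduled kdestroy -e purge is actually running. It assumes a find that supports -mmin (GNU/BSD find) and uses file modification time as the measure of age; the function names are hypothetical.

```sh
#!/bin/sh
# Added example: report DCE credential files that have outlived a purge window.
# Assumption: find supports -mmin (GNU/BSD find). Function names are hypothetical.

CREDS_DIR=/var/opt/dce/security/creds   # credentials directory named on this page

# stale_find DIR HOURS ACTION...
# Run find ACTION on regular files in DIR last modified more than HOURS hours ago.
stale_find() {
    dir=$1
    hours=$2
    shift 2
    case $hours in
        ''|*[!0-9]*|0?*)
            # Leading zeros are rejected so the shell never parses HOURS as octal.
            echo "hours must be a non-negative integer without leading zeros: $hours" >&2
            return 2 ;;
    esac
    if [ ! -d "$dir" ]; then
        echo "not a directory: $dir" >&2
        return 2
    fi
    find "$dir" -type f -mmin +"$((hours * 60))" "$@"
}

# stale_creds [DIR] [HOURS]: one path per line.
stale_creds() {
    stale_find "${1:-$CREDS_DIR}" "${2:-24}" -print
}

# stale_summary [DIR] [HOURS]: "uid count" per owner, so leftover
# credentials can be traced to the accounts that did not run kdestroy.
stale_summary() {
    stale_find "${1:-$CREDS_DIR}" "${2:-24}" -exec ls -ln {} + |
        awk '{ n[$3]++ } END { for (u in n) print u, n[u] }'
}

# When invoked with arguments, e.g. "sh stale_creds.sh /path 12", print both views.
if [ $# -gt 0 ]; then
    stale_creds "$@"
    stale_summary "$@"
fi
```

An empty report after the purge window has passed indicates the cron job is doing its work; a non-empty summary shows which accounts still have credential files on disk.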
HP-UX Integrated Login Utilities
Most systems will require the transfer of account information from
/etc/passwd to the DCE Security Registry before the system will be
useful.
The script /usr/sbin/auth.adm is supplied to activate the integrated
login utilities once your system has been set up with the needed
accounts. See Chapter 6 for more information about using the
/usr/sbin/auth.adm script.