Manualshelf

Planning and Configuring HP-UX DCE 1.9

ManualsBrandsHP ManualsSoftwareHP-UX DCE Software
11121314151617181920
Chapter 2
About HP-UX DCE Version 1.9
Notes, Cautions and Warnings Regarding This Release
13
Notes, Cautions and Warnings Regarding This Release
Security and Remote Login Utilities
You can use standard UNIX remote login utilities (remsh, rlogin, telnet) to perform remote DCE cell
administration. However, these utilities expose the cell administrator's password to network attackers
whenever you perform a task on a remote system. If a network attacker obtains the password, the security of
the cell's DCE services is compromised. The most secure way to perform cell administration is to log in locally
to each system you want to administer. The use of Secure Internet Services (SIS) does not provide better
security for the purpose of remote DCE cell administration.
Security and Credential Lifetime
DCE credentials consist of Kerberos tickets shared by principals and the security server. The security server
encrypts the tickets with a server key. Usually, the credential lifetime for a Kerberos ticket is a defined
expiration time.
Hewlett-Packard recommends using Kerberos tickets with a defined expiration time and changing the server
keys frequently. Using tickets with an infinite lifetime makes it difficult to automatically change server keys
without invalidating the outstanding tickets. It also defeats the automatic key garbage collection, which the
sec_key_mgmt_change_key operation performs.
ANSI C Requirement for HP-UX DCE 1.9
Hewlett-Packard supports only the ANSI C compiler for building HP-UX DCE applications. Hewlett-Packard
cannot provide support for problems with HP-UX DCE applications that were not compiled using the ANSI C
compiler.
dce_login -r Option
Starting with HP-UX DCE 1.4, the -r option, which refreshes a user's credentials, was added to dce_login.
Users are encouraged to use dce_login -r rather than kinit to refresh their credentials, since dce_login
-r uses the more secure DCE Third-party pre authentication protocol, whereas kinit uses the less secure
Kerberos 5 Timestamps protocol.
Removing DCE Credentials
A user's DCE credentials (stored in the directory /var/opt/dce/security/creds) are not automatically
removed by exiting a shell or logging out. Unless you plan to leave background processes running that require
your DCE credentials, you should manually remove your credentials before logging out by running the
kdestroy utility. This will make the system more secure by decreasing the opportunity for someone to
maliciously gain access to your network credentials.
The kdestroy command has been modified to allow destruction of credentials older than a specified number
of hours. kdestroy -e exp-period may be run manually or regularly as a cron job to purge older credential
files. See the kdestroy (1) manpage for syntax and usage information.
Credentials are automatically removed at system boot.