Planning and Configuring HP-UX DCE 1.9
Chapter 2
About HP-UX DCE Version 1.9
HP Password Management Server
Unlike the other sample applications, where you are encouraged to generate a new UUID when you make
modifications, you must not make changes to rsec_pwd_mgmt.idl. secd is linked with the client stub for the
rsec_pwd_mgmt interface so changing the interface UUID will cause communication problems between secd
and your Password Management Server.
Administrative Setup
The dce_config and pwd_config files supplied with this DCE release are set up to configure and start up a
Password Management Server that conforms to the guidelines listed above.
In order to have the policies implemented by any Password Management Server apply to a given principal,
the administrator must attach instances of the following two Extended Registry Attributes to the principal's
node in the DCE Registry:
pwd_val_type
The pwd_val_type attribute controls the type of password management that applies to a given principal.
The values are:
0 — Check passwords entered by this principal using the DCE Registry policy only.
1 — Check passwords entered by this principal using the Password Management Server.
2 — Principal may either choose a password (which is then checked with the Password Management Server),
or can use a password that has been generated by the Password Management Server (no additional strength
checking is done).
3 — Principal must use a password generated by the Password Management Server.
The HP Account Manager can facilitate the administration of ERAs.
pwd_mgmt_binding
The pwd_mgmt_binding attribute specifies the binding to the Password Management Server that will be used
for this principal. In future releases, more than one Password Management Server may be supported, but for
now, the value of the pwd_mgmt_binding attribute must always be:
{pwd_mgmt_binding {{dce /.:/pwd_strength pktprivacy secretname} \
{/.:/subsys/dce/sec/pwd_mgmt/pwd_strength}}}
pwd_SecureWare_chk
HP's default implementation of the Password Management Server uses an additional Extended Registry
Attribute to control the level of strength checking algorithm that will be applied to a given principal. The
values are:
0 — Use the DCE Registry algorithm only (that is, depending on the DCE Registry policies, checks such as
password length, blanks and alphanumeric content).
1 — In addition to checking against the DCE Registry algorithm, use a proprietary SecureWare algorithm
that verifies the password meets certain tests for non-triviality (not a circular shift of the principal's name or
its reverse, contains at least 2 alphanumeric characters, contains at least one non-alphanumeric character).
2 — In addition to the two previous checks, use a proprietary SecureWare algorithm that verifies the
password is not a word (and is not a palindrome, does not contain the same characters as any group or
principal name in the DCE Registry, and is not found in the spell program's dictionary).
If a principal does not have an instance of pwd_SecureWare_chk attached, then the Password Management
Server uses the DCE Registry algorithm only.
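As an added illustration (not HP's or SecureWare's code, and not the page's own), the following Python sketches the tests the three pwd_SecureWare_chk levels are described as applying, so an administrator can see which level a candidate password would fail at; the registry names, the word list, the minimum length and the reading of "same characters" as an anagram are assumptions.

```python
import string

# Constructed sample data (assumption): the real server consults the DCE Registry
# for principal/group names and the spell program's dictionary for words.
REGISTRY_NAMES = ["jdoe", "asmith", "operators", "cell_admin"]
DICTIONARY = {"password", "secret", "welcome", "hpux"}
MIN_LEN = 6  # assumption; the real minimum comes from the Registry policy

def circular_shifts(name):
    """Every rotation of the principal name and of its reverse, lower-cased."""
    out = set()
    for s in (name.lower(), name.lower()[::-1]):
        out.update(s[i:] + s[:i] for i in range(len(s)))
    return out

def registry_check(pw):
    """Level 0: the Registry-policy style checks (length, blanks, alphanumeric)."""
    if len(pw) < MIN_LEN:
        return "too short"
    if " " in pw:
        return "contains a blank"
    if not any(c.isalnum() for c in pw):
        return "no alphanumeric character"
    return None

def secureware_check(pw, principal, level):
    """Return None if pw passes the tests listed for pwd_SecureWare_chk = level,
    otherwise the reason it fails. Level 0 applies the Registry checks only."""
    reason = registry_check(pw)
    if reason or level == 0:
        return reason
    low = pw.lower()
    # level 1: non-triviality tests
    if low in circular_shifts(principal):
        return "circular shift of principal name or its reverse"
    if sum(c.isalnum() for c in pw) < 2:
        return "fewer than 2 alphanumeric characters"
    if all(c.isalnum() for c in pw):
        return "no non-alphanumeric character"
    if level == 1:
        return None
    # level 2: not a word, not a palindrome, not the characters of a registry name
    if low == low[::-1]:
        return "palindrome"
    if any(sorted(low) == sorted(n.lower()) for n in REGISTRY_NAMES):
        return "same characters as a principal or group name"  # read as anagram
    if low.strip(string.punctuation + string.digits) in DICTIONARY:
        return "dictionary word"
    return None
```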