Planning and Configuring HP-UX DCE 2.0
About HP-UX DCE Version 2.0
Notes, Cautions and Warnings Regarding This Release
dce_login -r Option
Starting with HP-UX DCE 1.4, the -r option, which refreshes a user's
credentials, was added to dce_login. Users are encouraged to use
dce_login -r rather than kinit to refresh their credentials, since
dce_login -r uses the more secure DCE Third-party pre-authentication
protocol, whereas kinit uses the less secure Kerberos 5 Timestamps
protocol.
Removing DCE Credentials
A user's DCE credentials (stored in the directory
/var/opt/dce/security/creds) are not automatically removed by
exiting a shell or logging out. Unless you plan to leave background
processes running that require your DCE credentials, you must
manually remove your credentials before logging out by running the
kdestroy utility. This will make the system more secure by decreasing
the opportunity for someone to maliciously gain access to your network
credentials.
The kdestroy command has been modified to allow destruction of
credentials older than a specified number of hours. You can manually
run the kdestroy -e exp-period command or regularly run a cron job
to purge older credential files. See kdestroy(1) for syntax and usage
information.
Credentials are automatically removed at system boot.
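The following script is an added example, not part of the HP-UX DCE documentation: it audits the credential directory named above for files that a regular kdestroy -e exp-period cron purge should already have removed. The function names, the use of file modification time as a stand-in for credential age, and the availability of find -mmin (GNU/BSD find) are assumptions.

```shell
#!/bin/sh
# Added example: report credential files that outlived the purge window.
# Intended to run from cron shortly after the "kdestroy -e exp-period" job,
# so that leftover files show up in the cron mail.
# Assumptions: find(1) supports -mmin; every regular file in the directory
# is a credential file; mtime approximates the age of the credentials.

CRED_DIR=${CRED_DIR:-/var/opt/dce/security/creds}   # path given in the manual

# stale_creds DIR HOURS
# Prints one path per line for each regular file in DIR whose last
# modification is more than HOURS hours old. Returns 2 on bad arguments.
stale_creds() {
    dir=$1
    hours=$2
    case $hours in
        ''|*[!0-9]*) echo "hours must be a whole number" >&2; return 2 ;;
    esac
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 2; }
    find "$dir" -type f -mmin "+$((hours * 60))" -print | sort
}

# audit_creds DIR HOURS
# Returns 0 when nothing is stale, 1 when stale files remain (listed with
# owner and timestamp so they can be traced to a user), 2 on error.
audit_creds() {
    list=$(stale_creds "$1" "$2") || return 2
    [ -z "$list" ] && return 0
    echo "credential files older than $2 hours in $1:"
    echo "$list" | while IFS= read -r f; do ls -l "$f"; done
    return 1
}

# Run the audit only when an hour count is passed, e.g. "audit_creds.sh 12".
if [ $# -ge 1 ]; then
    audit_creds "$CRED_DIR" "$1"
fi
```

A non-zero exit status means the purge job is not running or its exp-period is longer than intended.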
Support for POSIX 1003.1c Threads
CMA applications have to be migrated from Draft 4 of the POSIX
threads standard to the final, ratified 1003.1c standard for kernel
threads. This migration will result in source incompatibility, and it is
recommended that application developers plan for this transition. HP
plans to preserve binary compatibility. However, developers can prepare
for this change as follows:
1. Isolate new threads API usage to macros or wrapper APIs.
2. Minimize the use of signals, and use only POSIX semantics when
programming with signals.
For example, HP recommends that threaded applications use only the
sigaction(), sigprocmask(), and sigwait() functions.