Installing, Configuring and Administering the Kerberos Server V 2.0 on HP-UX 11i
Administration
Manual Administration Using kadmin
Chapter 6182
• Service principal, the service accepts TGTs only from user
principals who obtained a TGT using a preauthentication protocol
NOTE Client applications require preauthentication by default; however, a
client can override this setting.
To modify the parameter type attr for the principal admin, to set the
Require Preauthentication Attribute, you need to do the following:
Command: mod
Name of Principal to Modify: admin
Parameter Type to be Modified (attr,fcnt,vno or quit) :attr
Attribute (or quit): {preauth|nopreauth}
Principal modified.
Require Password Change Attribute
The Require Password Change attribute determines whether a
principal must change the user’s password during the next
authentication attempt. When this attribute is set, users are required to
change their passwords.
When a new principal is added to the database or when a principal’s
password is changed, this attribute is controlled by the NoReqChangePwd
setting in the principal’s password policy file. By default,
NoReqChangePwd is set to zero, meaning the user must change their
password at first logon.
If a random key is designated for a principal using Administrator or the
kadmin addrnd command, the Require Change Password attribute is
not set by default. As a result, a service principal with an extracted key
is not required to have a new key extracted at the next authentication
attempt.
To modify the parameter type attr for the principal admin, to set the
Require Password Change Attribute, you need to do the following:
Command: mod
Name of Principal to Modify: admin
Parameter Type to be Modified (attr,fcnt,vno or quit) :attr
Attribute (or quit): {pwchg|nopwchg}
Principal modified.