Installing, Configuring and Administering the Kerberos Server V 2.0 on HP-UX 11i

Administration
Manual Administration Using kadmin
Chapter 6, page 186
Normally, you would select the Set As Password Change Service
attribute for only the service principal defined as a change password
service. You can add other Change Password service principals to the
principal database if you have created custom applications that require
different password service principals.
To set the Set As Password Change Service attribute on the principal
admin, modify its attr parameter type as follows:
Command: mod
Name of Principal to Modify: admin
Parameter Type to be Modified (attr,fcnt,vno or quit) :attr
Attribute (or quit): {cpwsrv|nocpwsrv}
Principal modified.
Password Expiration Attribute
A principal password can have either a finite or an infinite lifetime.
Expiration time is controlled by several factors, including the principal
type:
Service principals - The secret key stored in the service key table
file on the service’s host does not expire. However, as a security
best practice, we recommend extracting new random keys periodically.
Refer to “Maintaining Secret Keys In The Key Table File” on
page 210, for more information.
User principals - The expiration time for a user’s password
depends on the settings designated for the principal account.
Activating the Password Expiration attribute makes a principal subject
to the password expiration policy. The user is
prompted to change their password before the expiration date. If the
Password Expiration attribute is not enabled, the current principal’s
password never expires.
NOTE The password expiration date is stored in the security server with
each principal. It is changed to the current date plus the Expiration
value in the password policy file when a user changes the password.
Before the password expires, the user is given advance notice that
their password is about to expire. The timing of the advance notice is
controlled by the NotifyTime parameter in the password policy file.