Installing, Configuring and Administering the Kerberos Server V 2.0 on HP-UX 11i
Administration
Manual Administration Using kadmin
Chapter 6
You may choose to set a maximum ticket lifetime for the default group
template that is different from that of the krbtgt/ principal if you plan to
enter a block of users that should have restricted ticket lifetimes. After
the block of user principals is added, you can alter the default group
setting again.
This attribute cannot be set with Command-Line-Administrator.
Maximum Renew Time Attribute
The Maximum Renew Time controls the renew time limit for renewable
tickets. If this renew time is set to a time longer than the renew time
assigned to the krbtgt/REALM@REALM principal, the settings on the
krbtgt/ principal take precedence.
This attribute cannot be set with Command-Line-Administrator.
Key Type Attribute
The key type used to generate a secret key is an important security
decision.
Each principal can be associated with two different secret keys. These
are called the primary and secondary keys. Each key is associated with
an encryption type. The encryption type designates the encryption
algorithm used to generate the secret key. The three supported
encryption types are:
• DES-CRC
• DES-MD5
• DES3-MD5
This attribute cannot be set with Command-Line-Administrator.
Salt Type Attribute
A salt is a string of characters added to the beginning of a password
before it is transformed into a secret key. Salts strengthen passwords
and ensure that principals with the same password do not have the same
key. Salt settings apply only to user principals; service principals use a
random key, and as such do not require a designated salt (they use a salt
type of None).
Salt type settings are controlled through the Password tab of the
Principal Information window in Administrator.
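The effect of salting described above, as an added example (not part of the HP documentation or product code): it derives keys for a constructed set of user principals and reports which of them end up with identical keys. PBKDF2-HMAC-SHA1 stands in for the DES string-to-key function, and the salt rule (realm followed by principal name), the salt type labels and all sample values are assumptions of the example.

```python
import hashlib
from collections import defaultdict

# Constructed sample data: (principal, realm, password, salt type).
# The labels "normal" and "none" are assumptions of this example.
PRINCIPALS = [
    ("alice", "EXAMPLE.COM", "Winter2024!", "normal"),
    ("bob", "EXAMPLE.COM", "Winter2024!", "normal"),
    ("carol", "EXAMPLE.COM", "Winter2024!", "none"),
    ("dave", "EXAMPLE.COM", "Winter2024!", "none"),
    ("erin", "EXAMPLE.COM", "S0mething-else", "none"),
]


def salt_for(principal, realm, salt_type):
    """Assumed salt rule: realm followed by principal name; empty for 'none'."""
    if salt_type == "none":
        return b""
    if salt_type == "normal":
        return (realm + principal).encode("utf-8")
    raise ValueError(f"unknown salt type: {salt_type}")


def derive_key(password, salt):
    """Stand-in string-to-key (PBKDF2-HMAC-SHA1), not the DES algorithm."""
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt, 4096, dklen=16)


def shared_keys(principals):
    """Return sorted groups of principals whose derived keys are identical."""
    by_key = defaultdict(list)
    for name, realm, password, salt_type in principals:
        key = derive_key(password, salt_for(name, realm, salt_type))
        by_key[key].append(f"{name}@{realm}")
    return sorted(sorted(group) for group in by_key.values() if len(group) > 1)


if __name__ == "__main__":
    # alice and bob share a password but are salted, so their keys differ;
    # carol and dave share a password with no salt, so their keys collide.
    for group in shared_keys(PRINCIPALS):
        print("identical key:", ", ".join(group))
```
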