HP (Hewlett-Packard) E0905 Server User Manual


 
Administering the Kerberos Server
Manual Administration Using kadmin
Chapter 8 221
Following is a sample output of the Password Change Service
attribute:
Command: mod
Name of Principal to Modify: admin
Parameter Type to be Modified (attr, fcnt, vno, policy,dn or qui) :attr
Attribute (or quit): {cpwsrv|nocpwsrv}
Principal modified.
Password Expiration Attribute
A principal password may have a finite or an infinite lifetime. Following
are the factors that control the expiration time of a password, including
the principal type:
Service Principals – The secret key stored in the service key table file
on the host of the service does not expire. However, HP recommends
that you extract new random keys periodically as a security best
practice. See “Maintaining Secret Keys in the Key Table File” on
page 244, for more information.
User Principals – The expiration time of a user's password
depends on the settings designated for the principal account.
Activating the Password Expiration attribute makes the principal
subject to the password expiration policy. You are prompted to
change the password before the expiration date. If you do not enable
the Password Expiration attribute, the password of the current
principal never expires.
NOTE: The password expiration date is stored on the Kerberos server with
each principal. When you change the password, the current date and
the expiration value also change in the password policy file.
Before the password expires, you are notified that the password is
about to expire. The NotifyTime parameter in the password policy file
controls the advance notice timing. If you ignore the advance
notice and the expiration date elapses, you must change the
password before you can obtain any more tickets from the Kerberos
server.
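
The expiration rules described above, applied as an audit over a principal inventory. This is an added example, not code from the HP manual or the Kerberos server; the record fields, the NotifyTime value and its unit (days), and the 180-day key rotation interval are assumptions.

```python
from datetime import date, timedelta

# Assumptions (not from the manual): NotifyTime is expressed in days, and
# the site rotates service keys at least every 180 days.
NOTIFY_TIME = timedelta(days=14)
SERVICE_KEY_MAX_AGE = timedelta(days=180)
TODAY = date(2024, 4, 1)  # fixed date so the constructed sample is reproducible

# Constructed inventory with hypothetical field names.
# "changed" = last password/key change; "expires" = password expiration date,
# or None when the Password Expiration attribute is not enabled.
PRINCIPALS = [
    {"name": "alice", "kind": "user", "changed": date(2024, 1, 10), "expires": date(2024, 4, 9)},
    {"name": "bob", "kind": "user", "changed": date(2023, 12, 16), "expires": date(2024, 3, 15)},
    {"name": "carol", "kind": "user", "changed": date(2022, 5, 2), "expires": None},
    {"name": "dave", "kind": "user", "changed": date(2024, 3, 5), "expires": date(2024, 9, 1)},
    {"name": "host/web01", "kind": "service", "changed": date(2023, 6, 1), "expires": None},
    {"name": "ftp/web01", "kind": "service", "changed": date(2024, 2, 1), "expires": None},
]

def classify(p, today):
    """Return the audit state of one principal record."""
    if p["kind"] == "service":
        # Key table keys never expire, so age is the only signal for rotation.
        return "rotate-key" if today - p["changed"] > SERVICE_KEY_MAX_AGE else "ok"
    if p["expires"] is None:
        return "never-expires"   # Password Expiration attribute not enabled
    if today > p["expires"]:
        return "expired"         # no new tickets until the password is changed
    if today >= p["expires"] - NOTIFY_TIME:
        return "notify"          # inside the advance-notice window
    return "ok"

def audit(principals, today):
    """Map each principal name to its audit state."""
    return {p["name"]: classify(p, today) for p in principals}

def findings(principals, today):
    """Return (name, state) pairs that need attention, sorted by name."""
    return sorted((n, s) for n, s in audit(principals, today).items() if s != "ok")

if __name__ == "__main__":
    for name, state in findings(PRINCIPALS, TODAY):
        print(f"{name:12} {state}")
```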