OSF DCE Administration Guide--Core Components
Creating and Maintaining Principals, Groups, and Organizations
• To protect password security, and to optimize performance, the password
management server should run on the same machine as the master DCE security
server.
• The default pathname for the password management server is
$DCELOCAL/bin/pwd_strengthd. You can change this pathname by using the
PWD_MGMT_SVR environment variable in config.env.
• While dce_config supports configuration of only one password management server
in a cell, it is possible to manually configure additional servers. Principal
pwd_mgmt_binding ERAs can then be set to point to the appropriate server for each
principal.
• To replace the sample password management server with another version, follow
this procedure:
1. Kill pwd_strengthd.
2. Rename $DCELOCAL/bin/pwd_strengthd.
3. Copy the new server into $DCELOCAL/bin/pwd_strengthd.
4. Start pwd_strengthd.
Do not unconfigure and reconfigure pwd_strengthd. If you do so, secd will be
unable to communicate with it until secd is restarted or the previous server’s keys
expire.
• The log file for the sample password management server resides in
$DCELOCAL/var/security/pwd_strengthd.log. This location is built into the
server code and is not configurable.
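The replacement procedure above, written as a shell function. This is an added example, not part of the OSF guide or the DCE distribution. It covers only the rename and copy steps (2 and 3) and leaves killing and starting the server to the operator. The .prev backup suffix, the process-table check, the rollback, and the final chmod are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the DCE guide. Performs steps 2-3 (rename, copy)
# with a rollback; killing and starting pwd_strengthd stay with the operator.

# Return 0 if a process named pwd_strengthd appears in the process table.
pwd_strengthd_running() {
    ps -e -o comm= 2>/dev/null | grep -Eq '(^|/)pwd_strengthd$'
}

# swap_pwd_strengthd NEW_BINARY
# Return codes: 0 swapped, 1 bad input, 2 server still running, 3 copy failed.
swap_pwd_strengthd() {
    new=$1
    [ -n "${PWD_MGMT_SVR:-${DCELOCAL:-}}" ] || { echo "DCELOCAL is not set" >&2; return 1; }
    # Default pathname from the guide; PWD_MGMT_SVR overrides it if set.
    target=${PWD_MGMT_SVR:-$DCELOCAL/bin/pwd_strengthd}
    backup=$target.prev    # assumed backup name; the guide only says "rename"

    [ -f "$new" ] && [ -x "$new" ] && [ -s "$new" ] || {
        echo "new server $new is not a non-empty executable file" >&2; return 1; }
    [ -f "$target" ] || { echo "no installed server at $target" >&2; return 1; }

    # Step 1 must already be done: never rename under a live server.
    if pwd_strengthd_running; then
        echo "pwd_strengthd is still running; kill it first" >&2; return 2
    fi

    # Step 2: rename the old server so it can be restored.
    mv "$target" "$backup" || return 3

    # Step 3: copy the new server in, keeping its mode (-p).
    if ! cp -p "$new" "$target"; then
        mv "$backup" "$target"      # roll back to the previous server
        echo "copy failed; previous server restored" >&2; return 3
    fi

    # The binary handles passwords: remove group/other write access.
    chmod go-w "$target" || return 3
    echo "installed $target (previous kept as $backup); now start pwd_strengthd"
}
```

Nothing in the function touches the server's configuration, so it stays within the guide's instruction not to unconfigure and reconfigure pwd_strengthd.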
30.6.3.2 Generating Passwords with dcecp
If a pwd_val_type ERA with the value 2 (USER_CAN_SELECT) or 3
(GENERATION_REQUIRED) exists for a principal, that principal can (or will be
required to) request a generated password when changing passwords. If you are the
principal smitty, the following sequence of dcecp commands can be used to do this:
    dcecp> set p [account generate smitty]
    newgenpwd
This command requests a generated password from the password management server,
places the new password in the p variable, and prints it to the screen (shown here as
newgenpwd). (Be sure to remember the new password.) Next, pass the value stored in p
as the new password in an account modify or account create command:
    dcecp> account modify smitty -password $p -mycurrentpwd -dce-
Warning: Never execute the following dcecp command, since the
password will be changed in the account, but the user will not
see the new password:
124243 Tandem Computers Incorporated 30− 13