OSF DCE Administration Guide--Core Components
__________________________________________________________________
Option              Meaning
__________________________________________________________________
-maxtktrenew hours  The maximum ticket renewable. This is the
                    amount of time in hours before a principal’s
                    ticket-granting ticket expires and that principal
                    must log into the system again to reauthenticate
                    and obtain another ticket-granting ticket. The
                    lifetime of the principal’s service tickets can
                    never exceed the lifetime of the principal’s
                    ticket-granting ticket. The shorter you make
                    Maximum Certificate Renewable, the greater the
                    security of the system. However, since principals
                    must log in again to renew their ticket-granting
                    ticket, the time needs to take into consideration
                    user convenience and the level of security
                    required.
                    If you do not specify a maxtktrenew attribute
                    value for an account, the maxtktrenew attribute
                    value defined for the registry authorization policy
                    is used. (See Chapter 35.)
__________________________________________________________________
Note: The maximum ticket lifetime and maximum ticket renewable can be set as
registry properties for the registry as a whole with the dcecp registry
modify command. When they are set with the dcecp account create or
account modify commands, they apply only to a specific account.
31.5.1 Setting Ticket Lifetimes
You should be aware of two other options set by the dcecp registry modify command:
default ticket lifetime and minimum ticket lifetime.
• Minimum Ticket Lifetime—The shortest possible lifetime that can be assigned to a
ticket. Note that the actual effective value of Minimum Ticket Lifetime is affected by
Default Certificate Lifetime.
• Default Ticket Lifetime—The lifetime granted for tickets, unless the principal
specifically requests a different lifetime. Although principals can request a specific
lifetime for a ticket, the majority accept the default lifetime. (If a principal requests a
ticket lifetime of 0 (zero), the default lifetime is assigned to the ticket.)
Note that the actual effective value of Default Ticket Lifetime is affected by
Maximum Certificate Lifetime.
The actual lifetimes assigned to tickets depend on rules enforced by the DCE Security
Service regarding the settings of Maximum Ticket Lifetime, Default Ticket Lifetime,
and Minimum Ticket Lifetime. These rules are as follows:
• The maximum ticket lifetime can never be larger than the renewable ticket lifetime
(in other words, max_life = min (max_life, renewable_life)) or less than 60
seconds. If the maximum ticket lifetime is larger than the renewable ticket lifetime,
31 − 10 Tandem Computers Incorporated 124243