OSF DCE Administration Guide--Core Components
36.2.12 How passwd_override Handles Multiple Override Entries
When more than one override entry applies to an account, the entry with the most
specific account identifier (that is, either a principal UNIX ID, a group UNIX ID, or a
principal name) is selected. Principal names are the most specific, followed by the
principal UNIX ID and group UNIX ID.
For example, assume that the override file contains the following two entries that
override the login shells:
mozart::::::/bin/ksh
:::25:::/bin/csh
If a principal logs in as mozart, the override that is keyed by mozart is in effect. In this
case, the principal (mozart) is more specific than the group (25).
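As an added example that is not part of the OSF DCE guide, the following Python script resolves passwd_override entries with the precedence described above (principal name, then principal UNIX ID, then group UNIX ID). It assumes the seven-field layout name:password:uid:gid:gecos:home:shell inferred from the two entries shown, that an entry is keyed by its first non-empty identifier field, and that only the single selected entry is applied (a blank field in it falls back to the registry value, not to a less specific entry); the registry account values and the third override line are constructed sample data.

```python
# Added example, not code from the OSF DCE guide: a small resolver that applies
# passwd_override entries with the precedence the text describes
# (principal name, then principal UNIX ID, then group UNIX ID).
# Assumption: entries use the 7-field layout inferred from the page's two
# entries, name:password:uid:gid:gecos:home:shell, with an empty field meaning
# "not overridden"; an entry is keyed by its first non-empty identifier field.
from dataclasses import dataclass
from typing import List, Optional

FIELD_COUNT = 7

# Constructed sample override file (the first two lines are the page's own entries;
# the third is a hypothetical entry keyed by principal UNIX ID 1001).
SAMPLE_OVERRIDE = """\
mozart::::::/bin/ksh
:::25:::/bin/csh
::1001:::/home/scratch:
"""


@dataclass
class Override:
    name: str
    password: str
    uid: Optional[int]
    gid: Optional[int]
    gecos: str
    home: str
    shell: str
    lineno: int


def parse_override_file(text: str) -> List[Override]:
    """Parse override lines; a line with the wrong field count is an error, not a guess."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        parts = line.split(":")
        if len(parts) != FIELD_COUNT:
            raise ValueError(f"line {lineno}: expected {FIELD_COUNT} fields, got {len(parts)}")
        name, password, uid, gid, gecos, home, shell = parts
        entries.append(Override(name, password,
                                int(uid) if uid else None,
                                int(gid) if gid else None,
                                gecos, home, shell, lineno))
    return entries


def specificity(entry: Override, name: str, uid: int, gid: int) -> int:
    """Rank how specifically `entry` keys on this account; 0 means it does not apply."""
    if entry.name:
        return 3 if entry.name == name else 0
    if entry.uid is not None:
        return 2 if entry.uid == uid else 0
    if entry.gid is not None:
        return 1 if entry.gid == gid else 0
    return 0  # an entry with no key field never applies


def select_override(entries: List[Override], name: str, uid: int, gid: int) -> Optional[Override]:
    """Return the single most specific matching entry, or None if nothing applies."""
    best, best_rank = None, 0
    for entry in entries:
        rank = specificity(entry, name, uid, gid)
        if rank > best_rank:
            best, best_rank = entry, rank
    return best


def apply_override(account: dict, entries: List[Override]) -> dict:
    """Copy `account` with the chosen entry's non-empty fields applied.

    Only the selected entry is used: a blank field in it falls back to the
    registry value, not to a less specific entry (assumption, following the
    page's "the entry ... is selected" wording).
    """
    result = dict(account)
    chosen = select_override(entries, account["name"], account["uid"], account["gid"])
    if chosen is None:
        return result
    for field in ("password", "gecos", "home", "shell"):
        value = getattr(chosen, field)
        if value:
            result[field] = value
    return result


if __name__ == "__main__":
    entries = parse_override_file(SAMPLE_OVERRIDE)
    # Registry account values below are constructed sample data.
    for acct in ({"name": "mozart", "uid": 1002, "gid": 25, "home": "/home/mozart", "shell": "/bin/sh"},
                 {"name": "bach", "uid": 1001, "gid": 25, "home": "/home/bach", "shell": "/bin/sh"},
                 {"name": "haydn", "uid": 1003, "gid": 25, "home": "/home/haydn", "shell": "/bin/sh"},
                 {"name": "salieri", "uid": 1004, "gid": 30, "home": "/home/salieri", "shell": "/bin/sh"}):
        print(acct["name"], apply_override(acct, entries))
```

Running the script shows mozart keeping /bin/ksh even though group 25 also matches, bach (keyed by UNIX ID 1001) getting the overridden home directory but keeping the registry shell because the more specific entry leaves that field blank, haydn falling to the group entry, and salieri untouched. The strict field-count check matters in practice: a line with a missing or extra colon silently shifts every later field, so the parser rejects it rather than applying a shell or home directory to the wrong account.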
36.3 Changing the Registry’s Master Key
All passwords stored in a registry are encrypted by a master key. Note that the master
key is created when you create the registry database during system configuration.
You can use the dcecp registry modify command with the -key option to change the
registry’s master key and to reencrypt all passwords with the new master key. Each
replica (master and slave) maintains its own master key to access the data in its copy of
the registry.
You should change each replica's master key on a regular basis. Before you run the
command to do this, ensure that you are logged in to an administrative account.
The following command line changes the master key and reencrypts all the passwords
for the replica art_server_1:
dcecp> registry modify /.../giverny.com/subsys/dce/sec/art_server_1 -key
36.4 Validating the Authenticity of the DCE Security Service
The secval process within the DCE daemon can confirm that the DCE security server is
an authentic server. An illegitimate DCE security server could give a malicious user
root access on a machine by returning a counterfeit local system identity. A secval ping
operation confirms the authenticity of the DCE security server by performing an
authenticated RPC to the secval process. A successful return (1) indicates that the
security server used all of the correct passwords needed for the authenticated RPC to
succeed.
36 − 10 Tandem Computers Incorporated 124243