OSF DCE Administration Guide--Core Components
When you bring up a security server in locksmith mode, secd automatically creates a
locksmith account or, if the locksmith account exists, it lets you supply a new password
for that account. Once the security server is running, you can log into the locksmith
account by using the newly changed password, if you changed it, and access the registry
to change the account or policy information that may have prevented you from accessing
the registry by using your normal credentials.
In locksmith mode, all principals with valid accounts can log in and operate on the
registry with normal access checking. The locksmith principal, however, is granted
special access to the registry: no access checking is performed for the authenticated
locksmith principal. This means that, as the locksmith principal, you can operate on the
registry with full access.
40.2.1 Automatic Changes to the Locksmith Account
If the locksmith account exists when you start the security server in locksmith mode, the
security server checks certain account and registry policy information and makes the
changes shown in Tables 40-1 and 40-2. These changes ensure that, even if account or
registry policy was tampered with, you will now be able to log into the locksmith
account. For example, if an intruder changes the Account Lifespan registry policy to 1
minute, the locksmith account will never be valid long enough to be used. Therefore, if
the security server finds that the Account Lifespan registry policy is set to less than what
is required for the locksmith account to be valid for at least 1 hour, it changes the
Account Lifespan policy to be the time difference between the creation time of the
locksmith account and the time 1 hour from the current time.
TABLE 40-1. Locksmith Account Changes Made by the Security Server
__________________________________________________________________________________________________________________________________
If the security server finds the...                                         It changes the...
__________________________________________________________________________________________________________________________________
Password-Valid Flag is set to no                                            Password-Valid Flag to yes
Account Expiration Date is set to less than the current time plus 1 hour    Account Expiration Date to the current time plus 1 hour
Client Flag is set to no                                                    Client Flag to yes
Account-Valid Flag is set to no                                             Account-Valid Flag to yes
Good Since Date is set to greater than the current time                     Good Since Date to the current time
Password Expiration Date is set to less than the current time plus 1 hour   Password Expiration Date to the current time plus 1 hour
__________________________________________________________________________________________________________________________________
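As an added example (not DCE's own secd code), the following Python models the repairs of Table 40-1 together with the Account Lifespan rule described above, applied to a constructed, tampered locksmith account. The LocksmithAccount fields, the function names and the sample values are assumptions for illustration, not the DCE registry API, and the Table 40-2 registry policy changes referenced in the text are not modelled here.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class LocksmithAccount:
    """Hypothetical model of the account fields Table 40-1 checks (not a DCE API)."""
    password_valid: bool
    account_valid: bool
    client: bool
    account_expiration: datetime
    password_expiration: datetime
    good_since: datetime
    creation_time: datetime

def repair_locksmith_account(acct, account_lifespan, now):
    """Apply Table 40-1 and the Account Lifespan rule; return (acct, lifespan, changes)."""
    changes = []
    deadline = now + timedelta(hours=1)  # account must stay usable for at least 1 hour
    if not acct.password_valid:
        acct.password_valid = True
        changes.append("Password-Valid Flag -> yes")
    if acct.account_expiration < deadline:
        acct.account_expiration = deadline
        changes.append("Account Expiration Date -> now + 1 hour")
    if not acct.client:
        acct.client = True
        changes.append("Client Flag -> yes")
    if not acct.account_valid:
        acct.account_valid = True
        changes.append("Account-Valid Flag -> yes")
    if acct.good_since > now:
        acct.good_since = now
        changes.append("Good Since Date -> now")
    if acct.password_expiration < deadline:
        acct.password_expiration = deadline
        changes.append("Password Expiration Date -> now + 1 hour")
    # Lifespan counts from creation time: a 1-minute lifespan (the intruder case
    # in the text) would expire the account before anyone could log in.
    if acct.creation_time + account_lifespan < deadline:
        account_lifespan = deadline - acct.creation_time
        changes.append("Account Lifespan policy -> (now + 1 hour) - creation time")
    return acct, account_lifespan, changes

def tampered_sample():
    """Constructed input: lifespan 1 minute, Password-Valid cleared, Good Since in the future."""
    now = datetime(2024, 1, 1, 12, 0)
    acct = LocksmithAccount(False, True, True, now + timedelta(minutes=30),
                            now + timedelta(days=30), now + timedelta(days=1),
                            now - timedelta(days=10))
    return acct, timedelta(minutes=1), now
```

Calling `repair_locksmith_account(*tampered_sample())` returns the four changes the model makes for that sample, the kind of record worth logging whenever a server is started in locksmith mode.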
40-2 Tandem Computers Incorporated 124243