OSF DCE Application Development Guide--Core Components

Chapter 35. The Password Management API
User passwords are the weakest link in the chain of DCE security. Users, unless their
choices are restricted, typically choose passwords that are easy for them to remember;
unfortunately, these memorable passwords are also easy for attackers to “crack.”
The password management facility is intended to reduce this risk by providing the tools
necessary to develop customized password management servers, and to call them from
client password change programs. This facility enables cell administrators to:
• Enforce stricter constraints on users’ password choices than those in DCE standard
  policy
• Offer, or force, automatic generation of user passwords
The password management facility includes the following APIs:
• The password management interface, sec_pwd_mgmt_*(), which enables clients to
  retrieve a principal’s password management ERA values and to request
  strength-checking and generation of passwords.
• The password management network interface, rsec_pwd_mgmt_*(), which enables
  a password management server to accept and process password strength checking
  and generation requests.
Figure 35-1 provides a schematic view of the relationships and usages of these
interfaces, as well as some relevant security registry APIs. This chapter first discusses
the client API and then the network API.
Figure 35-1. Use of Password Management Facility APIs
124245 Tandem Computers Incorporated 351