
Overview - The Password Management API

User passwords are the weakest link in the chain of DCE security. Users, unless their choices are restricted, typically choose passwords that are easy for them to remember; unfortunately, these memorable passwords are also easy for attackers to "crack."

The password management facility is intended to reduce this risk by providing the tools necessary to develop customized password management servers, and to call them from client password change programs. This facility enables cell administrators to

· Enforce stricter constraints on users' password choices than those in DCE standard policy

· Offer, or force, automatic generation of user passwords

The password management facility includes the following APIs:

· The password management interface, sec_pwd_mgmt_*( ), which enables clients to retrieve a principal's password management ERA values and to request strength-checking and generation of passwords.

· The password management network interface, rsec_pwd_mgmt_*( ), which enables a password management server to accept and process password strength checking and generation requests.

The following figure provides a schematic view of the relationships and uses of these interfaces, as well as some relevant security registry APIs. This topic first discusses the client API and then the network API.


Figure: Use of Password Management Facility APIs

For information on how to administer password generation and strength-checking, see the OSF DCE Administration Guide - Core Components.