account(8dce) — Maintenance
NAME
account — A dcecp object that manages an account in the DCE Security Service
SYNOPSIS
account catalog [cell_name] [-simplename]
account create account_name_list -mypwd password -password password -group group_name -organization organization_name [-attribute attribute_list | -attribute value]
account delete account_name_list
account generate account_name
account help [operation | -verbose]
account modify account_name_list [-mypwd password] {-change attribute_list | -attribute value}
account operations
account show account_name_list [-policies | -all]
Arguments
account_name_list
A list of one or more names of accounts to act on. Note that accounts are identified by principal names, so when you create an account you supply a principal name for the account name.
Supply the names as follows:
•Fully qualified account names in the form /.../cell_name/account_name or /.:/account_name
•Cell-relative account names in the form account_name. These names refer to an account in the cell identified in the _s(sec) convenience variable, or if the _s(sec) convenience variable is not set, in the local host’s default cell.
Do not mix fully qualified names and cell-relative names in a list. In addition, do not use the names of registry database objects that contain account information; in other words, do not use account names that begin with /.:/sec/account/.
account_name
The name of a single account to act on. See account_name_list for the name format.
cell_name
The name of a specific cell (or /.: for the local cell) in which to catalog accounts.
operation
The name of the account operation for which to display help information.
Description
The account object represents registry accounts. Although an account is associated with one principal, one group, and one organization, it is identified by the principal’s primary name. Alias names are differentiated for principals, so one principal can have multiple accounts under different alias names.
When this command executes, it attempts to bind to the registry server identified in the _s(sec) variable. If that server cannot process the request or if the _s(sec) variable is not set, the command binds to either an available slave server or the master registry server, depending on the operation. Upon completion, the command sets the _b(sec) convenience variable to the name of the registry server it bound to.
Attributes
The account object supports the following three kinds of attributes:
•Account attributes may or may not have default values. They assume either a default value or a value set by an administrator.
•Policy attributes regulate such things as account and password lifetimes for all accounts associated with a particular registry. Policy attributes have registry-wide default values. They always assume the most restrictive value, whether that is the registry-wide default value or a value set for an individual account.
•Public key attributes regulate the creation and modification of the public key pairs used for public key authentication.
Account Attributes
acctvalid {yes | no}
A flag set to determine account validity. Its value is either yes or no. An account with an acctvalid attribute set to no is invalid and cannot be logged in to. The default is yes.
client {yes | no}
A flag set to indicate whether the account is for a principal that can act as a client. Its value is either yes or no. If you set this flag to yes, the principal is able to log in to the account and acquire tickets for authentication. The default is yes.
created creators_name ISO_timestamp
A list of two items. The first is the principal name of the creator of the account, the second is an ISO timestamp showing the time of creation. This attribute is set by the system at the time of account creation and cannot be specified or modified.
description
A text string (limited to the Portable Character Set) typically used to describe the use of the account. The default is the empty string ("").
dupkey {yes | no}
A flag set to determine whether tickets issued to the account’s principal can have duplicate keys. Its value is either yes or no. The default is no.
In DCE this attribute is currently only advisory. However, Kerberos clients and servers make use of it when they interact with a DCE Security server.
expdate ISO_timestamp
The date on which the account expires. To renew the account, change the date in this field. To specify the time, use an ISO-compliant time format such as CCYY-MM-DD-hh:mm:ss or the string none. The default is none.
forwardabletkt {yes | no}
A flag set to determine whether a new ticket-granting ticket with a network address that differs from the present ticket-granting ticket’s network address can be issued to the account’s principal. The proxiabletkt attribute performs the same function for service tickets. Its value is either yes or no. The default is yes.
In DCE this attribute is currently only advisory. However, Kerberos clients and servers make use of it when they interact with a DCE Security server.
goodsince ISO_timestamp
The date and time the account was last known to be in an uncompromised state. Any tickets granted before this date are invalid. The value is an ISO timestamp. When the account is initially created, the goodsince date is set to the current date. Control over this date is especially useful if you know that an account’s password was compromised. Changing the password can prevent the unauthorized principal from accessing the system again using that password, but the changed password does not prevent the principal from accessing the system components for which tickets were obtained fraudulently before the password was changed. To eliminate the principal’s access to the system, the tickets must be canceled.
The default is the time the account was created.
group group_name
The name of the group associated with the account. The value is a single group name of an existing group in the registry. This attribute must be specified for the account create command; it does not have a default value.
If a group is deleted from the registry, all accounts associated with the group are also deleted.
home directory_name
The file system directory in which the principal is placed at login. The default is the / directory.
lastchange principal_name ISO_timestamp
A list of two items. The first is the principal name of the last modifier of the account; the second is an ISO timestamp showing the time of the last modification. This attribute is set by the system whenever the account is modified; it cannot be set or modified directly. The initial value consists of the principal name of the creator of the account and the time the account was created.
organization organization_name
The name of the organization associated with the account. The value is a single organization name of an existing organization in the registry. This attribute must be specified for the account create command; it does not have a default value.
If an organization is deleted from the registry, all accounts associated with the organization are deleted also.
password password
The password of the account. This attribute must be specified for the account create command; there is no default value. This attribute is not returned by an account show command.
postdatedtkt {yes | no}
A flag set to determine if tickets with a start time some time in the future can be issued to the account’s principal. Its value is either yes or no. The default is no.
In DCE, this attribute is currently only advisory. However, Kerberos clients and servers make use of it when they interact with a DCE Security server.
proxiabletkt {yes | no}
A flag set to determine whether a new ticket with a different network address than the present ticket can be issued to the account’s principal. The forwardabletkt attribute performs the same function for ticket-granting tickets. Its value is either yes or no. The default is no.
In DCE, this attribute is currently only advisory. However, Kerberos clients and servers make use of it when they interact with a DCE Security server.
pwdvalid {yes | no}
A flag set to determine whether the current password is valid. If this flag is set to no, the next time a principal logs in to the account, the system prompts the principal to change the password. (Note that this flag is separate from the pwdexpdate policy, which sets time limits on password validity.) Its value is either yes or no. The default is yes.
renewabletkt {yes | no}
A flag set to determine if the ticket-granting ticket issued to the account’s principal can be renewed. If this flag is set to yes, the authentication service renews the ticket-granting ticket if its lifetime is valid. Its value is either yes or no. The default is yes.
In DCE this attribute is currently only advisory. However, Kerberos clients and servers make use of it when they interact with a DCE Security server.
server {yes | no}
A flag set to indicate whether the account is for a principal that can act as a server. Its value is either yes or no. This flag should be yes for any server that engages in authenticated communications. The default is yes.
shell path_to_shell
The path of the shell that is executed when a principal logs in. The legal value is any shell supported by the home cell. The default value is the empty string ("").
stdtgtauth {yes | no}
A flag set to determine whether service tickets issued to the account’s principal use the standard DCE ticket-granting ticket authentication mechanism. Its value is either yes or no. The default is yes.
usertouser {yes | no}
For server principals, a flag set to determine whether the server must use user-to-user authentication. Its value is either yes (must use user-to-user authentication) or no (uses server-key-based authentication). The default is no.
Policy Attributes
maxtktlife relative_time
The maximum amount of time that a ticket can be valid. To specify the time, use the Distributed Time Service (DTS) relative time format ([-]DD-hh:mm:ss). When a client requests a ticket to a server, the lifetime granted to the ticket takes into account the maxtktlife set for both the server and the client. In other words, the lifetime cannot exceed the shorter of the server’s or client’s maxtktlife. If you do not specify a maxtktlife for an account, the maxtktlife defined as registry authorization policy is used.
maxtktrenew relative_time
The amount of time before a principal’s ticket-granting ticket expires and that principal must log in to the system again to reauthenticate and obtain another ticket-granting ticket. To specify the time, use the DTS relative time format ([-]DD-hh:mm:ss). The lifetime of the principal’s service tickets can never exceed the lifetime of the principal’s ticket-granting ticket. The shorter you make maxtktrenew, the greater the security of the system. However, since principals must log in again to renew their ticket-granting ticket, the time specified needs to balance user convenience against the level of security required. If you do not specify this for an account, the maxtktrenew lifetime defined as registry authorization policy is used.
This feature is not currently used by DCE; any use of this option is unsupported at the present time.
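As an added example (not from this reference page or from OSF DCE), the following Python code parses the DTS relative time format used by maxtktlife and applies the rules stated above to obtain the lifetime actually granted: an account without its own maxtktlife uses the registry policy value, and the result is the most restrictive of the client's value, the server's value and the registry policy. The function names and the sample values are the example's own.

```python
"""Added example, not from the OSF DCE reference page: compute the effective
ticket lifetime from maxtktlife values given in DTS relative-time format."""
import re
from datetime import timedelta

# DTS relative time as documented on the page: [-]DD-hh:mm:ss
_DTS_REL = re.compile(r"^(-)?(\d+)-(\d{1,2}):(\d{2}):(\d{2})$")


def parse_dts_relative(text):
    """Parse a DTS relative time such as '0-10:00:00' into a timedelta.
    Malformed input raises ValueError instead of being silently accepted."""
    m = _DTS_REL.match(text.strip())
    if not m:
        raise ValueError(f"not a DTS relative time: {text!r}")
    sign, days, hours, minutes, seconds = m.groups()
    if int(hours) > 23 or int(minutes) > 59 or int(seconds) > 59:
        raise ValueError(f"field out of range in {text!r}")
    delta = timedelta(days=int(days), hours=int(hours),
                      minutes=int(minutes), seconds=int(seconds))
    return -delta if sign else delta


def format_dts_relative(delta):
    """Render a timedelta back into [-]DD-hh:mm:ss."""
    sign = "-" if delta < timedelta(0) else ""
    total = abs(int(delta.total_seconds()))
    days, rest = divmod(total, 86400)
    hours, rest = divmod(rest, 3600)
    minutes, seconds = divmod(rest, 60)
    return f"{sign}{days}-{hours:02d}:{minutes:02d}:{seconds:02d}"


def effective_maxtktlife(registry_policy, client_maxtktlife=None, server_maxtktlife=None):
    """Apply the rules stated on the page:
      - an account without its own maxtktlife uses the registry policy value;
      - the granted lifetime cannot exceed the shorter of the client's and
        the server's maxtktlife;
      - policy attributes always take the most restrictive value, so the
        registry policy caps per-account values as well.
    Returns the effective lifetime as a DTS relative time string."""
    policy = parse_dts_relative(registry_policy)
    candidates = [policy]
    for value in (client_maxtktlife, server_maxtktlife):
        candidates.append(parse_dts_relative(value) if value else policy)
    return format_dts_relative(min(candidates))


if __name__ == "__main__":
    # Constructed values: the registry allows 10 hours, the client account
    # 8 hours and the server account a full day; the 8-hour value wins.
    print(effective_maxtktlife("0-10:00:00", "0-08:00:00", "1-00:00:00"))
```

The minimum is taken over all three values because a per-account maxtktlife longer than the registry policy is never honoured; the registry value is a ceiling, not merely a default.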
Public Key Attributes
pkgenprivkey {integer | default}
Updates the public key pair used by the security server for public key authentication. Used only with the modify operation and only for the principal named krbtgt/cellname. The integer argument defines the bit length of the key modulus. It can be a value of 0 or a number from 256 through 1024 inclusive. A 0 indicates that no key pair will be generated. The default for integer is 0.
The default argument indicates that the public key default for the key modulus should be used.
pkkeycipherusage pk_attributes
Generates or modifies information used to encrypt public key pairs. Used with the create and modify operations, this attribute allows you to generate new key pairs, update existing key pairs, and change the public key password. The pk_attributes listed below define the tasks to perform and supply the information needed to perform the tasks.
generatekey {integer | default}
Randomly generate a new public key pair to use for encryption. If no key pair exists for the account, a new pair is created; otherwise the existing pair is updated. If you supply this attribute, you cannot supply the publickeyfile and privatekeyfile attributes. The integer argument defines the bit length of the key modulus. It can be a value of 0 or a number from 256 through 1024 inclusive. A 0 indicates that no key pair will be generated. The default for integer is 0.
The default argument indicates that the public key default for the key modulus should be used.
oldpassphrase string
The current public key password used to verify your identity when creating or modifying public key attributes. To change only the password, supply this attribute and the newpassphrase attribute with no other public key attributes.
newpassphrase string
Use this attribute to supply a new password. To change the password, you must also supply the oldpassphrase attribute to verify your identity.
privatekeyfile file_path
Use the key stored in the file identified by file_path to create the private key part of a public key pair used for encryption. If you supply this attribute, you cannot supply the generatekey attribute.
publickeyfile file_path
Use the key stored in the file identified by file_path to create the public key part of a public key pair used for encryption. If you supply this attribute, you cannot supply the generatekey attribute.
pksignatureusage pk_attributes
Generates or modifies information used to generate digital signatures. Used with the create or modify operation, this attribute allows you to generate a new signed key pair, update an existing pair, and change the public key password. The pk_attributes define the tasks to perform and supply the information needed to perform the tasks. They are the same attributes as the ones described for the pkkeycipherusage attribute.
pkmechanism {file | pkss}
The public key mechanism to use for storing public key information.
The file argument indicates the public key information will be stored in a file that is given the account principal’s UUID as a filename in the directory opt/dcelocal/var/security/pk_file/uuid.
The pkss argument indicates the public key information will be stored by the Private Key Storage Server.
See the OSF DCE Administration Guide for more information about account attributes.
Errors
A representative list of errors that might be returned is not shown here. Refer to the OSF DCE Problem Determination Guide for complete descriptions of all error messages.
Operations
account catalog
Returns a list of the names of all accounts in the registry. The syntax is as follows:
account catalog [cell_name] [-simplename]
Options
-simplename
Returns a list of account names in the registry without prepending the name of the cell.
The catalog operation returns a list of the names of all accounts in the local registry database. Use the cell_name argument to return a list of accounts in another cell’s registry. By default, fully qualified names are returned in the form cell_name/account_name. Use the -simplename option to return the names without the cell name in the form account_name.
Privileges Required
You must have r (read) permission to the principal named in the account.
Examples
dcecp> account catalog -simplename
nobody
root
daemon
uucp
bin
dce-ptgt
dce-rgy
krbtgt/goodco.com
cell_admin
hosts/pmin17/self
hosts/pmin17/cds-server
hosts/pmin17/gda
ward
dcecp>
dcecp> account catalog
/.../goodco.com/nobody
/.../goodco.com/root
/.../goodco.com/daemon
/.../goodco.com/uucp
/.../goodco.com/bin
/.../goodco.com/dce-ptgt
/.../goodco.com/dce-rgy
/.../goodco.com/krbtgt/goodco.com
/.../goodco.com/cell_admin
/.../goodco.com/hosts/pmin17/self
/.../goodco.com/hosts/pmin17/cds-server
/.../goodco.com/hosts/pmin17/gda
/.../goodco.com/ward
dcecp>
account create
Creates a new account in the registry database. The syntax is as follows:
account create account_name_list -mypwd password
-password password -group group_name
-organization organization_name
[-attribute attribute_list | -attribute value]
Options
-attribute value
As an alternative to using the -attribute option with an attribute list, you can specify individual attribute options by prepending a hyphen (-) to any attribute listed in the Attributes section of this reference page.
-attribute attribute_list
Allows you to specify attributes by using an attribute list rather than individual -attribute value options. The format of an attribute list is as follows:
{{attribute value}...{attribute value}}
-group group_name
The name of the group to associate with the account. See Account Attributes for the format of a group name.
-mypwd password
Your DCE privileged password. You must enter your privileged password to create an account. This check prevents a malicious user from using an existing privileged session to create unauthorized accounts. You must specify this option on the command line; it cannot be supplied in a script.
-organization organization_name
The name of the organization to associate with the account. See Account Attributes for the format of an organization name.
-password password
The DCE account password. See Account Attributes for the format of a password.
The create operation creates a new account. The account_name_list argument is a list of names of principals for which the accounts are to be created. This operation returns an empty string on success.
You must specify the -group, -organization, -password, and -mypwd options on the command line (either in an attribute list or with individual attribute options). The attributes specified are applied to all of the accounts created.
To protect the account password being entered, the account create command can be entered only from within dcecp. You cannot enter this command from the operating system prompt by using dcecp with the -c option.
Before you can create a new account, you must create a principal by using the principal create command. Then you must add the principal to an existing group and organization using the group add and organization add commands.
Privileges Required
You must have the following permissions:
•gmau (groups, mgmt_info, auth_info, and user_info) permissions to the principal named in the account
•rtM (read, test, Member_list) permissions to the organization named in the account
•tM (test, Member_list) permissions to the group named in the account
•r (read) permission on the registry policy object.
Examples
dcecp> principal create John_Hunter
dcecp>
dcecp> group add users -member John_Hunter
dcecp>
dcecp> organization add users -member John_Hunter
dcecp>
dcecp> account create John_Hunter -group users -organization users \
> -mypwd my.secret.password -password change.me
dcecp>
account delete
Deletes existing accounts from the registry. The syntax is as follows:
account delete account_name_list
The delete operation deletes existing accounts from the registry. The argument is a list of names of accounts to be deleted. If the accounts do not exist, an error is generated. This operation returns an empty string on success.
Privileges Required
You must have rmau (read, mgmt_info, auth_info, user_info) permissions for the principal named in the account.
Examples
dcecp> account delete john_hunter
dcecp>
account generate
Randomly generates a password for a named account. The syntax is as follows:
account generate account_name
To run the account generate command, the pwd_strength server must be running, the principal identified by account_name must exist, and the pwd_mgmt_binding and pwd_val_type Extended Registry Attributes must be attached to that principal. Otherwise, an error is generated. The command returns a randomly generated password on success.
See the OSF DCE Administration Guide for more information about the pwd_strength server.
After the password is generated, run the account create command to establish the account. Supply the randomly generated password as the account’s password (using the -password option).
Privileges Required
You must have the gmau (groups, mgmt_info, auth_info, and user_info) permissions for the principal named in the account.
Examples
dcecp> account generate john_hunter
dcecp>
account help
Returns help information about the account object and its operations. The syntax is as follows:
account help [operation | -verbose]
Options
-verbose
Displays information about the account object.
Used without an argument or option, the account help command returns brief information about each account operation. The optional operation argument is the name of an operation about which you want detailed information. Alternatively, you can use the -verbose option for more detailed information about the account object itself.
Privileges Required
No special privileges are needed to use the account help command.
Examples
dcecp> account help
catalog Returns the names of all accounts in the registry.
create Creates an account in the registry.
delete Deletes an account from the registry.
generate Generates a random password for an account in the registry.
modify Modifies an account in the registry.
show Returns the attributes of an account.
help Prints a summary of command-line options.
operations Returns a list of the valid operations for this command.
dcecp>
account modify
Changes attributes and policies of existing accounts. The syntax is as follows:
account modify account_name_list
[-mypwd password] {-change attribute_list | -attribute value}
Options
-attribute value
As an alternative to using the -change option with an attribute list, you can change individual attribute options by prepending a hyphen (-) to any attribute listed in the Attributes section of this reference page.
-change attribute_list
Allows you to modify attributes by using an attribute list rather than individual attribute options. The format of an attribute list is as follows:
{{attribute value}...{attribute value}}
-mypwd password
Lets you supply your privileged password when changing policy or administration data. You must enter your privileged password to change an account password; otherwise, the -mypwd option is optional. This check prevents a malicious user from using an existing privileged session to modify the passwords of existing accounts.
The modify operation modifies account attributes. The add and remove options are not supported because the attributes created when the account is created cannot be deleted, nor can additional attributes be added. To change an account attribute, supply the new value in an attribute list or as an individual attribute option. The operation returns an empty string on success.
To protect any passwords being entered, you can execute the account modify command only from within the dcecp program; you cannot execute it from the operating system prompt using dcecp with the -c option.
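As an added example (not part of this reference page or of dcecp), the Python below assembles the attribute-list form documented above for an account modify command that an administrator would enter inside dcecp after a password compromise, following the goodsince guidance in the Attributes section: set a new password, move goodsince to the present so that tickets granted earlier become invalid, and clear pwdvalid so the principal must choose a fresh password at the next login. Both secrets are left as placeholders because the page requires -mypwd to be typed on the command line, and a password written into a script would end up in files and logs. The function names and the quoting helper are the example's own; it assumes dcecp accepts goodsince in the CCYY-MM-DD-hh:mm:ss form documented for expdate, and it separates list elements with spaces, as Tcl requires.

```python
"""Added example, not part of the OSF DCE reference page: generate the text of
an 'account modify' command, in the {{attribute value} ...} attribute-list form
documented above, for responding to a compromised account password."""
from datetime import datetime, timezone

# Characters that force brace quoting of a Tcl list element (dcecp is Tcl based).
_TCL_SPECIAL = set(' \t\n{}[]$";\\')


def tcl_word(value):
    """Quote one value as a Tcl list element. An empty string becomes {} (which
    is also how 'account show' prints it); values containing whitespace or Tcl
    metacharacters are brace-quoted. Unbalanced braces or a trailing backslash
    cannot be brace-quoted safely, so they are rejected rather than mangled."""
    if value == "":
        return "{}"
    if any(ch in _TCL_SPECIAL for ch in value):
        if value.count("{") != value.count("}") or value.endswith("\\"):
            raise ValueError(f"cannot quote safely: {value!r}")
        return "{" + value + "}"
    return value


def attribute_list(attrs):
    """Render a mapping as {{attribute value} {attribute value} ...}."""
    return "{" + " ".join(f"{{{name} {tcl_word(value)}}}" for name, value in attrs.items()) + "}"


def compromise_response(account, when=None, note="password reset after suspected compromise"):
    """Text of the command an administrator would enter inside dcecp after a
    password compromise, following the page's guidance on goodsince:
      - set a new password (placeholder: typed in interactively, never scripted);
      - move goodsince to now, so tickets granted before it are invalid;
      - clear pwdvalid, so the principal must pick a fresh password at next login.
    -mypwd is a placeholder too: the page requires it on the command line."""
    now = when or datetime.now(timezone.utc)
    attrs = {
        "password": "<NEW_PASSWORD>",
        "goodsince": now.strftime("%Y-%m-%d-%H:%M:%S"),   # CCYY-MM-DD-hh:mm:ss form
        "pwdvalid": "no",
        "description": note,
    }
    return (f"account modify {tcl_word(account)} -mypwd <PRIVILEGED_PASSWORD> "
            f"-change {attribute_list(attrs)}")


EXAMPLE_TIME = datetime(1994, 6, 16, 12, 21, 7, tzinfo=timezone.utc)  # constructed

if __name__ == "__main__":
    print(compromise_response("John_Hunter", when=EXAMPLE_TIME))
```

Because account modify cannot be run through dcecp -c, the generated line is meant to be pasted into an interactive dcecp session with the two placeholders filled in by hand; changing the password alone does not revoke tickets already held, which is why goodsince is moved in the same command.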
Privileges Required
You must have rm (read, mgmt_info) permissions for the principal named in the account.
Examples
The following example changes the account’s expiration date and login shell by specifying the expdate and shell attributes as individual attribute options.
dcecp> account modify John_Hunter -expdate 1998 -shell /bin/csh
dcecp>
dcecp> account show John_Hunter
{acctvalid yes}
{client yes}
{created /.../my_cell.goodco.com/cell_admin 1994-06-15-18:31:08.000+00:00I-----}
{description {}}
{dupkey no}
{expdate 1995-06-16-00:00:00.000+00:00I-----}
{forwardabletkt yes}
{goodsince 1994-06-15-18:31:05.000+00:00I-----}
{group users}
{home /}
{lastchange /.../my_cell.goodco.com/cell_admin 1994-06-16-12:21:07.000+00:00I-----}
{organization users}
{postdatedtkt no}
{proxiabletkt no}
{pwdvalid yes}
{renewabletkt yes}
{server yes}
{shell /bin/csh}
{stdtgtauth yes}
dcecp>
The following example generates a public key pair for John_Hunter.
dcecp> account modify John_Hunter -pkmechanism pkss \
> -generatekey 485 -newpassphrase pokey
dcecp>
account operations
Returns a list of the operations supported by the account object. The syntax is as follows:
account operations
The list of available operations is in alphabetical order except for help and operations, which are listed last.
Privileges Required
No special privileges are needed to use the account operations command.
Examples
dcecp> account operations
catalog create delete generate modify show help operations
dcecp>
account show
Returns attribute information for the specified accounts. The syntax is as follows:
account show account_name_list [-policies | -all]
Options
-policies
Returns only account policies.
-all
Returns account attributes followed by account policies.
The show operation returns an attribute list describing the specified accounts. The argument is a list of names of accounts to be operated on. If more than one account is given, the attributes and policies are concatenated and a blank line inserted between accounts. The -policies option lets you return the policies of the account instead of the attributes. The -all option returns the attributes followed by the policies.
Attributes and policies are returned in lexical order. If the account has no policies, the operation displays the string nopolicy.
The policies that are actually in effect can differ from the account policies because of conflicts with registry-wide policies. If this is the case, the show operation alters the attribute structure on output to include an effective tag and the effective value, much as organization show does.
Privileges Required
You must have r (read) permission to the principal named in the account.
Examples
dcecp> account show John_Hunter
{acctvalid yes}
{client yes}
{created /.../my_cell.goodco.com/cell_admin 1994-06-15-18:31:08.000+00:00I-----}
{description {}}
{dupkey no}
{expdate 1995-06-16-00:00:00.000+00:00I-----}
{forwardabletkt yes}
{goodsince 1994-06-15-18:31:05.000+00:00I-----}
{group users}
{home /}
{lastchange /.../my_cell.goodco.com/cell_admin 1994-06-16-12:21:07.000+00:00I-----}
{organization users}
{postdatedtkt no}
{proxiabletkt no}
{pwdvalid yes}
{renewabletkt yes}
{server yes}
{shell {}}
{stdtgtauth yes}
dcecp>
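As an added example (not from this reference page), the following Python parses the brace-quoted attribute list that account show prints, as in the transcript above, and audits each account against the documented defaults and the goodsince rule (any ticket granted before goodsince is invalid). The first sample account is an excerpt of the page's John_Hunter output; the second is a constructed service account with several non-default settings. The tokenizer handles only brace quoting, which is all this output uses, and the function names and audit date are the example's own.

```python
"""Added example, not from the OSF DCE reference page: parse the brace-quoted
attribute list printed by 'account show' and audit it against the defaults and
rules documented in the Attributes section."""
import re
from datetime import datetime, timedelta, timezone

DEFAULTS = {  # defaults as documented under Account Attributes
    "acctvalid": "yes", "client": "yes", "dupkey": "no", "expdate": "none",
    "forwardabletkt": "yes", "home": "/", "postdatedtkt": "no", "proxiabletkt": "no",
    "pwdvalid": "yes", "renewabletkt": "yes", "server": "yes", "shell": "",
    "stdtgtauth": "yes", "usertouser": "no"}
# 1994-06-15-18:31:08.000+00:00I----- ; the trailing I----- (DTS inaccuracy) is ignored
_TS = re.compile(r"^(\d{4})-(\d{2})-(\d{2})-(\d{2}):(\d{2}):(\d{2})"
                 r"(?:\.\d+)?(?:([+-])(\d{2}):(\d{2}))?")

def tcl_split(text):
    """Split one level of a Tcl list into elements, honouring {} grouping."""
    elements, current, depth, braced = [], [], 0, False
    for ch in text:
        if depth == 0 and ch.isspace():
            if current or braced:              # {} is a real, empty element
                elements.append("".join(current))
            current, braced = [], False
        elif ch == "{":
            depth, braced = depth + 1, True
            if depth > 1:                      # nested brace stays in the element
                current.append(ch)
        elif ch == "}":
            depth -= 1
            if depth > 0:
                current.append(ch)
        else:
            current.append(ch)
    if depth:
        raise ValueError("unbalanced braces in " + repr(text))
    if current or braced:
        elements.append("".join(current))
    return elements

def parse_timestamp(text):
    """Parse an 'account show' timestamp into a timezone-aware datetime."""
    m = _TS.match(text)
    if not m:
        raise ValueError(f"unrecognised timestamp: {text!r}")
    y, mo, d, h, mi, s = (int(x) for x in m.groups()[:6])
    tz = timezone.utc
    if m.group(7):
        offset = timedelta(hours=int(m.group(8)), minutes=int(m.group(9)))
        tz = timezone(-offset if m.group(7) == "-" else offset)
    return datetime(y, mo, d, h, mi, s, tzinfo=tz)

def parse_account_show(output):
    """One dict per account (blank line between accounts); two-part values become lists."""
    accounts, current = [], {}
    for line in output.splitlines() + [""]:
        if not line.strip():
            if current:
                accounts.append(current)
            current = {}
            continue
        fields = tcl_split(tcl_split(line)[0])     # drop outer braces, then split
        current[fields[0]] = fields[1] if len(fields) == 2 else fields[1:]
    return accounts

def audit(account, as_of):
    """Findings a reviewer would raise, using only rules stated on the page."""
    findings = []
    if account.get("acctvalid") != "yes":
        findings.append("acctvalid is not yes: the account cannot be logged in to")
    expdate = account.get("expdate", "none")
    if expdate == "none":
        findings.append("expdate none: the account never expires")
    elif parse_timestamp(expdate) < as_of:
        findings.append(f"expdate {expdate} has passed")
    for name, default in DEFAULTS.items():   # everything else: report deviations
        if name not in ("acctvalid", "expdate") and account.get(name, default) != default:
            findings.append(f"{name} is {account[name]!r}, documented default is {default!r}")
    return findings

def ticket_trusted(account, issued_at):
    """goodsince rule from the page: a ticket granted before goodsince is invalid."""
    return parse_timestamp(account["goodsince"]) <= issued_at

# First account: excerpt of the John_Hunter output on this page; second: constructed.
SAMPLE = """{acctvalid yes}
{created /.../my_cell.goodco.com/cell_admin 1994-06-15-18:31:08.000+00:00I-----}
{description {}}
{expdate 1995-06-16-00:00:00.000+00:00I-----}
{goodsince 1994-06-15-18:31:05.000+00:00I-----}

{acctvalid yes}
{client no}
{description {nightly backup service}}
{expdate none}
{goodsince 1994-06-15-18:31:05.000+00:00I-----}
{postdatedtkt yes}
"""
AS_OF = datetime(1996, 1, 1, tzinfo=timezone.utc)   # constructed audit date

if __name__ == "__main__":
    for acct in parse_account_show(SAMPLE):
        print(audit(acct, AS_OF))
```

Run against real output, the same functions take the text between the account show command and the next dcecp> prompt; attributes missing from the output are treated as holding their documented default, and the four ticket-flag attributes that the page describes as advisory in DCE are still reported because Kerberos clients and servers honour them.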
Related Information
Commands: dcecp(8dce), group(8dce), organization(8dce), principal(8dce), registry(8dce).