Do DCE servers automatically update their long term secret keys?
No. Except in exceptional circumstances, all DCE servers should periodically change their long-term key. However, neither the servers provided by DCE nor those written by you or third parties will do this out-of-the-box. The way to have a server update its key is to spawn a thread that calls sec_key_mgmt_manage_key() (which never returns under normal circumstances). As distributed by Open Group, DCE has no password expirations set, so sec_key_mgmt_manage_key() won’t actually do anything. You may set the password expiration time or lifespan using an admin tool such as rgy_edit or dcecp. In 1.0.x releases, DCE only enforced password expiration in the clients (for example, by printing a warning in dce_login). As of DCE 1.1, however, the security server will no longer grant a TGT for an account whose password/key has expired, so servers that aren’t correctly running the manage key code before their password expires will require administrative intervention to become operational again.
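The thread-spawning pattern described above, as an added example (not code from this FAQ or from DCE). It uses POSIX pthreads rather than the DCE threads API; struct key_mgr, key_mgr_start and the HAVE_DCE macro are hypothetical names, and without HAVE_DCE a constructed stand-in replaces the DCE call so the "thread returned" failure path can be run offline.

```c
#include <pthread.h>
#include <stdio.h>

#ifdef HAVE_DCE                      /* assumed macro: build against real DCE */
#include <dce/rpc.h>
#include <dce/keymgmt.h>
#else
/* Constructed stand-ins so the example compiles without DCE headers. The real
 * call blocks; this one returns at once with a made-up failure status. */
typedef unsigned long error_status_t;
#define error_status_ok 0
#define rpc_c_authn_dce_secret 1
static void sec_key_mgmt_manage_key(unsigned long authn, void *keytab,
                                    unsigned char *principal, error_status_t *st)
{ (void)authn; (void)keytab; (void)principal; *st = 1; /* constructed */ }
#endif

struct key_mgr {                     /* hypothetical bookkeeping struct */
    unsigned char *principal;        /* server principal name */
    void *keytab;                    /* NULL selects the default keytab */
    pthread_t tid;
    int exited;                      /* set if the manage-key call returns */
    error_status_t status;           /* status it returned with */
};

static void *key_mgr_main(void *p)
{
    struct key_mgr *km = p;
    sec_key_mgmt_manage_key(rpc_c_authn_dce_secret, km->keytab,
                            km->principal, &km->status);
    /* Reaching this line is abnormal: the key is no longer being changed, so
     * report it before the account's key expires. */
    km->exited = 1;
    fprintf(stderr, "key management for %s stopped, status 0x%lx\n",
            (char *)km->principal, (unsigned long)km->status);
    return NULL;
}

int key_mgr_start(struct key_mgr *km, const char *principal)
{
    km->principal = (unsigned char *)principal;
    km->keytab = NULL;
    km->exited = 0;
    km->status = error_status_ok;
    return pthread_create(&km->tid, NULL, key_mgr_main, km);
}
```

A server would call key_mgr_start() once during startup, before it begins listening for RPCs, and read km.exited only after joining the thread.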