Ensure that your users have strong passwords.
Within any operating system, password maintenance is an important system admin task, and AIX is no different. So let's look at some password maintenance techniques.
Within AIX, you can specify rules in password administration. The most common ones are these:
- Password length, setting the minimum and maximum character length
- Amount of repeating characters
- Expiry date of the account
- The number of previous passwords that cannot be reused
- The number of characters in the previous password not to be used in the new password
- The number of non-alpha and alpha characters that must be used in the password
- The number of weeks before a password is expired
In the following examples, our user will have the name "alpha."
To enforce a password change upon the next login session, use the pwdadm command, which is used to administer user passwords:
# pwdadm -f ADMCHG alpha
Now, when user alpha tries to log in, he is forced to change his password, like so:
login: alpha
alpha's Password:
[compat]: 3004-610 You are required to change your password.
Please choose a new one.
alpha's New password:
You can query the pwdadm settings using the q flag:
pwdadm -q <user>
# pwdadm -q alpha
alpha:
lastupdate = 1310489962
flags = ADMCHG
In the above output, the lastupdate attribute is the epoch time (seconds since 1 January 1970) at which a change was issued via pwdadm or, more typically, at which the password was last changed. To convert it to a readable date, we can use perl:
# perl -e 'print scalar(localtime(1310489962)), "\n"'
Tue Jul 12 17:59:22 2011
To bypass any password-rule checking that is currently set on a user, use pwdadm with the NOCHECK flag:
# pwdadm -f NOCHECK alpha
# pwdadm -q alpha
alpha:
lastupdate = 1310490666
flags = NOCHECK
To reset the user's password attributes to the default (by that, I mean to clear the current password flags set by the pwdadm command), use the c flag:
# pwdadm -c alpha
Then query the user to check:
# pwdadm -q alpha
alpha:
lastupdate = 1310492513
To make the user alpha change his password in three weeks' time, use the maxage attribute (counted in weeks) with the chuser command. The following will ensure that user alpha will need to change his password in three weeks:
# chuser maxage=3 alpha
This change can be confirmed using the lsuser command and extracting the maxage attribute:
# lsuser -a maxage alpha
alpha maxage=3
To actually determine the date/time of user alpha's next password change, we need to do a little arithmetic involving the number of seconds. We know that there are 86,400 seconds in a day. The password change has been set to three weeks (as demonstrated earlier), so we need to work out how many seconds there are in three weeks (21 days):
# expr 86400 \* 21
1814400
We also know that the last password change was 1310492513. So add these two figures (last password change time value + three weeks time value), and we get this:
# expr 1310490666 + 1814400
1312305066
Now convert to normal time with perl:
# perl -e 'print scalar(localtime(1312305066)), "\n"'
Tue Aug 2 18:11:06 2011
We can now see that user alpha's next password change, that is, the password's expiry, will be on Tuesday, August 2.
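The three steps above (read lastupdate from pwdadm -q, read maxage from lsuser, add maxage weeks in seconds and convert with perl) are easy to get wrong by hand, and the NOCHECK flag shown earlier is worth hunting for during an audit, since it disables every password rule for that account. The following POSIX sh script is an added example, not code from the article or from IBM; it parses the pwdadm -q and lsuser output formats exactly as they appear above, does the same expr arithmetic, and reports NOCHECK as a finding. The function names, the SECS_PER_WEEK constant, and the sample output strings are my own constructions; on a live AIX box replace the samples with the real command output.

```shell
#!/bin/sh
# Added example, not from the article: compute when a user's password reaches
# maxage from `pwdadm -q` and `lsuser -a maxage` output, and flag NOCHECK.

SECS_PER_WEEK=604800   # 7 days * 86400 seconds; maxage is counted in weeks

# parse_lastupdate: stdin is `pwdadm -q <user>` output; prints the epoch value
parse_lastupdate() {
    awk -F'=' '/lastupdate/ { gsub(/[ \t]/, "", $2); print $2 }'
}

# parse_flags: stdin is `pwdadm -q <user>` output; prints the flags value
# (empty when there is no flags line, as after `pwdadm -c`)
parse_flags() {
    awk -F'=' '/flags/ { gsub(/[ \t]/, "", $2); print $2 }'
}

# parse_maxage: stdin is `lsuser -a maxage <user>` output ("alpha maxage=3")
parse_maxage() {
    sed -n 's/.*maxage=\([0-9][0-9]*\).*/\1/p'
}

# next_change_epoch LASTUPDATE MAXAGE_WEEKS
# Prints lastupdate + maxage weeks in epoch seconds (the article's expr sum).
# maxage=0 means the password never expires.
next_change_epoch() {
    case "$1" in ''|*[!0-9]*) echo "bad lastupdate '$1'" >&2; return 1 ;; esac
    case "$2" in
        ''|*[!0-9]*) echo "bad maxage '$2'" >&2; return 1 ;;
        0) echo never; return 0 ;;
    esac
    echo $(($1 + $2 * SECS_PER_WEEK))
}

# epoch_to_local EPOCH: the article's perl one-liner, parameterised
epoch_to_local() {
    perl -e 'print scalar(localtime($ARGV[0])), "\n"' "$1"
}

# report USER PWDADM_OUTPUT LSUSER_OUTPUT
# Prints one summary line; returns 1 when NOCHECK is set, 0 otherwise.
report() {
    user=$1
    lu=$(printf '%s\n' "$2" | parse_lastupdate)
    fl=$(printf '%s\n' "$2" | parse_flags)
    ma=$(printf '%s\n' "$3" | parse_maxage)
    nxt=$(next_change_epoch "$lu" "$ma") || return 1
    if [ "$nxt" != never ] && command -v perl >/dev/null 2>&1; then
        nxt="$nxt ($(epoch_to_local "$nxt"))"
    fi
    printf '%s: lastupdate=%s maxage=%s weeks, next change %s, flags=%s\n' \
        "$user" "$lu" "$ma" "$nxt" "${fl:-none}"
    case "$fl" in
        *NOCHECK*) echo "  FINDING: password rules are bypassed for $user"; return 1 ;;
    esac
    return 0
}

# Constructed sample output mirroring the article's figures for "alpha".
# On a live system use "$(pwdadm -q alpha)" and "$(lsuser -a maxage alpha)".
SAMPLE_PWDADM='alpha:
        lastupdate = 1310490666
        flags = NOCHECK'
SAMPLE_LSUSER='alpha maxage=3'

if ! report alpha "$SAMPLE_PWDADM" "$SAMPLE_LSUSER"; then
    echo "  exit status 1: this account needs review"
fi
```

Run as root with the real command substitutions in place of the samples, or loop over `lsuser -a maxage ALL` to produce one line per account. The perl conversion is skipped when perl is absent, so the epoch value is always printed and the date is an extra.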
If we wanted to set the minimum length of a new password, we can use the minlen attribute, like so:
# chuser minlen=8 alpha
Now if user alpha changes his password and gives a password length less than eight characters, the system will return an error:
$ whoami
alpha
$ passwd
Changing password for "alpha"
alpha's Old password:
alpha's New password:
3004-603 Your password must have:
a minimum of 8 characters in length.
If you need to change a lot of users' passwords yourself, going to each user's account and changing the password one at a time is quite time-consuming. A more efficient approach is to use the chpasswd command to change users' passwords in bulk. This has the added advantage that it can be used within a script if required. Here's the format:
user : password | chpasswd
To change user alpha's password to dongle201 from the command line, I could use this:
# echo "alpha:dongle201"| chpasswd
If I wanted to clear the password flags—that is, not force user alpha to change his password at the next login and instead use the current one now being set—I could use this:
# echo "alpha:dongle201"| chpasswd -c
To change many users' passwords at once, create a file with the following format:
user1:password1
user2:password2
...
Then pipe that file through chpasswd. For example:
# cat pass
alpha:Pipered90
bravo:LookHtw
# cat pass | chpasswd
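A batch file like the one above holds clear-text passwords, so before piping it into chpasswd a practitioner would want to confirm that the file is not readable by anyone else, that every line is well formed, and that the passwords actually meet the site's minimum length (the minlen rule set earlier applies when the user changes the password, not when you set it for them). The POSIX sh script below is an added example, not code from the article or from IBM. The function names, the AIX_LIVE switch, the user-name pattern and the temporary file are my own assumptions; the two sample entries are the article's own.

```shell
#!/bin/sh
# Added example, not from the article: sanity-check a chpasswd batch file
# before feeding it to chpasswd, and keep the file private while it exists.

# check_entries MINLEN
# Reads user:password lines on stdin, prints one diagnostic per bad line and
# returns 1 if any line is bad. Text after the first ':' is the password, so a
# password may itself contain ':'. The user-name pattern is an assumption
# (lower-case letters, digits and '_', not starting with a digit); adjust it
# to your site's naming rules.
check_entries() {
    minlen=$1
    n=0
    bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case "$line" in
            '') continue ;;                       # ignore blank lines
            *:*) ;;
            *) echo "line $n: missing ':' separator"; bad=$((bad + 1)); continue ;;
        esac
        user=${line%%:*}
        pass=${line#*:}
        case "$user" in
            ''|[0-9]*|*[!a-z0-9_]*)
                echo "line $n: invalid user name '$user'"; bad=$((bad + 1)); continue ;;
        esac
        if [ "${#pass}" -lt "$minlen" ]; then
            echo "line $n: password for '$user' is shorter than $minlen characters"
            bad=$((bad + 1))
        fi
    done
    [ "$bad" -eq 0 ]
}

# file_is_private FILE: true when neither group nor others can read it
file_is_private() {
    case "$(ls -ld "$1" | cut -c5-10)" in
        *r*) return 1 ;;
        *)   return 0 ;;
    esac
}

# load_batch FILE MINLEN
# Runs both checks and, only when they pass and AIX_LIVE=1 is set, pipes the
# file into chpasswd. Without -c, chpasswd leaves ADMCHG set so every listed
# user must pick a new password at next login (the article's -c form keeps the
# password as given). The file is removed afterwards either way.
load_batch() {
    file=$1; minlen=$2
    if ! file_is_private "$file"; then
        echo "refusing: $file is readable by group or others (chmod 600 it first)" >&2
        return 1
    fi
    if ! check_entries "$minlen" < "$file"; then
        echo "refusing: fix the entries above before running chpasswd" >&2
        return 1
    fi
    if [ "${AIX_LIVE:-0}" = 1 ]; then
        chpasswd < "$file"
    else
        echo "dry run: would run 'chpasswd < $file'"
    fi
    rm -f "$file"
}

# Demo with the article's two sample entries in a constructed temporary file,
# written under umask 077 so it is never readable by anyone else.
umask 077
demo=$(mktemp /tmp/pass.XXXXXX)
printf 'alpha:Pipered90\nbravo:LookHtw\n' > "$demo"
if ! load_batch "$demo" 8; then
    echo "batch rejected (bravo's password has only 7 characters)"
    rm -f "$demo"
fi
```

With a minimum of 8 the article's second entry is rejected, which is the point of checking before rather than after chpasswd has run; set AIX_LIVE=1 only on the AIX host where chpasswd exists.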
Of course, you will have to notify the users of the password change!
Stay Safe!
Ensuring that your users have strong passwords is truly one of the easiest steps toward system integrity. Take advantage of these techniques and sleep better tonight knowing that you've just made your company's system and data more secure.
MC Press Online