TechTip: Passwords Are Key to AIX Security


Ensure that your users have strong passwords.

Within any operating system, password maintenance is an important system admin task, and AIX is no different. So let's look at some password maintenance techniques.

Within AIX, you can specify rules in password administration. The most common ones are these:

  1. Password length: the minimum and maximum number of characters
  2. The number of times a character may be repeated
  3. Expiry date of the account
  4. The number of previous passwords that cannot be reused
  5. The number of characters from the previous password that may not be used in the new password
  6. The number of alphabetic and non-alphabetic characters that must appear in the password
  7. The number of weeks before a password expires

In the following examples, our user will have the name "alpha."

To enforce a password change at the next login session, use the pwdadm command, which administers user passwords:

# pwdadm -f ADMCHG alpha

Now, when user alpha tries to log in, he is forced to change his password, like so:

login: alpha
alpha's Password:
[compat]: 3004-610 You are required to change your password.
        Please choose a new one.
alpha's New password:

You can query a user's pwdadm settings with the -q flag:

# pwdadm -q <user>

For example:

# pwdadm -q alpha
alpha:
        lastupdate = 1310489962
        flags = ADMCHG

In the output above, the lastupdate attribute is the epoch time (seconds since 1 January 1970) at which a change was issued via pwdadm or, more typically, at which the password was last changed. To convert this to a readable date, we can use perl:

# perl -e 'print scalar(localtime(1310489962)), "\n"'
Tue Jul 12 17:59:22 2011

To bypass any password-rule checking that is currently set for a user, use pwdadm with the NOCHECK flag:

# pwdadm -f NOCHECK alpha
# pwdadm -q alpha
alpha:
        lastupdate = 1310490666
        flags = NOCHECK

To reset the user's password attributes to the default (that is, to clear the current password flags set by the pwdadm command), use the -c flag:

# pwdadm -c alpha

Then query the user to check; the flags line is gone:

# pwdadm -q alpha
alpha:
        lastupdate = 1310492513

To make user alpha change his password in three weeks' time, use the maxage attribute (measured in weeks) with the chuser command:

# chuser maxage=3 alpha

The change can be confirmed with the lsuser command, extracting the maxage attribute:

# lsuser -a maxage alpha
alpha maxage=3

To determine the date and time of user alpha's next password change, we need a little arithmetic in seconds. There are 86,400 seconds in a day, and the maximum age has been set to three weeks (21 days), so first work out how many seconds there are in three weeks:

# expr 86400 \* 21
1814400

We also know that the last password change was 1310492513. Add the two figures (last password change time plus the three-week value) and we get this:

# expr 1310490666 + 1814400
1312305066

Now convert to normal time with perl:

# perl -e 'print scalar(localtime(1312305066)), "\n"'
Tue Aug  2 18:11:06 2011

We can now see that user alpha's password will expire, and must be changed, on Tuesday, August 2.
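
To automate the arithmetic just walked through, here is an added shell example that is not part of the original article: it parses constructed pwdadm -q and lsuser -a maxage output matching the figures above, computes the expiry epoch, and goes slightly beyond the text by treating maxage=0 as a password that never expires, which is how AIX defines that value.

```shell
#!/bin/sh
# Added example (not from the article): derive a password expiry date from
# the two values the text combines by hand. The sample text below is
# constructed to match the article's figures, not captured from a live AIX
# system, so the script runs on any POSIX shell with awk and sed.
PWDADM_OUT='alpha:
        lastupdate = 1310490666
        flags = NOCHECK'
LSUSER_OUT='alpha maxage=3'

# lastupdate (epoch seconds) from "pwdadm -q" style text
last_update() {
    printf '%s\n' "$1" | awk '$1 == "lastupdate" { print $3 }'
}

# maxage in weeks from "lsuser -a maxage" style text; AIX treats 0 as no maximum
max_age_weeks() {
    printf '%s\n' "$1" | sed -n 's/.*maxage=\([0-9][0-9]*\).*/\1/p'
}

# pwdadm flags (e.g. ADMCHG, NOCHECK), or "none" when the flags line is absent
pwd_flags() {
    f=$(printf '%s\n' "$1" | awk '$1 == "flags" { print $3 }')
    printf '%s\n' "${f:-none}"
}

# expiry epoch = lastupdate + maxage weeks * 7 days * 86400 seconds
expiry_epoch() {
    lu=$(last_update "$1")
    ma=$(max_age_weeks "$2")
    [ -n "$lu" ] && [ -n "$ma" ] || return 1   # attribute missing: refuse to guess
    [ "$ma" -gt 0 ] || { echo never; return 0; }
    echo $((lu + ma * 7 * 86400))
}

# status relative to a "now" epoch: expired, never expires, or days remaining
expiry_status() {
    exp=$(expiry_epoch "$1" "$2") || return 1
    [ "$exp" != never ] || { echo "never expires"; return 0; }
    if [ "$exp" -le "$3" ]; then
        echo expired
    else
        echo "$(( (exp - $3) / 86400 )) days left"
    fi
}

# Sample run: reproduces the article's 1312305066 (Tue Aug 2 18:11:06 2011)
expiry_epoch "$PWDADM_OUT" "$LSUSER_OUT"
expiry_status "$PWDADM_OUT" "$LSUSER_OUT" 1311000000
```

On a real system the two variables would be filled from `pwdadm -q "$user"` and `lsuser -a maxage "$user"` instead of the constructed strings.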

To set the minimum length a password must have when it is changed, use the minlen attribute, like so:

# chuser minlen=8 alpha

Now if user alpha changes his password and gives one shorter than eight characters, the system returns an error:

$ whoami
alpha
$ passwd
Changing password for "alpha"
alpha's Old password:
alpha's New password:

3004-603 Your password must have:
        a minimum of 8 characters in length.

If you need to change a lot of users' passwords yourself, going to each account and changing the password one at a time is tedious. A more efficient approach is the chpasswd command, which changes passwords from its standard input and so can be used within a script if required. Each input line has the format:

user:password

and is piped into chpasswd. To change user alpha's password to dongle201 from the command line, I could use this:

# echo "alpha:dongle201" | chpasswd

If I wanted to clear the password flags (that is, not force user alpha to change his password at the next login, but let him keep the one being set now), I could use this:

# echo "alpha:dongle201" | chpasswd -c

To change many users' passwords at once, create a file with the following format:

user1:password1
user2:password2
….

Then pipe that file through chpasswd. For example:

# cat pass
alpha:Pipered90
bravo:LookHtw
# cat pass | chpasswd

Of course, you will have to notify the users of the password change!

Stay Safe!

Ensuring that your users have strong passwords is truly one of the easiest steps toward system integrity. Take advantage of these techniques and sleep better tonight knowing that you've just made your company's system and data more secure.
