SHIFT

--- Sjoerd Hooft's InFormation Technology ---
AIX Root Password Policy

In AIX 6.1 and AIX Post Install we set up a standard password policy for users. However, in AIX LDAP authentication on eDirectory we set up user authentication through LDAP, which means accounts are managed in an LDAP-based directory (such as eDirectory or Active Directory). The password policy in /etc/security/user therefore only applies to local user accounts (such as service accounts) and to root. The latter is especially important because root is only used in emergencies or when something does not work through sudo.

Password Policy Settings

These are the password-related settings in /etc/security/user as set in AIX 6.1 and AIX Post Install:

        pwdwarntime = 7
        histexpire = 26
        histsize = 4
        minage = 1
        maxage = 13
        maxexpired = -1
        minalpha = 5
        minother = 3
        minlen = 8
        mindiff = 1
        maxrepeats = 2
        dictionlist =
        pwdchecks =

Official Explanation

This is what these settings mean, according to the official documentation:

pwdwarntime: Defines the number of days before the system issues a warning that a password change is required. The value is a decimal integer string. A zero or negative value indicates that no message is issued. The value must be less than the difference of the maxage and minage attributes. Values greater than this difference are ignored, and a message is issued when the minage value is reached.
histexpire: Designates the period of time (in weeks) that a user cannot reuse a password. The value is a decimal integer string. The default is 0, indicating that no time limit is set.
histsize: Designates the number of previous passwords a user cannot reuse. The value is a decimal integer string. The default is 0.
minage: Defines the minimum age (in weeks) a password must be before it can be changed. The value is a decimal integer string. The default is a value of 0, indicating no minimum age.
maxage: Defines the maximum age (in weeks) of a password. The password must be changed by this time. The value is a decimal integer string. The default is a value of 0, indicating no maximum age.
maxexpired: Defines the maximum time (in weeks) beyond the maxage value that a user can change an expired password. After this defined time, only an administrative user can change the password. The value is a decimal integer string. The default is -1, indicating no restriction is set. If the maxexpired attribute is 0, the password expires when the maxage value is met. If the maxage attribute is 0, the maxexpired attribute is ignored.
minalpha: Defines the minimum number of alphabetic characters that must be in a new password. The value is a decimal integer string. The default is a value of 0, indicating no minimum number.
minother: Defines the minimum number of non-alphabetic characters that must be in a new password. The value is a decimal integer string. The default is a value of 0, indicating no minimum number.
minlen: Defines the minimum length of a password. The value is a decimal integer string. The default is a value of 0, indicating no minimum length. The maximum value allowed is 8. This attribute is determined by the minalpha attribute value added to the minother attribute value. If the sum of these values is greater than the minlen attribute value, the minimum length is set to the result.
mindiff: Defines the minimum number of characters required in a new password that were not in the old password. The value is a decimal integer string. The default is a value of 0, indicating no minimum number.
maxrepeats: Defines the maximum number of times a character can be repeated in a new password. Since a value of 0 is meaningless, the default value of 8 indicates that there is no maximum number. The value is a decimal integer string.
dictionlist: Defines the password dictionaries used by the composition restrictions when checking new passwords. The password dictionaries are a list of comma-separated, absolute path names that are evaluated from left to right. All dictionary files and directories must be write-protected from all users except root. The dictionary files are formatted one word per line. The word begins in the first column and terminates with a new-line character. Only 7-bit ASCII words are supported for passwords. If text processing is installed on your system, the recommended dictionary file is the /usr/share/dict/words file.
pwdchecks: Defines the password restriction methods enforced on new passwords. The value is a list of comma-separated method names and is evaluated from left to right. A method name is either an absolute path name or a path name relative to /usr/lib of an executable load module.

New Defaults

We have found it better to work with a procedural password policy than with one enforced by the system: our security officer determines when it is time to change the root passwords and what they change to. The system-enforced password policy therefore had to change to the following (maxage goes from 13 to 52 weeks and minother from 3 to 1):

        pwdwarntime = 7
        histexpire = 26
        histsize = 4
        minage = 1
        maxage = 52
        maxexpired = -1
        minalpha = 5
        minother = 1
        minlen = 8
        mindiff = 1
        maxrepeats = 2
        dictionlist =
        pwdchecks =
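The attribute descriptions above and the two policy blocks can be checked mechanically rather than by eye. The script below is an added example, not code from the original page or from IBM: it parses the stanza layout of /etc/security/user (a "name:" header followed by indented "attribute = value" lines), resolves the effective value of an attribute for a user the way AIX does (the user's own stanza overrides default:, and an attribute set in neither takes the documented default), and reports the derived minimum length together with the conditions the descriptions flag (maxage 0 disables expiry and makes maxexpired meaningless, a pwdwarntime outside the maxage-minage window is ignored, no history means reuse is not prevented). The sample file content, the local service account "appsvc" and the conversion of the weekly maxage-minage window to days for the pwdwarntime comparison are constructed assumptions for this example.

```shell
#!/bin/sh
# Added example, not from the original page: lint the password attributes of a
# stanza file laid out like AIX /etc/security/user. The sample file is constructed.

# Print "attr=value" lines from stanza STANZA of FILE. A stanza starts with a
# "name:" header line; its attributes follow as indented "attr = value" lines.
# Lines starting with "*" or "#" are treated as comments.
# Usage: stanza_attrs FILE STANZA
stanza_attrs() {
    awk -v want="$2" '
        /^[^ \t#*][^:]*:[ \t]*$/ { cur = $0; sub(/:.*/, "", cur); next }
        cur == want && index($0, "=") > 0 && $0 !~ /^[ \t]*[#*]/ {
            key = $0; sub(/=.*/, "", key); gsub(/[ \t]/, "", key)
            val = $0; sub(/^[^=]*=/, "", val); gsub(/^[ \t]+|[ \t]+$/, "", val)
            print key "=" val
        }' "$1"
}

# Print the value of NAME from an "attr=value" list, or DEFAULT if absent or empty.
# Usage: attr ATTRS NAME DEFAULT
attr() {
    v=$(printf '%s\n' "$1" | awk -F= -v k="$2" '$1 == k { print $2; exit }')
    if [ -n "$v" ]; then printf '%s\n' "$v"; else printf '%s\n' "$3"; fi
}

# Effective value of NAME for USER: the user's own stanza overrides "default:",
# and an attribute set in neither takes the documented default DEFAULT.
# Usage: effective FILE USER NAME DEFAULT
effective() {
    v=$(attr "$(stanza_attrs "$1" "$2")" "$3" "")
    [ -n "$v" ] || v=$(attr "$(stanza_attrs "$1" default)" "$3" "$4")
    printf '%s\n' "$v"
}

# Derive the effective rules for USER; print one "key=value" or "WARN ..." line each.
# Usage: lint_policy FILE USER
lint_policy() {
    f=$1; u=$2
    minlen=$(effective "$f" "$u" minlen 0)
    minalpha=$(effective "$f" "$u" minalpha 0)
    minother=$(effective "$f" "$u" minother 0)
    minage=$(effective "$f" "$u" minage 0)
    maxage=$(effective "$f" "$u" maxage 0)
    pwdwarntime=$(effective "$f" "$u" pwdwarntime 0)
    histsize=$(effective "$f" "$u" histsize 0)
    histexpire=$(effective "$f" "$u" histexpire 0)

    # minlen is raised to minalpha + minother when that sum is larger.
    sum=$((minalpha + minother))
    [ "$sum" -gt "$minlen" ] && minlen=$sum
    echo "effective_minlen=$minlen"

    if [ "$maxage" -eq 0 ]; then
        echo "WARN maxage=0: password never expires and maxexpired is ignored"
    else
        # pwdwarntime is in days, minage/maxage in weeks; the week window is
        # converted to days here (an assumption made for this example).
        window=$(( (maxage - minage) * 7 ))
        [ "$pwdwarntime" -lt "$window" ] ||
            echo "WARN pwdwarntime=$pwdwarntime days is not below the $window-day maxage-minage window: it is ignored and the warning is issued at minage"
        echo "expiry_weeks=$maxage"
    fi
    if [ "$histsize" -eq 0 ] && [ "$histexpire" -eq 0 ]; then
        echo "WARN no password history: old passwords may be reused"
    fi
    return 0
}

# Constructed /etc/security/user-style content: the "New Defaults" policy in
# default:, a root stanza, and a hypothetical local service account "appsvc"
# whose overrides disable expiry and history.
# Usage: write_sample FILE
write_sample() {
    cat > "$1" <<'EOF'
* constructed sample, not a real system file
default:
        pwdwarntime = 7
        histexpire = 26
        histsize = 4
        minage = 1
        maxage = 52
        maxexpired = -1
        minalpha = 5
        minother = 1
        minlen = 8
        mindiff = 1
        maxrepeats = 2
        dictionlist =
        pwdchecks =

root:
        admin = true

appsvc:
        maxage = 0
        histsize = 0
        histexpire = 0
EOF
}

# Stand-alone run: lint root and the service account from the constructed file.
sample=$(mktemp)
write_sample "$sample"
echo "== root"; lint_policy "$sample" root
echo "== appsvc"; lint_policy "$sample" appsvc
rm -f "$sample"
```

On a real host the same functions run against /etc/security/user directly (lint_policy /etc/security/user root); per-user stanzas are the place to look for quiet overrides of the default policy, which is exactly what the appsvc stanza in the sample illustrates.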

Change Root Password

So, let's assume it's time to change the password of root, but the system hasn't always been under your control. You fear that changing the password could break functionality because scripts that embed it might stop working. To prevent this, search the file system for the clear-text password as well as for the encrypted password string:

Search for the old password in scripts, files, etc.:

root@system:/>grep -Rlw '<clear text passwd>' *

Search for the encrypted string as found in /etc/security/passwd:

root@system:/>grep -Rlw 'DRptal2fPz78L' *

These searches give you a list of the files in which the string was found.
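The two greps above are the whole procedure; the script below is an added example (not from the original page) that packages them as a pre-rotation check with two things a practitioner would want on a live system: the strings are matched with grep -F, so characters such as "$", "." and "{" in a password hash are taken literally instead of as regex metacharacters and no word-boundary condition (-w) is imposed that a hash ending in punctuation could fail, and pseudo-filesystems such as /proc are pruned so the walk stays on real files. The sample password, the hash string and the directory tree it scans are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original page: before rotating the root password,
# list every regular file under a tree that embeds the clear-text password or
# the hash string copied from /etc/security/passwd. All sample values are constructed.

# Constructed values; on a real system use the current password and the hash
# from root's stanza in /etc/security/passwd.
SAMPLE_PASS='Ex4mple-r00t-pw!'
SAMPLE_HASH='{ssha256}06$CONSTRUCTED_SALT$CONSTRUCTED_HASH'

# Print, sorted, the regular files below DIR that contain any STRING literally.
# Usage: find_secret_refs DIR STRING [STRING...]
find_secret_refs() {
    dir=$1; shift
    base=${dir%/}                      # "/" becomes "" so "$base/proc" is "/proc"
    pat=$(mktemp)
    # One literal per line for grep -F: matched as-is, no regex, no -w.
    for s in "$@"; do printf '%s\n' "$s"; done > "$pat"
    # Skip pseudo-filesystems and device nodes; grep only regular files.
    find "$dir" \( -path "$base/proc" -o -path "$base/dev" -o -path "$base/sys" \) -prune \
        -o -type f -exec grep -l -F -f "$pat" '{}' + 2>/dev/null | sort
    rm -f "$pat"
}

# Build a constructed tree: a backup script and a .netrc that embed the
# password, the passwd file that holds the hash, one clean script, and a
# /proc entry that must be skipped even though it contains the password.
# Usage: make_sample_tree DIR
make_sample_tree() {
    mkdir -p "$1/usr/local/bin" "$1/etc/security" "$1/home/app" "$1/proc/1"
    printf '#!/bin/sh\nexport PASS=%s\nbackup_to_host "$PASS"\n' "$SAMPLE_PASS" > "$1/usr/local/bin/backup.sh"
    printf 'machine ftphost login root password %s\n' "$SAMPLE_PASS" > "$1/home/app/.netrc"
    printf 'root:\n\tpassword = %s\n\tlastupdate = 0\n' "$SAMPLE_HASH" > "$1/etc/security/passwd"
    printf '#!/bin/sh\ndf -k | mail -s "disk report" ops\n' > "$1/usr/local/bin/report.sh"
    printf 'cmdline with %s\n' "$SAMPLE_PASS" > "$1/proc/1/cmdline"
}

# Stand-alone run against the constructed tree.
tree=$(mktemp -d)
make_sample_tree "$tree"
find_secret_refs "$tree" "$SAMPLE_PASS" "$SAMPLE_HASH"
rm -rf "$tree"
```

Against a real system the call is find_secret_refs / "<clear text passwd>" "<hash from /etc/security/passwd>", run as root so that unreadable files are not silently skipped; /etc/security/passwd itself will of course appear in the hash results, and any other file that does is a credential copy to account for before the password changes.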

aixrootpassword.txt · Last modified: 2021/09/24 00:24 (external edit)