--- Sjoerd Hooft's InFormation Technology ---

aixrootpassword [2013/02/25 20:27] (current)
sjoerd created
= AIX Root Password Policy =

In [[aix61]] and [[aixpostinstall]] we set up a standard password policy for users. However, in [[aixldapedirectory]] we set up user authentication through LDAP, which means accounts are managed in an LDAP-based directory (like eDirectory or Active Directory). That means the system password policy only applies to local user accounts (such as service accounts) and root. The latter is especially important, because root is only used in emergencies or when something does not work with [[sudo]].

= Password Policy Settings =
These are the password-related settings in /etc/security/user as set in [[aix61]] and [[aixpostinstall]]:
<code>
        pwdwarntime = 7
        histexpire = 26
        histsize = 4
        minage = 1
        maxage = 13
        maxexpired = -1
        minalpha = 5
        minother = 3
        minlen = 8
        mindiff = 1
        maxrepeats = 2
        dictionlist =
        pwdchecks =
</code>

== Official Explanation ==
And this is what these settings mean:
|pwdwarntime |Defines the number of days before the system issues a warning that a password change is required. The value is a decimal integer string. A zero or negative value indicates that no message is issued. The value must be less than the difference of the maxage and minage attributes. Values greater than this difference are ignored, and a message is issued when the minage value is reached. |
|histexpire |Designates the period of time (in weeks) that a user cannot reuse a password. The value is a decimal integer string. The default is 0, indicating that no time limit is set. |
|histsize |Designates the number of previous passwords a user cannot reuse. The value is a decimal integer string. The default is 0. |
|minage |Defines the minimum age (in weeks) a password must be before it can be changed. The value is a decimal integer string. The default is a value of 0, indicating no minimum age. |
|maxage |Defines the maximum age (in weeks) of a password. The password must be changed by this time. The value is a decimal integer string. The default is a value of 0, indicating no maximum age. |
|maxexpired |Defines the maximum time (in weeks) beyond the maxage value that a user can change an expired password. After this defined time, only an administrative user can change the password. The value is a decimal integer string. The default is -1, indicating no restriction is set. If the maxexpired attribute is 0, the password expires when the maxage value is met. If the maxage attribute is 0, the maxexpired attribute is ignored. |
|minalpha |Defines the minimum number of alphabetic characters that must be in a new password. The value is a decimal integer string. The default is a value of 0, indicating no minimum number. |
|minother |Defines the minimum number of non-alphabetic characters that must be in a new password. The value is a decimal integer string. The default is a value of 0, indicating no minimum number. |
|minlen |Defines the minimum length of a password. The value is a decimal integer string. The default is a value of 0, indicating no minimum length. The maximum value allowed is 8. This attribute is determined by the minalpha attribute value added to the minother attribute value. If the sum of these values is greater than the minlen attribute value, the minimum length is set to the result. |
|mindiff |Defines the minimum number of characters required in a new password that were not in the old password. The value is a decimal integer string. The default is a value of 0, indicating no minimum number. |
|maxrepeats |Defines the maximum number of times a character can be repeated in a new password. Since a value of 0 is meaningless, the default value of 8 indicates that there is no maximum number. The value is a decimal integer string. |
|dictionlist |Defines the password dictionaries used by the composition restrictions when checking new passwords. The password dictionaries are a list of comma-separated, absolute path names that are evaluated from left to right. All dictionary files and directories must be write-protected from all users except root. The dictionary files are formatted one word per line. The word begins in the first column and terminates with a new-line character. Only 7-bit ASCII words are supported for passwords. If text processing is installed on your system, the recommended dictionary file is the /usr/share/dict/words file. |
|pwdchecks |Defines the password restriction methods enforced on new passwords. The value is a list of comma-separated method names and is evaluated from left to right. A method name is either an absolute path name or a path name relative to /usr/lib of an executable load module. |

= New Defaults =
We found it better to work with a procedural password policy for root instead of one enforced by the system: our security officer determines when it's time to change the root passwords and what to change them to. So the system-enforced password policy had to change to:
<code>
        pwdwarntime = 7
        histexpire = 26
        histsize = 4
        minage = 1
        maxage = 52
        maxexpired = -1
        minalpha = 5
        minother = 1
        minlen = 8
        mindiff = 1
        maxrepeats = 2
        dictionlist =
        pwdchecks =
</code>
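
As an added example (not part of the original page), the POSIX shell snippet below reads a file in the /etc/security/user stanza layout and prints the AIX chsec commands needed to bring the root stanza in line with the new defaults above. It assumes the stanza format shown on this page ("name:" followed by indented "attr = value" lines), that a root attribute not set in its own stanza inherits the default: value, and it runs against a constructed sample file rather than a real system; the function names are mine.

```shell
# Constructed sample standing in for /etc/security/user (not from a real system):
# "name:" stanza headers, then "<tab>attr = value" lines; unset root attributes
# are inherited from the default: stanza, as AIX does.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
default:
        pwdwarntime = 7
        histexpire = 26
        histsize = 4
        minage = 1
        maxage = 13
        maxexpired = -1
        minalpha = 5
        minother = 3
        minlen = 8
        mindiff = 1
        maxrepeats = 2

root:
        admin = true
        maxage = 13
EOF

# Target policy from the "New Defaults" section, as attr=value pairs.
POLICY="pwdwarntime=7 histexpire=26 histsize=4 minage=1 maxage=52 maxexpired=-1
minalpha=5 minother=1 minlen=8 mindiff=1 maxrepeats=2"

# stanza_attr FILE STANZA ATTR: effective value of ATTR in STANZA, falling back
# to the default: stanza when STANZA does not set it (empty if neither does).
stanza_attr() {
    awk -v s="$2" -v a="$3" '
        /^[^ \t#][^:]*:[ \t]*$/ { cur = substr($1, 1, length($1) - 1); next }
        cur == s && $1 == a && $2 == "="         { val = $3; found = 1 }
        cur == "default" && $1 == a && $2 == "=" { def = $3 }
        END { print (found ? val : def) }' "$1"
}

# policy_drift FILE STANZA: one chsec line per attribute that deviates from POLICY.
policy_drift() {
    for kv in $POLICY; do
        attr=${kv%%=*}; want=${kv#*=}
        have=$(stanza_attr "$1" "$2" "$attr")
        [ "$have" = "$want" ] ||
            echo "chsec -f /etc/security/user -s $2 -a $attr=$want  # now: ${have:-<unset>}"
    done
}

policy_drift "$SAMPLE" root   # prints the maxage and minother corrections
```

On an AIX host, point policy_drift at /etc/security/user itself and review the printed chsec lines before running them.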

= Change Root Password =
So, let's assume it's time to change the root password, but the system hasn't always been under your control. Changing the password could break things, because scripts that embed the old password would stop working. To prevent this, search the file system for the clear-text password as well as for the encrypted string from /etc/security/passwd:

**Search for the old password in scripts, files etc.:**
<code bash>
root@system:/> grep -Rlw '<clear text passwd>' *
</code>

**Search for the encrypted string as found in /etc/security/passwd:**
<code bash>
root@system:/> grep -Rlw 'DRptal2fPz78L' *
</code>

These searches give you the list of files in which the string was found, so you can update them before changing the password.
{{tag>aix security}}
aixrootpassword.txt · Last modified: 2013/02/25 20:27 by sjoerd