global password settings

Hello, we are making password setting changes effective for all users on an AIX 5.2 system. Specifically, requiring users to use at least one special character in their password. Is there a way to make this change effective for all users in one place, i.e. the /etc/security/users file? I made the change in the users file and then went into smit users and viewed the setting for the user, but the change was not there. Any suggestions on the best way to accomplish this? Thanks

I'm not quite sure what you want to do, but I suppose you want to enforce certain rules for passwords. This is done individually by using the "chuser" command, where some restrictions can be forced onto individual users:

chuser <...some clauses> username

clauses could be:

minlen=<int> => minimum length of password in characters
minalpha=<int> => minimum number of alphanumeric characters in pw
minother=<int> => minimum number of other (non-alpha) chars in pw
maxrepeats=<int> => maximum number of consecutive identical chars
mindiff=<int> => minimum of different characters

and so on... There are also possible restrictions on how many passwords must be used before a password can be reused, a maximum age for passwords, and the like. Issue "man chuser" for a detailed explanation of which clauses there are and what they do.

All these password-related clauses modify a file named /etc/security/user, where these changes are stored. You can edit this file with any ASCII editor (it's a stanza file) and change the "default" stanza to modify the system-wide restrictions instead of modifying them for each user separately. Individual user settings override these settings.

Example:

chuser minlen=8 minother=1 john

will change the properties of the user john so that john will have to use passwords at least 8 characters long and with at least 1 non-alpha character in it. "abcd!efg" would be such a password, "abcde123" would not.

bakunin
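The clauses above are easier to reason about once you see them applied to a concrete string. The following is an added example (not from the original post and not AIX's own password checker) that scores a candidate password the way the thread describes minlen, minalpha, minother and maxrepeats, and reports which clauses fail. One thing worth noticing when you run it: the AIX manual defines minother as the minimum number of non-alphabetic characters, and digits are non-alphabetic, so "abcde123" satisfies minother=1 even though it has no special character; a policy that wants a "special character" in the strict sense needs more than minother. The maxrepeats clause is implemented here as the post defines it (consecutive identical characters); check "man chuser" for the exact semantics on your release, because that is an assumption of this example. mindiff is left out because it compares against the old password.

```shell
#!/bin/sh
# Added example: evaluate a password against chuser/chsec-style clauses.
# Illustration only; this is not the code AIX uses in passwd/passwdck.

# pw_stats PASSWORD
# Prints: "<length> <alphabetic> <other> <longest run of identical chars> <distinct chars>"
pw_stats() {
    if [ -z "$1" ]; then
        echo "0 0 0 0 0"
        return
    fi
    # printf '%s' avoids interpreting backslashes or adding a newline.
    printf '%s' "$1" | awk '
    {
        s = $0; n = length(s)
        alpha = 0; other = 0; maxrun = 0; run = 0; prev = ""; distinct = 0
        for (i = 1; i <= n; i++) {
            c = substr(s, i, 1)
            # minalpha counts letters; everything else (digits included) is "other"
            if (c ~ /[A-Za-z]/) alpha++; else other++
            # longest run of consecutive identical characters (maxrepeats as the post defines it)
            if (c == prev) run++; else run = 1
            if (run > maxrun) maxrun = run
            prev = c
            if (!(c in seen)) { seen[c] = 1; distinct++ }
        }
        printf "%d %d %d %d %d\n", n, alpha, other, maxrun, distinct
    }'
}

# pw_check PASSWORD MINLEN MINALPHA MINOTHER MAXREPEATS
# Prints "OK" or "FAIL:" followed by the names of the clauses that were not met.
pw_check() {
    pw=$1; minlen=$2; minalpha=$3; minother=$4; maxrepeats=$5
    set -- $(pw_stats "$pw")
    len=$1; alpha=$2; other=$3; maxrun=$4
    fail=""
    [ "$len"   -ge "$minlen"     ] || fail="$fail minlen"
    [ "$alpha" -ge "$minalpha"   ] || fail="$fail minalpha"
    [ "$other" -ge "$minother"   ] || fail="$fail minother"
    [ "$maxrun" -le "$maxrepeats" ] || fail="$fail maxrepeats"
    if [ -z "$fail" ]; then echo "OK"; else echo "FAIL:$fail"; fi
}

# Same policy as "chuser minlen=8 minother=1 john" from the post (minalpha 0,
# maxrepeats 8 are the AIX defaults; 8 effectively means "no limit").
for candidate in 'abcd!efg' 'abcde123' 'abcdefgh' 'aaaabcd!'; do
    printf '%-10s %s\n' "$candidate" "$(pw_check "$candidate" 8 0 1 8)"
done
```

Run it with any POSIX sh and awk (AIX ksh and awk qualify). The third candidate fails only minother, and the second one passes, which is the digit-counting point above; lower maxrepeats to 3 to see the last candidate rejected for its run of four a's.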

Hi,

You are on the right track with /etc/security/user. However, I don't think you should modify this file by hand.

You could use the "chuser" command in a "for" loop to accomplish what you're trying to do. You can either create a list of users to be changed in a file, or, in my case, since all of my userids start with e0, I just created my list as part of the for loop.

Here's the for loop I used.

# Build the user list from the stanza headers ("e0xxx:") in /etc/security/user,
# then apply the clause to each user in turn.
for user in $(grep '^e0' /etc/security/user | awk -F: '{ print $1 }')
do
    chuser minother=1 "$user"
done

And what would be the reason for not modifying the file directly? User information is not stored in the ODM, and chuser does nothing other than modify this file.

It is, quite to the contrary, ADVISABLE to change the file directly, especially the default stanza, because this will make sure newly added users will have the same restrictions as the old ones. Otherwise you will have to run your command over and over again.

By the way, to build a list of users do NOT grep the /etc/security/user file but use the "lsuser" command. For example, to get a list of all users with their userid, issue:

lsuser -ac id ALL | grep -v '^#'

bakunin

If you don't want to edit /etc/security/user directly, you can use the following:

chsec -f /etc/security/user -s default -a minother=1
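The two posts above make the same point from different angles: the value that applies to a user is the one in the user's own stanza if present, otherwise the one in the "default" stanza, and chsec -s default -a ... is just a safe way of editing that stanza. The following is an added example (not from the original thread, and not the parser AIX itself uses) that makes the override rule visible: it builds a small constructed /etc/security/user-style file, resolves the effective value of an attribute for a given user, and rewrites an attribute in a chosen stanza the way "chsec -f FILE -s STANZA -a ATTR=VALUE" would. The file contents, the user names and the helper names are all assumptions of the example; on a real AIX box you would use lsuser and chsec as the posts say, and this script is only for understanding what those commands do to the stanza file.

```shell
#!/bin/sh
# Added example: resolve and rewrite attributes in an AIX-style stanza file.
# Illustration of the default-stanza/override rule; not AIX code.

# make_sample FILE: write a small constructed /etc/security/user-style file.
make_sample() {
    printf 'default:\n\tadmin = false\n\tlogin = true\n\tminlen = 8\n\tminother = 1\n\nroot:\n\tadmin = true\n\njohn:\n\tminlen = 10\n\tminother = 3\n' > "$1"
}

# effective_attr FILE USER ATTR
# Prints the value from USER's stanza if set there, else from "default", else nothing.
effective_attr() {
    awk -v user="$2" -v attr="$3" '
    # A stanza header is a non-indented name followed by a colon.
    /^[^ \t#][^:]*:[ \t]*$/ { stanza = $0; sub(/:.*$/, "", stanza); next }
    /^[ \t]*#/ || /^[ \t]*$/ { next }           # comments and blank lines
    {
        line = $0; sub(/^[ \t]+/, "", line)
        eq = index(line, "="); if (eq == 0) next
        key = substr(line, 1, eq - 1); val = substr(line, eq + 1)
        gsub(/[ \t]+$/, "", key); gsub(/^[ \t]+/, "", val); gsub(/[ \t]+$/, "", val)
        if (key == attr) v[stanza] = val
    }
    END {
        if (user in v) print v[user]             # per-user setting wins
        else if ("default" in v) print v["default"]
        else print ""                            # attribute set nowhere
    }' "$1"
}

# set_stanza_attr FILE STANZA ATTR VALUE
# Rewrites FILE so that STANZA carries "ATTR = VALUE": an existing line is
# replaced in place, a missing attribute is added, a missing stanza is appended.
set_stanza_attr() {
    tmp="$1.tmp.$$"
    awk -v stanza="$2" -v attr="$3" -v val="$4" '
    function flush() { if (cur == stanza && !done) { print "\t" attr " = " val; done = 1 } }
    /^[^ \t#][^:]*:[ \t]*$/ {
        flush()                                  # leaving the target stanza without a match: add it
        cur = $0; sub(/:.*$/, "", cur)
        if (cur == stanza) seen = 1
        print; next
    }
    {
        line = $0; sub(/^[ \t]+/, "", line); eq = index(line, "=")
        if (cur == stanza && eq > 0) {
            key = substr(line, 1, eq - 1); gsub(/[ \t]+$/, "", key)
            if (key == attr) { print "\t" attr " = " val; done = 1; next }
        }
        print
    }
    END {
        flush()
        if (!seen) { print ""; print stanza ":"; print "\t" attr " = " val }
    }' "$1" > "$tmp" && mv "$tmp" "$1"
}

# Demonstration: john overrides the default, root inherits it.
f=$(mktemp)
make_sample "$f"
echo "root minother: $(effective_attr "$f" root minother)"   # 1, from default
echo "john minother: $(effective_attr "$f" john minother)"   # 3, john's own stanza
set_stanza_attr "$f" default minother 2     # what chsec -s default -a minother=2 does
echo "root minother after default change: $(effective_attr "$f" root minother)"   # 2
echo "john minother after default change: $(effective_attr "$f" john minother)"   # still 3
rm -f "$f"
```

This is why the second post recommends the default stanza: every user without an explicit setting, including users created later, picks up the new value, while a user that already carries a per-user clause (john here) keeps it until you change that stanza too.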