Password Policy

I need help. I have set a password policy, but I want to disallow setting the user name as the password.
My policy is as below...

min length =8
min diff=2
min alpha=2
max repeats=2
dictionary= /usr/share/dict/words

Still, the user can set his username as the password (i.e. Jackie1234).

OK, add minother and minupperalpha; minother will require the user to add a special character, and minupperalpha, as you can guess, needs an upper-case letter.

It's AIX 6.1 and minupperalpha is not there. But anyway, this does not resolve my query.

Hmmm,
I doubt that. I don't have any box running 6.1.

If you configure those, the user cannot use the exact username as password, unless root is forcing it.

Here's a hack that may help.

TEST
As root, create a file, let's call it pdictlst, and make sure only root has read/write permissions.

Add a user's username to the file and save it.

Use the chuser command to set the password dictionary for that user to this file:

chuser dictionlist=/path/to/pdictlst username

As that user, attempt to change the password to the username. You should receive an error:

Passwords must not match words in the dictionary.

IMPLEMENTATION
To enable this system-wide, make a copy of the default dictionary file /usr/share/dict/words. Add all the usernames to this file, then run the following command:

chuser dictionlist=/path/to/words

Now the dictionary password check will check both dictionary words and usernames. If the words file is not installed, I believe it is in the bos.data fileset.

Hope this helps.
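The dictionary build from the TEST and IMPLEMENTATION steps above, automated as an added example (this is not code from the thread or from AIX). It assumes usernames are taken from a passwd-style file (first field), that the merged file is kept root-only, and that the final chuser step is run by root on the AIX box itself; the sample word list and passwd entries are constructed so the script runs offline.

```sh
#!/bin/sh
# Added example: merge the stock word list with every local username into one
# dictionary file, as the thread's IMPLEMENTATION step describes.
# Assumption (not from the thread): usernames come from a passwd-style file.

# build_pdict WORDS PASSWD OUT -- write the merged, de-duplicated list to OUT
build_pdict() {
    words="$1"; passwd="$2"; out="$3"
    { cat "$words"; awk -F: '$1 != "" { print $1 }' "$passwd"; } | sort -u > "$out"
    chmod 600 "$out"   # only the owner (root) may read or write the dictionary
}

# in_pdict DICT PASSWORD -- exit 0 if PASSWORD appears verbatim in DICT, i.e.
# the case that triggers "Passwords must not match words in the dictionary"
in_pdict() {
    grep -Fxq -- "$2" "$1"
}

# Constructed sample input, so the check can be exercised without AIX.
demo() {
    tmp=$(mktemp -d)
    printf 'apple\nbanana\n' > "$tmp/words"
    printf 'root:x:0:0::/:/bin/sh\njackie:x:201:1::/home/jackie:/bin/ksh\n' > "$tmp/passwd"
    build_pdict "$tmp/words" "$tmp/passwd" "$tmp/pdictlst"
    in_pdict "$tmp/pdictlst" jackie    && echo "jackie: rejected (in dictionary)"
    in_pdict "$tmp/pdictlst" Tr0ub4dor || echo "Tr0ub4dor: not in dictionary"
    rm -rf "$tmp"
}

demo

# On the AIX box, as root, point the user (or each user) at the merged file,
# exactly as the thread's TEST step does:
#   chuser dictionlist=/path/to/pdictlst username
```

The dictionary match is an exact, whole-line comparison, which is what the thread's error message describes; the LDAP caveat raised later in the thread still applies, since this only sees users present in the local passwd file.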

That's a cool thing, but if the users come via LDAP you will have to draw a list of user names at least maybe once a day to update that dict file.

True, but like the majority of postings on here, we never seem to get the entire picture. Just the bits and pieces...

Thanks all for these replies. I have checked it and it works. But the only thing is, every time we need to enter the user name in this dict file. There are so many users in the system, and applying this to working systems now will be hectic. Is there any workaround?

Regarding post 6, I suppose if users are LDAP-authenticated, then it is out of the Unix system's control, whatever flavour they are. You would need to ensure that, whatever LDAP server you use, the rules can be applied there too.

Robin

Exactly. You can use a local password verification mechanism too (in addition, respectively), but usually the ultimate verification is on the LDAP server. In most cases this means some PAM modules, one of which should deny passwords which are equal to user names.

It is also possible to get the user information via LDAP and verify the passwords via Kerberos (actually this is what "Active Directory" does). In this case you need to configure the Kerberos server with the respective rule.

I hope this helps.

bakunin

Why not just add $USER to the dictionary file?

I have added $USER to the dict file but it's not working.