I have a specific use case: for the deployment of a standard AIX Golden Image via mksysb, I have been requested to set the root user password to NULL with forced change on first login. Currently the admins need to remember when the Golden Image mksysb was created to calculate the root user password for console access.
I would like to include this logic into the script that generates the golden image mksysb:
Am I the golden image [Y|N]?
If [Y], set root password to NULL and force change on first login
Generate mksysb
If [Y], change root password back (I have a working process for this part and I don't want some charlatan sticking a back door into my GI )
Why not fix a known password to your team for the GI thats asks you to change root pass word after recovery? ( I usually used to have one that is changed per Year: as I used to archive all good GI... In case I were arked to put a box say, in OS cofiguration as of Jul 2009...)
You create the golden image presumably via some NIM-procedure. My suggestion is to have a post-install customization script which sets the root password to blank and raises the ADMCHG flag so that the next root logging on is required to set the PW.
It being weekend I have no AIX system at hand to test it, but that should work:
chpasswd < $(print - "root:")
See the man page for the chpasswd command for details.
On another thought you may want to include such a post-install step into the regular NIM-setup of new systems so that - regardless of what golden image was delivered - the root password is always set to a constant value which you can tell the administrators. In regular intervals (like once a year, ...) you just change this post-install-script so that ALL newly iinstalled systems are set to this new password initially.