====== Password policy on AIX ======
Get the current default password policy:
[root@aix001] /root> cat /etc/security/user | sed 's/\*//g' | grep -p "default:"
default:
admin = false
login = true
su = true
daemon = true
rlogin = true
sugroups = ALL
admgroups =
ttys = ALL
auth1 = SYSTEM
auth2 = NONE
tpath = nosak
umask = 022
expires = 0
SYSTEM = "compat"
logintimes =
pwdwarntime = 0
account_locked = false
loginretries = 0
histexpire = 13
histsize = 8
minage = 0
maxage = 0
maxexpired = -1
minalpha = 2
minother = 0
minlen = 11
mindiff = 0
maxrepeats = 0
dictionlist =
pwdchecks =
default_roles =
core_compress = on
core_path = on
core_naming = on
core_pathname = /var/core
minloweralpha = 1
minupperalpha = 1
mindigit = 0
minspecialchar = 0
Before changing the global settings for all users, make a backup of these files:
/etc/security/user
/etc/security/login.cfg
Recommended settings
# Recommended policy for the "default" stanza of /etc/security/user.
# Age-related attributes (minage, maxage, maxexpired, histexpire) are in weeks.
# NOTE(review): minlen=8 is lower than the minlen=11 shown in the current
# policy listing above — confirm the reduction is intended. mindigit=0 and
# minspecialchar=0 add no requirement on their own; minother=1 is what
# enforces at least one non-alphabetic character.
# NOTE(review): IBM's attribute description calls a maxrepeats of 0
# "meaningless" (8 means no limit) — verify 0 yields the limit you expect.
user_defaults=(
  mindiff=0
  minage=1
  maxage=13
  minlen=8
  minalpha=2
  minother=1
  maxrepeats=0
  histexpire=13
  minloweralpha=1
  minupperalpha=1
  mindigit=0
  minspecialchar=0
  histsize=8
  maxexpired=3
  loginretries=5
)
for attr in "${user_defaults[@]}"; do
  chsec -f /etc/security/user -s default -a "$attr"
done

# Lockout policy for the "default" stanza of /etc/security/login.cfg:
# logindisable failed attempts within logininterval seconds disable the port
# for loginreenable minutes; logindelay is the delay in seconds between
# login prompts.
login_defaults=(
  logininterval=300
  logindisable=10
  loginreenable=360
  logindelay=10
)
for attr in "${login_defaults[@]}"; do
  chsec -f /etc/security/login.cfg -s default -a "$attr"
done

# "usw" stanza: login prompt timeout (seconds) and the hash algorithm used
# for newly set passwords. pwd_algorithm takes effect only when a password is
# next changed; existing hashes are not rewritten until each user does so.
chsec -f /etc/security/login.cfg -s usw -a logintimeout=30
chsec -f /etc/security/login.cfg -s usw -a pwd_algorithm=ssha512
To change settings for a particular user only, for example to prevent the root user's password from expiring:
# Per-user override in the "files" registry: maxage=0 disables password
# aging for root and maxexpired=-1 means an expired password never locks
# the account (both attributes are in weeks).
for attr in maxage=0 maxexpired=-1; do
  chuser -R files "$attr" root
done
Now you can list the changes for root:
[root@aix01] /root/scripts> lsuser -f root
root:
id=0
pgrp=system
groups=system,bin,sys,security,cron,audit,lp
home=/root
shell=/usr/bin/ksh93
auditclasses=general
login=true
su=true
rlogin=true
daemon=true
admin=true
sugroups=ALL
admgroups=apache,nagios
tpath=nosak
ttys=ALL
expires=0
auth1=SYSTEM
auth2=NONE
umask=22
registry=files
SYSTEM=compat
logintimes=
loginretries=0
pwdwarntime=0
account_locked=false
minage=0
maxage=0
maxexpired=-1
...
List the default values:
[root@nim01]/root# lssec -f /etc/security/login.cfg -s usw -a ALL
usw program= messages= retry= timeout= retry_delay= auth_type=STD_AUTH shells=/bin/sh,/bin/bsh,/bin/csh,/bin/ksh,/bin/tsh,/bin/ksh93,/usr/bin/sh,/usr/bin/bsh,/usr/bin/csh,/usr/bin/ksh,/usr/bin/tsh,/usr/bin/ksh93,/usr/bin/rksh,/usr/bin/rksh93,/usr/sbin/uucp/uucico,/usr/sbin/sliplogin,/usr/sbin/snappd maxlogins=32767 logintimeout=60 options= dist_uniqid= searchorderflag= maxroles=8 pwd_algorithm=ssha512 sec_trace_level= sec_trace_area= mkhomeatlogin= authcontroldomain= unix_passwd_compat= sulogfulldate= efssharedkeys= rotate_failedlogin=
[root@nim01]/root# lssec -f /etc/security/user -s default -a ALL
default login=true su=true rlogin=true daemon=true admin=false sugroups=ALL admgroups= tpath=nosak ttys=ALL expires=0 auth1=SYSTEM auth2=NONE umask=22 logintimes= loginretries=0 pwdwarntime=0 account_locked=false SYSTEM="compat" registry= minage=0 maxage=0 maxexpired=-1 minalpha=0 minloweralpha=0 minupperalpha=0 minother=0 mindigit=0 minspecialchar=0 mindiff=0 maxrepeats=8 minlen=0 histexpire=0 histsize=0 pwdchecks= dictionlist= dce_export= maxulogs= uactivity= utocount= capabilities= auth_name= auth_domain= hostsallowedlogin= hostsdeniedlogin= rcmds= core_compress=on core_path=on core_pathname=/var/core core_naming=on core_name= default_roles= domains=
To check password expiration, run:
[root@nim01]/root# logins -ao
root:0:system:0::-7:0
daemon:1:staff:1::-7:10170
bin:2:bin:2::-7:10170
sys:3:sys:3::-7:10170