In AIX 6.1 and AIX Post Install we set up a standard password policy for users. However, in AIX LDAP authentication on eDirectory we set up user authentication through LDAP, which means accounts are managed in an LDAP-based directory (such as eDirectory or Active Directory). The local password policy therefore only applies to local user accounts (for example service accounts) and to root. The latter is especially important because root is only used in emergencies or when something does not work with sudo.
```
pwdwarntime = 7
histexpire = 26
histsize = 4
minage = 1
maxage = 13
maxexpired = -1
minalpha = 5
minother = 3
minlen = 8
mindiff = 1
maxrepeats = 2
dictionlist =
pwdchecks =
```
| Attribute | Description |
|---|---|
| pwdwarntime | Defines the number of days before the system issues a warning that a password change is required. The value is a decimal integer string. A zero or negative value indicates that no message is issued. The value must be less than the difference of the maxage and minage attributes. Values greater than this difference are ignored, and a message is issued when the minage value is reached. |
| histexpire | Designates the period of time (in weeks) that a user cannot reuse a password. The value is a decimal integer string. The default is 0, indicating that no time limit is set. |
| histsize | Designates the number of previous passwords a user cannot reuse. The value is a decimal integer string. The default is 0. |
| minage | Defines the minimum age (in weeks) a password must be before it can be changed. The value is a decimal integer string. The default is a value of 0, indicating no minimum age. |
| maxage | Defines the maximum age (in weeks) of a password. The password must be changed by this time. The value is a decimal integer string. The default is a value of 0, indicating no maximum age. |
| maxexpired | Defines the maximum time (in weeks) beyond the maxage value that a user can change an expired password. After this defined time, only an administrative user can change the password. The value is a decimal integer string. The default is -1, indicating no restriction is set. If the maxexpired attribute is 0, the password expires when the maxage value is met. If the maxage attribute is 0, the maxexpired attribute is ignored. |
| minalpha | Defines the minimum number of alphabetic characters that must be in a new password. The value is a decimal integer string. The default is a value of 0, indicating no minimum number. |
| minother | Defines the minimum number of non-alphabetic characters that must be in a new password. The value is a decimal integer string. The default is a value of 0, indicating no minimum number. |
| minlen | Defines the minimum length of a password. The value is a decimal integer string. The default is a value of 0, indicating no minimum length. The maximum value allowed is 8. This attribute is determined by the minalpha attribute value added to the minother attribute value. If the sum of these values is greater than the minlen attribute value, the minimum length is set to the result. |
| mindiff | Defines the minimum number of characters required in a new password that were not in the old password. The value is a decimal integer string. The default is a value of 0, indicating no minimum number. |
| maxrepeats | Defines the maximum number of times a character can be repeated in a new password. Since a value of 0 is meaningless, the default value of 8 indicates that there is no maximum number. The value is a decimal integer string. |
| dictionlist | Defines the password dictionaries used by the composition restrictions when checking new passwords. The password dictionaries are a list of comma-separated, absolute path names that are evaluated from left to right. All dictionary files and directories must be write-protected from all users except root. The dictionary files are formatted one word per line. The word begins in the first column and terminates with a new-line character. Only 7-bit ASCII words are supported for passwords. If text processing is installed on your system, the recommended dictionary file is the /usr/share/dict/words file. |
| pwdchecks | Defines the password restriction methods enforced on new passwords. The value is a list of comma-separated method names and is evaluated from left to right. A method name is either an absolute path name or a path name relative to /usr/lib of an executable load module. |
```
pwdwarntime = 7
histexpire = 26
histsize = 4
minage = 1
maxage = 52
maxexpired = -1
minalpha = 5
minother = 1
minlen = 8
mindiff = 1
maxrepeats = 2
dictionlist =
pwdchecks =
```
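A policy is only as good as the stanza that is actually on disk, and a per-user stanza can silently override the default one. The following POSIX shell script is an added example, not part of the original page: it parses a file in the `stanza:` / `attribute = value` layout used by `/etc/security/user`, resolves each attribute the way AIX does (the user's own stanza first, then `default`), checks the result against the numeric bounds from the policy above, and also reports the effective minimum length, which AIX raises to `minalpha + minother` when that sum exceeds `minlen`. The sample file, the `svcacct` stanza and the policy rule list are constructed for the example; on a live system you would point it at `/etc/security/user` (or compare with `lssec -f /etc/security/user -s default -a maxage` and friends).

```shell
#!/bin/sh
# Added example (not from the original page). Constructed sample in the
# /etc/security/user stanza layout; "svcacct" is a hypothetical local service
# account whose stanza overrides parts of the default policy.
SAMPLE_FILE="${TMPDIR:-/tmp}/user.sample.$$"
cat > "$SAMPLE_FILE" <<'EOF'
default:
    admin = false
    login = true
    pwdwarntime = 7
    histexpire = 26
    histsize = 4
    minage = 1
    maxage = 13
    maxexpired = -1
    minalpha = 5
    minother = 3
    minlen = 8
    mindiff = 1
    maxrepeats = 2
    dictionlist =
    pwdchecks =

svcacct:
    maxage = 0
    minlen = 6
    histsize = 0
EOF

# Policy rules as "attribute:test:bound" (constructed from the values above).
# maxage must be >= 1 (0 means passwords never expire) and <= 52 weeks.
POLICY="pwdwarntime:ge:7 histexpire:ge:26 histsize:ge:4 minage:ge:1
maxage:ge:1 maxage:le:52 minalpha:ge:5 minother:ge:1 minlen:ge:8
mindiff:ge:1 maxrepeats:le:2"

# get_attr FILE STANZA ATTR: print the effective value of ATTR for STANZA,
# falling back to the default stanza when the user stanza does not set it.
get_attr() {
    awk -v stz="$2" -v attr="$3" '
        /^[^ \t#].*:[ \t]*$/ { cur = $1; sub(/:$/, "", cur); next }
        {
            line = $0; sub(/^[ \t]+/, "", line)
            n = index(line, "="); if (n == 0) next
            k = substr(line, 1, n - 1); v = substr(line, n + 1)
            gsub(/[ \t]/, "", k); sub(/^[ \t]+/, "", v); sub(/[ \t]+$/, "", v)
            if (k != attr) next
            if (cur == stz) { found = v; seen = 1 }
            else if (cur == "default") dflt = v
        }
        END { if (seen) print found; else print dflt }
    ' "$1"
}

# effective_minlen FILE STANZA: AIX enforces max(minlen, minalpha + minother).
effective_minlen() {
    ml=$(get_attr "$1" "$2" minlen)
    ma=$(get_attr "$1" "$2" minalpha)
    mo=$(get_attr "$1" "$2" minother)
    sum=$(( ${ma:-0} + ${mo:-0} ))
    if [ "$sum" -gt "${ml:-0}" ]; then echo "$sum"; else echo "${ml:-0}"; fi
}

# check_stanza FILE STANZA: print one line per violated rule; the exit status
# is the number of violations (0 = compliant).
check_stanza() {
    file=$1; stz=$2; bad=0
    for rule in $POLICY; do
        attr=${rule%%:*}; rest=${rule#*:}; op=${rest%%:*}; want=${rest#*:}
        have=$(get_attr "$file" "$stz" "$attr")
        case $have in
            ''|*[!0-9-]*)
                echo "$stz: $attr is unset or non-numeric ('$have')"
                bad=$((bad + 1)); continue ;;
        esac
        if ! [ "$have" -"$op" "$want" ]; then
            echo "$stz: $attr = $have (policy: $op $want)"
            bad=$((bad + 1))
        fi
    done
    return $bad
}

echo "== default =="
check_stanza "$SAMPLE_FILE" default && echo "compliant"
echo "== svcacct =="
check_stanza "$SAMPLE_FILE" svcacct || echo "violations: $?"
echo "effective minlen for svcacct: $(effective_minlen "$SAMPLE_FILE" svcacct)"
```

Running it reports the `default` stanza as compliant and three violations for `svcacct` (`maxage = 0`, `minlen = 6`, `histsize = 0`). Note that the effective minimum length for `svcacct` is still 8, because it inherits `minalpha = 5` and `minother = 3` from `default`; the `minlen = 6` override is flagged anyway, since a later change to `minother` would expose it.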