AIX Version 4.3 System Management Guide: Operating System and Devices

Passwords for BSD 4.3 System Managers

The following information details the differences between managing passwords in AIX systems and 4.3 BSD systems.

Setting a User Password

When you use the AIX /bin/passwd command as the root user, you are prompted for the current root user password. An example of using the AIX /bin/passwd command follows:

# passwd cslater 
Changing password for "cslater" 
Enter root's Password or 
cslater's Old password: 
cslater's New password: 
Re-enter cslater's 
new password: 
#

The 4.3 BSD version does not prompt for the current root user password. An example of the 4.3 BSD version follows:

# passwd cslater 
New password: 
Retype new password: 
#

Importing a 4.3 BSD Password File

You can import a 4.3 BSD password file by first copying it to the /etc/passwd file and entering:

pwdck -y ALL 

Then the /etc/security/limits file must be updated with a null stanza for any new users. The usrck command does this, but using the usrck command can cause problems unless the /etc/group file is imported with the /etc/passwd file.

Note: If the /etc/security/limits file is modified, the stack must not exceed 65,536 bytes. If it does, running the usrck command may cause problems. Change the stack size to 65,536 and run the usrck command again.

You should also run the grpck and usrck commands to verify group and user attributes.
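The following shell script is an added example and is not part of the AIX guide. It models the split that the import described above leaves behind, with the layout the guide gives elsewhere (the hash in a /etc/security/passwd stanza, the remaining fields in /etc/passwd), and then audits the result for hashes still sitting in the world-readable file. What pwdck -y ALL itself does to the files is an assumption here, as is the availability of mktemp -d. All files are constructed under a temporary directory; /etc is never read or written.

```shell
#!/bin/sh
# Added example, not from the AIX guide: model the split an import leaves
# behind for a 4.3 BSD-style password file, then audit the result.
# The layout is the one the guide describes (hash in a /etc/security/passwd
# stanza, the rest of the entry in /etc/passwd); what pwdck -y ALL itself
# does with the files is an assumption. Nothing here touches /etc.
PATH=/bin:/usr/bin
umask 077                       # new files start out owner-only
WORK=$(mktemp -d)               # assumption: mktemp -d is available
trap 'rm -rf "$WORK"' 0

# Constructed BSD-style entries. The hashes are placeholders, not crypt(3)
# output; "*" marks a locked account, an empty field a passwordless one.
cat > "$WORK/bsd_passwd" <<'EOF'
root:RootHashPlaceholder:0:0:root:/:/bin/sh
cslater:CslaterHashPlaceholder:201:20:C. Slater:/u/cslater:/bin/csh
daemon:*:1:1::/etc:
guest::100:100:guest account:/u/guest:/bin/sh
EOF

# split_bsd_passwd BSDFILE PASSWD_OUT SECPASSWD_OUT
# Field 2 moves into a "user:" stanza; the passwd copy keeps "!" in its place.
split_bsd_passwd() {
    awk -F: -v pw="$2" -v sec="$3" '
        { printf "%s:!:%s:%s:%s:%s:%s\n", $1, $3, $4, $5, $6, $7 > pw
          printf "%s:\n\tpassword = %s\n\n", $1, $2 > sec }' "$1"
}

# hashes_left_in_passwd PASSWDFILE
# Names whose password field is neither "!" nor "*" nor empty: each one is a
# hash still exposed in the world-readable file, i.e. an unfinished import.
hashes_left_in_passwd() {
    awk -F: '$2 != "!" && $2 != "*" && $2 != "" { print $1 }' "$1"
}

# stanza_count SECPASSWDFILE: number of stanzas written (paragraph mode,
# one blank-line-separated record per user).
stanza_count() {
    awk 'BEGIN { RS = "" } NF >= 1 { n++ } END { print n + 0 }' "$1"
}

# Before the split every real hash is exposed in the BSD-format file
echo "hashes exposed before import: $(hashes_left_in_passwd "$WORK/bsd_passwd" | tr '\n' ' ')"
split_bsd_passwd "$WORK/bsd_passwd" "$WORK/passwd" "$WORK/security_passwd"
echo "stanzas written: $(stanza_count "$WORK/security_passwd")"
echo "hashes left in passwd after import: $(hashes_left_in_passwd "$WORK/passwd" | awk 'END { print NR }')"
```

The audit function is the useful part on a real system: run it against /etc/passwd after an import, and any name it prints means a hash is readable by every user until pwdck -y ALL has been rerun.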

Editing the Password File

In AIX, the lsuser, mkuser, chuser, and rmuser commands are provided for managing passwords. All of these commands can be used by running Web-based System Manager or SMIT. However, all of these commands deal with only one user at a time.

Note: Using an editor to change several user name entries at one time requires editing several files at once, because passwords are stored in the /etc/security/passwd file, authorization information is stored in the /etc/security/user file, and the remaining user data is stored in the /etc/passwd file.

AIX does not support the vipw command but does support the mkpasswd command. However, you can still administer passwords on an AIX system in a 4.3 BSD manner. Use the following procedure:

  1. Put a 4.3 BSD password file in the /etc/shadow file.
  2. Change the permissions of the file by entering:
    chmod 000 /etc/shadow
  3. Place the following vipw shell script in the /etc directory:
    -----------------------------------------------------
    #!/bin/bsh
    #
    # vipw for AIX V3. Uses pwdck for now. May use usrck someday.
    #
    PATH=/bin:/usr/bin:/etc:/usr/ucb # Add to this if your editor is
                                     # some place else
    if [ -f /etc/ptmp ] ; then
            echo "/etc/ptmp exists. Is someone else using vipw?"
            exit 1
    fi
    # Fall back to vi unless $EDITOR resolves to an existing file
    if [ ! -f /`which "$EDITOR" | awk '{ print $1 }'` ] ; then
            EDITOR=vi
    fi
    cp /etc/shadow /etc/ptmp
    if (cmp /etc/shadow /etc/ptmp) ; then
            $EDITOR /etc/ptmp
    else
            echo cannot copy shadow to ptmp
            exit 1
    fi
    if (egrep "^root:" /etc/ptmp >/dev/null) ; then
            cp /etc/ptmp /etc/shadow ; cp /etc/ptmp /etc/passwd
            chmod 000 /etc/passwd /etc/shadow
            # Discard both output streams; only the return code is used
            pwdck -y ALL >/dev/null 2>&1 # return code 114 may change
            rc=$?
            if [ $rc -eq 114 ]; then
                    chmod 644 /etc/passwd
                    rm -f /etc/passwd.dir /etc/passwd.pag
                    mkpasswd /etc/passwd
                    # update /etc/security/limits, or ftp
                    # will fail
            else
                    pwdck -y ALL
            fi
    else
            echo bad entry for root in ptmp
    fi
    rm /etc/ptmp
    -----------------------------------------------------
  4. If you use the vipw shell script or the mkpasswd command, be aware that Web-based System Manager, SMIT, and the mkuser, chuser, and rmuser commands do not use the mkpasswd command. You must run:
    mkpasswd /etc/passwd
    to update the /etc/passwd.dir and /etc/passwd.pag files.

    Attention: Initialization of the IFS variable and the trap statements guard against some of the common methods used to exploit security holes inherent in the setuid feature. However, the vipw and passwd shell scripts are intended for relatively open environments where compatibility is an important consideration. If you want a more secure environment, use only the standard AIX commands.

  5. Put the following passwd shell script in the /usr/ucb directory:
    -----------------------------------------------------
    #!/bin/ksh
    #
    # matches changes to /etc/security/passwd file with changes to
    # /etc/shadow
    #
    IFS=" "
    PATH=/bin
    trap "exit 2" 1 2 3 4 5 6 7 8 10 12 13 14 15 16 17 18 21 22 \
            23 24 25 27 28 29 30 31 32 33 34 35 36 60 61 62
    if [ -n "$1" ]; then
            USERNAME=$1
    else
            USERNAME=$LOGNAME
    fi
    if [ -f /etc/ptmp ]; then
            echo password file busy
            exit 1
    fi
    # From here on a signal must also remove the lock file
    trap "rm /etc/ptmp; exit 3" 1 2 3 4 5 6 7 8 10 12 13 \
            14 15 16 17 18 21 22 23 24 25 27 28 29 30 31 \
            32 33 34 35 36 60 61 62
    if (cp /etc/security/passwd /etc/ptmp) ; then
            chmod 000 /etc/ptmp
    else
            rm -f /etc/ptmp
            exit 1
    fi
    if ( /bin/passwd $USERNAME ) ; then
            # Read the stanza file in paragraph mode: "user:" is $1 and
            # the value after "password =" is $4
            PW=` awk ' BEGIN { RS = "" }
                    $1 == user { print $4 } ' user="$USERNAME:" \
                    /etc/security/passwd `
    else
            rm -f /etc/ptmp
            exit 1
    fi
    rm -f /etc/ptmp
    # Rewrite only this user's /etc/shadow entry with the new hash
    awk -F: '$1 == user { print $1":"pw":"$3 ":"$4":"$5":"$6":"$7 }
            $1 != user { print $0 }' user="$USERNAME" pw="$PW" \
                    /etc/shadow > /etc/ptmp
    chmod 000 /etc/ptmp
    mv -f /etc/ptmp /etc/shadow
    -----------------------------------------------------
  6. Change the permissions of the passwd script by entering:
    chmod 4711 /usr/ucb/passwd
  7. Ensure that each user's PATH environment variable specifies that the /usr/ucb directory be searched prior to the /bin directory.
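The following shell script is an added example and is not part of the AIX guide. It checks the invariant that the /usr/ucb/passwd wrapper above maintains: the hash in a BSD-format /etc/shadow entry matches the password attribute of the same user's /etc/security/passwd stanza. The two drift whenever a password is changed through /bin/passwd directly (for instance when /usr/ucb is not first in a user's PATH, the reason for step 7), and the wrapper never sees the new hash. The stanza lookup is the guide's own awk idiom; the file names, the repair function and the use of mktemp -d are assumptions. Everything runs on constructed copies under a temporary directory, so /etc is never read or written.

```shell
#!/bin/sh
# Added example, not from the AIX guide: detect and repair drift between a
# BSD-format /etc/shadow and the AIX /etc/security/passwd stanzas. The
# IFS/PATH/trap prelude mirrors the guide's wrapper; umask 077 keeps the
# files owner-only so the demo runs unprivileged (the guide uses chmod 000,
# which only root can read through). Constructed data only; /etc untouched.
IFS=" "
PATH=/bin:/usr/bin
umask 077
trap "exit 2" 1 2 3 15
WORK=$(mktemp -d)                    # assumption: mktemp -d is available
trap 'rm -rf "$WORK"; exit 3' 1 2 3 15
trap 'rm -rf "$WORK"' 0

# Constructed data: cslater's password was changed outside the wrapper, so
# the stanza holds a newer hash; tmpuser exists only in the shadow file.
# Hashes are placeholders, not crypt(3) output.
cat > "$WORK/shadow" <<'EOF'
root:RootHashPlaceholder:0:0:root:/:/bin/sh
cslater:CslaterOldHash:201:20:C. Slater:/u/cslater:/bin/csh
tmpuser:TmpHashPlaceholder:300:20:temporary:/u/tmpuser:/bin/sh
EOF
cat > "$WORK/security_passwd" <<'EOF'
root:
        password = RootHashPlaceholder
        lastupdate = 700000000
        flags =

cslater:
        password = CslaterNewHash
        lastupdate = 700000100
        flags = ADMCHG

EOF

# stanza_hash SECFILE USER: the guide's awk idiom; in paragraph mode the
# whole stanza is one record, "user:" is $1 and the password value is $4.
stanza_hash() {
    awk 'BEGIN { RS = "" } $1 == user { print $4 }' user="$2:" "$1"
}

# shadow_hash SHADOWFILE USER: field 2 of the BSD-format entry.
shadow_hash() {
    awk -F: '$1 == user { print $2 }' user="$2" "$1"
}

# report_drift SHADOWFILE SECFILE: one line per user whose hashes differ or
# who has no stanza at all; prints nothing when the files agree.
report_drift() {
    awk -F: '{ print $1 }' "$1" | while read -r u; do
        s=$(shadow_hash "$1" "$u")
        p=$(stanza_hash "$2" "$u")
        if [ -z "$p" ]; then
            echo "$u: no stanza in $2"
        elif [ "$s" != "$p" ]; then
            echo "$u: hash differs"
        fi
    done
}

# resync_user SHADOWFILE SECFILE USER: repair in the guide's direction (the
# stanza is authoritative), writing through a temp file and renaming, as the
# wrapper does with /etc/ptmp. Fails if the user has no stanza.
resync_user() {
    pw=$(stanza_hash "$2" "$3")
    [ -n "$pw" ] || { echo "$3: no stanza, nothing to copy" >&2; return 1; }
    awk -F: 'BEGIN { OFS = ":" } $1 == user { $2 = pw } { print }' \
        user="$3" pw="$pw" "$1" > "$1.ptmp"
    mv -f "$1.ptmp" "$1"
}

echo "drift before repair:"
report_drift "$WORK/shadow" "$WORK/security_passwd"
cp "$WORK/shadow" "$WORK/shadow.fixed"      # repair a copy, keep the original
resync_user "$WORK/shadow.fixed" "$WORK/security_passwd" cslater
echo "drift after repairing cslater:"
report_drift "$WORK/shadow.fixed" "$WORK/security_passwd"
```

Run as written it reports two problems (cslater differs, tmpuser has no stanza), repairs cslater, and reports only tmpuser afterwards. On a real system a periodic report_drift over /etc/shadow and /etc/security/passwd is the check that tells you a user bypassed the wrapper.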
