Passwords for BSD 4.3 System Managers

The following information details the differences between managing passwords in AIX systems and 4.3 BSD systems.

Setting a User Password

When you use the AIX /bin/passwd command as the root user, you are prompted for the current root user password. An example of using the AIX /bin/passwd command follows:

# passwd cslater 
Changing password for "cslater" 
Enter root's Password or 
cslater's Old password: 
cslater's New password: 
Re-enter cslater's 
new password: 
#

The 4.3 BSD version does not prompt for the current root user password. An example of the 4.3 BSD version follows:

# passwd cslater 
New password: 
Retype new password: 
#

Importing a 4.3 BSD Password File

You can import a 4.3 BSD password file by first copying it to the /etc/passwd file and entering:

pwdck -y ALL 

Then the /etc/security/limits file must be updated with a null stanza for any new users. The usrck command does this, but using the usrck command can cause problems unless the /etc/group file is imported with the /etc/passwd file.

Note: If the /etc/security/limits file is modified, the stack must not exceed 65,536 bytes. If it does, running the usrck command may cause problems. Change the stack size to 65,536 and run usrck command again.

You should also run the grpck and usrck command to verify group and user attributes.

Editing the Password File

In AIX, the lsuser, mkuser, chuser, and rmuser commands are provided for managing passwords. All of these commands can be used by running Web-based System Manager or SMIT. However, all of these commands deal with only one user at a time.

Note: Using an editor to change several user name entries at one time requires editing of several files at once, because passwords are stored in /etc/security/passwd file, authorization information is stored in the /etc/security/user file, and the remaining user data is stored in the /etc/passwd file.

AIX does not support the vipw command but does support the mkpasswd command. However, you can still administer passwords on an AIX system in a 4.3 BSD manner. Use the following procedure:

1. Put a 4.3 BSD password file in the /etc/shadow file.
2. Change the permissions to the file by entering:

   chmod 000 /etc/shadow

3. Place the following vipw shell script in the /etc directory:

   -----------------------------------------------------
   ---- 
   #!/bin/bsh
   #
   # vipw for AIX V3. Uses pwdck for now. May use usrck someday
   #
   PATH=/bin:/usr/bin:/etc:/usr/ucb # Add to this if your editor is
                                    # some place else 
   if [ -f /etc/ptmp ] ; then
                    echo "/etc/ptmp exists. Is someone else using vipw?"
           exit 1
   fi 
   if [ ! -f /`which "$EDITOR" | awk '{ print $1 }'` ] ; then
           EDITOR=vi
   fi
   cp /etc/shadow /etc/ptmp
   if (cmp /etc/shadow /etc/ptmp) ; then
           $EDITOR /etc/ptmp 
   else
           echo cannot copy shadow to ptmp 
           exit 1
   fi
   if (egrep "^root:" /etc/ptmp >/dev/null) ; then
           cp /etc/ptmp /etc/shadow ; cp /etc/ptmp /etc/passwd 
           chmod 000 /etc/passwd /etc/shadow 
           pwdck -y ALL 2>1 >/dev/null # return code 114 may change 
                   rc=$? 
           if [ $rc -eq 114 ]; then
                   chmod 644 /etc/passwd 
                           rm -f /etc/passwd.dir /etc/passwd.pag 
                   mkpasswd /etc/passwd 
                           # update /etc/security/limits, or ftp
                           # will fail
                   else
                            pwdck -y ALL
                   fi 
   else
           echo bad entry for root in ptmp
   fi
   rm /etc/ptmp
   -----------------------------------------------------------

4. If you use the vipw shell script or the mkpasswd command, be aware that Web-based System Manager, SMIT, and the mkuser, chuser, and rmuser commands, do not use the mkpasswd command. You must run:

   mkpasswd /etc/passwd

   to update the /etc/passwd.dir and /etc/passwd.pag files.

   Attention: Initialization of the IFS variable and the trap statements guard against some of the common methods used to exploit security holes inherent in the setuid feature. However, the vipw and passwd shell scripts are intended for relatively open environments where compatibility is an important consideration. If you want a more secure environment, use only the standard AIX commands.

5. Put the following passwd shell script in the /usr/ucb directory:

   ----------------------------------------------------- 
   #!/bin/ksh
   #
   # matches changes to /etc/security/passwd file with changes to
   #/etc/shadow
   #
   IFS=" "
   PATH=/bin
   trap "exit 2" 1 2 3 4 5 6 7 8 10 12 13 14 15 16 17 18 21 22 \
           23 24 25 27 28 29 30 31 32 33 34 35 36 60 61 62
   if [ -n "$1" ]; then
           USERNAME=$1
   else
           USERNAME=$LOGNAME
   fi
   if [ -f /etc/ptmp ]; then
           echo password file busy
           exit 1
   fi
           trap "rm /etc/ptmp; exit 3" 1 2 3 4 5 6 7 8 10 12 13 \
                   14 15 16 17 18 21 22 23 24 25 27 28 29 30 31 \
                   32 33 34 35 36 60 61 62
   if (cp /etc/security/passwd /etc/ptmp) ; then
           chmod 000 /etc/ptmp else
           rm -f /etc/ptmp exit 1
   fi
   if ( /bin/passwd $USERNAME ) ; then
           PW=` awk ' BEGIN { RS = "" }
                   $1 == user { print $4 } ' user="$USERNAME:" \
   /etc/security/passwd `
   else
           rm -f /etc/ptmp
           exit 1
   fi
   rm -f /etc/ptmp
   awk -F: '$1 == user { print $1":"pw":"$3 ":"$4":"$5":"$6":"$7 }
           $1 != user { print $0 }' user="$USERNAME" pw="$PW" \
                   /etc/shadow > /etc/ptmp 
   chmod 000 /etc/ptmp
   mv -f /etc/ptmp /etc/shadow
   ---------------------------------------------------------

6. Change the permissions to the passwd script by entering:

   chmod 4711 /usr/ucb/passwd

7. Ensure that each user's PATH environmental variable specifies that the /usr/ucb directory be searched prior to the /bin directory.