The following information details the differences between managing passwords in AIX systems and 4.3 BSD systems.
When you use the AIX /bin/passwd command as the root user, you are prompted for the current root user password. An example of using the AIX /bin/passwd command follows:
# passwd cslater
Changing password for "cslater"
Enter root's Password or cslater's Old password:
cslater's New password:
Re-enter cslater's new password:
#
The 4.3 BSD version does not prompt for the current root user password. An example of the 4.3 BSD version follows:
# passwd cslater
New password:
Retype new password:
#
You can import a 4.3 BSD password file by first copying it to the /etc/passwd file and entering:
pwdck -y ALL
Then the /etc/security/limits file must be updated with a null stanza for any new users. The usrck command does this, but using the usrck command can cause problems unless the /etc/group file is imported with the /etc/passwd file.
Note: If the /etc/security/limits file is modified, the stack must not exceed 65,536 bytes. If it does, running the usrck command may cause problems. Change the stack size to 65,536 and run usrck command again.
You should also run the grpck and usrck command to verify group and user attributes.
In AIX, the lsuser, mkuser, chuser, and rmuser commands are provided for managing users and their passwords. All of these commands can also be run through Web-based System Manager or SMIT. However, each of these commands deals with only one user at a time.
Note: Using an editor to change several user name entries at one time requires editing of several files at once, because passwords are stored in /etc/security/passwd file, authorization information is stored in the /etc/security/user file, and the remaining user data is stored in the /etc/passwd file.
AIX does not support the vipw command but does support the mkpasswd command. However, you can still administer passwords on an AIX system in a 4.3 BSD manner. Use the following procedure:
chmod 000 /etc/shadow
-----------------------------------------------------------
#!/bin/bsh
#
# vipw for AIX V3. Uses pwdck for now. May use usrck someday
#
PATH=/bin:/usr/bin:/etc:/usr/ucb     # Add to this if your editor is
                                     # some place else

# /etc/ptmp is the lock file: refuse to run if another vipw holds it
if [ -f /etc/ptmp ] ; then
    echo "/etc/ptmp exists. Is someone else using vipw?"
    exit 1
fi

# Fall back to vi if $EDITOR is unset or cannot be found on the PATH
if [ ! -f /`which "$EDITOR" | awk '{ print $1 }'` ] ; then
    EDITOR=vi
fi

# Edit a copy, never the live file
cp /etc/shadow /etc/ptmp
if (cmp /etc/shadow /etc/ptmp) ; then
    $EDITOR /etc/ptmp
else
    echo cannot copy shadow to ptmp
    exit 1
fi

# Only install the edited copy if it still contains a root entry
if (egrep "^root:" /etc/ptmp >/dev/null) ; then
    cp /etc/ptmp /etc/shadow ; cp /etc/ptmp /etc/passwd
    chmod 000 /etc/passwd /etc/shadow
    pwdck -y ALL >/dev/null 2>&1     # return code 114 may change
    rc=$?
    if [ $rc -eq 114 ]; then
        chmod 644 /etc/passwd
        rm -f /etc/passwd.dir /etc/passwd.pag
        mkpasswd /etc/passwd
        # update /etc/security/limits, or ftp
        # will fail
    else
        pwdck -y ALL
    fi
else
    echo bad entry for root in ptmp
fi
rm /etc/ptmp
-----------------------------------------------------------
mkpasswd /etc/passwd

This updates the /etc/passwd.dir and /etc/passwd.pag files.
Attention: Initialization of the IFS variable and the trap statements guard against some of the common methods used to exploit security holes inherent in the setuid feature. However, the vipw and passwd shell scripts are intended for relatively open environments where compatibility is an important consideration. If you want a more secure environment, use only the standard AIX commands.
-----------------------------------------------------------
#!/bin/ksh
#
# matches changes to /etc/security/passwd file with changes to
# /etc/shadow
#
# Fixed IFS and PATH and the signal traps limit what a caller of this
# setuid script can influence (see the Attention note above)
IFS=" "
PATH=/bin
trap "exit 2" 1 2 3 4 5 6 7 8 10 12 13 14 15 16 17 18 21 22 \
    23 24 25 27 28 29 30 31 32 33 34 35 36 60 61 62

if [ -n "$1" ]; then
    USERNAME=$1
else
    USERNAME=$LOGNAME
fi

# /etc/ptmp is the lock file shared with the vipw script
if [ -f /etc/ptmp ]; then
    echo password file busy
    exit 1
fi

# From here on, an interrupt must also release the lock
trap "rm /etc/ptmp; exit 3" 1 2 3 4 5 6 7 8 10 12 13 \
    14 15 16 17 18 21 22 23 24 25 27 28 29 30 31 \
    32 33 34 35 36 60 61 62

if (cp /etc/security/passwd /etc/ptmp) ; then
    chmod 000 /etc/ptmp
else
    rm -f /etc/ptmp
    exit 1
fi

# Let the real AIX passwd command change the password, then read the
# new hash back out of the user's stanza in /etc/security/passwd
# (RS = "" makes awk treat each stanza as one record; $4 is the value
# of its "password = ..." line)
if ( /bin/passwd $USERNAME ) ; then
    PW=` awk ' BEGIN { RS = "" }
        $1 == user { print $4 } ' user="$USERNAME:" \
        /etc/security/passwd `
else
    rm -f /etc/ptmp
    exit 1
fi

# Rewrite the user's line in the 7-field BSD-style /etc/shadow with the
# new hash and replace the file atomically
rm -f /etc/ptmp
awk -F: '$1 == user { print $1":"pw":"$3 ":"$4":"$5":"$6":"$7 }
         $1 != user { print $0 }' user="$USERNAME" pw="$PW" \
    /etc/shadow > /etc/ptmp
chmod 000 /etc/ptmp
mv -f /etc/ptmp /etc/shadow
-----------------------------------------------------------
chmod 4711 /usr/ucb/passwd
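The hash-sync step that the passwd script above performs, as an added example that is not part of the AIX documentation: it reads a user's hash out of a constructed stanza-format copy of /etc/security/passwd and merges it into a constructed 7-field shadow file, and, unlike the script above, refuses to write when no hash is found, since that case would otherwise produce a line with an empty password field. File paths and the sample entries are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the AIX documentation. Paths are parameters so
# the functions run against constructed copies rather than /etc files.

# Print the hash recorded for user $1 in stanza file $2 (empty if none).
# RS="" makes awk treat each blank-line-separated stanza as one record:
# $1 is "user:", $2 "password", $3 "=", $4 the hash.
stanza_hash() {
    awk 'BEGIN { RS = "" }
         $1 == user { print $4 }' user="$1:" "$2"
}

# Replace the hash field of user $1 in shadow file $3 with hash $2.
# Returns 2 without touching the file when the hash is empty; the page's
# script would write "user::..." here, i.e. an account with no password.
sync_shadow() {
    [ -n "$2" ] || return 2
    awk -F: -v user="$1" -v pw="$2" '
        $1 == user { print $1 ":" pw ":" $3 ":" $4 ":" $5 ":" $6 ":" $7; next }
        { print }' "$3" > "$3.tmp" && mv -f "$3.tmp" "$3"
}

# Constructed sample data (hashes are placeholders, not real crypt output).
make_samples() {
    dir=$(mktemp -d)
    printf 'root:\n\tpassword = AAbbCC11\n\n' > "$dir/secpasswd"
    printf 'cslater:\n\tpassword = NEWhash99\n\tlastupdate = 1\n\n' >> "$dir/secpasswd"
    printf 'root:AAbbCC11:0:0:root:/:/bin/sh\n' > "$dir/shadow"
    printf 'cslater:OLDhash00:200:1:C Slater:/home/cslater:/bin/sh\n' >> "$dir/shadow"
    echo "$dir"
}

# Stand-alone run: sync cslater and show the resulting shadow line.
demo() {
    d=$(make_samples)
    h=$(stanza_hash cslater "$d/secpasswd")
    sync_shadow cslater "$h" "$d/shadow"
    grep '^cslater:' "$d/shadow"
    rm -rf "$d"
}

demo
```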