[ Bottom of Page | Previous Page | Next Page | Contents | Index | Library Home | Legal | Search ]

Security Guide


Guessing passwords is one of the most common attack methods that a system experiences. Therefore, controlling and monitoring your password-restriction policy is essential. AIX provides mechanisms to help you enforce a stronger password policy, such as establishing values for the following:

This section discusses how AIX stores and handles passwords, and how you can establish a strong password policy. Topics in this section include:

What is a Good Password?

Good passwords are effective first lines of defense against unauthorized entry into a system if they are the following:

In addition to these mechanisms, you can further enforce stricter rules by restricting passwords so that they cannot include standard UNIX words, which can be guessed. This feature uses the dictionlist, which requires that you first have the bos.data and bos.txt file sets installed.

To implement the previously defined dictionlist, edit the following line in the /etc/security/users file:

dictionlist = /usr/share/dict/words

The /usr/share/dict/words file uses the dictionlist to prevent standard UNIX words from being used as passwords.

The /etc/passwd File

Traditionally, the /etc/passwd file is used to keep track of every registered user that has access to a system. The /etc/passwd file is a colon-separated file that contains the following information:

Here is an example of a /etc/passwd file:

nuucp:*:6:5:uucp login user:/var/spool/uucppublic:/usr/sbin/uucp/uucico
jdoe:*:202:1:John Doe:/home/jdoe:/usr/bin/ksh 

AIX does not store encrypted passwords in the /etc/password file the way UNIX systems do, but in the /etc/security/password file by default, which is only readable by the superuser. The password filed in /etc/passwd is used by AIX to signify if there is a password or whether the account is blocked.

The /etc/passwd file is owned by the root user and must be readable by all the users, but only the root user has writable permissions, which is shown as -rw-r--r--. If a userid has a password, then the password field will have an ! (exclamation point). If the userid does not have a password, then the password field will have an * (asterisk). The encrypted passwords are stored in the /etc/security/passwd file. The example below contains the last four entries in the /etc/security/passwd file based on the entries from the /etc/passwd file shown above.

        password = *
        password = * 
        password = * 

        password = eacVScDKri4s6 
        lastupdate = 1026394230 
        flags = ADMCHG                   

Notice that the userid jdoe does not have an entry in the /etc/security/passwd file because it does not have a password set in the /etc/passwd file.

The consistency of the /etc/passwd file can be checked using the pwdck command. The pwdck command verifies the correctness of the password information in the user database files by checking the definitions for all of the users or for specified users.

The /etc/passwd File and Network Environments

Traditionally, in a networked environment a user must have had an account on each system to gain access to that system. That typically meant that the user would have an entry in each of the /etc/passwd files on each system. However, in a distributed environment there is no easy way to ensure that every system had the same /etc/passwd file. To solve this problem, several methods have been developed to make the information in the /etc/passwd file available over the network, including the following:

Both of these topics are discussed in the NIS chapter.

Hiding User Names and Passwords

To achieve a higher level of security, ensure that user IDs and passwords are not visible within the system. The .netrc files contain user IDs and passwords. This file is not protected by encryption or encoding, thus its contents are clearly shown as plain text. To find these files, run the following command:

# find `awk -F: '{print $6}' /etc/passwd` -name .netrc -ls

After you locate these files, delete them. A more effective way to save passwords is by setting up Kerberos.

Setting Recommended Password Options

Proper password management can only be accomplished through user education. But to provide some additional security, the operating system provides configurable password restrictions. These allow the administrator to constrain the passwords chosen by users and to force passwords to be changed regularly. Password options and extended user attributes are located in the /etc/security/user file. This is an ASCII file that contains attribute stanzas for users. These restrictions are enforced whenever a new password is defined for a user. All password restrictions are defined per user. By keeping restrictions in the default stanza of the /etc/security/user file, the same restrictions are enforced on all users. To maintain password security, all passwords must be similarly protected.

The operating system also provides a method for administrators to extend the password restrictions. Using the pwdchecks attribute of the /etc/security/user file, an administrator can add new subroutines (known as methods) to the password restrictions code. Thus, local site policies can be added to and enforced by the operating system. See Extending Password Restrictions for more information.

Apply password restrictions sensibly. Attempts to be too restrictive, such as limiting the password space, which makes guessing the password easier, or forcing the user to select passwords that are difficult to remember, which might then be written down, can jeopardize password security. Ultimately, password security rests with the user. Simple password restrictions, coupled with sensible guidelines and an occasional audit to see if current passwords are unique, are the best policy.

The following table lists recommended values for some security attributes related to user passwords in the /etc/security/user file.

Table 8. Recommended security attribute values for user passwords.
Attribute Description Recommended Value Default Value Maximum Value
dictionlist Verifies passwords do not include standard UNIX words. /usr/share/dict/words NANote 1 NA
histexpire Number of weeks before password can be reused. 26 0 260Note 2
histsize Number of password iterations allowed. 20 0 50
maxage Maximum number of weeks before password must be changed. 8 0 52
maxexpired Maximum number of weeks beyond maxage that an expired password can be changed by the user. (Root is exempt.) 2 -1 52
maxrepeats Maximum number of characters that can be repeated in passwords. 2 8 8
minage Minimum number of weeks before a password can be changed. This should not be set to a non zero value unless administrators are always easy to reach to reset an accidentally compromised password that was recently changed. 0 0 52
minalpha Minimum number of alphabetic characters required on passwords. 2 0 8
mindiff Minimum number of unique characters that passwords must contain. 4 0 8
minlen Minimum length of password. 6 (8 for root user) 0 8
minother Minimum number of non-alphabetic characters required on passwords. 2 0 8
pwdwarntime Number of days before the system issues a warning that a password change is required. 5 NA NA
pwdchecks This entry can be used to augment the passwd command with a custom code that checks the password quality. For more information. see Extending Password Restrictions . NA NA
  1. NA means Not Applicable.
  2. A maximum of 50 passwords are retained.

For a Controlled Access Protection Profile and Evaluation Assurance Level 4+ (CAPP/EAL4+) system, use the values recommended in User and Port Configuration.

If text processing is installed on the system, the administrator can use the /usr/share/dict/words file as a dictionlist dictionary file. In such a case, the administrator can set the minother attribute to 0. Because most words in the dictionary file do not contain characters that fall into the minother attribute category, setting the minother attribute to 1 or more eliminates the need for the vast majority of words in this dictionary file.

The minimum length of a password on the system is set by the value of the minlen attribute or the value of the minalpha attribute plus the value of the minother attribute, whichever is greater. The maximum length of a password is eight characters. The value of the minalpha attribute plus the value of the minother attribute must never be greater than eight. If the value of the minalpha plus the value of the minother attribute is greater than eight, then the value of the minother attribute is reduced to eight minus the value of the minalpha attribute.

If the values of both the histexpire attribute and the histsize attribute are set, the system retains the number of passwords required to satisfy both conditions up to the system limit of 50 passwords per user. Null passwords are not retained.

You can edit the /etc/security/user file to include any defaults you want to use to administer user passwords. Alternatively, you can change attribute values using the chuser command.

Other commands that can be used with this file are the mkuser, lsuser, and rmuser. The mkuser command creates an entry for each new user in the /etc/security/user file and initializes its attributes with the attributes defined in the /usr/lib/security/mkuser.default file. To display the attributes and their values, use the lsuser command. To remove a user, use the rmuser command.

Extending Password Restrictions

The rules used by the password program to accept or reject passwords (the password composition restrictions) can be extended by system administrators to provide site-specific restrictions. Restrictions are extended by adding subroutines, known as methods, which are called during a password change. The pwdchecks attribute in the /etc/security/user file specifies the methods called.

The AIX 5L Version 5.2 Technical Reference contains a description of the pwdrestrict_method, the subroutine interface to which specified password restriction methods must conform. To correctly extend the password composition restrictions, the system administrator must program this interface when writing a password restriction method. Use caution in extending the password composition restrictions. These extensions directly affect the login command, the passwd command, the su command, and other programs. The security of the system could easily be subverted by malicious or defective code. Only use code that you trust.

[ Top of Page | Previous Page | Next Page | Contents | Index | Library Home | Legal | Search ]