Guessing passwords is one of the most common attack methods that a system experiences. Therefore, controlling and monitoring your password-restriction policy is essential. AIX provides mechanisms to help you enforce a stronger password policy, such as establishing values for the following:
This section discusses how AIX stores and handles passwords, and how you can establish a strong password policy. Topics in this section include:
Good passwords are effective first lines of defense against unauthorized entry into a system if they are the following:
In addition to these mechanisms, you can enforce stricter rules by restricting passwords so that they cannot include standard UNIX words, which are easily guessed. This feature uses the dictionlist attribute, which requires that the bos.data and bos.txt filesets are installed first.
To implement the dictionlist, edit the following line in the /etc/security/user file:
dictionlist = /usr/share/dict/words
The dictionlist attribute then uses the /usr/share/dict/words file to prevent standard UNIX words from being used as passwords.
Traditionally, the /etc/passwd file is used to keep track of every registered user that has access to a system. The /etc/passwd file is a colon-separated file that contains the following information:
Here is an example of a /etc/passwd file:
root:!:0:0::/:/usr/bin/ksh
daemon:!:1:1::/etc:
bin:!:2:2::/bin:
sys:!:3:3::/usr/sys:
adm:!:4:4::/var/adm:
uucp:!:5:5::/usr/lib/uucp:
guest:!:100:100::/home/guest:
nobody:!:4294967294:4294967294::/:
lpd:!:9:4294967294::/:
lp:*:11:11::/var/spool/lp:/bin/false
invscout:*:200:1::/var/adm/invscout:/usr/bin/ksh
nuucp:*:6:5:uucp login user:/var/spool/uucppublic:/usr/sbin/uucp/uucico
imnadm:*:188:188::/home/imnadm:/usr/bin/ksh
paul:!:201:1::/home/paul:/usr/bin/ksh
jdoe:*:202:1:John Doe:/home/jdoe:/usr/bin/ksh
AIX does not store encrypted passwords in the /etc/passwd file the way traditional UNIX systems do. By default they are kept in the /etc/security/passwd file, which is readable only by the superuser. The password field in /etc/passwd is used by AIX only to signify whether a password is set or whether the account is blocked.
The /etc/passwd file is owned by the root user and must be readable by all users, but only the root user has write permission, which is shown as -rw-r--r--. If a userid has a password, the password field contains an ! (exclamation point). If the userid does not have a password, the password field contains an * (asterisk). The encrypted passwords are stored in the /etc/security/passwd file. The example below contains the last four entries in the /etc/security/passwd file that correspond to the entries in the /etc/passwd file shown above.
guest:
        password = *

nobody:
        password = *

lpd:
        password = *

paul:
        password = eacVScDKri4s6
        lastupdate = 1026394230
        flags = ADMCHG
Notice that the userid jdoe does not have an entry in the /etc/security/passwd file because it does not have a password set in the /etc/passwd file.
The consistency of the /etc/passwd file can be checked using the pwdck command. The pwdck command verifies the correctness of the password information in the user database files by checking the definitions for all of the users or for specified users.
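The cross-check that pwdck performs between the two files can be illustrated with a small program. The following is an added example and not AIX code or the pwdck implementation: it parses constructed copies of /etc/passwd and /etc/security/passwd (embedded as strings, modelled on the entries shown above, with the made-up users "mallory", "legacy" and "ghost" added to exercise the failure cases) and reports, per user, whether the password flag in /etc/passwd agrees with the presence of a stanza in /etc/security/passwd. It also flags a hash that was left in the world-readable /etc/passwd, which is the condition a defender most wants to catch.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample of /etc/passwd, modelled on the page's example
 * (the "mallory" and "legacy" entries are made up for this example). */
static const char *SAMPLE_PASSWD =
    "root:!:0:0::/:/usr/bin/ksh\n"
    "paul:!:201:1::/home/paul:/usr/bin/ksh\n"
    "jdoe:*:202:1:John Doe:/home/jdoe:/usr/bin/ksh\n"
    "mallory:!:203:1::/home/mallory:/usr/bin/ksh\n"
    "legacy:XyZconstructed:204:1::/home/legacy:/usr/bin/ksh\n";

/* Constructed sample of /etc/security/passwd stanzas; paul's hash is the
 * one shown on the page, root's is made up, and "ghost" has no passwd line. */
static const char *SAMPLE_SECURITY =
    "root:\n"
    "\tpassword = ConstructedRootHash\n"
    "\tlastupdate = 1026394230\n"
    "\n"
    "paul:\n"
    "\tpassword = eacVScDKri4s6\n"
    "\tlastupdate = 1026394230\n"
    "\tflags = ADMCHG\n"
    "\n"
    "ghost:\n"
    "\tpassword = *\n";

enum pw_status {
    PW_OK,             /* the two files agree for this user */
    PW_NO_USER,        /* user appears in neither file */
    PW_MISSING_STANZA, /* passwd says "!" (password set) but no stanza exists */
    PW_ORPHAN_STANZA,  /* stanza exists but there is no /etc/passwd entry */
    PW_HASH_IN_PASSWD  /* field 2 holds something other than "!" or "*" */
};

/* Returns the first character of field 2 for user, 0 if that field is
 * empty, or -1 if the user has no line in the passwd text. */
int passwd_field(const char *text, const char *user)
{
    size_t ulen = strlen(user);
    const char *line = text;

    while (*line != '\0') {
        const char *nl = strchr(line, '\n');
        size_t len = nl ? (size_t)(nl - line) : strlen(line);

        if (len > ulen && strncmp(line, user, ulen) == 0 && line[ulen] == ':') {
            const char *f = line + ulen + 1;          /* start of field 2 */
            return (*f == ':' || *f == '\n' || *f == '\0') ? 0 : (unsigned char)*f;
        }
        if (nl == NULL)
            break;
        line = nl + 1;
    }
    return -1;
}

/* Returns 1 if a stanza header line of exactly "user:" exists. */
int has_stanza(const char *text, const char *user)
{
    size_t ulen = strlen(user);
    const char *line = text;

    while (*line != '\0') {
        const char *nl;
        if (strncmp(line, user, ulen) == 0 && line[ulen] == ':' &&
            (line[ulen + 1] == '\n' || line[ulen + 1] == '\0'))
            return 1;
        nl = strchr(line, '\n');
        if (nl == NULL)
            break;
        line = nl + 1;
    }
    return 0;
}

/* Cross-check one user: the "!" flag must be backed by a stanza, a stanza
 * must belong to a real account, and no hash may live in /etc/passwd. */
enum pw_status check_user(const char *passwd_text, const char *sec_text,
                          const char *user)
{
    int field = passwd_field(passwd_text, user);
    int stanza = has_stanza(sec_text, user);

    if (field < 0)
        return stanza ? PW_ORPHAN_STANZA : PW_NO_USER;
    if (field != '!' && field != '*')
        return PW_HASH_IN_PASSWD;
    if (field == '!' && !stanza)
        return PW_MISSING_STANZA;
    return PW_OK;
}

int main(void)
{
    static const char *users[] = { "root", "paul", "jdoe", "mallory", "legacy", "ghost", "nobody" };
    static const char *names[] = { "ok", "no such user", "missing stanza",
                                   "orphan stanza", "hash in /etc/passwd" };
    size_t i;

    for (i = 0; i < sizeof users / sizeof users[0]; i++)
        printf("%-8s %s\n", users[i],
               names[check_user(SAMPLE_PASSWD, SAMPLE_SECURITY, users[i])]);
    return 0;
}
```

On a real system you would read the two files instead of the embedded strings; the point of the check is that every "!" in /etc/passwd must be backed by a stanza, every stanza must belong to an account, and nothing resembling a hash may remain in the world-readable file.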
Traditionally, in a networked environment a user had to have an account on each system to gain access to that system. That typically meant that the user had an entry in the /etc/passwd file on each system. However, in a distributed environment there is no easy way to ensure that every system has the same /etc/passwd file. To solve this problem, several methods have been developed to make the information in the /etc/passwd file available over the network, including the following:
Both of these topics are discussed in the NIS chapter.
To achieve a higher level of security, ensure that user IDs and passwords are not visible within the system. The .netrc files contain user IDs and passwords. These files are not protected by encryption or encoding, so their contents are stored as plain text. To find these files, run the following command:
# find `awk -F: '{print $6}' /etc/passwd` -name .netrc -ls
After you locate these files, delete them. A more effective way to save passwords is by setting up Kerberos.
Proper password management can only be accomplished through user education. But to provide some additional security, the operating system provides configurable password restrictions. These allow the administrator to constrain the passwords chosen by users and to force passwords to be changed regularly. Password options and extended user attributes are located in the /etc/security/user file. This is an ASCII file that contains attribute stanzas for users. These restrictions are enforced whenever a new password is defined for a user. All password restrictions are defined per user. By keeping restrictions in the default stanza of the /etc/security/user file, the same restrictions are enforced on all users. To maintain password security, all passwords must be similarly protected.
The operating system also provides a method for administrators to extend the password restrictions. Using the pwdchecks attribute of the /etc/security/user file, an administrator can add new subroutines (known as methods) to the password restrictions code. Thus, local site policies can be added to and enforced by the operating system. See Extending Password Restrictions for more information.
Apply password restrictions sensibly. Attempts to be too restrictive, such as limiting the password space, which makes guessing the password easier, or forcing the user to select passwords that are difficult to remember, which might then be written down, can jeopardize password security. Ultimately, password security rests with the user. Simple password restrictions, coupled with sensible guidelines and an occasional audit to see if current passwords are unique, are the best policy.
The following table lists recommended values for some security attributes related to user passwords in the /etc/security/user file.
Attribute | Description | Recommended Value | Default Value | Maximum Value |
---|---|---|---|---|
dictionlist | Verifies passwords do not include standard UNIX words. | /usr/share/dict/words | NA (Note 1) | NA |
histexpire | Number of weeks before a password can be reused. | 26 | 0 | 260 (Note 2) |
histsize | Number of password iterations allowed. | 20 | 0 | 50 |
maxage | Maximum number of weeks before password must be changed. | 8 | 0 | 52 |
maxexpired | Maximum number of weeks beyond maxage that an expired password can be changed by the user. (Root is exempt.) | 2 | -1 | 52 |
maxrepeats | Maximum number of characters that can be repeated in passwords. | 2 | 8 | 8 |
minage | Minimum number of weeks before a password can be changed. This should not be set to a nonzero value unless administrators are always easy to reach to reset an accidentally compromised password that was recently changed. | 0 | 0 | 52 |
minalpha | Minimum number of alphabetic characters required in passwords. | 2 | 0 | 8 |
mindiff | Minimum number of unique characters that passwords must contain. | 4 | 0 | 8 |
minlen | Minimum length of password. | 6 (8 for root user) | 0 | 8 |
minother | Minimum number of non-alphabetic characters required in passwords. | 2 | 0 | 8 |
pwdwarntime | Number of days before the system issues a warning that a password change is required. | 5 | NA | NA |
pwdchecks | This entry can be used to augment the passwd command with custom code that checks password quality. | For more information, see Extending Password Restrictions. | NA | NA |
For a Controlled Access Protection Profile and Evaluation Assurance Level 4+ (CAPP/EAL4+) system, use the values recommended in User and Port Configuration.
If text processing is installed on the system, the administrator can use the /usr/share/dict/words file as the dictionlist dictionary file. In that case, the administrator can set the minother attribute to 0. Because most words in the dictionary file contain no characters in the minother category, setting the minother attribute to 1 or more already rejects the vast majority of words in the dictionary file, which makes the dictionary check largely redundant.
The minimum length of a password on the system is set by the value of the minlen attribute or the value of the minalpha attribute plus the value of the minother attribute, whichever is greater. The maximum length of a password is eight characters. The value of the minalpha attribute plus the value of the minother attribute must never be greater than eight. If the value of the minalpha plus the value of the minother attribute is greater than eight, then the value of the minother attribute is reduced to eight minus the value of the minalpha attribute.
If the values of both the histexpire attribute and the histsize attribute are set, the system retains the number of passwords required to satisfy both conditions up to the system limit of 50 passwords per user. Null passwords are not retained.
You can edit the /etc/security/user file to include any defaults you want to use to administer user passwords. Alternatively, you can change attribute values using the chuser command.
Other commands that can be used with this file are mkuser, lsuser, and rmuser. The mkuser command creates an entry for each new user in the /etc/security/user file and initializes its attributes with the attributes defined in the /usr/lib/security/mkuser.default file. To display the attributes and their values, use the lsuser command. To remove a user, use the rmuser command.
The rules used by the password program to accept or reject passwords (the password composition restrictions) can be extended by system administrators to provide site-specific restrictions. Restrictions are extended by adding subroutines, known as methods, which are called during a password change. The pwdchecks attribute in the /etc/security/user file specifies the methods called.
The AIX 5L Version 5.2 Technical Reference contains a description of the pwdrestrict_method, the subroutine interface to which specified password restriction methods must conform. To correctly extend the password composition restrictions, the system administrator must program this interface when writing a password restriction method. Use caution in extending the password composition restrictions. These extensions directly affect the login command, the passwd command, the su command, and other programs. The security of the system could easily be subverted by malicious or defective code. Only use code that you trust.
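The following is an added example of such a site-specific method; it is not AIX code and not taken from the Technical Reference. It implements three local rules on top of the built-in composition restrictions (which AIX continues to enforce on its own): the new password must not contain the user name, must not be the old password or the old password reversed, and must not contain a word from a constructed site-local banned list (SITE_BANNED, an assumption of this example). The parameter types and the return convention (0 accept, 1 reject with a malloc'd *Message that the caller frees, -1 on error) follow the pwdrestrict_method interface as I read it in the Technical Reference; confirm them against the reference for your release before building the method as a load module and listing it in pwdchecks. The inputs in main are constructed test values.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed site-local banned substrings (matched case-insensitively).
 * They supplement, not replace, the dictionlist check AIX performs itself. */
static const char *SITE_BANNED[] = { "acme", "welcome", "aix", NULL };

/* Case-insensitive substring test using only <ctype.h>/<string.h>. */
static int contains_nocase(const char *hay, const char *needle)
{
    size_t n = strlen(needle);

    if (n == 0)
        return 0;
    for (; *hay != '\0'; hay++) {
        size_t i = 0;
        while (i < n && hay[i] != '\0' &&
               tolower((unsigned char)hay[i]) == tolower((unsigned char)needle[i]))
            i++;
        if (i == n)
            return 1;
    }
    return 0;
}

/* 1 if a is b spelled backwards, e.g. "1terces" against "secret1". */
static int is_reverse_of(const char *a, const char *b)
{
    size_t n = strlen(a), i;

    if (n == 0 || n != strlen(b))
        return 0;
    for (i = 0; i < n; i++)
        if (a[i] != b[n - 1 - i])
            return 0;
    return 1;
}

/* Hand a malloc'd explanation back through *Message (the caller frees it)
 * and return 1, the "rejected" code; -1 if the allocation fails. */
static int reject(char **Message, const char *text)
{
    if (Message != NULL) {
        *Message = malloc(strlen(text) + 1);
        if (*Message == NULL)
            return -1;
        strcpy(*Message, text);
    }
    return 1;
}

/* Entry point the pwdchecks attribute loads.  Returns 0 to accept the new
 * password, 1 to reject it (with *Message set), -1 on internal error.
 * Parameter types are my reading of the pwdrestrict_method interface. */
int pwdrestrict_method(char *UserName, char *NewPassword, char *OldPassword,
                       char **Message)
{
    const char **w;

    if (UserName == NULL || NewPassword == NULL)
        return -1;

    if (contains_nocase(NewPassword, UserName))
        return reject(Message, "Password must not contain the user name.");

    /* OldPassword may be NULL or empty (for example when an administrator
     * sets the password); treat that as nothing to compare against. */
    if (OldPassword != NULL && *OldPassword != '\0' &&
        (strcmp(NewPassword, OldPassword) == 0 ||
         is_reverse_of(NewPassword, OldPassword)))
        return reject(Message, "New password must not be the old one or its reverse.");

    for (w = SITE_BANNED; *w != NULL; w++)
        if (contains_nocase(NewPassword, *w))
            return reject(Message, "Password contains a word banned by site policy.");

    return 0;
}

int main(void)
{
    char user[] = "paul", old[] = "secret1";                         /* constructed */
    char tries[][9] = { "xpaul12", "1terces", "Acme2024", "Tq7$wz2p" }; /* constructed */
    size_t i;

    for (i = 0; i < sizeof tries / sizeof tries[0]; i++) {
        char *msg = NULL;
        int rc = pwdrestrict_method(user, tries[i], old, &msg);
        printf("%-9s -> %d %s\n", tries[i], rc, msg ? msg : "accepted");
        free(msg);
    }
    return 0;
}
```

Every rejection returns a message the caller owns and frees, and every failure to decide (missing arguments, allocation failure) returns -1 rather than silently accepting; that fail-closed shape matters because, as the text notes, a defective method is loaded into login, passwd and su.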