In AIX to control password grammar (composition rules), expiration and all other not mentioned here “attributes”, both on a local or global scale is very easy. All is collected and ready to be manipulated to satisfy your fancy in a single file called
user located in directory called
This file as many other files in AIX is based on stanzas. There is the
default stanza where all attributes are set to their “default” values. This stanza is followed by any number of other stanzas, each representing a particular user whose password/login attributes differ from the ones set in the
default stanza. It is nice and easy. Does it answer all needs in this area? Maybe not, most likely not. Is it dated solution? It could be. In my opinion it is clean and efficient and if anything else is called for in addition and above what this file provides, one has to remember that AIX has PAM,yes AIX supports PAM. Having said that, I admit that I have never used PAM with AIX and have no idea do what extend PAM is supported by this operating system. What PAM stands for? PAM is short for the
Pluggable Authentication Modules.
Here comes LINUX. A few days ago, I started to think about RedHat – How to set a different set of password controls on a RedHat host with an configured and operational Active Directory authentication? What to do to apply a different set of password attributes for the local users? This post is a way to share with you what I have so far discovered. As always, let me know if you find an error, omission or a better solution to what I have shown here.
In RedHat to make sure that the local users (the ones present in the file
/etc/passwd) are authenticating by the local means and not via AD or LDAP or something else you have to check the files inside directory called
/etc/pam.d for the presence of the following entry:
account sufficient pam_localuser.so
On my host, these entry is present in a few files like
system-auth – not all of them are actually needed as for example this host does not employ any finger print recognition device to authorize the login-in user. I think, that for most cases it is enough to have this entry in both files which names start with
Next comes the grammar. To make sure that the local users passwords are sufficiently strong and they contain the correct ratio of numerals/upper/lower/special characters and so forth we look into the same directory again, but now seeking a different PAM module. This time we look for a PAM module called
pam_cracklib.so, which we find in the file called
password-auth. For example the following entry:
password required pam_cracklib.so \ dcredit=-1 ucredit=-1 lcredit=-1 minlen=8
requires a password to contain at the minimum one (1) digit (
dcredit), one (1) upper case (
ucredit) character, one (1) lower case (
lcredit) character and be not shorter than (
minlen 8 characters. Not to mention that this module will automatically check the selected password against a dictionary an if it is found to be a word …. guess what? It will be refused and the user will have to specify to select a different one.
Now, what about the previous passwords? How to prevent their repetitive usage? First, verify that this file is present:
# ls -l /etc/security/opasswd -rw-------. 1 root root 0 Apr 5 2012 /etc/security/opasswd
This file is the “keeper” of users previous passwords. The number of previous password per user stored inside this file is controlled by the value of the token called
remember – thanks the developer for using meaningful terms!!!!!!!!!! The next line shows this setting in action (an excerpt form the file
password sufficient pam_unix.so \ sha512 shadow nullok try_first_pass use_authtok \ remember=4
On this host, user is not allowed to repeat any of his four last passwords. By the way, the maximum for
remember is 400 (past passwords).
For now this is all I have, stay warm,