AIX Password Policy

Status
Not open for further replies.

110877

MIS
Nov 14, 2001
25
AU
Hi Guys,
Can anyone give me an idea how to change the password policy in AIX v5.3 so these criteria are met, password must have 1 upper case character, 1 lower case character, and 1 numeral?

Your help would be muchly appreciated.

Cheers,
110877.
 
Take a look at the files in /etc/security. The specific file you want is "user". The top section will have comments on the various variables and what they mean. You can set up everything in the default stanza. You can also set up specific users to have settings that are different from the default stanza by making the appropriate changes in the stanza under their username.

Add a little color to your PUTTY terminal: faq52-6627
 
Hi Sbrews,
Yes, I have looked in the file /etc/security/user; the only things that came close are the options minlen and minother. Would these give me the desired password policy?

Here are the options in /etc/security/user
--------------------------------------------------------
* minlen Defines the minimum length of a password. The default is 0.
* Range: 0 to 8.
*
* Note: The minimum length of a password is determined by minlen and/or
* 'minalpha + minother', whichever is greater. 'minalpha + minother'
* should never be greater than 8. If 'minalpha + minother' is greater
* than 8, then minother is reduced to '8 - minalpha'.
*
* minother Defines the minimum number of non-alphabetic characters in a
* password. The default is 0. Range: 0 to 8.
----------------------------------------------------------

The option minother would give the non-alphabetic characters in the password, but what about the upper and lower case characters?

Many thanks,
110877
 
Excuse the rather pompous tone - it's cut and pasted from my documentation (Yes, I write it!)

Password Security Methods for AIX
Table of Contents

1. BACKGROUND
1.1 SCOPE
1.2 PURPOSE
2. INTRODUCTION
3. IMPLEMENTATION
3.1 WRITING AND COMPILING THE METHOD
3.2 INSTALLING THE COMPILED CODE
3.3 ACTIVATING THE CODE
APPENDIX A


1. Background

1.1 Scope

This document is written for AIX system administrators and security personnel with interests in upgrading AIX password security.

1.2 Purpose

This document describes a method of enhancing AIX password checking so that password 'rules' may be set to any local requirements. It is based on the AIX documentation for pwdrestrict_method.

2. Introduction

AIX 'out of the box' provides a certain amount of vetting for users' passwords. These include password age, minimum length, and reusability. However it does not include any method of checking for password content.

Current requirements are that a password should contain a mixture of
• Upper case letters (A-Z) – this maps to the isupper 'C' macro.
• Lower case letters (a-z) – this maps to the islower 'C' macro
• Numbers (0-9) – this maps to the isdigit 'C' macro.
• Special characters (!"£$%^& etc) – this maps to ispunct 'C' macro

3. Implementation

3.1 Writing And Compiling The Method

The requirements for the 'C' code for the method are given under the IBM documentation for pwdrestrict_method. The key point to note is that although the subroutine is defined as int pwdrestrict_method (…) the actual name can be anything except 'main'.

Once written the code should be compiled using
cc -e <entry point> -o <output file> <input file>
For example, if the subroutine is called pwd_method, the source file is called pwd_source.c and the output file is called pwd_file, then the compile command would be
cc -e pwd_method -o pwd_file pwd_source.c

The code currently used, sbs_method.c, is given in Appendix A.

3.2 Installing the Compiled Code

Once compiled the code should be copied to /usr/lib and suitably write protected.

3.3 Activating the Code

To activate the code, edit /etc/security/user and add (or amend) the line pwdchecks= to point to the file containing the method. For example, using the example given above, the line should read
pwdchecks = pwd_file


Appendix A
Code:
#include <ctype.h>
#include <stdio.h>   /* sprintf */
#include <stdlib.h>  /* malloc */

/*
 * Password restriction method: the new password must contain at least one
 * upper case, one lower case, one numeric and one special character.
 * Returns 0 if the password passes, 1 if it fails (*Message is set to a
 * malloc'd explanation) and -1 if the message buffer cannot be allocated.
 */
int sbs_entry ( char *UserName, char *NewPasswd, char *OldPasswd, char **Message )
{
int Upper = 0, Lower = 0, Number = 0, Punct = 0;
int iReturn = 0;

/* Count the characters of each class; the cast keeps the ctype calls
   well defined where char is signed */
for ( ; *NewPasswd; NewPasswd++ )
  {
  if ( isupper ( (unsigned char) *NewPasswd ) )
    Upper++;
  else if ( islower ( (unsigned char) *NewPasswd ) )
    Lower++;
  else if ( isdigit ( (unsigned char) *NewPasswd ) )
    Number++;
  else if ( ispunct ( (unsigned char) *NewPasswd ) )
    Punct++;
  }

/* Report the first missing class only */
if ( ! Upper )
  {
  if ( ( *Message = (char *)malloc (64) ) == NULL )
    iReturn = -1;
  else
    {
    sprintf ( *Message, "Password must contain at least one upper case character\n" );
    iReturn = 1;
    }
  }
else if ( ! Lower )
  {
  if ( ( *Message = (char *)malloc (64) ) == NULL )
    iReturn = -1;
  else
    {
    sprintf ( *Message, "Password must contain at least one lower case character\n" );
    iReturn = 1;
    }
  }
else if ( ! Number )
  {
  if ( ( *Message = (char *)malloc (64) ) == NULL )
    iReturn = -1;
  else
    {
    sprintf ( *Message, "Password must contain at least one numeric character\n" );
    iReturn = 1;
    }
  }
else if ( ! Punct )
  {
  if ( ( *Message = (char *)malloc (64) ) == NULL )
    iReturn = -1;
  else
    {
    sprintf ( *Message, "Password must contain at least one special character\n" );
    iReturn = 1;
    }
  }
return iReturn;
}

Ceci n'est pas une signature
Columb Healy
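
An added example, not part of the original post and not Columb Healy's code: a table-driven variant with the same four-argument signature that enforces only the three classes asked for in the question (upper case, lower case, digit), reports every unmet rule in one message instead of only the first, and rejects NULL pointers. The entry-point name pwd_classes_method, the rule table and the message wording are assumptions.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed policy (the three classes from the question): test, minimum, label. */
static const struct rule { int (*test)(int); int min; const char *label; } rules[] = {
    { isupper, 1, "upper case letter(s)" },
    { islower, 1, "lower case letter(s)" },
    { isdigit, 1, "digit(s)" },
};
#define NRULES (sizeof rules / sizeof rules[0])
#define MSGLEN 256

/* Hypothetical entry point with the same argument list as sbs_entry.
 * Returns 0 = accepted, 1 = rejected (*Message malloc'd), -1 = internal error. */
int pwd_classes_method(char *UserName, char *NewPasswd, char *OldPasswd, char **Message)
{
    int count[NRULES] = { 0 };
    int used = 0, failed = 0;
    size_t i;
    char *msg;

    (void)UserName; (void)OldPasswd;      /* unused by a content-only check */
    if (NewPasswd == NULL || Message == NULL)
        return -1;
    *Message = NULL;

    for (; *NewPasswd; NewPasswd++)       /* one pass, all classes counted */
        for (i = 0; i < NRULES; i++)
            if (rules[i].test((unsigned char)*NewPasswd))
                count[i]++;
    for (i = 0; i < NRULES; i++)
        failed |= count[i] < rules[i].min;
    if (!failed)
        return 0;

    if ((msg = malloc(MSGLEN)) == NULL)
        return -1;
    msg[0] = '\0';
    for (i = 0; i < NRULES && used < MSGLEN - 1; i++)   /* one line per unmet rule */
        if (count[i] < rules[i].min)
            used += snprintf(msg + used, MSGLEN - used,
                             "Password needs at least %d %s\n", rules[i].min, rules[i].label);
    *Message = msg;
    return 1;
}
```

Compiling and activating it follows sections 3.1 to 3.3 of the post, with pwd_classes_method as the entry point given to cc -e.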
 