User authentication

Identification and authentication are used to establish a user's identity.

Each user is required to log in to the system. The user supplies the user name of an account and a password if the account has one (in a secure system, all accounts must either have passwords or be invalidated). If the password is correct, the user is logged in to that account; the user acquires the access rights and privileges of the account. The /etc/passwd and /etc/security/passwd files maintain user passwords.

By default, users are defined in the Files registry, which means that user account and group information is stored in flat ASCII files. With the introduction of plug-in load modules, users can be defined in other registries too. For example, when the LDAP plug-in module is used for user administration, the user definitions are stored in the LDAP repository, and there is no entry for those users in the /etc/security/user file (the exception is the user attributes SYSTEM and registry). When a compound load module (that is, a load module with both an authentication part and a database part) is used for user administration, the database half determines how AIX® user account information is administered, and the authentication half handles authentication and password-related administration. The authentication half may also handle authentication-specific user account attributes by implementing certain load module interfaces (newuser, getentry, putentry, etc.).

The method of authentication is controlled by the SYSTEM and registry attributes that are defined in the /etc/security/user file. A system administrator can define the authcontroldomain attribute in the /etc/security/login.cfg file to force the SYSTEM and registry attributes to be retrieved from the authcontroldomain. For instance, authcontroldomain=LDAP forces the system to look up the user's SYSTEM and registry attributes in LDAP to determine the authentication method for the user. Locally defined users are an exception: for them the authcontroldomain setting is ignored, and the SYSTEM and registry attributes are always retrieved from the /etc/security/user file.

The acceptable token for the authcontroldomain attribute is files or a stanza name from the /usr/lib/security/methods.cfg file.

The value of the SYSTEM attribute is defined through a grammar. By using this grammar, the system administrators can combine one or more methods to authenticate a particular user to the system. The well known method tokens are compat, DCE, files and NONE.

The system default is compat. The default SYSTEM=compat tells the system to use the local database for authentication and, if no resolution is found, the Network Information Services (NIS) database is tried. The files token specifies that only local files are to be used during authentication, whereas SYSTEM=DCE results in a DCE authentication flow.

The NONE token turns off method authentication. To turn off all authentication, the NONE token must appear in the SYSTEM and auth1 lines of the user's stanza.

You can specify two or more methods and combine them with the logical constructors AND and OR. For instance, SYSTEM=DCE OR compat indicates that the user is allowed to log in if either DCE or local authentication (crypt()) succeeds, the methods being tried in that order.

In a similar fashion, a system administrator can use authentication load module names in the SYSTEM attribute. For instance, when the SYSTEM attribute is set to SYSTEM=KRB5files OR compat, the AIX host first tries a Kerberos authentication flow and, if that fails, falls back to standard AIX authentication.

SYSTEM and registry attributes are always stored on the local file system in the /etc/security/user file. If an AIX user is defined in LDAP and the SYSTEM and registry attributes are set accordingly, then the user will have an entry in the /etc/security/user file.

The SYSTEM and registry attributes of a user can be changed using the chuser command.

Acceptable tokens for the SYSTEM attribute can be defined in the /usr/lib/security/methods.cfg file.

Note: The root user is always authenticated by means of the local system security file. The SYSTEM attribute entry for the root user is specifically set to SYSTEM=compat in the /etc/security/user file.
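The SYSTEM grammar described above (methods joined by AND and OR, tried in order) and the root rule from the note, worked through as an added example that is not part of the AIX documentation. It assumes a simple left-to-right evaluation with short-circuiting, models NONE as a method that always passes, and does not handle nested or bracketed expressions; the stanza file and the method outcomes are constructed sample data.

```python
import re
# Constructed sample of /etc/security/user contents (not a real system's file).
SAMPLE_USER_FILE = """\
default:
        SYSTEM = "compat"
root:
        SYSTEM = "compat"
alice:
        SYSTEM = "KRB5files OR compat"
bob:
        SYSTEM = "DCE AND compat"
"""

def parse_stanzas(text):
    """Return {stanza: {attribute: value}}; quotes around values are stripped."""
    stanzas, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("*"):
            continue                                  # blank or comment line
        m = re.match(r"^(\S+):\s*$", line)
        if m:
            current = stanzas.setdefault(m.group(1), {})
            continue
        key, _, value = line.partition("=")
        current[key.strip()] = value.strip().strip('"')
    return stanzas

def effective_system(user, stanzas):
    """root is always compat; otherwise the user's stanza, then the default stanza."""
    if user == "root":
        return "compat"
    return stanzas.get(user, {}).get("SYSTEM") or stanzas["default"]["SYSTEM"]

def evaluate_system(expr, outcomes):
    """Evaluate a SYSTEM expression left to right with short-circuiting (assumed model).
    outcomes maps a method token to the result that method would return
    (constructed here; a real system calls the load module).
    Returns (authenticated, list of methods actually tried, in order)."""
    result, op, tried = None, None, []
    for tok in expr.split():
        if tok in ("AND", "OR"):
            op = tok
            continue
        if (op == "AND" and result is False) or (op == "OR" and result is True):
            continue                                  # outcome already decided
        if tok == "NONE":
            ok = True                                 # NONE turns off method auth
        else:
            ok = outcomes.get(tok, False)             # unknown method counts as failure
            tried.append(tok)
        result = ok if result is None else (result and ok if op == "AND" else result or ok)
    return bool(result), tried
```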

Alternative methods of authentication are integrated into the system by means of the SYSTEM attribute that appears in /etc/security/user. For instance, the Distributed Computing Environment (DCE) requires password authentication but validates these passwords in a manner different from the encryption model used in /etc/passwd and /etc/security/passwd. Users who authenticate by means of DCE can have their stanza in /etc/security/user set to SYSTEM=DCE.

Other SYSTEM attribute values are compat, files, and NONE. The compat token is used when name resolution (and subsequent authentication) follows the local database, and if no resolution is found, the Network Information Services (NIS) database is tried. The files token specifies that only local files are to be used during authentication. Finally, the NONE token turns off method authentication. To turn off all authentication, the NONE token must appear in the SYSTEM and auth1 lines of the user's stanza.

See Operating system and device management for more information on protecting passwords.

Login user IDs

All audit events recorded for this user are labeled with this ID and can be examined when you generate audit records. See Operating system and device management for more information about login user IDs.