  • Latest Post - ‏2013-03-20T20:56:13Z by ColombianJoker
SystemAdmin
SystemAdmin
6902 Posts

Pinned topic minlen Question for all existing users

‏2013-03-20T13:58:33Z |
I just want to make sure I understand the minlen setting on AIX. I inherited a server that is several years old running AIX 5.3. First, is there any way to set all existing users to have their password set with a minlen of 8 without updating every single user? I suspect I have to change it for each individual user; this server has several hundred users that need to have their password minlen increased. Secondly, when this is changed for a user, does it enforce the rule the next time they reset their passwords, or does it immediately force them to change their password on next login?

Thanks in advance.
Updated on 2013-03-20T20:56:13Z at 2013-03-20T20:56:13Z by ColombianJoker
  • alethad
    alethad
    286 Posts

    Re: minlen Question for all existing users

    ‏2013-03-20T16:46:16Z  
    I would recommend looking at the pwdadm command along with a couple of the other commands used for changing users' passwords. But you are going to have to write scripts to be able to do this for multiple users. I don't know a way around that unless someone else might.

    How many users have a greater than 8 minlen? 8 is the default unless you are on AIX5.3TL7 or later which did allow you to set it longer.

    Also test this first thoroughly before putting it out into your production system.
    Good Luck.

    You've got to continue to grow, or you're just like last night's cornbread -- stale & dry Loretta Lynn alethad
  • SystemAdmin
    SystemAdmin
    6902 Posts

    Re: minlen Question for all existing users

    ‏2013-03-20T18:19:35Z  
    Actually all the users, hundreds, had a minlen of 6 and we wanted to change it to 8. I used a Perl one-liner to change just the minlen = 6 line to minlen = 8 on the /etc/security/users file for each user. After backing it up, of course. This looks as if it worked. Before I made my own one command to change all the users to minlen = 8, I wanted to find out if AIX had some way to do it for me. I thought perhaps there was something in smitty, but this was just as easy. Thanks for the reply.
  • alethad
    alethad
    286 Posts

    Re: minlen Question for all existing users

    ‏2013-03-20T18:51:23Z  
    Yeah, nothing in smitty for blanket changes on that many users at one time. You have to script it.

    Glad it worked out for you.

    You've got to continue to grow, or you're just like last night's cornbread -- stale & dry Loretta Lynn alethad
  • ColombianJoker
    ColombianJoker
    68 Posts

    Re: minlen Question for all existing users

    ‏2013-03-20T20:54:03Z  
    Hello, AIX uses the values from the default stanza in configuration files whenever a user does not have their own values. If you remove minlen=x from a user stanza, then it will use the value from default for these users.

    Try
    grep -p USERNAME: /etc/security/user
    It will show the attributes for user USERNAME.
    Use
    lsuser -a minlen USERNAME
    to get the value AIX is using for that user.
    Then try
    chsec -f /etc/security/user -s USERNAME -a minlen=
    for some user USERNAME and it will remove that value.
    Try
    lsuser -a minlen USERNAME
    and it will show you the value it is using, from the default stanza.
  • ColombianJoker
    ColombianJoker
    68 Posts

    Re: minlen Question for all existing users

    ‏2013-03-20T20:56:13Z  
    You can automate:
    for USER in $(lsuser -a ALL)
    do
        chsec -f /etc/security/user -s "$USER" -a minlen=
    done

    And it will remove the minlen attribute for each user.

    You will need to use usrck and pwdck after these changes to be sure all users are forced to change their passwords to some valid value.
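
Before removing per-user overrides as described in this thread, it helps to see which users set their own minlen and what the default stanza would give everyone else. The script below is an added example, not code from any post: it parses a constructed sample in the /etc/security/user stanza layout with awk, and the function names and sample users are assumptions.

```shell
#!/bin/sh
# Added example: audit minlen in a stanza file laid out like /etc/security/user.
# Print "user minlen source" per user stanza; source is "own" when the stanza
# sets minlen itself and "default" when the default stanza supplies it.
effective_minlen() {
    awk '
        /^[ \t]*\*/ || /^[ \t]*$/ { next }        # comment or blank line
        /^[^ \t].*:[ \t]*$/ {                      # stanza header such as "root:"
            name = $1; sub(/:$/, "", name)
            if (name != "default") users[++n] = name
            next
        }
        {                                          # attribute line: "minlen = 6"
            split($0, kv, "=")
            key = kv[1]; val = kv[2]
            gsub(/[ \t]/, "", key); gsub(/[ \t]/, "", val)
            if (key == "minlen" && val != "") minlen[name] = val
        }
        END {
            dflt = ("default" in minlen) ? minlen["default"] : "unset"
            for (i = 1; i <= n; i++) {
                u = users[i]
                if (u in minlen) print u, minlen[u], "own"
                else print u, dflt, "default"
            }
        }
    ' "$1"
}

# Users whose effective minlen is below the required length ($2).
below_minimum() {
    effective_minlen "$1" |
        awk -v min="$2" '$2 == "unset" || $2 + 0 < min { print $1 }'
}

# Dry run: print, without executing, the chsec command from the thread for
# every user that carries its own minlen override.
removal_plan() {
    effective_minlen "$1" |
        awk '$3 == "own" { print "chsec -f /etc/security/user -s " $1 " -a minlen=" }'
}

# Constructed sample data, not taken from a real system.
SAMPLE=$(mktemp); trap 'rm -f "$SAMPLE"' EXIT
printf '%s\n' '* constructed sample' 'default:' '    minlen = 8' '' \
    'root:' '    minlen = 6' '    admin = true' '' \
    'alice:' '    minlen = 6' '' 'bob:' '    admin = false' > "$SAMPLE"
below_minimum "$SAMPLE" 8     # audit: who is still under 8?
removal_plan "$SAMPLE"        # review these lines before running anything
```

Run it against a copy of the real file rather than the live one; the dry-run output can be reviewed and trimmed (for example, to leave system accounts alone) before any chsec command is executed.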