5 replies Latest Post - ‏2013-03-20T20:56:13Z by ColombianJoker
SystemAdmin
6907 Posts

minlen Question for all existing users

‏2013-03-20T13:58:33Z |
I just want to make sure I understand the minlen setting on AIX. I inherited a server that is several years old running AIX 5.3. First, is there any way to set all existing users to have their password set with a minlen of 8 without updating every single user? I suspect I have to change it for each individual user; this server has several hundred users that need to have their password minlen increased. Secondly, when this is changed for a user, does it enforce the rule the next time they reset their passwords or does it immediately force them to change their password on next login?

Thanks in advance.
  • alethad
    286 Posts

    Re: minlen Question for all existing users

    ‏2013-03-20T16:46:16Z  in response to SystemAdmin
    I would recommend looking at the pwdadm command along with a couple of the other commands used for changing users' passwords. But you are going to have to write scripts to be able to do this for multiple users. I don't know a way around that unless someone else might.

    How many users have a greater than 8 minlen? 8 is the default unless you are on AIX5.3TL7 or later which did allow you to set it longer.

    Also test this first thoroughly before putting it out into your production system.
    Good Luck.

    You've got to continue to grow, or you're just like last night's cornbread -- stale & dry Loretta Lynn alethad
    • SystemAdmin
      6907 Posts

      Re: minlen Question for all existing users

      ‏2013-03-20T18:19:35Z  in response to alethad
      Actually, all the users, hundreds, had a minlen of 6 and we wanted to change it to 8. I used a Perl one-liner to change just the minlen = 6 line to minlen = 8 on the /etc/security/users file for each user. After backing it up, of course. This looks as if it worked. Before I made my own one command to change all the users to minlen = 8 I wanted to find out if AIX had some way to do it for me. I thought perhaps there was something in smitty, but this was just as easy. Thanks for the reply.
      • alethad
        286 Posts

        Re: minlen Question for all existing users

        ‏2013-03-20T18:51:23Z  in response to SystemAdmin
        Yeah, nothing in smitty for blanket changes on that many users at one time. You have to script it.

        Glad it worked out for you.

        • ColombianJoker
          68 Posts

          Re: minlen Question for all existing users

          ‏2013-03-20T20:54:03Z  in response to alethad
          Hello, AIX uses the values for the default stanza in configuration files whenever a user does not have their own values. If you remove minlen=x from a user stanza, then it will use the value from default for these users.

          Try
          grep -p USERNAME: /etc/security/user
          It will show the attributes for user USERNAME.
          Use
          lsuser -a minlen USERNAME
          to get the value AIX is using for that user.
          Then try
          chsec -f /etc/security/user -s USERNAME -a minlen=
          for some user USERNAME and it will remove that value.
          Try
          lsuser -a minlen USERNAME
          and it will show you the value it is using, from the default stanza.
          • ColombianJoker
            68 Posts

            Re: minlen Question for all existing users

            ‏2013-03-20T20:56:13Z  in response to ColombianJoker
            You can automate:
            for USER in $(lsuser -a ALL)
            do
                # clear the per-user minlen so the default stanza value applies
                chsec -f /etc/security/user -s "$USER" -a minlen=
            done

            And it will remove the minlen attribute for each user.

            You will need to use usrck and pwdck after these changes to be sure all users are forced to change their passwords to some valid value.
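
Added example, not part of the thread or any poster's reply: a read-only audit of the stanza layout discussed above. It reports which users fall below a target minlen and whether the value is set in their own stanza or inherited from default. The function names (audit_minlen, sample_user_file) and the sample data are constructed for illustration.

```sh
#!/bin/sh
# Added example: audit_minlen and sample_user_file are hypothetical names.
# Constructed sample in the layout of /etc/security/user.
sample_user_file() {
cat <<'EOF'
* constructed sample, not a real system file
default:
        minlen = 8

root:
        admin = true

alice:
        minlen = 6

bob:
        admin = false

carol:
        minlen=6
EOF
}

# audit_minlen FILE MIN: print "user value source" for each user whose effective
# minlen is below MIN; source is "own" (user stanza) or "default" (inherited).
audit_minlen() {
    awk -v min="$2" '
        /^[ \t]*\*/ || /^[ \t]*$/ { next }       # comments and blank lines
        /^[^ \t].*:[ \t]*$/ {                     # stanza header, e.g. "alice:"
            stanza = $1; sub(/:$/, "", stanza)
            if (stanza != "default") order[++n] = stanza
            next
        }
        {                                         # attribute line: "minlen = 6"
            line = $0; gsub(/[ \t]/, "", line)
            split(line, kv, "=")
            if (kv[1] == "minlen" && kv[2] != "") val[stanza] = kv[2]
        }
        END {
            if (!("default" in val)) val["default"] = 0   # assumption: unset means 0
            for (i = 1; i <= n; i++) {
                u = order[i]; src = (u in val) ? "own" : "default"
                v = (u in val) ? val[u] : val["default"]
                if (v + 0 < min + 0) print u, v, src
            }
        }' "$1"
}

f=${TMPDIR:-/tmp}/user.sample.$$; sample_user_file > "$f"
audit_minlen "$f" 8; rm -f "$f"
```

Running it before and after a bulk change shows whether any per-user override still undercuts the default stanza.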