Brian Smith's AIX / UNIX / Linux / Open Source blog
Modified by brian_s
AIX stores the last time a user changed their password as an "epoch" timestamp, in other words as the number of seconds since 1970.
For example, to see the last time root changed their password, you can type:
This shows that root changed their password at 1,391,663,150 seconds after 1970. This really isn't very helpful unless you take the epoch number and convert it to a real date.
Here is a one-liner function that gives you a "lastpwchg" command, which shows a normal date/time for a user's last password change. Just type "lastpwchg" followed by the username you would like to check:
The results look like this when you run it to check a user:
If you found this useful, you might also want to check out this post: Don't let your AIX passwords expire
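A lookup of this kind, written out as an added example (it is not the post's original one-liner): it reads the lastupdate attribute from the user's stanza and prints it as a date. The PASSWD_FILE override, the function names and the sample stanza (apart from the epoch value quoted above) are assumptions constructed for illustration.

```shell
# Added example. PASSWD_FILE may point at a sample file; default is the AIX path.
pw_lastupdate() {   # print the raw lastupdate epoch from the stanza of user $1
    awk -v user="$1" '
        $0 ~ /^[^ \t]/ && $1 ~ /:$/ { cur = substr($1, 1, length($1) - 1); next }
        cur == user && $1 == "lastupdate" && $2 == "=" { print $3; found = 1; exit }
        END { exit !found }
    ' "${PASSWD_FILE:-/etc/security/passwd}"
}

epoch_to_date() {   # AIX date cannot convert an epoch, so perl is tried first
    if command -v perl >/dev/null 2>&1; then
        perl -MPOSIX -e 'print strftime("%Y-%m-%d %H:%M:%S %Z", localtime($ARGV[0])), "\n"' "$1"
    else
        date -d "@$1" '+%Y-%m-%d %H:%M:%S %Z'   # fallback for systems with GNU/BusyBox date
    fi
}

lastpwchg() {
    epoch=$(pw_lastupdate "$1") || { echo "lastpwchg: no lastupdate for $1" >&2; return 1; }
    case $epoch in
        ''|*[!0-9]*) echo "lastpwchg: bad lastupdate value for $1" >&2; return 1 ;;
    esac
    echo "$1 $(epoch_to_date "$epoch")"
}

# Constructed sample stanzas (the hash is a placeholder, not a real hash).
sample=$(mktemp); trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
root:
        password = CONSTRUCTEDhash
        lastupdate = 1391663150
        flags =

guest:
        password = *
EOF
PASSWD_FILE=$sample
lastpwchg root
```

The date is shown in the local time zone of the shell that runs it; an account with no lastupdate attribute (guest in the sample) is reported as an error instead of being printed as 1970.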
AIX stores password hashes under /etc/security/passwd. Each user with a password defined will have a stanza in this file that specifies what the hashed password is.
Here is an example for the root user:
If you would like to transfer a user's password from one server to another, you can simply copy the user's stanza out of /etc/security/passwd and put it in this same file on the other server (replacing their existing stanza). The user will now be able to log in to the other server with whatever their password was set to on the original server.
However, editing /etc/security/passwd directly should make you nervous. If you make a mistake with this file you might prevent anyone from being able to log in to the server.
Another option is to get the user's password hash out of /etc/security/passwd and then use the "chpasswd" command to change the password on the other server. The chpasswd command has a "-e" option that specifies the password is hashed/encrypted rather than cleartext. So with the example given above for the root user, if we were to run this command on the other server it would update the root account's password to be the same as on the original server:
The "-c" option on chpasswd clears any password flags and prevents the user from being forced to change their password at next login.
WARNING: Don't run the chpasswd command line above (or the others in this article) on your server or you'll change your root password. The password hashes used in this posting are just examples and the password for them all is just the letter "a".
To make this easier, here is a short script to automate the process:
The script will generate the "chpasswd" command line needed to duplicate the user's password on other servers. The script doesn't do anything other than generate the chpasswd command line - you must then take this command line and run it on whatever server(s) you want to copy the user's password hash to. If you run this script with a specific user as an argument, only that user will have the command line generated. If you don't specify a user, it will generate command lines for all users on the server that have a password stanza.
Here is an example of running it and specifying a user (root in this case). As you can see, it just generates a command line - you must then copy and paste this onto each server you want to duplicate the user's password to. When you run the generated command on another server, it will change the user's password to match whatever password was set on the original server.
If you run the script without any arguments, chpasswd command lines are generated for all users that have a password stanza:
If you would like to learn more about password hashes and how they work, check out this article over at IBM System Magazine: Improve AIX Security With Password Hashes
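A generator of the kind described above, as an added example rather than the post's own script: it walks the password stanzas and prints one chpasswd command line per user with a usable hash. The function name, the quoting choices and the sample stanzas (constructed placeholder hashes) are assumptions.

```shell
# Added example. The output contains password hashes: keep it out of
# world-readable files and treat it like the stanza file itself.
gen_chpasswd() {   # $1 = stanza file, $2 = optional user (default: all users)
    awk -v want="$2" -v q="'" '
        $0 ~ /^[^ \t]/ && $1 ~ /:$/ { user = substr($1, 1, length($1) - 1); next }
        $1 == "password" && $2 == "=" {
            hash = $3
            if (hash == "" || hash == "*") next        # no usable hash to copy
            if (want != "" && user != want) next
            # refuse anything that could break out of the single quotes below
            if (user !~ /^[A-Za-z0-9._-]+$/ || index(hash, q) > 0) {
                print "skipping " user ": unsafe characters" | "cat 1>&2"
                next
            }
            # single quotes keep the target shell from expanding "$" inside
            # salted hash formats such as {ssha256} and {smd5}
            printf "echo %s%s:%s%s | chpasswd -e -c\n", q, user, hash, q
        }
    ' "$1"
}

# Constructed sample stanzas; the hashes are placeholders, not real hashes.
sample=$(mktemp); trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
root:
        password = aBcDeFgHiJkLm
        lastupdate = 1391663150

alice:
        password = {ssha256}06$CONSTRUCTEDsalt00$CONSTRUCTEDhashvalue00
        flags = ADMCHG

svc:
        password = *
EOF
gen_chpasswd "$sample"        # every user with a hash
gen_chpasswd "$sample" root   # a single user
```

Accounts whose password field is empty or "*" (svc in the sample) produce no command line, since there is no hash to copy.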
Here is an in-depth video showing how to reset ASMI passwords on an IBM POWER server by removing the service processor card and flipping the dip switches. It also covers how to find the IP address of the service processor using the front control panel:
Here is a method you can use to reset a lost VIO padmin password from the HMC with zero downtime on the VIO server. This is a somewhat involved process, but much easier than having to take a downtime on the VIO server to change the password. This is a very challenging task because the viosvrcmd HMC command doesn't allow the command run on the VIO server to have a pipe ("|"), or any redirection ("<", ">") and doesn't allow for interactive input. So this rules out using something like "chpasswd" to change the password.
Step 1: Find the current padmin password hash. From the HMC, type (change "-m p520 -p vio1" to your managed system / VIO server names):
Look for the padmin stanza and its password hash:
Step 2: Generate a new password hash. From a different AIX server that has openssh/openssl installed, type "openssl passwd" and type in the new password that you want to assign to the padmin account. Openssl will generate the password hash and display it on the screen.
# openssl passwd
Step 3: From the HMC, use viosvrcmd/perl to replace the VIO padmin's password hash with the new password hash. Use a command similar to this from the HMC:
command=`printf "oem_setup_env\nperl -pi -e 's/<OLD_HASH>/<NEW_HASH>/' /etc/security/passwd"`; viosvrcmd -m p520 -p vio1 -c "$command"
In our example, it would be (make sure to change "-m p520 -p vio1" to your managed system / VIO names):
Step 4: Optionally reset padmin failed login count. If you need to reset the failed login count, run this command from the HMC: (make sure to change "-m p520 -p vio1" to your managed system / VIO names)
command=`printf "oem_setup_env\nchsec -f /etc/security/lastlog -a unsuccessful_login_count=0 -s padmin"`; viosvrcmd -m p520 -p vio1 -c "$command"
Update 3/23/13 - If the old or new password hash has a slash in it ("/"), then the perl line above needs to be changed. Instead, use a different delimiter such as a comma:
command=`printf "oem_setup_env\nperl -pi -e 's,<OLD_HASH>,<NEW_HASH>,' /etc/security/passwd"`; viosvrcmd -m p520 -p vio1 -c "$command"
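A pre-flight check for step 3, as an added example that is not part of the original post: it validates both hashes, confirms the old hash occurs exactly once in a saved copy of the step 1 output, and only then builds the string for viosvrcmd -c with the comma delimiter. It assumes crypt-style hashes made only of the characters ./0-9A-Za-z; the function names, the saved-output file and the sample hashes are constructed for illustration.

```shell
# Added example. Hashes end up inside a perl command run as root on the VIO
# server, so anything outside the expected alphabet is refused, not pasted.
vio_hash_ok() {
    case $1 in
        ''|*[!./0-9A-Za-z]*) return 1 ;;
    esac
}

# $1 = old hash, $2 = new hash, $3 = saved copy of the step 1 output
vio_subst_cmd() {
    vio_hash_ok "$1" && vio_hash_ok "$2" ||
        { echo "unexpected characters in hash" >&2; return 1; }
    [ "$1" != "$2" ] || { echo "old and new hash are identical" >&2; return 1; }
    # perl -pi rewrites every matching line, so the old hash must occur once
    n=$(grep -cF -- "$1" "$3") || true
    [ "$n" = 1 ] || { echo "old hash found $n times, expected 1" >&2; return 1; }
    # a comma cannot occur in a validated hash, so s,,, is always safe here
    printf "oem_setup_env\nperl -pi -e 's,%s,%s,' /etc/security/passwd\n" "$1" "$2"
}

# Constructed stand-in for the step 1 output (placeholder hash values).
step1=$(mktemp); trap 'rm -f "$step1"' EXIT
cat > "$step1" <<'EOF'
padmin:
        password = abJnggxhB/yJo
        lastupdate = 1363996800
EOF

# Print the command string; on the HMC it would be passed as:
#   viosvrcmd -m p520 -p vio1 -c "$command"
command=$(vio_subst_cmd 'abJnggxhB/yJo' 'cd.EFgh1jKlmN' "$step1") && printf '%s\n' "$command"
```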