85
Prior to AIX 5.3 TL7 and AIX 6.1, there was an 8 character limit on AIX user passwords. If you need passwords of greater than 8 characters then you must enable one of the supplied Loadable Password Algorithms (LPAs). The following table lists the available algorithms and the limitations of each:
For example, to enable the MD5 algorithm I can modify /etc/security/login.cfg file with the chsec command as follows:
# chsec -f /etc/security/login.cfg -s usw -a pwd_algorithm=smd5
# tail -2 /etc/security/login.cfg
pwd_algorithm = smd5
This algorithm (smd5) will allow a password limit of 255 characters. Each of the available algorithms is listed in the /etc/security/pwdalg.cfg file.
# head -50 /etc/security/pwdalg.cfg
*******************************************************************************
*
* Loadable Password Algorithm (LPA)
*
* The format of a LPA stanza is:
*
* lpa:
* lpa_module = /any/program
* lpa_options = options_list
*
* lpa Corresponds to a password hashing algorithm that can be
* specified in the "usw" stanza of /etc/security/login.cfg
* as the system-wide password hashing algorithm.
*
* lpa_module Specifies the path of the password hashing load module.
* In the above example, /any/program is the path to the load
* module that is used to do the password hashing in 32 bit
* mode. The load module that is used to run in 64 bit mode
* is /any/program_64.
*
* lpa_options Is an optional attribute that provides a means of
* communicating run-time configuration options to the load
* module. The value is a comma separated list of items.
* Please refer to the documentation for the load module for
* appropriate values.
*
*******************************************************************************
*
* /usr/lib/security/smd5 is a password hashing load module using
* the MD5 algorithm.
*
* It supports password length up to 255 characters.
*
* To generate smd5 password hash compatible to standard salted MD5,
* add the following option line for smd5 stanza.
* lpa_options = std_hash=true
*
* Note : password hash generated with this option won't be compatible with
* hash generated without this option.
*
*******************************************************************************
smd5:
lpa_module = /usr/lib/security/smd5
*******************************************************************************
*
* /usr/lib/security/ssha is a password hashing load module using SHA and
* SHA2 algorithms. It supports password length up to 255 characters.
*
* This LPA accepts three options. The options are separated by commas.
...etc...
Once you’ve enabled the LPA of your choice, and you set/change a users’ password, you’ll notice that the /etc/security/passwd stanza for that user will look different when compared to the stanzas of users that have not had their password set/changed using the new LPA:
fred:
password = E7nOaTrrz9Q16
lastupdate = 1330986703
flags = ADMCHG
joe:
password = {smd5}z9JrHDJB$Oq/cZXr0jUyAWvfFyjt161
lastupdate = 1330987903
flags = ADMCHG
In the example above, user joe’s password has been set using the smd5 algorithm.
For those of you who run PowerHA (HACMP) and are thinking about using one of the LPAs with the clpasswd utility, you may want to review this APAR first:
IZ40362: HACMP PASSWD UTILITY FAILS WHEN LONG PASSWD ALGORITHM IS ENABLED
https://www-304.ibm.com/support/docview.wss?uid=isg1IZ40362
The APAR states “HACMP cluster-wide C-SPOC password administration does not support use of the feature allowing passwords longer than 8 characters which became available with the Loadable Password Algorithm as part of AIX 53 TL 7.”
The last time I tested this with PowerHA, the problem was that the password entry in /etc/security/passwd was corrupted/truncated when a users password was changed using the clpasswd utility.
For example, if the passwd utility is linked to clpasswd and I changed a users password, the password field appeared to be corrupted/truncated and the user could not log in successfully:
# ls -l /usr/bin/passwd
lrwxrwxrwx 1 root system 39 Dec 22 11:30 /usr/bin/passwd -> /usr/es/sbin/cluster/utilities/clpasswd
# passwd tom
Changing password for "tom"
tom's New password:
Enter the new password again:
# grep -p tom passwd
tom:
password = {smd5}FU2MWa.N.
lastupdate = 1229910298
flags =
Login no good!
tom@aix16's password:
Access denied
But if we use the original passwd command (stored in /usr/es/sbin/cluster/etc/clpasswd), the users password is changed successfully and the user can log in OK.
root@aix16 /usr/es/sbin/cluster/etc/clpasswd # ./usr_bin_passwd.orig tom
Changing password for "tom"
tom's New password:
Enter the new password again:
root@aix16 /usr/es/sbin/cluster/etc/clpasswd # grep -p tom /etc/security/passwd
tom:
password = {smd5}PcBK/5QW$RE09Q0xz4TGQFp98KjxSs.
lastupdate = 1229910818
flags = ADMCHG
Login OK!
$ id
uid=10003(tom) gid=1(staff)
usr_bin_passwd.orig password = {smd5}HcMHTTu3$BWkU8JVCWgT8szAN8TGCF1
clpasswd password = {smd5}6z61fiIn/070
I’ve not tried this again recently but I am curious if the same behaviour can be expected on a PowerHA system today. When I first encountered this problem (in 2008) I opened a PMR for the issue. In that call I was told that the “clpasswd utility is corrupting the encrypted password when distributing to the nodes, so that a login fails”. I’ll configure a HA cluster soon and try it again with PowerHA 6.1 and AIX 6.1 and report back with the results.
UPDATE: I built a HA 6.1 cluster (on AIX 6.1) this afternoon in my lab and tested this successfully. Based on the tests I’ve performed so far, it appears that this limitation no longer exists. Thanks to hafeedbk@us.ibm.com for the help on this one.
The following IBM tech note has more information on the available Loadable Password Algorithms and support for longer than 8 character passwords on AIX:
AIX support for passwords greater than 8 characters
