IBM Support

AIX Security: Change maximum length of user name, group name, or password

How To


Summary

Step-by-step instructions to change the maximum length of user name, group name, or password.

Objective

Demonstrate how to review or change the following:

Steps

User and Group Name Maximum Length
The default user name and group name maximum allowed length is 9 characters (8 characters and a terminating NULL character).
The variables are stored as follows:
Kernel: LOGIN_NAME_MAX
ODM: max_logname
The parameter value in the kernel is the value the system uses while running. The parameter value in the ODM database is the value the system uses after the next restart.
Change the User and Group Name Maximum Length
1) Review the user and group name limits.
Use the getconf command to retrieve the user and group name length limit in the kernel.
# getconf LOGIN_NAME_MAX
9
Use the lsattr command to retrieve the user and group name length limit from the ODM database.
# lsattr -El sys0 -a max_logname
max_logname 9 Maximum login name length at boot time True
You can change the value in the ODM database using the chdev command.
  • The change takes effect after the next system restart.
  • The maximum allowed value for max_logname is 256.
2) Change the limit.
Note: If max_logname=XX, the maximum length for user or group names is XX-1 characters.
For example, to change the user or group name limit to 63 characters:
# chdev -lsys0 -a max_logname=64
sys0 changed
3) Reboot the system. 
4) Log in, and verify the maximum allowed length for user and group names.
Use the getconf command to retrieve the user and group name length limit in the kernel.
# getconf LOGIN_NAME_MAX
64
Use the lsattr command to retrieve the user and group name length limit from the ODM database.
# lsattr -El sys0 -a max_logname
max_logname 64 Maximum login name length at boot time True

 
Password Maximum Length
The default maximum number of bytes in a password (excluding the null terminator) is 255.
The variables are stored as follows:
Kernel: PASS_MAX 255
PASS_MAX defines the system maximum length. The maximum length used by the password algorithm depends on the function.
  • The default AIX authentication uses the crypt function to authenticate users.
    • The crypt function only uses the first 8 characters of a password. 
  • All Loadable Password Algorithms (LPAs) support passwords longer than eight characters.
    • LPAs are defined in /etc/security/pwdalg.cfg. 
      • smd5: 255
      • ssha: 255
      • sblowfish: 72
  • The ssha256 and ssha512 methods are common requirements for many security standards since they provide more security than default crypt.
The system-wide password algorithm (pwd_algorithm) is defined in /etc/security/login.cfg.
A valid value for this attribute is a name of an LPA stanza from /etc/security/pwdalg.cfg.
Change the Password Maximum Length
1) Review the password limits
# getconf PASS_MAX
255
# lssec -f /etc/security/login.cfg -s usw -a pwd_algorithm
usw pwd_algorithm=
The system maximum length is 255; however, the default password algorithm is "crypt", which only uses the first 8 characters of a password.
To increase the usable password length, you must change the password algorithm to an LPA with a higher limit.
2) Change the limit.
 
# chsec -f /etc/security/login.cfg -s usw -a "pwd_algorithm=ssha256"
3) Verify the change.
# lssec -f /etc/security/login.cfg -s usw -a pwd_algorithm
usw pwd_algorithm=ssha256
Note: The pwd_algorithm change does not require a reboot of the system, but it does not re-hash existing passwords. The next password change for any user will use the new method.
4) Modify user password requirements.
Now you can define password requirements for users.
Reference the /etc/security/user file or documentation for full details.
minlen: Defines the minimum length of a password. The value is a decimal integer string. The default value of 0 indicates no minimum length. The maximum value allowed is the value of the PW_PASSLEN attribute.
PW_PASSLEN: Defined in /usr/include/userpw.h. The value of the PW_PASSLEN attribute is determined by the system-wide password algorithm that is defined in /etc/security/login.cfg.
The minimum length of a password is determined by the minlen attribute and should never be greater than the PW_PASSLEN attribute.
Note: If pwd_algorithm is not defined, or if it is set to DES/crypt style hashing, you may see the following errors, even if the password meets the criteria defined in /etc/security/user:
 
/home/userA $: passwd
/home/userA $: userA's New password: My 15Char#ExPa$
3004-602 The required password characteristics are:
        a maximum of 8 repeated characters.
        a minimum of 4 alphabetic characters.
        a minimum of 4 lower case alphabetic characters.
        a minimum of 0 upper case alphabetic characters.
        a minimum of 2 non-alphabetic characters.
        a minimum of 2 digits.
        a minimum of 15 characters in length.

3004-603 Your password must have:
        a minimum of 15 characters in length.
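The mismatch behind the errors above can be caught before users hit it. The following script is an added example, not part of the original IBM document: it reads pwd_algorithm from the usw stanza and minlen from the default stanza, then compares minlen with the per-algorithm limits listed on this page. The function names, the sample files, and the treatment of every ssha* name as the 255-character "ssha" entry are assumptions.

```shell
#!/bin/sh
# Added example: check the default minlen against the password algorithm's limit.

# Print attribute $3 from stanza $2 of AIX stanza file $1 ("*" starts a comment).
stanza_attr() {
    awk -v s="$2" -v a="$3" '
        /^\*/ { next }
        /^[^ \t].*:[ \t]*$/ { cur = $0; sub(/:[ \t]*$/, "", cur); next }
        cur == s && (n = index($0, "=")) {
            key = substr($0, 1, n - 1); val = substr($0, n + 1)
            gsub(/[ \t]/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key == a) { print val; exit }
        }' "$1"
}

# Characters of a password the algorithm uses, from the values listed on this page.
alg_pw_len() {
    case "$1" in
        ""|crypt)  echo 8 ;;     # pwd_algorithm unset means crypt
        smd5)      echo 255 ;;
        ssha*)     echo 255 ;;   # assumption: ssha1/ssha256/ssha512 share the ssha limit
        sblowfish) echo 72 ;;
        *)         return 1 ;;   # unknown LPA name
    esac
}

# Return 0 if minlen fits the limit, 1 if it cannot be met, 2 if the LPA is unknown.
check_minlen() {
    alg=$(stanza_attr "$1" usw pwd_algorithm)
    minlen=$(stanza_attr "$2" default minlen)
    limit=$(alg_pw_len "$alg") || { echo "UNKNOWN pwd_algorithm=$alg"; return 2; }
    if [ "${minlen:-0}" -gt "$limit" ]; then
        echo "FAIL minlen=$minlen > $limit (pwd_algorithm=${alg:-crypt})"
        return 1
    fi
    echo "OK minlen=${minlen:-0} <= $limit (pwd_algorithm=${alg:-crypt})"
}

# Constructed sample files, not copied from a real system.
demo=$(mktemp -d)
printf 'usw:\n\tshells = /bin/sh,/bin/ksh\n' > "$demo/login.unset"
printf 'usw:\n\tpwd_algorithm = ssha256\n' > "$demo/login.ssha256"
printf '* constructed\ndefault:\n\tminlen = 15\n' > "$demo/user"
check_minlen "$demo/login.unset" "$demo/user" || true    # FAIL: crypt uses 8
check_minlen "$demo/login.ssha256" "$demo/user"          # OK
```

On an AIX system, the same check would be run as check_minlen /etc/security/login.cfg /etc/security/user; per-user stanzas that override the default minlen are not examined here.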

Document Location

Worldwide


Document Information

Modified date:
05 May 2022

UID

ibm10960582