Question & Answer
Question
What is the procedure for configuring passwords greater than 8 characters? Are there any other password encryption methods available to use in AIX? What are the new attributes you can use to restrict passwords?
Answer
Loadable Password Algorithms
In AIX 5.2 and 5.3 (pre-TL7), there was an 8-character password limit when using the one-way hash function crypt().
AIX 5.3 TL7 and AIX 6.1 introduce Loadable Password Algorithms (LPA). Each supported password encryption algorithm is implemented as an LPA module that is loaded at runtime when the algorithm is needed. The supported LPAs, and their attributes, are defined in the system configuration file /etc/security/pwdalg.cfg.
Comparison of Password Algorithms
Below is a comparison chart of features between the algorithms.
NOTE: Without the pwd_algorithm entry in /etc/security/login.cfg, the default value is "crypt" which is the legacy crypt() function.
Once the system password algorithm has been changed, it is used the next time a user changes their password. Until then, existing users continue to authenticate with their original password and hashing algorithm.
Example Application
Applying one of the new password hashing algorithms
To select a different LPA, the system administrator can either use the chsec command to change the pwd_algorithm attribute in the /etc/security/login.cfg file, or use the SMIT menus, following
# smitty -> Security & Users -> Passwords -> System Password Policy
or the shortcut
# smitty sys_pwd
and set this value:
* Password Algorithm [ssha512] +
ESC-4 or F4 on that item will give you a list of the available password algorithms.
Using the chsec command
Use the following chsec command to set the "smd5" LPA as the system-wide password encryption module:
# chsec -f /etc/security/login.cfg -s usw -a pwd_algorithm=smd5
When the chsec command is used to modify the pwd_algorithm attribute, it checks /etc/security/pwdalg.cfg to verify that the chosen LPA is defined there, and the command fails if it is not.
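Because the new algorithm only takes effect when each user next changes their password, an administrator will want to know which stanzas in /etc/security/passwd still hold a legacy crypt() hash. The script below is an added example, not part of the IBM document; it assumes the stanza layout shown in its constructed sample (a "user:" line followed by indented "attribute = value" lines) and that LPA hashes carry a "{algorithm}" prefix while legacy crypt() hashes carry none.

```shell
#!/bin/sh
# Added example (not from the IBM document): after pwd_algorithm is changed in
# /etc/security/login.cfg, users keep their old hash until they next change
# their password, so audit /etc/security/passwd for stanzas still on crypt().
# Assumption: each stanza is "user:" followed by indented "attr = value" lines;
# LPA hashes carry a "{algorithm}" prefix, legacy crypt() hashes carry none.

# Constructed sample in that layout; a real audit reads /etc/security/passwd as root.
SAMPLE_PASSWD=$(mktemp)
trap 'rm -f "$SAMPLE_PASSWD"' EXIT
cat > "$SAMPLE_PASSWD" <<'EOF'
root:
        password = {ssha512}06$Qk3mZb9xP7wLc2Ht$FtL8vK2sW9aYqR4
        lastupdate = 1527000000
        flags =
alice:
        password = Ab3x9kLm2pQrS
        lastupdate = 1500000000
bob:
        password = {smd5}PDzJx6Kq$1b0yT5nG3
guest:
        password = *
EOF

# Print "user algorithm" per stanza: crypt, the LPA name, locked, or none.
password_algorithms() {
    awk '
        /^[^[:space:]]+:[[:space:]]*$/ {
            user = $1; sub(/:$/, "", user)
            algo[user] = "none"; order[++n] = user; next
        }
        /^[[:space:]]+password[[:space:]]*=/ {
            val = $0; sub(/^[[:space:]]+password[[:space:]]*=[[:space:]]*/, "", val)
            if (val == "*" || val == "!" || val == "") algo[user] = "locked"
            else if (val ~ /^[{][a-z0-9]+[}]/) {        # LPA hash: {smd5}, {ssha256}, ...
                a = val; sub(/^[{]/, "", a); sub(/[}].*/, "", a); algo[user] = a
            }
            else algo[user] = "crypt"                   # 13-char legacy crypt() hash
        }
        END { for (i = 1; i <= n; i++) print order[i], algo[order[i]] }
    ' "$1"
}

# Users whose stored hash predates the algorithm change and still needs rotating.
legacy_crypt_users() {
    password_algorithms "$1" | awk '$2 == "crypt" { print $1 }'
}

password_algorithms "$SAMPLE_PASSWD"
echo "still on legacy crypt(): $(legacy_crypt_users "$SAMPLE_PASSWD" | tr '\n' ' ')"
```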
New Password Attributes
The ranges and default values of the attributes related to password length have also changed. The following attributes in the /etc/security/user configuration file are affected:
maxrepeats - Defines the maximum number of times a given character can appear in a password.
    PREV: range 0 - 8, default 8
    NEW: range 0 - PW_PASSLEN, default PW_PASSLEN
minalpha - Defines the minimum number of alphabetic characters in a password.
    PREV: range 0 - 8, default 8
    NEW: range 0 - PW_PASSLEN, default 0
minlen - Defines the minimum length of a password.
    PREV: range 0 - 8, default 8
    NEW: range 0 - PW_PASSLEN, default 0
minother - Defines the minimum number of non-alphabetic characters in a password.
    PREV: range 0 - 8, default 8
    NEW: range 0 - PW_PASSLEN, default 0
mindiff - Defines the minimum number of characters in the new password that were not in the old password.
    PREV: range 0 - 8, default 8
    NEW: range 0 - PW_PASSLEN, default 0
These attributes can be set in the same SMIT screen as the password algorithm above.
KEYWORDS: MD5 SHA1 SHA256 SHA512 Blowfish smd5 ssha1 ssha256 crypt
Document Information
Modified date:
17 June 2018
UID
isg3T1010741