How to Manage Password Aging in Solaris, AIX, and Linux

LogoIts possible that sometime in your short, meaningless life, you may need to create an account that has a password that is set to never expire. This is somethimes the case with headless accounts and specialty accounts such as the type you might have to setup for monitoring or security scanning. You might also find yourself setting up shared headless accounts that have locked passwords in order to block direct logins. This second scenario can be especially troublesome when this is some sort of application or database user with cron jobs, as even an account without a password and expire and lock. If this occurs all of a users cron jobs will fail. All because the account expired.

So today we are going to configure a user password not to expire.

Lets start with Solaris. First lets unlock the account just in case.

passwd -d username

Now you can turn off password aging for a user with the command below.

passwd -x -1 username

You can then verify your config with the following.

passwd -s dmadmin

The output of the command above should look similar to what I have below. In this example our user id is myuser.

#passwd -s myuser
myuser  PS

Compare what you see above to the output below for our example myuser1, which includes the date that the password was last changed, the minimum number of days between password changes, the maximum number of days required between password changes, and the number of days of warning a user is given before a password expires. Standard system password aging and expiration still applies.

#passwd -s myuser1
myuser1  PS    09/30/13     7    28     7

Now lets move on to Linux. First lets ulock. Then we will configure the password to not expire. Then we can verify our work with the chage -l command.

passwd -u username
chage -m 0 -M 99999 -I -1 -E -1 username
change -l username

So now lets take a visit to AIX land. Remember to not stay long. Again, its always best to make sure that the current password is not locked. Then we configure the password to not expire. Finally we step back and admire our work.

chuser account_locked=false username
chuser maxage=0 username
lsuser -f USERNAME | fgrep expires

Related articles

SuperUser in Linux
How to Unlock an account in Linux
How to Reset a Password on Unix
Much Todo About Linux/RHEL Passwords
Enycrypting Passwords Via SSL for Redhat Kickstart Configuration Files
How to disable an user account in Linux
Advertisements

Enycrypting Passwords Via SSL for Redhat Kickstart Configuration Files

MummyHello again earthlings. The fatmin returns once again to dispense a bit of wisdom. This handy one-liner is a command that for the life of me I cannot remember.

Our story begings when building your kickstart config and post-install config files you are going to need to set the password for at least one user (being root). If you are like me your configs add all sorts of users. As you know you cannot just stick the password for these users into your config files in plain text, rather you need to encrypt them via ssl.

The command to do so is below.

openssl passwd -1

At this point you will be prompted to enter the users password — twice. Then the command will spit out your ssl encrypted password which you can then shove into your config files.

Related articles

Really Awesome Network Config Differ Tricks we use to forget
Strategies to establish secure password storage systems
HomeLab: Simple SSH Setup on a Cisco Router
Re: Sound Wallet – Audio Cold Storage – Your private key as .wav, CD, or a Record