On AIX-based servers, the ‘smit’ (System Management Interface Tool) tool is generally used to show and change the characteristics of the root user. Over remote access (e.g. Split IP/VNC/VPN), however, smit is sometimes not easy to use. Below are some useful commands for viewing and changing the characteristics of the root password.
- To check the various parameters of the root password, use the command below:
# lsuser -f root
e.g.
# lsuser -f root
root:
id=0
pgrp=system
groups=system,bin,sys,security,cron,audit
home=/home/root
shell=/bin/fash
login=true
su=true
rlogin=true
daemon=true
admin=true
sugroups=ALL
admgroups=
tpath=nosak
ttys=ALL
expires=0
auth1=SYSTEM
auth2=NONE
umask=22
registry=files
SYSTEM=compat
logintimes=
loginretries=0
pwdwarntime=7
account_locked=false
minage=0
maxage=4
maxexpired=-1
minalpha=1
minother=1
mindiff=0
maxrepeats=0
minlen=6
histexpire=0
histsize=0
pwdchecks=
dictionlist=
dce_export=false
fsize=2097151
cpu=-1
data=262144
stack=65536
core=2097151
rss=65536
nofiles=2000
usrenv=TMOUT=600,TIMEOUT=10
time_last_login=1259300096
time_last_unsuccessful_login=1259269654
tty_last_login=/dev/pts/0
tty_last_unsuccessful_login=/dev/pts/0
host_last_login=47.129.231.121
host_last_unsuccessful_login=47.130.48.72
unsuccessful_login_count=0
roles=
- To disable password aging, set the ‘maxage’ parameter for the root password to ‘0’ from the command prompt.
# chuser maxage=0 root
- To allow immediate re-use of a password, set the ‘NUMBER OF PASSWORDS before reuse’ (histsize) and ‘WEEKS before password reuse’ (histexpire) parameters for the root password to ‘0’ from the command prompt.
# chuser histexpire=0 root
# chuser histsize=0 root
- Some more parameters that are commonly changed with the chuser command:
a) To enable user smith to access this system remotely, type:
# chuser rlogin=true smith
b) To change the expiration date for the davis user account to 8 a.m., 1 May, 1995, type:
# chuser expires=0501080095 davis
c) To add davis to the groups finance and accounting, type:
# chuser groups=finance,accounting davis
d) To change the user davis, who was created with the LDAP load module, to not be allowed remote access, type:
# chuser -R LDAP rlogin=false davis
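The attributes shown by lsuser -f and changed by the chuser commands above can be checked in one pass. The script below is an added example, not part of the original post: the function names, the sample stanza and the minlen floor of 8 are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: flag weak login/password attributes in `lsuser -f` output.
MIN_LEN=8   # assumed policy floor for minlen, not an AIX default

audit_lsuser() {   # reads one or more lsuser -f stanzas on stdin
    awk -v floor="$MIN_LEN" '
    function report(   k) {
        if (user == "") return
        if (attr["maxage"] == "0")
            print user ": maxage=0 (password never expires)"
        if (attr["histsize"] == "0")
            print user ": histsize=0 (old passwords can be reused at once)"
        if (attr["loginretries"] == "0")
            print user ": loginretries=0 (no lockout after failed logins)"
        if (attr["id"] == "0" && attr["rlogin"] == "true")
            print user ": rlogin=true on a uid 0 account"
        if (("minlen" in attr) && attr["minlen"] + 0 < floor)
            print user ": minlen=" attr["minlen"] " (below " floor ")"
        for (k in attr) delete attr[k]      # reset for the next stanza
    }
    # A stanza header is "name:" with no "=" in it.
    /^[^=]+:$/ { report(); user = $0; sub(/:$/, "", user); next }
    /=/ {
        key = substr($0, 1, index($0, "=") - 1)
        gsub(/[ \t]/, "", key)              # drop the leading indent
        attr[key] = substr($0, index($0, "=") + 1)
    }
    END { report() }'
}

sample_stanza() {   # constructed sample: root after the chuser changes above
    cat <<'EOF'
root:
    id=0
    login=true
    rlogin=true
    loginretries=0
    maxage=0
    minlen=6
    histexpire=0
    histsize=0
EOF
}

# On an AIX host: lsuser -f root | audit_lsuser   (or lsuser -f ALL)
sample_stanza | audit_lsuser
```
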
Conclusion
The chuser command is very useful for changing user parameters from the command line. It should grant execute (x) access only to the root user and the security group. It should be installed as a program in the trusted computing base (TCB), and it should be owned by the root user with the setuid (SUID) bit set.