Re: lock user account on aix 4.3.3

From: ian Laing (ian.laing_at_btinternet.com)
Date: 02/25/04


Date: Wed, 25 Feb 2004 22:25:06 +0000 (UTC)

Hi Darren,

"Darren Tucker" <dtucker@dodgy.net.au> wrote in message
news:c1h03p$q3q$1@gate.dodgy.net.au...
> In article <a7Q_b.399108$na.765106@attbi_s04>,
> Vadim Getmanshchuk <someonet@somewhere.com> wrote:
> >Anybody knows how to let ssh know about password change? It either lets you
> >in or doesn't :(
>
> If it's OpenSSH, 3.8p1 was released [checks watch] oh, about 8 hours ago.
> The first thing on the "Changes since OpenSSH 3.7.1" list is:
>
> * sshd(8) now supports forced changes of expired passwords via
> /usr/bin/passwd or keyboard-interactive authentication.
>
> Note for AIX: sshd will now deny password access to accounts with
> passwords expired longer than their maxexpired attribute. For
> details, see the AIX section in README.platform.
>
Hmmmm, this could be a bit of a problem for us, but I hope not.

I actually removed all our normal users' passwords - no valid "certificate",
no logon, even when ssh/PuTTY drops back to keyboard-interactive prompt ;-o.
Most user accounts can't therefore (even if the daemons are running) use
ftp, telnet, rsh, rexec, nothing; they _have_ to use ssh, scp, sftp, PuTTY,
WinSCP etc.

Since the passwd command prompts for the current password, no user can grant
themselves a password either.

We actually have relatively few users (30-40) who need access to the AIX
command line and only sysadmins have passwords, plus obviously root and a
few selected "group" accounts like oracle (but group accounts too are
moving to being restricted to using sudo scripts to do the su into the
account, so even group accounts don't generally need passwords)

Without having to download/test the new release, have you any idea how and
if we'll be affected by these changes should we upgrade - I am assuming if a
user has _no_ password then it's never expired and so we are unaffected?

I'll accept RTFM as an answer.

Cheerio,
ian Laing


