AIX User Security Best Practices

Did you know that the original AIX crypt implementation [1] only allows 8-character passwords? That's really unacceptable by today's standards. AIX now supports several modern hashing algorithms for password storage, and the default crypt should no longer be used.

I recommend using SHA512, which is the strongest currently supported. With SHA512 password hashing, passwords up to 255 characters long are supported. That means your important root password should now be 32 characters long or more!

Changing the system password hashing algorithm

Changing the system-wide password algorithm takes only one command:

chsec -f /etc/security/login.cfg -s usw -a pwd_algorithm=ssha512

This can also be changed in SMIT under Security, Passwords, System Password Policy. Additional hashing algorithms can be found in /etc/security/pwdalg.cfg.

What's even better is that AIX supports changing the password hashing algorithm on the fly! Each user password stored has a prefixed tag which indicates the algorithm used, so if the default password hashing algorithm is changed it will only apply to new or changed passwords. Old passwords are still valid.

For example, here are sample users from /etc/security/passwd showing different password algorithms:

fred:
        password = E7nOaTrrz9F16
        lastupdate = 1330986703
        flags = ADMCHG

joe:
        password = {smd5}z9JrJDJB$Oq/cZXr0jUyAWvfFyjt161
        lastupdate = 1330987903
        flags = ADMCHG

Joe's password is hashed with MD5, while Fred is using the original crypt. Both can log in normally, and if the system default algorithm were updated to MD5, then the next time Fred changes his password it will use the new algorithm.
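Because old hashes stay valid after the default changes, it is worth checking which accounts still carry an older algorithm tag. The sh/awk script below is an added example, not part of the original post: the function names and the user "amy" are hypothetical, and it assumes an empty or "*" password field means there is no hash to report.

```sh
# Added example: audit a file in /etc/security/passwd stanza format.
# pwd_algos FILE: print "user algorithm" for every stanza with a password.
pwd_algos() {
    awk '
        NF == 1 && $1 ~ /^[^*].*:$/ {          # stanza header, e.g. "fred:"
            user = substr($1, 1, length($1) - 1); next
        }
        $1 == "password" && $2 == "=" {
            h = $3; rb = index(h, "}")
            if (h == "" || h == "*")
                algo = "none"                  # assumption: no usable hash
            else if (substr(h, 1, 1) == "{" && rb > 2)
                algo = substr(h, 2, rb - 2)    # text inside the {tag}
            else
                algo = "crypt"                 # untagged = original crypt
            print user, algo
        }
    ' "$1"
}

# needs_rehash FILE WANTED: users whose stored hash is not WANTED.
needs_rehash() {
    pwd_algos "$1" | awk -v want="$2" '$2 != "none" && $2 != want { print $1 }'
}

# Constructed sample: fred and joe are the stanzas shown above, amy is made up.
sample_passwd() {
    cat <<'EOF'
fred:
        password = E7nOaTrrz9F16
        lastupdate = 1330986703
        flags = ADMCHG

joe:
        password = {smd5}z9JrJDJB$Oq/cZXr0jUyAWvfFyjt161
        lastupdate = 1330987903
        flags = ADMCHG

amy:
        password = {ssha512}PLACEHOLDER_NOT_A_REAL_HASH
        lastupdate = 1330988000
EOF
}

tmp=${TMPDIR:-/tmp}/passwd.sample.$$
sample_passwd > "$tmp"
pwd_algos "$tmp"
echo "still to rehash as ssha512: $(needs_rehash "$tmp" ssha512 | tr '\n' ' ')"
rm -f "$tmp"
```

On a live system, run needs_rehash against /etc/security/passwd as root; the listed users keep their old hash until their next password change.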

Generating secure passwords on AIX

Now that passwords can be longer than 8 characters, there are ways to generate more secure passwords at the AIX command line. The easiest method is using OpenSSL. Below I'm setting the length to 32 characters, but different lengths can be used:

root@localhost:/ > openssl rand -base64 32
x9BX7VdKojh7tCXPJ3Sbs2/qfPXIpHZ6OT7QkDsNg88=

You can optionally leave the '=' on the end when copying and pasting that password. More characters are better, but there's the argument that the last character should be variable too. I omit the '='.

It's fast to set a user's password using the passwd command, but remember that on the next login they must reset the password again unless you remove the ADMCHG flag using pwdadm:

pwdadm -c username

Given the length of these passwords, consider using a password manager.

Create an administrative account

A common security best practice is to never log in directly as root. Always connect as an unprivileged user and then become root. This minimizes the risk to the system when doing operations that don't require root privileges.

I recommend creating an administrative account. I use "admin" as a generic account, but there's no problem having a personal account.

For my "admin" account, I create a dedicated group "admin". There should be no shared file permissions. I also prefer to start administrative IDs in the 500 range, including the UID and GID:

mkgroup id=500 admin

mkuser id=500 admin=false pgrp=admin su=false home=/home/admin shell=/usr/bin/ksh93 admin

Here I've created an "admin" group with GID 500, and an account with a primary group of "admin" and UID 500. Other users cannot su to this admin user, and it's not an administrative account for RBAC. I suggest using ksh93 as a shell, and I specify the home directory because you should consider whether you want admin to sign into /home. Maybe your cluster doesn't always have /home mounted, and another location is more appropriate?

Make sure to lock down the admin home directory afterward:

chown admin.admin /home/admin

chmod 700 /home/admin

The default permissions are too lenient:

root@localhost:/etc/ssh # ls -ld /home/admin
drwxr-xr-x    2 admin    staff           256 Dec 21 12:24 /home/admin
root@localhost:/etc/ssh # chown admin.admin /home/admin
root@localhost:/etc/ssh # chmod 700 /home/admin
root@localhost:/etc/ssh # ls -ld /home/admin
drwx------    2 admin    admin           256 Dec 21 12:24 /home/admin

Then set admin to have a long, securely generated password!