AIX User Security Best Practices
Did you know that the original AIX crypt implementation [1] only allows 8 character passwords? That's really unacceptable by today's standards. AIX now supports several modern hashing algorithms for password storage and default crypt should no longer be used.
I recommend using SHA512, which is the strongest currently supported. With SHA512 password hashing, passwords up to 255 characters long are supported. That means your important root password should now be 32 characters long or more!
Changing the system password hashing algorithm
Changing the system-wide password algorithm takes only one command:
chsec -f /etc/security/login.cfg -s usw -a pwd_algorithm=ssha512
This can also be changed in SMIT under Security, Passwords, System Password Policy. Additional hashing algorithms can be found in /etc/security/pwdalg.cfg.
What's even better is that AIX supports changing the password hashing algorithm on the fly! Each user password stored has a prefixed tag which indicates the algorithm used, so if the default password hashing algorithm is changed it will only apply to new or changed passwords. Old passwords are still valid.
For example, here are sample users from /etc/security/passwd showing different password algorithms:
fred:
        password = E7nOaTrrz9F16
        lastupdate = 1330986703
        flags = ADMCHG

joe:
        password = {smd5}z9JrJDJB$Oq/cZXr0jUyAWvfFyjt161
        lastupdate = 1330987903
        flags = ADMCHG
Joe's password is hashed with MD5 (the {smd5} tag), while Fred's still uses the original crypt. Both can log in normally, and if the system default algorithm were updated to MD5, then the next time Fred changes his password it will use the new algorithm.
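Because old hashes stay valid after the default changes, it helps to list which accounts still carry an older algorithm. The script below is an added example, not code from the original article: the function names pwd_algos, pwd_outdated and pwd_sample are hypothetical, the "sue" entry is constructed, and a hash with no {tag} prefix is assumed to be original crypt, as described above.

```shell
#!/bin/sh
# Added example (not from the original article): report the hashing algorithm
# behind each stored password in an AIX /etc/security/passwd style stanza file.

# pwd_algos FILE -> prints "user algorithm", one line per stanza
pwd_algos() {
    awk '
    /^[^ \t*]+:[ \t]*$/ { user = $1; sub(/:$/, "", user); next }  # "name:" opens a stanza
    $1 == "password" && $2 == "=" {
        hash = $3
        if (hash == "" || hash == "*") algo = "none"   # no hash stored
        else if (match(hash, /^[{][^}]+[}]/))           # "{tag}" prefix names the algorithm
            algo = substr(hash, 2, RLENGTH - 2)
        else algo = "crypt"                             # untagged: assumed original crypt
        print user, algo
    }' "$1"
}

# pwd_outdated WANTED FILE -> users whose stored hash is not WANTED (e.g. ssha512)
pwd_outdated() {
    pwd_algos "$2" | awk -v want="$1" '$2 != "none" && $2 != want { print $1 }'
}

# Constructed sample: fred and joe are the entries shown above; sue is made up.
pwd_sample() {
    cat <<'EOF'
fred:
        password = E7nOaTrrz9F16
        lastupdate = 1330986703
        flags = ADMCHG

joe:
        password = {smd5}z9JrJDJB$Oq/cZXr0jUyAWvfFyjt161
        lastupdate = 1330987903
        flags = ADMCHG

sue:
        password = {ssha512}06$CONSTRUCTEDSALT$CONSTRUCTEDHASH
        lastupdate = 1330988000
EOF
}

# Demo on the sample; on AIX, as root: pwd_outdated ssha512 /etc/security/passwd
tmp=$(mktemp) && pwd_sample > "$tmp" && pwd_outdated ssha512 "$tmp"; rm -f "$tmp"
```

The accounts it prints are the ones that need a password change before they pick up the new default.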
Generating secure passwords on AIX
While looking at making passwords longer than 8 characters, there are ways to generate more secure passwords at the AIX command line. The easiest method is using OpenSSL. Below I'm setting the length to 32 characters, but different lengths can be used:
root@localhost:/ > openssl rand -base64 32
x9BX7VdKojh7tCXPJ3Sbs2/qfPXIpHZ6OT7QkDsNg88=
You can optionally leave the '=' on the end when copying and pasting that password. More characters are better, but there's the argument that the last character should be variable too. I omit the '='.
It's fast to set a user's password using the passwd command, but remember that on the next login they must reset the password again unless you remove the ADMCHG flag using pwdadm:
pwdadm -c username
Given the length of these passwords, consider using a password manager.
Create an administrative account
A common security best practice is to never log in directly as root. Always connect as an unprivileged user and then become root. This minimizes the risk to the system when doing operations that don't require root privileges.
I recommend creating an administrative account. I use "admin" as a generic account, but there's no problem having a personal account.
For my "admin" account, I create a dedicated group "admin". There should be no shared file permissions. I also prefer to start administrative IDs in the 500 range, including the UID and GID:
mkgroup id=500 admin
mkuser id=500 admin=false pgrp=admin su=false home=/home/admin shell=/usr/bin/ksh93 admin
Here I've created an "admin" group with GID 500, and an account with a primary group of "admin" and UID 500. Other users cannot su to this admin user, and it's not an administrative account for RBAC. I suggest using ksh93 as a shell, and I specify the home directory because you should consider whether you want admin to sign into /home. Maybe your cluster doesn't always have /home mounted, and another location is more appropriate?
Make sure to lock down the admin home directory afterward:
chown admin.admin /home/admin
chmod 700 /home/admin
The default permissions are too lenient:
root@localhost:/etc/ssh # ls -ld /home/admin
drwxr-xr-x 2 admin staff 256 Dec 21 12:24 /home/admin
root@localhost:/etc/ssh # chown admin.admin /home/admin
root@localhost:/etc/ssh # chmod 700 /home/admin
root@localhost:/etc/ssh # ls -ld /home/admin
drwx------ 2 admin admin 256 Dec 21 12:24 /home/admin
Then set admin to have a long, securely generated password!