Monday, 17 June 2013

AIX User Explained

In AIX user account is created using smitty and/or command line. This process is influenced by contents of files located in directories /etc/etc/security and /usr/lib/security.
The /usr/lib/security/mkuser.default defines the basics defaults like group membership, home directory and shell. If you do not supply this information during user creation, it will be resolved using the contents of this file. So for
example, if your users “home” directories will not be located in the /home but in /ClusterHome, and they belong to the group called myGroup then you should modify the “user” stanza in the/usr/lib/security/mkuser.default as follows:

user:
pgrp = myGroup
groups = staff
shell = /usr/bin/ksh
home = /CluserHome/$USER
/usr/lib/security/mkuser.sys sets attributes of user home directory and the contents of its startup script (~/.profile in the case of ksh/sh). This file also creates the users “.profile” using the file /etc/security/.profile as the template.
As its name implies the /etc/security/limits sets the limits on the amount of various system resources user is allowed to use. For example, here you set the maximum size of user created files (fsize), CPU (cpu), number of files (nofiles) or the core size (core). The value of “-1” indicated the “unlimited”. For example, the “default” stanza of this file may show the following values:
default:
fsize = -1
core = 2097151
cpu = -1
data = -1
rss = -1
stack = -1
nofiles = -1
The above restricts only the core size to 2097151 blocks, all the remaining parameters are set to “unlimited”. Please note, that each user may have his/hers stanza, which values are different then the ones contains in the “default” stanza. In such case, the user values take precedence.
User passwords used to be stored in the /etc/passwd. After a while, “UNIXEs” removed the encrypted password field from the /etc/password and placed it in the special file called/etc/shadow which is readable only by root. AIX went one-step further; all “sensitive” user information is kept in files in directory /etc/security. Password details, like the password itself, the time of its last change, need to change it at the next login, etc are stored in file/etc/security/passwd. Details controlling aspect of password management like for example, frequency of password change, the password length, the minimum number of digits and so forth are defined in /etc/security/user. This file just like /etc/security/limitshas the default stanza that contains definition of attributes that apply to users for which these attributes were not individually set, for example:
default:
admin = false No administrative privileges
login = true Yes, user can login directly
su = true Yes, user can ‘su’ to another account
daemon = true Yes, user can execute programs via SRC
rlogin = true Yes, user can login remotely
sugroups = ALL Any groups can ‘su’ to this account
admgroups = User administers no other groups
ttys = ALL Which terminals can access the user account
auth1 = SYSTEM The first authentication method
auth2 = NONE The second authentication method
tpath = nosak Defines the user’s trusted path characteristics
umask = 022 Definition of permissions for the created objects
expires = 0 Date of account expiration (0 = never expires)
SYSTEM = "compat" Authentication methods
logintimes = Times the user can login
pwdwarntime = 14 The number of days, user will be forced to change password
account_locked = false Can user login or not?
loginretries = 5 How many invalid login attempts will lock out the account
histexpire = 0 The number of weeks, user will not be able to reuse the password
histsize = 5 The number of previous passwords that cannot be reused
minage = 1 The minimum number of weeks between password changes
maxage = 13 The maximum age of password in weeks
maxexpired = 1 The number of weeks after maxage that user can still change his/her passwordLiczba tygodni po maxage w której użytkownik może zmienić hasło
minalpha = 1 The minimum number of alpha characters
minother = 1 The minimum number of no alpha characters
minlen = 8 The minimum length of a password
mindiff = 3 The minimum number of different characters in the new passwordMinimalnej ilości różnych charakterów pomiędzy hasłami
maxrepeats = 8 The maximum number of times a character can be repeated ( 8 = unlimited) Charakter nie może się powtarzać więcej niż ta wartość
dictionlist = The path to the dictionary files
pwdchecks = Location of external password validation engine
The file /etc/security/passwd has stanza for every user defined on the system. Its entries include the encrypted password, time of its last change, and flags. The content of the flags filed may for example indicate that the user will have to change it at the next login (flags = ADMCHG).
The Files Controlling User Environment and his Experience:
/etc/security/environ     Contains the environment attributes for users.
/etc/security/lastlog     Contains the last login attributes for users.
/etc/security/limits     Contains process resource limits for users.
/etc/security/user     Contains extended attributes for users.
/usr/lib/security/mkuser.default     Contains the default attributes for new users.
/usr/lib/security/mkuser.sys     Customizes new user accounts.
/etc/passwd     Contains the basic attributes of users.
/etc/security/passwd     Contains password information.
/etc/security/login.cfg     Contains system default login parameters.
/etc/utmp     Contains a record of users logged into the system.
/var/adm/wtmp     Contains connect-time accounting records.
/etc/security/failedlogin     Records all failed login attempts.
/etc/motd     Contains the message to be displayed every time a user logs in to the system.
/etc/environment     Specifies the basic environment for all processes.
/etc/profile     Specifies additional environment settings for all users.
$HOME/.profile     Specifies environment settings for a specific user.
/etc/group     Contains the basic attributes of groups.
/etc/security/group     Contains the extended attributes of groups.
All user related activities (create/edit/delete) can be performed using “smitt/smitty” or via a command line.
Commands to Administer Users:
mkuser    Creates a new user account.
passwd     Creates or changes the password of a user.
chuser     Changes user attributes.
lsuser     Displays user account attributes. Wyświetla cechy użytkownika
rmuser     Removes a user account. Usuwa użytkownika
chsec     Changes the attributes in the security stanza files.
login     Initiates a user session.
who     Identifies the users currently logged in.
dtconfig     Enables or disables the desktop autostart feature.
User creation
Before you create the first user, modify at least these three files: /etc/security/.profile,/usr/lib/security/mkuser.default and /usr/lib/security/mkuser.sys. Now, you will not need to specify location of user’s home directory, his shell, .profile, etc. All these values will be taken from the entries in these files. Next, create the required group or groups. To create user account with a command study the following example :
mkuser id=30189 pgrp=secret gecos='Unix Admin' surya
The last command will create a user named ‘surya’ with its numerical identification (UID) defined as 20189. This user is the member of the ‘secret’ group. The gecos field describes the account in more memorable details. Note, that the shell and the location of the user home directory has not been given – these values will be provided from the file mentioned above. If the UID was not given it will be automatically calculated using the first not assigned value. Creating a user account, you should always specify its UID. Many administrators do not start general UID’s bellow 3000 – this is a good practice, which helps to distinguish between the ‘system’ and the ‘general’ accounts.
Few things happen as the result of the last command. First, the user definition will be added to the /etc/passwd, the user list associated with his group will be modified in the/etc/group/etc/security/user will be modified to include a short stanza:
surya:
admin = false
If you look at the user entry in /etc/passwd you will notice the ‘*’ in it second field indicating that the password has not been set – user will not be allowed to login!
surya:*:30189:3333:Unix Admin:/home/surya:/usr/bin/ksh
Each line of /etc/passwd describes a single user. The order in which this information is presented is always the same: login:uid:gid:gecos:home:shell, where ‘gid’ is the group identification number from the /etc/group.
To assign a password to the ‘surya’ account execute as root:
Unixmantra:/root>passwd surya
Changing password for "surya"
surya's New password: 
Enter the new password again:
You will have to enter the password two times – to make sure you remember it well. As the result of your action the * will be replaced by the ! [lang-en]and the user stanza in the/etc/security/passwd will be created:
UnixMantra:/root> grep -wp surya /etc/security/passwd
surya: 
password = V20k5RyLcrXmI
lastupdate = 1249390681
flags = ADMCHG
The ‘ADMCHG’ indicates that the user will be required to change his/her password at the first login attempt.
If you do not want a user to be required to change password at the first login then you have to reset the user flags attribute in /etc/security/passwd.

This is done executing the command pwdadmin –c login_name.
UnixMantra:/root> pwdamd –c surya
UnixMantra:/root> grep -wp surya /etc/security/passwd
surya: 
password = V20k5RyLcrXmI
lastupdate = 1249390681
flags =
To list the attributes of a user account execute the [lang-en] lsuser user_name.
UnixMantra:/root> lsuser surya
surya id=30189 pgrp=secret groups=secret home=/home/surya shell=/usr/bin/ksh gecos=Unix Admin login=true su=true rlogin=true daemon=true admin=false sugroups=ALL admgroups= tpath=nosak ttys=ALL expires=0 auth1=SYSTEM auth2=NONE umask=22 registry=files SYSTEM=compat logintimes= loginretries=5 pwdwarntime=14 account_locked=false minage=1 maxage=13 maxexpired=1 minalpha=1 minother=1 mindiff=3 maxrepeats=8 minlen=8 histexpire=0 histsize=5 pwdchecks= dictionlist= fsize=-1 cpu=-1 data=262144 stack=65536 core=2097151 rss=65536 nofiles=2000 roles=
To change user attributes:
Each user environment consists of three elements: general information, access security elements and the password. The output of the lsuser command starts with the general information like uid, group membership, home directory, shell and gecos. The ‘login’ field marks the start of the access security elements. These are the attributes delivered mostly from the file /etc/security/user. Finally, there is the password associated with the user account. The values of the general attributes can be changed executing the chusercommand. The security attributes are manipulated with the chsec command but most administrators will use the chuser command for this purpose as it requires less typing and no file names.
Changing user attributes can be demonstrated with the case when user is not longer allowed to login into a host because he exceeded the number of the allowed failed login attempts (unsuccessful_login_count). Let list our user
UnixMantra:/root>lsuser surya
surya id=30189 pgrp=staff groups=staff home=/home/surya shell=/usr/bin/ksh gecos=Unix Admin login=true su=true rlogin=true daemon=true admin=false sugroups=ALL admgroups= tpath=nosak ttys=ALL expires=0 auth1=SYSTEM auth2=NONE umask=22 registry=files SYSTEM=compat logintimes= loginretries=5 pwdwarntime=14 account_locked=false minage=1 maxage=13 maxexpired=1 minalpha=1 minother=1 mindiff=3 maxrepeats=8 minlen=8 histexpire=0 histsize=5 pwdchecks= dictionlist= fsize=-1 cpu=-1 data=262144 stack=65536 core=2097151 rss=65536 nofiles=2000 time_last_login=1249392187 time_last_unsuccessful_login=1249392203 tty_last_login=/dev/pts/30 tty_last_unsuccessful_login=ssh host_last_login=000e7f6d9087.um.com host_last_unsuccessful_login=000e7f6d9087.um.com unsuccessful_login_count=6 roles=
Look at loginretries=5 and unsuccessful_login_count=6. The second number exceeds the first one – the user is allowed five logins and if one by one they are not correct the user is locked out and he will not be able to login until you set theunsuccessful_login_count=0 and reset his password executing the passwd command.
UnixMantra:/root>chuser unsuccessful_login_count=0 surya
Be aware, that changing an individual user attributes modifies his stanzas in appropriate files in /etc and /etc/security. [lang-en]In the last case, the loginretries = 5 value is set in the default stanza of the /etc/security/user. After you, execute:
UnixMantra:/root>chuser loginretries=15 surya
UnixMantra:/root>grep -wp surya /etc/security/user
surya:
admin = false
loginretries = 15
epctrns1:/root>
The attribute entry in the user stanza replaces the value of the corresponding attribute set in the default stanza.
I recommend that you do not make a habit and manually changing user attributes editing the appropriate files.
Login issues
Occasionally, a user or users will experience difficulties trying to login into a host. Rarely, it could mean that too many users belongs to a single group (I have heard about but I have never experienced it). Usually it is the result of a discrepancy between the contents of the files in /etc /etc/security. The command pwdck can be executed against a single or all users. This command can fix and resolve all discrepancies or it can just report their nature.
[/alng_en]So far, we have discussed the parameters controlling access and login experience of an individual user. Of course, for some machines the default stanza in one or more files in /etc/security can do it for all users. There are other aspects of user login sessions that cannot be treated individually. They are the “legal” shells, the allowed number of simultaneous logins, the length of time the system will wait for the password entry, the type of the authorization method (PAM or the Standard Unix one) and a quite of few more. Study the contents of the file /etc/security/login.cfg. It may help you secure your system.

0 blogger-disqus:

Post a comment