AIX 5L用户名-密码长度全接触(转载)
在AIX 5.3以前的版本中用户名最多可有8 个字符; 在AIX 5.3 中用户名最多可有255个字符。 若要使系统支持的用户名长度超过8个以上字符时, 需要在系统中修改 max_logname 参数,然后重新启动系统才会生效。
例如:
# mkuser slson1234567890
3004-694 Error adding \"slson1234567890\" : Name is too long.
# lsattr -El sys0 -a max_logname
max_logname 9 Maximum login name length at boot time True
# chdev -l sys0 -a max_logname=21b
sys0 changed
# lsattr -El sys0 -a max_logname
max_logname 21 Maximum login name length at boot time True
# shutdown -Fr
# mkuser slson1234567890
注意:当用户名长度增加后,应避免再次缩短用户名长度。因为定义的那些超长用户名会在新的设置中失效,系统不能识别,就无法 login 到系统中。
虽然可以设置更长的密码,但是AIX 5L只检查前8位密码,一直以来这都是AIX的一个限制。
直到 AIX 5L V5.3 TL7 和 AIX V6.1,引入了 LPA( Loadable Password Algorithm ) ,消除了密码只有8位字符有效的限制,密码长度的最大值根据各种LPA算法的不同而不同,最大可以达到255位。
在5307以上系统设置系统加密算法可以实现超过8位的密码长度:
系统管理员可使用 chsec 命令来设置系统密码算法,或使用编辑器(例如 vi)来手动修改 /etc/security/login.cfg 文件中的 pwd_algorithm 属性。建议使用 chsec 命令 来设置系统密码算法,因为 chsec 命令将自动检查指定 LPA 的定义。下面使用SMD5算法为例。
1.使用 chsec 命令可将 smd5 LPA 设置为系统范围的密码加密模块(立即生效),命令如下:
#chsec -f /etc/security/login.cfg -s usw -a pwd_algorithm=smd5
当使用 chsec 命令来修改 pwd_algorithm 属性时,chsec 命令将检查 /etc/security/pwdalg.cfg 文件以验证指定 LPA。如果该检查失败,那么 chsec 命令也将失败。
2.也可以使用编辑器直接修改 /etc/security/login.cfg 文件,在此文件中添加 pwd_algorithm = smd5,确保所指定的LPA值是在 /etc/security/pwdalg.cfg 文件中定义的某个节的名称,此文件包含所有可支持的加密算法。
定义加密算法完毕后,可以按常规修改密码长度。
收起NOTE: Without the pwd_algorithm entry in /etc/security/login, the default value is \"crypt\" which is the legacy crypt() function.
Once the system password algorithm has been changed it will be used the next time a user changes his/her password. Until then they will continue to use their original password and hashing algorithm.
Example Application
Applying one of the new passwd hashing algorithms
To select a different LPA, the system administrator can either use the chsec command or manually edit the /etc/security/login.cfg file.
Using the chsec command
Use the following chsec command to set \"smd5\" LPA as the system wide
password encryption module:
# chsec -f /etc/security/login.cfg -s usw -a pwd_algorithm=smd5
When using the chsec command to modify the pwd_algorithm attribute, the command checks the /etc/security/pwdalg.cfg to verify the chosen LPA. The command fails if the check is failed.
Using an editor
When administrator manually changes the pwd_algorithm attribute value in
/etc/security/login.cfg using an editor, please make sure that the chosen value is a name of a stanza that is defined in /etc/security/pwdalg.cfg file.
New Password Attributes
New values for attributes related to passwd length have also been changed. The
following attributes in the /etc/security/user configuration file are effected:
maxrepeats - Defines the maximum number of times a given character can appear in a password.
PREV range 0 - 8, Default is 8,
NEW range 0 - PW_PASSLEN, Default is PW_PASSLEN
minalpha - Defines the minimum number of alphabetic characters in a password.
PREV range 0 - 8, Default is 8
NEW range 0 - PW_PASSLEN, Default is 0
minlen - Defines the minimum length of a password.
PREV range 0 - 8. Default is 8
NEW range 0 - PW_PASSLEN. Default is 0.
minother - Defines the minimum number of non-alphabetic characters in a password.
PREV range 0 - 8. Default is 8
NEW range 0 - PW_PASSLEN. Default is 0
mindiff - Defines the minimum number of characters in the new password that were not in
the old password.
PREV range 0 - 8. Default is 8
NEW range 0 - PW_PASSLEN. Default is 0
收起