AIX

  • 1.  AIX 6.1 Password Complexity

    Posted Tue November 08, 2011 05:19 PM

    Originally posted by: jcoop01


    Hello,

    I am trying to implement a password policy that will include minimum length, upper case and lower case as well as non-consecutive alphanumeric characters in AIX 6.1. So far we've been shocked to find that this is not something that can be done in AIX - how can this be?

    If this can't be done, how easy is it to set up LDAP authentication with Global one?

    Thanks

    J. Cooper


  • 2.  Re: AIX 6.1 Password Complexity

    Posted Tue November 08, 2011 11:50 PM

    Originally posted by: SystemAdmin


    No need to be shocked. It can be done. Maybe not by you.


  • 3.  Re: AIX 6.1 Password Complexity

    Posted Wed November 09, 2011 05:44 PM

    Originally posted by: jcoop01


    Delgado,

    Do you have a solution you can share? Thanks for any help AIX Guru.

    J


  • 4.  Re: AIX 6.1 Password Complexity

    Posted Wed November 09, 2011 06:45 PM

    Originally posted by: orphy


    Have you looked at this? If not, go through the attributes to see if they fit all your requirements. If not, you should be able to utilize the SYSTEM attribute to do whatever you want.

    http://publib.boulder.ibm.com/infocenter/aix/v6r1/index.jsp?topic=%2Fcom.ibm.aix.files%2Fdoc%2Faixfiles%2Fpasswd_security.htm
    Orphy


  • 5.  Re: AIX 6.1 Password Complexity

    Posted Wed November 23, 2011 10:56 AM

    Originally posted by: SteveButton


    The link you posted takes you to the page for /etc/security/passwd, but you need to click on the page above (in the menu down the left side), which is passwd_policy.


  • 6.  Re: AIX 6.1 Password Complexity

    Posted Thu November 24, 2011 12:14 PM

    Originally posted by: MatthewBourne


    This is interesting. I'm hoping someone will tell me what I missed in my extensive research into AIX password policy changes between AIX6 (as used by the original poster) and AIX7. According to the Differences Guide:

    "The following security attributes are used in this regard:

    minloweralpha
        Defines the minimum number of lower case alphabetic characters that must be in a new password. The value is a decimal integer string. The default is a value of 0, indicating no minimum number. The allowed range is from 0 to PW_PASSLEN.

    minupperalpha
        Defines the minimum number of upper case alphabetic characters that must be in a new password. The value is a decimal integer string. The default is a value of 0, indicating no minimum number. The allowed range is from 0 to PW_PASSLEN.

    mindigit
        Defines the minimum number of digits that must be in a new password. The value is a decimal integer string. The default is a value of 0, indicating no minimum number. The allowed range is from 0 to PW_PASSLEN.

    minspecialchar
        Defines the minimum number of special characters that must be in a new password. The value is a decimal integer string. The default is a value of 0, indicating no minimum number. The allowed range is from 0 to PW_PASSLEN."

    How do you read this? I see some new attributes available for password policy in AIX7 that were not available in AIX6. So, whereas before we only had access to "minalpha" and "minother", meaning we could set a minimum number of characters that must be letters, and a minimum number of characters that must not be letters, now in AIX7 we can be much more picky, requiring minimum counts of upper and lower case letters, digits, and non-alphanumeric characters.

    I'd be inclined to stick my neck out and agree with the point made at the start. If you want fine-grained control over case, numerics, and special chars - then you need AIX7. Unless, of course, these enhancements have been delivered in one of the later TLs for AIX6?

    Delgado?


  • 7.  Re: AIX 6.1 Password Complexity

    Posted Sun November 27, 2011 11:30 PM

    Originally posted by: SystemAdmin


    In addition to the minalpha, minother, minlen, mindiff and maxrepeats, the ability to write your own password checking routine and implement it via pwdchecks means that you can decide exactly how complicated a password should be.

    Unfortunately, you may find that the IBM supplied examples of how to write a pwdcheck routine are ideal for AIX 5, but are not as simple on AIX 6. Routines which worked for AIX 5 may core dump on AIX 6.
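
An added example, not from any poster in this thread and not IBM's sample code: a C password-check routine of the kind post 7 refers to, enforcing the minimum length, mixed case and non-consecutive-character rules asked about in post 1. The entry point name `pwdrestrict_method`, its arguments, the 0 / 1 / -1 return codes, the heap-allocated message and the thresholds are assumptions to verify against the documentation for your AIX level; "consecutive" is read here as three ascending alphanumerics such as "abc" or "123".

```c
/* Added example, not IBM sample code. Thresholds are assumed policy values. */
#include <ctype.h>
#include <stdlib.h>
#include <string.h>

#define MIN_LEN   8
#define MIN_UPPER 1
#define MIN_LOWER 1

/* Returns NULL when the password passes, otherwise a constant reason string. */
static const char *policy_violation(const char *pw)
{
    size_t len, i;
    int upper = 0, lower = 0;
    if (pw == NULL || (len = strlen(pw)) < MIN_LEN)
        return "password is missing or too short";
    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)pw[i];
        upper += isupper(c) != 0;
        lower += islower(c) != 0;
        /* Reject three alphanumerics in ascending order, e.g. "abc" or "123". */
        if (i >= 2 && isalnum(c)) {
            unsigned char a = (unsigned char)pw[i - 2], b = (unsigned char)pw[i - 1];
            if (isalnum(a) && isalnum(b) && b == a + 1 && c == a + 2)
                return "password contains consecutive characters";
        }
    }
    if (upper < MIN_UPPER || lower < MIN_LOWER)
        return "password needs upper and lower case letters";
    return NULL;
}

/* Entry point: name, arguments and 0 / 1 / -1 return codes are assumed. */
int pwdrestrict_method(char *UserName, char *NewPassword,
                       char *OldPassword, char **Message)
{
    const char *why = policy_violation(NewPassword);
    (void)UserName; (void)OldPassword;      /* not used by this policy */
    if (Message == NULL)
        return -1;                          /* nowhere to report a reason */
    *Message = NULL;
    if (why == NULL)
        return 0;                           /* password accepted */
    *Message = malloc(strlen(why) + 1);     /* assumed: the caller frees it */
    if (*Message == NULL)
        return -1;
    strcpy(*Message, why);
    return 1;                               /* password rejected */
}
```

Building this as a loadable module and naming it in the pwdchecks attribute is not shown here.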