We use Centrify to interface AIX with Active Directory, so that takes the place of LDAP for us.
We found that with the default max_logname, Centrify would authenticate users with long names, but only pay attention to part of the name, so it worked pretty well for us for a long time. SSH did not care that the name was long when Centrify authorized it for login privileges.
Eventually we chose to increase the default so that things would just work a little better and so that we avoided conflicts when using account names which were not unique within 8 places.
LDAP is perhaps not so forgiving. It looks like the whole name is considered and AIX does not consider it valid, so SSH refuses to allow it.
You probably need to make the change and reboot.
From our new-system build procedure:
sudo chdev -l sys0 -a max_logname=21 # set up for long user names
: REQUIRES A REBOOT TO ENABLE LONG USER NAMES
------------------------------
Michael Shon
------------------------------
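The reply above explains the mechanism: AIX checks the full login name against max_logname, and max_logname counts the terminating null byte, so the longest usable name is max_logname minus one (the default of 9 allows 8-character names; the value 21 from the build procedure allows 20). The following shell script is an added example, not part of either post, that turns that rule into a pre-flight check an administrator can run before rolling out longer LDAP names, and a scan of sshd syslog lines for the "Login restricted for" failures that name length alone explains. The lsattr output line and the log lines are constructed samples shaped like the ones in the thread; the hostname aixhost is a placeholder.

```shell
#!/bin/sh
# Added example: check login names against AIX max_logname and scan sshd
# syslog lines for rejections explained by name length.
# max_logname includes the terminating NUL, so the longest usable login
# name is (max_logname - 1) characters: default 9 -> 8-character names.

# Extract the value from a line of `lsattr -El sys0 -a max_logname` output.
# Usage: parse_max_logname "<lsattr output line>"
parse_max_logname() {
    printf '%s\n' "$1" | awk '$1 == "max_logname" { print $2; exit }'
}

# Longest login name accepted for a given max_logname value.
max_name_chars() {
    echo $(( $1 - 1 ))
}

# Return 0 if NAME fits under max_logname MAXLN, 1 otherwise.
# Usage: name_fits MAXLN NAME
name_fits() {
    limit=$(max_name_chars "$1")
    [ "${#2}" -le "$limit" ]
}

# Print a verdict for each name; run this before creating LDAP accounts.
# Usage: check_names MAXLN name...
check_names() {
    maxln=$1; shift
    for n in "$@"; do
        if name_fits "$maxln" "$n"; then
            printf '%-12s ok (%d chars)\n' "$n" "${#n}"
        else
            printf '%-12s TOO LONG (%d chars > %d)\n' \
                "$n" "${#n}" "$(max_name_chars "$maxln")"
        fi
    done
}

# Read sshd syslog lines on stdin; print each distinct login name from a
# "Login restricted for <name>:" message whose length exceeds the limit.
# The NOUSER placeholder that follows a rejected name is skipped.
# Usage: restricted_logins_over_limit MAXLN < logfile
restricted_logins_over_limit() {
    limit=$(max_name_chars "$1")
    awk -v limit="$limit" '
        /sshd\[[0-9]+\]: Login restricted for / {
            sub(/.*Login restricted for /, "")   # keep text after "for "
            sub(/:.*/, "")                       # keep the login name only
            if ($0 != "NOUSER" && length($0) > limit && !seen[$0]++) print $0
        }'
}

# Constructed sample of the lsattr output (default value).
SAMPLE_LSATTR='max_logname 9 Maximum login name length at boot time True'

# Constructed sshd log lines; the third one is a rejection of an
# 8-character name, so it is NOT explained by length and is not reported.
SAMPLE_LOG='Jul 26 13:12:46 aixhost auth|security:info sshd[22872428]: Login restricted for fr1082459: You entered an invalid login name or password.
Jul 26 13:12:59 aixhost auth|security:info sshd[22872428]: Login restricted for NOUSER: (none)
Jul 26 13:13:10 aixhost auth|security:info sshd[22872430]: Login restricted for fr022925: You entered an invalid login name or password.'

maxln=$(parse_max_logname "$SAMPLE_LSATTR")
echo "max_logname=$maxln -> login names may be up to $(max_name_chars "$maxln") characters"
check_names "$maxln" fr022925 fr1082459 ibmgldap
echo "Restricted logins explained by name length alone:"
printf '%s\n' "$SAMPLE_LOG" | restricted_logins_over_limit "$maxln"
```

On a real system, replace SAMPLE_LSATTR with `$(lsattr -El sys0 -a max_logname)` and feed the auth syslog file to restricted_logins_over_limit; a name reported there will keep failing until max_logname is raised with chdev and the machine is rebooted, since the attribute is only read at boot.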
Original Message:
Sent: Wed July 26, 2023 08:23 AM
From: František Slimařík
Subject: AIX maximum length of login name (local vs LDAP)
Hello,
I am aware of the AIX system parameter below, which restricts login names by default to 8 characters only. Until now I thought it's valid only for local accounts (length at boot time). We also have LDAP accounts here which follow this rule, but soon we will need to create longer user names. That is why we created a test account which is visible normally via the "lsuser" command but is not allowed to connect to the machine.
[root:/var/log:] lsattr -El sys0 -a max_logname
max_logname 9 Maximum login name length at boot time True
Jul 26 13:12:46 XXXXXXXXXXXX auth|security:info sshd[22872428]: Login restricted for fr1082459: You entered an invalid login name or password.
Jul 26 13:12:59 XXXXXXXXXXXX auth|security:info sshd[22872428]: Login restricted for NOUSER: (none)
Jul 26 13:12:59 XXXXXXXXXXXX auth|security:info sshd[22872428]: Failed password for invalid user fr1082459 from XXXXXXXXXXXX port 58733 ssh2
Jul 26 13:13:04 XXXXXXXXXXXX auth|security:info syslog: ssh: failed login attempt for UNKNOWN_USER from XXXXXXXXXXXX
My question is whether we have to set up something additional, or if the only option is really to increase "max_logname" and reboot the machine.
[root:/var/log:] lsuser -f fr022925
fr022925:
id=10279
pgrp=ibmgldap
groups=ibmgldap
home=/home/homeldap/fr022925
shell=/usr/bin/ksh
gecos=TESTUSER
login=true
su=true
rlogin=true
daemon=true
admin=false
sugroups=ALL
admgroups=
tpath=nosak
ttys=ALL
expires=0
auth1=SYSTEM
auth2=NONE
umask=77
registry=LDAP
SYSTEM=files or LDAP
logintimes=
loginretries=5
pwdwarntime=14
account_locked=false
minage=1
maxage=13
maxexpired=-1
minalpha=1
minloweralpha=0
minupperalpha=0
minother=1
mindigit=0
minspecialchar=0
mindiff=3
maxrepeats=2
minlen=8
histexpire=105
histsize=8
pwdchecks=
dictionlist=/usr/share/dict/words
default_roles=
fsize=-1
cpu=-1
data=262144
stack=65536
core=0
rss=-1
nofiles=50000
core_hard=0
time_last_login=1690362795
time_last_unsuccessful_login=1210080281
tty_last_login=ssh
tty_last_unsuccessful_login=/dev/pts/0
host_last_login=XXXXXX
host_last_unsuccessful_login=XXXXXX
unsuccessful_login_count=0
roles=
------------------------------
František Slimařík
------------------------------