AIX

  • 1.  User migration between AIX and Linux

    Posted Tue November 26, 2024 11:49 AM
    On Tue, Nov 26, 2024 at 04:35:54PM +0000, Marek Pniok via IBM TechXchange Community wrote:
    > recently I got an idea to create a simple scripts which one of them
    > would export users from AIX and the other script would import them
    > to Linux(RHEL) to make migration of users faster.

    Why? No one moves to Linux in this community.

    *sarcasm off*

    I can see that may have some utility, and lsuser's colon output makes
    it easy.

    > Unfortunately I have run to an issue with migration of the hashed
    > passwords. Both of the systems have different default hashing. For
    > AIX we use sha256 and on the RHEL sha512. Is there some possible way
    > to do such conversion so the hash would work on both systems or did
    > someone already solved this issue in the past?

    You should compare the AIX /etc/security/passwd hash value against
    RHEL's /etc/shadow. I think they use a common format now. RHEL may not
    allow you to create new SHA256 hashes, but it may read the old. The
    start of the hash has a prefix that says the hash algorithm and
    strength, followed by salt and hash.

    You can also configure AIX on the fly to use SHA512 for password
    hashes. All that happens is on next password change it will use SHA512
    instead. The old passwords are still valid.

    It may be worth a try to just copy over a hash from AIX to RHEL and
    test.

    You cannot convert hashes without access to the original plaintext
    password.

    Further reading: https://www.ibm.com/support/pages/aix-making-sha-256-and-sha-512-passwords-compatible-other-oss

    ------------------------------------------------------------------
    Russell Adams Russell.Adams@AdamsSystems.nl
    Principal Consultant Adams Systems Consultancy
    https://adamssystems.nl/


  • 2.  RE: User migration between AIX and Linux

    Posted Tue November 26, 2024 11:51 AM

    The forum management needs to look into why replying to posts via email now creates a new thread instead of the existing one. This functionality clearly broke in the most recent update.

    Sorry for the diverging thread.



    ------------------------------
    ========================
    Russell Adams
    https://adamssystems.nl/
    ========================
    ------------------------------



  • 3.  RE: User migration between AIX and Linux

    Posted Fri November 29, 2024 01:16 AM

    My response was crafted with AI assistance, tailored to provide detailed and actionable guidance for your query.

    Migrating users between IBM AIX and Linux (RHEL) is a common scenario when consolidating systems or moving workloads to more commonly supported platforms. However, the issue of hashing algorithms for passwords can be tricky since AIX and Linux may use different default methods for hashing. Here's how you can address this problem effectively:

    Key Points to Consider:

    1. Password Hash Compatibility:

      • AIX typically stores password hashes in /etc/security/passwd, while RHEL uses /etc/shadow.
      • Both systems prefix password hashes with an identifier for the hash type ($5$ for SHA256, $6$ for SHA512, etc.), followed by the salt and the hash.
      • If RHEL supports the hash type used by AIX (e.g., SHA256), you can copy the hashes directly.
    2. Reconfigure AIX for SHA512:

      • You can configure AIX to use SHA512 for hashing new passwords by updating the system configuration. This ensures new password hashes are compatible with Linux systems.
      • Command:
        sh
        chsec -f /etc/security/login.cfg -s usw -a pwd_algorithm=sha512
      • After configuring this, users need to update their passwords for the new hash to be generated.
    3. Testing Direct Hash Porting:

      • Copy a sample hash from AIX to a user entry in RHEL's /etc/shadow and test login with the original password.
      • Ensure the RHEL PAM configuration supports the hash type from AIX.
    4. No Direct Hash Conversion:

      • It's not possible to convert hashed passwords (e.g., from SHA256 to SHA512) without knowing the original plaintext password. Instead, the users need to reset their passwords or use the existing hashes as-is.

    Automation Scripts:

    To simplify the migration process, you can create scripts to export user data from AIX and import it to RHEL.

    Example: Export Users from AIX

    This script extracts user details and hashes:

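    bash
    #!/bin/bash
    # Export users from AIX
    # Account details: regular users (UID 1000-60000), all seven passwd fields
    awk -F':' '$3 >= 1000 && $3 <= 60000' /etc/passwd > users_aix.txt
    # Hashes: /etc/security/passwd is stanza-formatted, so pair each "name:" header
    # with its "password = ..." line and write name:hash to a separate file
    awk '/^[^ \t]/ && /:[ \t]*$/ {sub(/:[ \t]*$/, ""); u = $0} $1 == "password" {print u":"$3}' /etc/security/passwd > hashes_aix.txt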

    Example: Import Users to RHEL

    This script creates users on RHEL with the extracted details:

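    bash
    #!/bin/bash
    # Import users to RHEL
    # Create the accounts from the seven passwd fields
    while IFS=: read -r username x uid gid gecos home shell; do
        useradd -u "$uid" -g "$gid" -c "$gecos" -d "$home" -s "$shell" "$username"
    done < users_aix.txt
    # Load the exported hashes as-is (-e: input is already hashed),
    # but only for accounts created above, so root and system users are untouched
    while IFS=: read -r username password; do
        grep -q "^${username}:" users_aix.txt || continue
        echo "$username:$password" | chpasswd -e
    done < hashes_aix.txt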

    Caveats:

    • UID/GID Conflicts: Ensure the UID/GID ranges don't overlap with existing users on RHEL.
    • Home Directory: Verify the home directories are correctly set up and accessible.
    • Testing Environment: Always test the migration on a staging environment before production.

    Resources:

    For further details, check:

    By handling the hash compatibility and automating the process, you can achieve a smoother user migration experience.



    ------------------------------
    Saif Ali Sabri
    ------------------------------



  • 4.  RE: User migration between AIX and Linux

    Posted Fri November 29, 2024 01:54 AM

    Hello,

    thank you for the comment.

    I have already tried copying my hashed password between the servers, but it didn't work. I have also tried changing the hashing for my test user from sha256 to sha512 and copying the hash, but unfortunately with the same outcome. It seems there will still be a need to change the password for all users on the server after making changes, for example from sha256 to sha512, which complicates things.



    ------------------------------
    Marek Pniok
    ------------------------------



  • 5.  RE: User migration between AIX and Linux

    Posted Fri November 29, 2024 02:08 AM

    AI was used to create this answer


    Migrating user accounts, including hashed passwords, from AIX to Linux (RHEL) can indeed be challenging due to differences in how these operating systems handle password hashing. Here's how to approach the problem and address your concerns:


    Key Issues and Challenges

    1. Different Hash Algorithms:

      • AIX might use SHA256 for password hashing, while RHEL defaults to SHA512.
      • Directly copying hashes may fail if the hash formats differ or the systems interpret salts differently.
    2. Hash Prefixes and Format:

      • AIX stores hashes in /etc/security/passwd, while RHEL uses /etc/shadow.
      • RHEL uses hash prefixes like $1$ (MD5), $5$ (SHA256), and $6$ (SHA512), while AIX may use different formats.
    3. Password Conversion Limitation:

      • Hashes are one-way; without the original plaintext password, you cannot convert hashes between algorithms.

    Step-by-Step Migration Plan

    1. Test Hash Compatibility

    • Compare a Sample Hash: Copy a user's hashed password (e.g., from /etc/security/passwd) on AIX to /etc/shadow on RHEL. Test whether the RHEL system can authenticate with the copied hash.

      • Example:
        • From AIX:
          makefile
          testuser: password = {ssha256}xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
        • Place this in /etc/shadow (convert format to match RHEL if needed):
          perl
          testuser:$5$xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx:18503:0:99999:7:::
      • Test logging in on RHEL as testuser.
    • If this fails, it confirms that the hash formats are incompatible.

    2. Enable SHA512 on AIX

    • Configure AIX to use SHA512 for future password hashes:
      bash
      chsec -f /etc/security/login.cfg -s usw -a pwd_algorithm=sha512
    • Existing SHA256 passwords remain valid until users change them. Once changed, the system will store the new password with SHA512.

    3. Create a Migration Script

    • Automate exporting user data from AIX and importing it into Linux:
      • Export Users: Use lsuser to get user details in AIX:
        bash
        lsuser -C ALL > aix_users.csv
        Format the output as needed for importing into Linux.
      • Import Users: Use a script on Linux to create accounts and reset passwords:
        bash
        while IFS=, read -r username hash; do
            useradd "$username"
            echo "$username:$hash" | chpasswd -e
        done < aix_users.csv

    4. Password Reset Script

    • If hash compatibility fails, a controlled password reset may be necessary:
      • Provide users with temporary passwords and prompt them to reset on first login.
      • Example password reset script:
        bash
        while IFS=, read -r username; do
            useradd "$username"
            echo "$username:TemporaryPassword123" | chpasswd
            chage -d 0 "$username"
        done < aix_users.csv

    5. Password Synchronization

    • Use tools like LDAP or Kerberos to centralize authentication, avoiding future migration issues. Configure both AIX and RHEL to authenticate against the same directory service.

    6. Further Reading and Tools


    Considerations for Migration

    • Security Concerns:
      • Avoid transferring plaintext passwords.
      • Use secure methods for exporting and importing user data.
    • Communication:
      • Inform users of potential disruptions and any required actions (e.g., password resets).
    • Testing:
      • Test the migration process thoroughly in a staging environment before production.

    By following this plan, you can simplify the user migration process and handle password compatibility issues effectively. If you need assistance with specific errors or script examples, let me know!



    ------------------------------
    Saif Ali Sabri
    ------------------------------
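
As an added example (not code from any poster in this thread), the shell function below triages an exported AIX /etc/security/passwd before migration: it reads the stanza format, identifies each hash scheme from its prefix, and marks which accounts are candidates for copying with chpasswd -e and which need a password reset. It assumes that `{...}`-tagged AIX hashes are not accepted on RHEL, as post 4 reports; the function names, action labels and sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example: triage AIX password hashes before a migration to RHEL.
# Reads /etc/security/passwd stanza text on stdin, prints user:scheme:action.
classify_aix_hashes() {
    awk '
    /^\*/ { next }                              # AIX comment line
    /^[^ \t]/ && /:[ \t]*$/ {                   # stanza header: "name:"
        sub(/:[ \t]*$/, ""); user = $0; order[++n] = user; next
    }
    user != "" && $1 == "password" && $2 == "=" { hash[user] = $3 }
    END {
        for (i = 1; i <= n; i++) {
            u = order[i]; h = hash[u]; rb = index(h, "}")
            if (h == "" || h == "*" || substr(h, 1, 1) == "!") {
                scheme = "none"; action = "skip"        # no usable password
            } else if (substr(h, 1, 1) == "{" && rb > 2) {
                # AIX algorithm tag such as {ssha256}: assumed not loadable on RHEL
                scheme = "aix-" substr(h, 2, rb - 2); action = "reset"
            } else if (substr(h, 1, 3) == "$6$") {
                scheme = "sha512crypt"; action = "copy"
            } else if (substr(h, 1, 3) == "$5$") {
                scheme = "sha256crypt"; action = "copy"
            } else if (substr(h, 1, 3) == "$1$") {
                scheme = "md5crypt"; action = "reset"   # weak, do not carry over
            } else {
                scheme = "unknown"; action = "review"
            }
            print u ":" scheme ":" action
        }
    }'
}

# Constructed sample input; salts and digests are placeholders, not real hashes.
sample_aix_passwd() {
    cat <<'EOF'
* constructed /etc/security/passwd excerpt
alice:
        password = {ssha256}06$SALTPLACEHOLDER0$DIGESTPLACEHOLDER
        lastupdate = 1732600000

bob:
        password = $6$SALTPLACEHOLDER$DIGESTPLACEHOLDER

carol:
        password = *
EOF
}

sample_aix_passwd | classify_aix_hashes
```

Accounts marked `copy` can be tested one at a time with `chpasswd -e` on a staging host; accounts marked `reset` need a new password or the procedure in the IBM support document linked in the thread.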



  • 6.  RE: User migration between AIX and Linux

    Posted Fri November 29, 2024 11:17 AM

    There is a support document for this:

    AIX: Making SHA-256 and SHA-512 passwords compatible with other OS's

    https://www.ibm.com/support/pages/aix-making-sha-256-and-sha-512-passwords-compatible-other-oss



    ------------------------------
    Alexander Pettitt
    ------------------------------