AIX 5L SysAdmin I: (Unit 13 – Part 2) – AIX 5.1 Security and User Administration

Login Sequence
getty – started by init (from /etc/inittab); tty port settings are held in the ODM
login – settings in /etc/security/login.cfg
User enters login name
User enters password
Verify user name and password – /etc/passwd, /etc/security/passwd
Invalid – log entry written to /etc/security/failedlogin (read it with "who /etc/security/failedlogin")
Set up environment – /etc/environment, /etc/security/environ,
/etc/security/limits, /etc/security/user
Display /etc/motd? – skipped if $HOME/.hushlogin exists
Run /etc/environment, /etc/profile, $HOME/.profile

User Initialization Process:
1. /etc/environment – establishes the base environment for every process: sets PATH, TZ, LANG and NLSPATH (HOME and SHELL come from the user's /etc/passwd entry, not from this file). Do not modify it casually; it has no per-user override.
2. /etc/profile – shell script run at every login; sets TERM, MAILMSG and MAIL (a change here affects every user on the system)
3. $HOME/.profile – the user's personal file for customizing their own environment (mkuser seeds it from /etc/security/.profile)

Security and Users:
# smit security
# smit users

List All Users
lsuser [-c | -f] [-a attribute ...] {ALL | username ...}
# lsuser -a id home ALL

Add a User to the System
# smit mkuser

Change/Show Characteristics of a User
# smit chuser

Remove a User from the System
–> The "rmuser" command or SMIT (smit rmuser) can be used to delete a user from the system.
# rmuser -p wltest
-p – also removes the user's password and authentication information from /etc/security/passwd (without -p that stanza is left behind)

–> The user's home directory is not deleted, so you must clean up the user's directories manually (back up important files first!)
# rm -r /home/wltest

Note: Once a user is removed from the system, the files in their /home/user directory (and anywhere else on disk) show a numeric UID instead of the user name in "ls -l" output. A new user that is to inherit the previous user's files can be assigned the same UID, but that new account then owns every file the old UID still owns anywhere on the system, so locate those files first (find / -user <uid>) and clean up whatever should not carry over.

A new user ID cannot be used until a password is assigned (a freshly created account has no password set and cannot log in).
There are two commands available for changing the password.
passwd [ username ] – (root or the user only); asks the user for the current password first, root is not asked when setting another user's password
Note: SMIT uses the passwd command
pwdadm username – (root or a user in the security group)
Note: Instead of asking for the user's old password, which you don't know, it asks for your own password and then for that user's new password. By default pwdadm also sets the ADMCHG flag in /etc/security/passwd, so the user must choose a new password at next login.

Regaining root's Password:
1. Boot from CD-ROM or a bootable tape (product CD, or mksysb tape)
2. Select option 3 from the Installation and Maintenance menu: Start Maintenance Mode for System Recovery
3. Follow the options to activate the root volume group and obtain a shell
4. Once a shell is available, run the passwd command to change root's password.
5. # sync ; sync – run it twice to flush the buffers to disk
6. Reboot the system
Note: this works for anyone who can boot the machine from their own media, so physical access to the system, its boot devices and the boot list is the real control over the root password.

SMIT Groups
# smit groups

lsgroup [-c | -f] [-a attribute ...] {ALL | groupname ...}
# lsgroup ALL

Add Groups
smit mkgroup

Change Groups
smit chgroup

Remove Groups
smit rmgroup

Message of the Day
–> The file /etc/motd contains text that is displayed every time a user logs in.
–> This file should only contain information the users actually need to see
–> If the $HOME/.hushlogin file exists in a user's home directory, the contents of /etc/motd are not displayed to that user.

lsuser ALL – list all users on the system
lsuser -f ALL – show each user as a stanza (attribute = value, one per line)
lsuser -c ALL – the same information in colon-separated form, one line per user (easy to feed to awk or cut)
cat /etc/passwd – in the password field, "*" means no password is set (login disabled) and "!" means the password hash is kept in /etc/security/passwd
pwdadm usera – set usera's password (as root or a member of the security group)
smit users
pg /etc/group
newgrp budget – start a new shell whose current (real) group is budget; files created in it are group-owned by budget
chmod g+w report
newgrp – return to the login group (starts another new shell)
vi /etc/security/.profile – default .profile copied into the home directory of every user mkuser creates
pg /etc/security/passwd – per-user password stanzas (hash, lastupdate, flags)
vi /etc/motd – message of the day file
touch /home/usera/.hushlogin – suppress the message of the day for usera
cd /var/news
vi newsitem
news – displays the news item
wall "the system will be shutdown in 30 minutes" – broadcast the message to every logged-in user
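
The note on /etc/passwd above is the kind of thing worth checking rather than trusting. The following is an added example, not code from the course notes or from IBM: it classifies every account by its password field, flagging the two cases that should never appear on AIX (an empty field, and a hash stored inline in the world-readable file). The sample passwd file is constructed here; on a real system point it at /etc/passwd.

```shell
#!/bin/sh
# Added example (not from the course notes): audit the password field of an
# /etc/passwd-style file. On AIX that field is normally "!" (the hash lives
# in /etc/security/passwd) or "*" (no password set, so the account cannot
# log in). Anything else deserves a look: an empty field means no password
# is needed at all, and a hash stored here is readable by every user.

# audit_passwd_fields FILE -> one "CLASS user" line per account
audit_passwd_fields() {
    awk -F: '
        NF < 7    { printf "MALFORMED %s\n", $0; next }
        $2 == "!" { printf "SHADOWED %s\n", $1; next }
        $2 == "*" { printf "NOPASS %s\n",   $1; next }
        $2 == ""  { printf "EMPTY %s\n",    $1; next }
                  { printf "INLINE %s\n",   $1 }
    ' "$1"
}

# count_class CLASS FILE -> how many accounts fall into CLASS
count_class() {
    audit_passwd_fields "$2" | awk -v c="$1" '$1 == c' | wc -l | tr -d ' '
}

# Constructed sample in /etc/passwd layout; not taken from any real system.
# userb has an empty field, userc carries a (made-up) hash inline.
SAMPLE_PASSWD="${TMPDIR:-/tmp}/passwd.sample.$$"
trap 'rm -f "$SAMPLE_PASSWD"' EXIT
cat > "$SAMPLE_PASSWD" <<'EOF'
root:!:0:0::/:/usr/bin/ksh
daemon:!:1:1::/etc:
guest:*:100:100::/home/guest:
usera:!:201:1::/home/usera:/usr/bin/ksh
userb::202:1::/home/userb:/usr/bin/ksh
userc:abJnggxhB/yWI:203:1::/home/userc:/usr/bin/ksh
EOF

# Full report (on a live box: audit_passwd_fields /etc/passwd)
audit_passwd_fields "$SAMPLE_PASSWD"
# Only EMPTY and INLINE need action, so list those on their own
audit_passwd_fields "$SAMPLE_PASSWD" | awk '$1 == "EMPTY" || $1 == "INLINE"'
```

Fix an EMPTY account by giving it a password with pwdadm or locking it (an "*" in the field); an INLINE hash should be moved into /etc/security/passwd by resetting the password with pwdadm, which writes the "!" marker for you.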

Q: What is the difference between /usr/lib/security/mkuser.defaults and the "default" stanza in /etc/security/user?
A: The "default" stanza in /etc/security/user is used by all accounts on the system. If an individual user is configured with a different characteristic, it is recorded in that user's own stanza in /etc/security/user, which overrides the default. Unless there is an overriding value in the user's stanza, the "default" stanza supplies every characteristic. Making a change to the default stanza therefore, generally speaking, affects all user accounts on the system as well as those you add in the future. The file /usr/lib/security/mkuser.defaults is read only when a new account is created. The values in this file are used to build the new user's stanza in /etc/security/user, so they let that user override certain default characteristics from the moment the account exists. If you need to create many users that require a different set of characteristics from the defaults set in /etc/security/user, mkuser.defaults is the handy place to put them.
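
The precedence just described (user stanza first, then the "default" stanza) is easy to get wrong when reading the file by eye. The following is an added example, not code from the course notes or from IBM: a small awk resolver that returns the effective value of one attribute for one user from a file laid out like /etc/security/user. On AIX "lsuser -a ATTR USER" does this for you; the resolver makes the rule visible and runs offline against the constructed stanza file below. It does not model mkuser.defaults, which only matters at account creation.

```shell
#!/bin/sh
# Added example (not from the course notes): resolve the effective value of
# an attribute for a user from a stanza file in /etc/security/user layout.
# The user's own stanza wins; if it does not set the attribute, the
# "default" stanza applies; if neither does, nothing is printed and the
# exit status is 1.

# effective_attr FILE USER ATTR -> prints the value that applies to USER
effective_attr() {
    awk -v user="$2" -v attr="$3" '
        /^[ \t]*[*#]/ { next }                   # comment lines
        /^[^ \t][^:]*:[ \t]*$/ {                  # stanza header, e.g. "usera:"
            stanza = $0; sub(/:[ \t]*$/, "", stanza); next
        }
        index($0, "=") > 0 && stanza != "" {      # "    attr = value" line
            eq  = index($0, "=")
            key = substr($0, 1, eq - 1); gsub(/[ \t]/, "", key)
            val = substr($0, eq + 1);    gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key != attr) next
            if (stanza == user)           { uval = val; uset = 1 }
            else if (stanza == "default") { dval = val; dset = 1 }
        }
        END {
            if (uset)      print uval
            else if (dset) print dval
            else           exit 1
        }
    ' "$1"
}

# Constructed sample in the layout of /etc/security/user; not a real file.
# usera tightens login settings, userb is made an admin, userc has no stanza.
SAMPLE_USER="${TMPDIR:-/tmp}/user.sample.$$"
trap 'rm -f "$SAMPLE_USER"' EXIT
cat > "$SAMPLE_USER" <<'EOF'
* constructed sample, layout of /etc/security/user
default:
        admin = false
        login = true
        rlogin = true
        maxage = 0
        loginretries = 0

usera:
        login = false
        loginretries = 3

userb:
        admin = true
EOF

# Show where each value comes from (on a live box: lsuser -a login admin usera)
for u in usera userb userc; do
    printf '%s: login=%s admin=%s loginretries=%s\n' "$u" \
        "$(effective_attr "$SAMPLE_USER" "$u" login)" \
        "$(effective_attr "$SAMPLE_USER" "$u" admin)" \
        "$(effective_attr "$SAMPLE_USER" "$u" loginretries)"
done
```

A quick way to use it for review: loop over "lsuser -a id ALL" and print the effective admin and loginretries for every account, which shows at a glance who has escaped the defaults.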
Q: When I remove a user, how can I remove all of their files at the same time?
A: You can't. However, you can use the find command to locate all files owned by that account and, if necessary, remove them. Try "find / -user username -ok rm {} \;". This finds all of the user's files and prompts you before removing each one (add -xdev to stay on the local file systems). Run it before rmuser; afterwards the name no longer resolves and you must search by the numeric UID instead.
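
Both the note on numeric UIDs in the "Remove a User" section and the answer above come down to one task: find every file the removed UID still owns before the UID is reused or the files are deleted. The following is an added example, not code from the course notes or from IBM. It assumes a listing produced on the live system with "find / -xdev -exec ls -ldn {} \;" and reports the entries whose owner UID no longer exists in /etc/passwd; both input files here are constructed so it runs offline. On AIX itself "find / -xdev -nouser" gives the same list in one command; this version keeps the matching logic visible.

```shell
#!/bin/sh
# Added example (not from the course notes): list files owned by UIDs that
# no longer have an account. After "rmuser -p" such files show a bare
# number in "ls -l", and a new account given the same UID silently inherits
# all of them, wherever they are on disk.

# orphan_files PASSWD_FILE LISTING_FILE
#   LISTING_FILE holds "ls -ldn" lines (field 3 = numeric owner UID,
#   last field = path). Prints "UID PATH" for every entry whose UID is
#   not in PASSWD_FILE.
orphan_files() {
    awk '
        NR == FNR { split($0, f, ":"); known[f[3]] = 1; next }  # passwd UIDs
        NF < 9 { next }                                         # skip "total" etc.
        !($3 in known) { print $3, $NF }
    ' "$1" "$2"
}

# orphan_count PASSWD_FILE LISTING_FILE -> number of orphaned entries
orphan_count() { orphan_files "$1" "$2" | wc -l | tr -d ' '; }

# orphan_uids PASSWD_FILE LISTING_FILE -> distinct orphaned UIDs, one per line
orphan_uids() { orphan_files "$1" "$2" | awk '{ print $1 }' | sort -n -u; }

# Constructed sample data, not from a real system. wltest (UID 205) has been
# removed with rmuser, but its files were never cleaned up.
SAMPLE_PASSWD="${TMPDIR:-/tmp}/passwd.orphans.$$"
SAMPLE_LISTING="${TMPDIR:-/tmp}/listing.orphans.$$"
trap 'rm -f "$SAMPLE_PASSWD" "$SAMPLE_LISTING"' EXIT
cat > "$SAMPLE_PASSWD" <<'EOF'
root:!:0:0::/:/usr/bin/ksh
usera:!:201:1::/home/usera:/usr/bin/ksh
EOF
cat > "$SAMPLE_LISTING" <<'EOF'
drwxr-xr-x    2 201      1            256 Mar 04 10:02 /home/usera
-rw-r--r--    1 201      1           1024 Mar 04 10:02 /home/usera/.profile
drwxr-xr-x    2 205      1            256 Feb 11 09:40 /home/wltest
-rw-------    1 205      1           4096 Feb 11 09:41 /home/wltest/notes
-rw-r--r--    1 205      1           2048 Feb 12 16:20 /tmp/wltest.out
-rwxr-xr-x    1 0        0          30000 Jan 01 00:00 /usr/bin/ksh
EOF

# Report: which UIDs are stale, and which files each one still owns
echo "stale UIDs:"; orphan_uids "$SAMPLE_PASSWD" "$SAMPLE_LISTING"
echo "files:";      orphan_files "$SAMPLE_PASSWD" "$SAMPLE_LISTING"
```

Note the file under /tmp: cleaning up only /home/wltest would have left it for whoever gets UID 205 next. Decide per file whether to chown it to the successor, archive it, or remove it; "find / -user 205 -ok rm {} \;" remains the page's interactive way to do the last of those.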

Q: I thought a group administrator could add user accounts to his group?
A: They can. However, the user must already be a valid account on the machine. Being a group administrator does not give the authority to create new user accounts; that is reserved for root and members of the security group.
