Does AIX support passwords longer than 8 characters? Yes! Prior to AIX 5.3 TL7 and AIX 6.1, there was an 8 character limit on AIX user passwords. If you need passwords longer than 8 characters, you must enable one of the supplied Loadable Password Algorithms (LPAs). The following table lists the available algorithms and the limitations of each:
For example, to enable the MD5 algorithm I can modify /etc

# chsec -f /etc
# tail -2 /etc
pwd_algorithm = smd5

This algorithm (smd5) will allow a password limit of 255 characters. Each of the available algorithms is listed in the /etc

# head -50 /etc
****
*
* Loadable Password Algorithm (LPA)
*
* The format of a LPA stanza is:
*
* lpa:
*     lpa_module = /any/program
*     lpa_options = options_list
*
* lpa          Corresponds to a password hashing algorithm that can be
*              specified in the "usw" stanza of /etc
*              as the system-wide password hashing algorithm.
*
* lpa_module   Specifies the path of the password hashing load module.
*              In the above example, /any/program is the path to the load
*              module that is used to do the password hashing in 32 bit
*              mode. The load module that is used to run in 64 bit mode
*              is /any/program_64.
*
* lpa_options  Is an optional attribute that provides a means of
*              communicating run-time configuration options to the load
*              module. The value is a comma separated list of items.
*              Please refer to the documentation for the load module for
*              appropriate values.
*
****
*
* /usr
* the MD5 algorithm.
*
* It supports password length up to 255 characters.
*
* To generate smd5 password hash compatible to standard salted MD5,
* add the following option line for smd5 stanza.
*     lpa_options = std_hash=true
*
* Note : password hash generated with this option won't be compatible with
*        hash generated without this option.
*
****
smd5:
        lpa_module = /usr
****
*
* /usr
* SHA2 algorithms. It supports password length up to 255 characters.
*
* This LPA accepts three options. The options are separated by commas.
...etc...

Once you’ve enabled the LPA of your choice, and you set/change a user’s password, you’ll notice that the /etc

fred:
        password = E7nOaTrrz9Q16
        lastupdate = 1330986703
        flags = ADMCHG

joe:
        password = {smd
        lastupdate = 1330987903
        flags = ADMCHG

In the example above, user joe’s password has been set using the smd5 algorithm.
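
As an added example (not from the original post), this shell/awk audit reads a stanza file laid out like the fred/joe entries above and reports which algorithm each stored hash uses. An account keeps its old un-prefixed hash until its password is next changed, so anything reported as crypt is still under the 8 character limit. The function names and the sample data are constructed for illustration; pass the path of your own password stanza file as the argument.

```shell
#!/bin/sh
# Added example, not from the original post. Sample hashes are constructed.

# Write a constructed stanza file (same layout as the fred/joe entries) to $1.
make_sample() {
    cat > "$1" <<'EOF'
* constructed sample data, not real hashes
fred:
        password = XXXXXXXXXXXXX
        lastupdate = 1330986703
        flags = ADMCHG

joe:
        password = {smd5}SAMPLEsalt$SAMPLEhashSAMPLEhash
        lastupdate = 1330987903

svc:
        password = *
EOF
}

# classify_hashes FILE: print "user algorithm" for every stanza with a
# password attribute. No {name} prefix means the legacy crypt hash.
classify_hashes() {
    awk '
        # Stanza header: a lone "username:" token (lines starting with * are comments)
        NF == 1 && $1 ~ /:$/ && $1 !~ /^[*]/ { user = substr($1, 1, length($1) - 1); next }
        $1 == "password" && $2 == "=" {
            hash = $3
            if (hash == "" || hash == "*")         algo = "none"   # no usable password hash
            else if (match(hash, /^[{][^}]+[}]/))  algo = substr(hash, 2, RLENGTH - 2)
            else                                   algo = "crypt"  # legacy, 8 character limit
            print user, algo
        }
    ' "$1"
}

# legacy_users FILE: accounts whose stored hash is still legacy crypt.
legacy_users() {
    classify_hashes "$1" | awk '$2 == "crypt" { print $1 }'
}

sample="${TMPDIR:-/tmp}/lpa_sample.$$"
make_sample "$sample"
classify_hashes "$sample"
echo "still on legacy crypt: $(legacy_users "$sample")"
rm -f "$sample"
```

Forcing a password change for the accounts that `legacy_users` lists is what moves them onto the configured LPA.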
For those of you who run PowerHA (HACMP) and are thinking about using one of the LPAs with the clpasswd utility, you may want to review this APAR first:
IZ40362: HACMP PASSWD UTILITY FAILS WHEN LONG PASSWD ALGORITHM IS ENABLED http
The APAR states “HACMP cluster-wide C-SPOC password administration does not support use of the feature allowing passwords longer than 8 characters which became available with the Loadable Password Algorithm as part of AIX 53 TL 7.”
The last time I tested this with PowerHA, the problem was that the password entry in /etc
For example, if the passwd utility is linked to clpasswd and I changed a user's password, the password field appeared to be corrupted/truncated and the user could not log in successfully:

# ls -l /usr/bin/passwd
lrwxrwxrwx 1 root system 39 Dec 22 11:30 /usr/bin/passwd -> /usr
# passwd tom
Changing password for "tom"
tom's New password:
Enter the new password again:
# grep -p tom passwd
tom:
        password = {smd5}FU2MWa.N.
        lastupdate = 1229910298
        flags =

Login no good!
tom@aix16's password:
Access denied

But if we use the original passwd command (stored in /usr

root@aix16 /usr
Changing password for "tom"
tom's New password:
Enter the new password again:
root@aix16 /usr
tom:
        password = {smd
        lastupdate = 1229910818
        flags =

Login OK!
$ id
uid=10003(tom) gid=1(staff)

I’ve not tried this again recently but I am curious if the same behaviour can be expected on a PowerHA system today. When I first encountered this problem (in 2008) I opened a PMR for the issue. In that call I was told that the “clpasswd utility is corrupting the encrypted password when distributing to the nodes, so that a login fails”. I’ll configure a HA cluster soon and try it again with PowerHA 6.1 and AIX 6.1 and report back with the results.
UPDATE: I built a HA 6.1 cluster (on AIX 6.1) this afternoon in my lab and tested this successfully. Based on the tests I’ve performed so far, it appears that this limitation no longer exists. Thanks to hafeedbk@us.ibm.com for the help on this one.
The following IBM tech note has more information on the available Loadable Password Algorithms and support for longer than 8 character passwords on AIX:
AIX support for passwords greater than 8 characters