
AIX Password Settings

June 4, 2013

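Because the security policy requires passwords to contain digits as well as upper- and lower-case letters, the passwords of all users on 5 AIX systems had to be changed. Each machine has dozens of users, so changing and confirming them by hand one at a time is clearly too tedious. Fortunately, root can use the chpasswd command to change user passwords in bulk.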

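After the passwords were changed, it turned out that only the first 8 characters took effect: AIX's default password algorithm only recognizes the first 8 characters of a password.
Only from AIX V5.3 TL7 and AIX V6.1 onward can other algorithms be used to support passwords longer than 8 characters.
Use the following command to change the password algorithm the system uses:

    chsec -f /etc/security/login.cfg -s usw -a pwd_algorithm=smd5

This command modifies the /etc/security/login.cfg file, setting pwd_algorithm=smd5 in its usw stanza;
smd5 is one of the system-supported hashing algorithms defined in /etc/security/pwdalg.cfg.
Changing the password algorithm requires no reboot and does not affect existing users.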

Below is an excerpt describing LPA:
AIX 5L implemented a Loadable Password Algorithm (LPA) mechanism that can easily deploy new password encryption algorithms. The supported LPAs and their attributes are defined in the /etc/security/pwdalg.cfg system configuration file. The following example stanza in /etc/security/pwdalg.cfg defines a LPA named ssha256:

ssha256:
    lpa_module = /usr/lib/security/ssha
    lpa_options = algorithm=sha256

A system administrator can set a system-wide password algorithm by selecting an LPA as the password hashing algorithm. There can only be one active system password algorithm at a time. The system password algorithm is defined by the pwd_algorithm system attribute in the usw stanza in the /etc/security/login.cfg file.

usw:
    shells = /bin/sh,/bin/bsh,/bin/csh,/bin/ksh,/bin/tsh,/bin/ksh93
    maxlogins = 32767
    logintimeout = 60
    maxroles = 8
    auth_type = STD_AUTH
    pwd_algorithm = ssha256

The system password algorithm takes effect only for newly created passwords and changed passwords.
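
Because the new algorithm applies only to newly created and changed passwords, accounts whose passwords were set before the chsec change keep their old 8-character hashes until the password is changed again. The script below is an added example, not part of the original post or of AIX: it classifies each account in an /etc/security/passwd-style stanza file by hash scheme. It assumes LPA hashes are stored with a {name} prefix and legacy crypt hashes without one; the function names and the sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit an AIX /etc/security/passwd-style stanza file for
# accounts whose hash predates the pwd_algorithm change.

# Print "user<TAB>scheme" for every stanza that has a password attribute.
# scheme is the LPA name taken from a "{name}" prefix (assumed layout),
# "crypt" for an unprefixed legacy hash, or "none" for "*" or empty.
classify_hashes() {
    awk '
        /^[^ \t*][^ \t]*:[ \t]*$/ { user = $1; sub(/:$/, "", user); next }
        $1 == "password" && $2 == "=" {
            hash = $3
            if (hash == "" || hash == "*")        scheme = "none"
            else if (match(hash, /^[{][^}]+[}]/)) scheme = substr(hash, 2, RLENGTH - 2)
            else                                  scheme = "crypt"
            printf "%s\t%s\n", user, scheme
        }
    ' "$1"
}

# Users that still need a password change to pick up the new algorithm.
legacy_hash_users() {
    classify_hashes "$1" | awk -F'\t' '$2 == "crypt" { print $1 }'
}

# Constructed sample data; the hash strings are placeholders, not real hashes.
write_sample() {
    cat > "$1" <<'EOF'
root:
    password = {smd5}CONSTRUCTED$placeholderplaceholder
    lastupdate = 1370304000
    flags =

alice:
    password = XXconstructed
    lastupdate = 1262304000

bob:
    password = {ssha256}06$CONSTRUCTED$placeholderplaceholder

carol:
    password = YYconstructed

daemon:
    password = *
EOF
}

sample="${TMPDIR:-/tmp}/aix_passwd_sample.$$"
write_sample "$sample"
classify_hashes "$sample"
rm -f "$sample"
```

On a real system, run legacy_hash_users /etc/security/passwd as root after the chsec change; the accounts it lists are still limited to 8 significant characters until their passwords are set again.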
