Fix user accounts

Categories: AIX, Security, System Admin
Security guidelines nowadays can be annoying. Within many companies people have to comply with strict security rules regarding password expiration settings, password complexity and system security settings. All these settings and regulations more often than not result in people getting locked out of their accounts on AIX systems, and getting frustrated at the same time.
To help your users, you can't go and change the default security settings on the AIX systems. Your auditor will make sure you don't do that. Instead, there are some "tricks" you can use to ensure that a user account is (and stays) available to your end user. We've put all those tricks together in one simple script that can fix a user account, and we called it fixuser.ksh. It will fix 99% of all user-related login issues.
You can run this script as often as you like and for any user that you like. It will help you to ensure that a user account is not locked, that AIX won't bug the user to change their password, that the user doesn't have a failed login count (from typing too many passwords), and a bunch of other stuff that usually will keep your users from logging in and getting pesky "Access Denied" messages.
The script will not alter any default security settings, and it can easily be adjusted to run for several user accounts, or it can be run from a crontab so user accounts stay enabled for your users. The script is a win-win situation for everyone: your auditor is happy, because security settings are strict on your system; your users are happy because they can just log in without any hassle; and the sys admin is happy for not having to resolve login issues manually anymore.
The script can be run by entering a specific user account:
# fixuser.ksh username
The script:
#!/usr/bin/ksh
#
# fixuser.ksh - reset the attributes that usually keep a user from logging in.
# Usage: fixuser.ksh username

fixit() {
    user=${1}

    # Unlock account
    printf "Unlocking account for ${user}..."
    chuser account_locked=false ${user}
    echo " Done."

    # Reset failed login count
    printf "Reset failed login count for ${user}..."
    chuser unsuccessful_login_count=0 ${user}
    echo " Done."

    # Reset expiration date
    printf "Reset expiration date for ${user}..."
    chuser expires=0 ${user}
    echo " Done."

    # Allow the user to login
    printf "Enable login for ${user}..."
    chuser login=true ${user}
    echo " Done."

    # Allow the user to login remotely
    printf "Enable remote login for ${user}..."
    chuser rlogin=true ${user}
    echo " Done."

    # Reset maxage to the system default (in weeks) from /etc/security/user
    printf "Reset the maxage for ${user}..."
    m=`lssec -f /etc/security/user -s default -a maxage | cut -f2 -d=`
    chuser maxage=${m} ${user}
    echo " Done."

    # Clear password change requirement (the ADMCHG flag)
    printf "Clear password change requirement for ${user}..."
    pwdadm -c ${user}
    echo " Done."

    # Reset password last update: backdate it by the default minage (in weeks)
    # plus a margin, so minage does not stop the user from changing the password
    printf "Reset the password last update for ${user}..."
    let sinceepoch=`perl -e 'printf(time)' | awk '{print $1}'`
    n=`lssec -f /etc/security/user -s default -a minage | cut -f2 -d=`
    let myminsecs="${n}*7*24*60*60"
    let myminsecs="${myminsecs}+1000"
    let newdate="${sinceepoch}-${myminsecs}"
    chsec -f /etc/security/passwd -s ${user} -a lastupdate=${newdate}
    echo " Done."
}

# A username is required; without one, "id" would report the caller's own
# account and the chuser calls below would run without a user name
unset user
if [ -z "${1}" ] ; then
    echo "Usage: $0 username"
    exit 1
fi
user=${1}

# If the user exists, fix that user account
unset myid
myid=`id ${user} 2>/dev/null`
if [ ! -z "${myid}" ] ; then
    echo "Fixing account ${user}..."
    fixit ${user}
    # Note: pwdhist.pag/pwdhist.dir hold the password history of all users,
    # so this step clears the history for everyone, not only for ${user}
    printf "Remove password history..."
    cp /dev/null /etc/security/pwdhist.pag 2>/dev/null
    cp /dev/null /etc/security/pwdhist.dir 2>/dev/null
    echo " Done."
else
    echo "User ${user} does not exist."
    exit 1
fi
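Before resetting every attribute, it helps to see which one is actually keeping the user out, so that the change you make is the smallest one and the one you can explain to the auditor. The following is an added example, not part of the original post or of fixuser.ksh: a small POSIX sh script that reads the same attributes fixuser.ksh resets (via lsuser) and reports only the ones that block the login, and that computes the backdated lastupdate value the script writes, from the same minage-in-weeks formula. The function names diagnose_line, diagnose_user and backdated_lastupdate are hypothetical, the sample lsuser output lines are constructed, and the script assumes lsuser prints "username attr=value attr=value ..." on one line; on a host without lsuser it falls back to the constructed sample.

```shell
#!/bin/sh
# Added example (not from the original post): report which login-blocking
# attributes are set for a user before running fixuser.ksh.
# Assumption: "lsuser -a attr... user" prints "user attr1=value attr2=value ...".

# Constructed sample lines in the assumed lsuser output format (hypothetical user jdoe)
SAMPLE_BLOCKED="jdoe account_locked=true unsuccessful_login_count=3 expires=0 login=true rlogin=false"
SAMPLE_OK="jdoe account_locked=false unsuccessful_login_count=0 expires=0 login=true rlogin=true"

# Parse one lsuser output line and print one finding per blocking attribute,
# together with the chuser setting fixuser.ksh uses to clear it.
# Returns 0 when nothing blocks the login, 1 otherwise.
diagnose_line() {
    line="$1"
    blocked=0
    # Drop the leading username, leaving the attr=value pairs
    attrs=${line#* }
    for pair in $attrs; do
        key=${pair%%=*}
        val=${pair#*=}
        case "$key" in
            account_locked)
                if [ "$val" = "true" ]; then
                    echo "account is locked (chuser account_locked=false)"; blocked=1
                fi ;;
            unsuccessful_login_count)
                if [ "$val" -gt 0 ] 2>/dev/null; then
                    echo "failed login count is $val (chuser unsuccessful_login_count=0)"; blocked=1
                fi ;;
            expires)
                if [ "$val" != "0" ]; then
                    echo "account expires at $val (chuser expires=0)"; blocked=1
                fi ;;
            login)
                if [ "$val" = "false" ]; then
                    echo "local login disabled (chuser login=true)"; blocked=1
                fi ;;
            rlogin)
                if [ "$val" = "false" ]; then
                    echo "remote login disabled (chuser rlogin=true)"; blocked=1
                fi ;;
        esac
    done
    return $blocked
}

# Query the live system when lsuser exists (AIX); otherwise use the constructed sample
diagnose_user() {
    if command -v lsuser >/dev/null 2>&1; then
        diagnose_line "$(lsuser -a account_locked unsuccessful_login_count expires login rlogin "$1")"
    else
        echo "lsuser not available; using constructed sample for $1" >&2
        diagnose_line "$SAMPLE_BLOCKED"
    fi
}

# The lastupdate value fixuser.ksh writes: now minus the default minage
# (given in weeks, as in /etc/security/user) converted to seconds, minus a 1000 s margin
backdated_lastupdate() {
    now="$1"; minage_weeks="$2"
    echo $(( now - (minage_weeks * 7 * 24 * 60 * 60 + 1000) ))
}

# Usage: sh diagnose_user.sh jdoe
if [ -n "${1:-}" ]; then
    if diagnose_user "$1"; then
        echo "nothing blocks the login of $1"
    fi
fi
```

Run it with a username to get a per-attribute report; a user that it reports clean but who still cannot log in is outside the set of attributes fixuser.ksh touches (for example a password that is simply wrong), which saves resetting attributes for nothing.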