USER ADMINISTRATION
Few Restrictions on the User Name:
1. User names cannot start with a
- dash or minus sign(-)
- plus sign (+)
- At symbol (@)
- Tilde (~)
- colon (:)
- single or double quotation marks( ' or ")
- hash symbol (#)
- comma (')
- equal sign
- Back or forward Slashes ( \ or /)
- Question mark (?)
- Back quote (`)
- White space (space or tab)
3. User names cannot be names ALL or default. Becoz those names are reserved for the AIX OS.
4. User names can have max. 8 characters in AIX V 5.2 or earlier. Starting with AIX 5.3, you can have a
max. of 255 characters. You can change this setting by using the below command,# chdev -l sys0 -a max_logname=255
To view the setting, use any of the below commands
# lsdev -l sys0 -a max_logname
# getconf LOGIN_NAME_MAX
/etc/passwd :
Contains the basic user configuration details like user name, password flag, uid, gid, gecos (description), home directory, shell.
/etc/security/.profile :
/etc/security/limits :
It contains all the resource limits (ulimits) for the users.
Here are the various ulimit values ...
fsize, fsize_hard - Soft and hard limit for the size of a file a user can create
core, core_hard - Soft and hard limit for the Size of core file a user can createcpu, cpu_hard - Soft and hard limit for the amount of system time allowed
data, data_hard - Soft and hard limit for the size of the process data segment
stack, stack_hard - Soft and hard limit for the size of the process stack segment
rss, rss_hard - Soft and hard limit for the physical memory allowed
nofiles, nofiles_hard - Soft and hard limit for the number of open file descriptors at one time
nproc, nproc_hard - Soft and hard limit for the number of running processes at one time
/etc/security/passwd :
This file contains the user's password information such as password, lastupdate and flags.
Here are the various flags user
ADMIN - It can be set so that only the root user can change the user's password.
ADMCHG - It can be set so that the user is prompted to change his or her password on the next login/su.
NOCHECK - It can be set so that any additional restrictions in /etc/security/user are ignored.
/etc/security/user : This file contains very very important settings for every user.
Here are the parameters configured in the file for each and every user :
account_locked - To lock the user account. This can takes values TRUE or FALSE
admin - To specify whether the user is admin or not. It can take calues TRUE or FALSE
expires - It is configured to set the expiration date for the user beyond which the user will be locked. It can take values in the format MMDDHHYY.
histexpire - To specify the # of weeks the user can't reuse a password. It can takes values between 0-260
histsize - To specify the # of passwords previously used that can't be reused. It can take values between 0-50
login - To specify whether a user can log in or not. It can take values TRUE or FALSE.
maxage - To specify the # of weeks a password is valid. It can take values between 0-52.
minage - To specify the # of weeks a user must wait before changing his or her password. It can take values between 0-52.
rlogin - To specify whether a user can be accessed remotely via telnet,ssh, ftp. It can take values TRUE or FALSE.
su - To specify whether other user can use su to access this account. It can take values TRUE or FALSE.
/etc/security/login.cfg : This file contains the message that is displayed whenever you login to the system.
You can always change it using chsec command or by editing this file directly in vi editor.
Here are the few attributes of a user which you may be interested.
id - User Identification Number is a unique i dfor every user. root user's id is always 0.
pgrp - Primary Group of a user
groups - Secondary Groups of a user. An user can belong to maximum 128 groups in AIX 5.3 and 6.1.
home - Home directory to store the user's files
shell - Shell that runs when the user login
gecos - Description or some comments about the user
There are 6 main commands used in the administration of user :
mkuser - Add a user
chuser - Change an attribtue of a user
lsuser - List the attribtues of a user
rmuser - Remove a user
passwd - To set password for a user and for various other purposes
These words can also be used as fastpaths for smitty.
For example, # smitty mkuser will open a form to create a user.
For doing the whole user administration, you can use
# smitty user and go thru the menu items for various operations.
Now let us see the commands to administrate users ...
To create a user called 'jack' with default settings and allocate the next available uid :
# mkuser jack
To create a user with home dir as /opt/$username, primay group as 'dba' :
# mkuser home=/opt/jack pgrp=dba jack
To know about the user :
# finger jack
To change the primary group for a user :
# chuser pgrp=oracle jack
To list the attributes of a user in stanza structure :
# lsuser -f jack
To list the attributes of a user delimited by comma :
# lsuser -c jack
To list home and shell attributes for the users jack and tom :
# lsuser -a shell home jack,tom
To set the password for a newly created user :
# passwd jack
To clear the flag ADMCHK for jack :
# pwdadm -c jack
If you dont do this after setting a password for jack, he will be prompted to change his password on the first login.
To change the gecoz for a user :
# passwd -f jack
To change the shell for a user :
# passwd -s jack
To list the last password update date/time and the flags for a user :
# passwd -q jack
To set the ADMIN flag for a user :
# passwd -f ADMIN jack
ADMIN flag ensures that only the root user can change the password for Jack.
To remove the user :
# rmuser jack
Note: rmsuer doesn't remove the home directory for a user.
You have to remove it may be after the backup.
To remove the user along with his password information :
# rmuser -p jack
To list the currently logged in users :
# who
Note: This command will show the contents of /etc/utmp which is a binary file.
To list the login and logout information for the machine :
# last
Note: This command will show the contents of /var/adm/wtmp file, which is a binary file. Over a period of time, this file will occupy the /var file system a lot. Hence nullify the file once in a 6 months or depending upon the # of login/logout actions in the system.
To clear(nullify) the wtmp file, you can use any of the below commands
# cp /dev/null /var/adm/wtmp
# > /var/adm/wtmp
To change the default message(herald) that is shown after user login :
# chsec -f /etc/security/login.cfg -a default -herald
As a user, you have to protect (lock) your terminal whenever you go for a coffee break.
# lock -> To lock your telnet or ssh terminal
If you use XWindowsm you can use the below command
# xlock
20. Sometimes you may want to login as root to execute some admin commands. For this you dont have to logout from current user and login as root.You can use su command to swtich user and execute the commands and say 'exit' to come out of the su window.
To su to root, you can use any of the below commands
# su - root
# su -
To su to other user called tom,
# su - tom
These su operations are logged into /var/adm/sulog file. You have to nullify this file on certain period of time to make some space in /var file system.
How to disable direct root login via telnet and ssh ?
To disable direct root login thru telnet or ssh, you have to set 'rlogin' attribtue for root user to false.
You can use the below command to do so.
# chuser rlogin=false root
How to enforce automatic logoff after certain timeout period ?
To enforce automatic logoff after timeout period of 10 minutes, enter the following line in /etc/security/.profile after the AIX installation.
TMOUT=600 ; TIMEOUT=600 ; export readonly TMOUT TIMEOUT
I will update this blog whenever I come across other commands.
We will talk about group administration in the next part.
Thanks for visiting.
- Raja
12 comments:
Hi.. I'm Rumesh.. I'm learning AIX for past couple of months..
i think all d information in this blog is useful for beginners & im following this blog..
Thank'u'
Rajarathinam Sivasankaran
Hi,
Where can we get some useful videos for AIX ???
can you give some link ???
Thanks in advance....
DAMU
HI
i have a few doubts. how to grant root privilage to the ordinary user.
thanks in advance.
mohanram
mohanram634@gmail.com
@ RAGAZA
You can add the user into SYSTEM group so that he can become a admin user. Or you can specify "-a" flag while creating the user, so that he will be created as an admin user.
Practically we can create duplicated root users, by creating users with UID=0. But this not a recommended way.
@DAMU - You can see few aix videos in my blog or in my youtube site http://youtube/toughindian
Please add the command to check failed logins.
who -a /etc/security/failedlogin
This blog is simply superb. Almost all the topics have been covered.
Thank you so much.
Regards,
Bala.
hi raj
can you tell me how to reset the root password in AIX
i forgot the root password
Thanks
Mahesh
@ Mahesh,
You need to boot from CD/DVD/NIM and follow the below steps
Maintenance
Start Limited Shell
getrootfs hdisk0
vi /etc/security/passwd
then remove the password entry for root.
Now you can reboot your server and login as root with no password.
Don't forget to set a new pasword for root before logging out.
Will it work Vi editor on Maintenance Mode with out setting up any terminal
Hi
I have small question for vi editor will it work on Maintenance mode.. Because i tried to edit on /etc/filesystems .. but it won't work for me .. After setting up terminal as well
This should work.
export TERM=vt100
Hi Raja
Do you provide job support and training on AIX
Regards
justin
usa
Post a Comment