Users and groups

• Users are the primary agents on the system.
• The user supplies the user name of an account and a password, if the account has one.
• The /etc/passwd and /etc/security/passwd files maintain user passwords.
• Groups are collections of users who can share access permissions for protected resources.
• The creator of the group is usually the first administrator.

There are three types of groups:
User groups
• User groups should be made for people who need to share files on the system, such as people who work in the same department or people who are working on the same project.
• In general, create as few user groups as possible.

System administrator groups
• System administrator groups correspond to the SYSTEM group.
• SYSTEM group membership allows an administrator to perform some system maintenance tasks without having to operate with root authority.
System-defined groups
• There are several system-defined groups.
• The STAFF group is the default group for all non-administrative users created in the system.
• You can change the default group by using the chsec command to edit the /usr/lib/security/mkuser.default file.
• The SECURITY group is a system-defined group having limited privileges for performing security administration.

User and group attributes
• An attribute is a characteristic of a user or a group that defines the type of functions that the user or group can perform.
• These can be extraordinary privileges, restrictions, and processing environments assigned to a user.
• Their attributes control their access rights, their environment, how they are authenticated, and how, when, and where their accounts can be accessed.
User administration commands

The following are a few of the important commands used for user administration:

  mkuser    Creates a new user.
  passwd    Creates or changes the password of a user.
  chuser    Changes user attributes (except the password).
  lsuser    Lists user attributes.
  rmuser    Removes a user and its attributes.
  chsec     Changes security-related stanzas.
  login     Initiates a user session.
  who       Identifies the users currently logged in.
  dtconfig  Enables or disables the desktop autostart feature.
User administration files

  /etc/security/environ             Contains the environment attributes for users.
  /etc/security/lastlog             Contains the last login attributes for users.
  /etc/security/limits              Contains process resource limits for users.
  /etc/security/user                Contains extended attributes for users.
  /usr/lib/security/mkuser.default  Contains the default attributes for new users.
  /usr/lib/security/mkuser.sys      Customizes new user accounts.
  /etc/passwd                       Contains the basic attributes of users.
  /etc/security/passwd              Contains password information.
  /etc/security/login.cfg           Contains configuration information for login and user authentication.
  /etc/utmp                         Contains the record of users logged into the system.
  /var/adm/wtmp                     Contains connect-time accounting records.
  /etc/security/failedlogin         Records all failed login attempts.
  /etc/motd                         Contains the message to be displayed every time a user logs in to the system.
  /etc/environment                  Specifies the basic environment for all processes.
  /etc/profile                      Specifies additional environment settings for all users.
  $HOME/.profile                    Specifies environment settings for specific user needs.
  /etc/group                        Contains the basic attributes of groups.
  /etc/security/group               Contains the extended attributes of groups.


/etc/security/environ
• This is an ASCII file that contains stanzas with the environment attributes for users.
• Attributes are in the form Attribute=Value.
• The mkuser command creates a user stanza in this file.
• The chuser command can change these attributes.
• The lsuser command can display them.
• The rmuser command removes the entire record for a user.

/etc/security/lastlog
• Contains stanzas with the last login attributes for users.
• Each stanza is identified by a user name and contains attributes in the Attribute=Value form.

/etc/security/limits
• Specifies the process resource limits for each user.

/etc/security/user
• Contains extended user attributes identified by a user name, followed by a colon (:), and contains comma-separated attributes in the Attribute=Value form.
Password attributes in /etc/security/user

• The /etc/security/user file contains many attributes that allow you to control how users must manage their passwords.
• These attributes include:

  histsize    Defines the number of previous passwords a user cannot reuse. The value is a decimal integer string. The default is 0.
  histexpire  Defines the period of time (in weeks) that a user cannot reuse a password. The value is a decimal integer string. The default is 0, indicating that no time limit is set.
  maxexpired  Defines the maximum time (in weeks) beyond the maxage value that a user can change an expired password.
    - After this defined time, only an administrative user can change the password.
    - The value is a decimal integer string. The default is -1, indicating that no restriction is set.
    - If the maxexpired attribute is 0, the password expires when the maxage value is met.
    - If the maxage attribute is 0, the maxexpired attribute is ignored.
  maxage      Defines the maximum age (in weeks) of a password. The password must be changed by this time.
    - The value is a decimal integer string. The default is 0, indicating no maximum age.
  minage      Defines the minimum age (in weeks) a password must be before it can be changed.
    - The value is a decimal integer string. The default is 0, indicating no minimum age.
  minlen      Defines the minimum length of a password.
    - The value is a decimal integer string. The default is 0, indicating no minimum length.
    - The maximum value allowed is 8.
    - The effective value of minlen is determined by adding the minalpha value to the minother value. If the result of this addition is greater than the minlen attribute, the minimum length is set to the result.
  minalpha    Defines the minimum number of alphabetic characters that must be in a new password.
    - The value is a decimal integer string. The default is 0, indicating no minimum number.
  minother    Defines the minimum number of non-alphabetic characters that must be in a new password.
    - The value is a decimal integer string. The default is 0, indicating no minimum number.
  maxrepeats  Defines the maximum number of times a character can be repeated in a new password.
    - Since a value of 0 is meaningless, the default value of 8 indicates that there is no maximum number. The value is a decimal integer string.
  mindiff     Defines the minimum number of characters required in a new password that were not in the old password.
    - The value is a decimal integer string. The default is 0, indicating no minimum number.
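As an added example (not part of the original material), the following Python code parses a constructed stanza text in the layout of /etc/security/user, resolves a user's effective attributes over the default stanza, and checks a proposed password against the minlen, minalpha, minother, maxrepeats and mindiff rules described above, including the minlen = minalpha + minother adjustment. The sample users, the stanza text and the character-counting reading of each rule are assumptions made for the example.

```python
# Constructed sample in the stanza layout of /etc/security/user (not a real system file).
SAMPLE_USER_FILE = """\
default:
        minlen = 0
        minalpha = 0
        maxrepeats = 8

alice:
        minlen = 6
        minalpha = 4
        minother = 3
        maxrepeats = 2
        mindiff = 3
"""

def parse_stanzas(text):
    """Parse 'name:' headers followed by 'attr = value' lines into nested dicts."""
    stanzas, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("*"):  # blank or comment line
            continue
        if not line[0].isspace() and line.rstrip().endswith(":"):
            current = line.rstrip()[:-1]
            stanzas[current] = {}
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            stanzas[current][key.strip()] = value.strip()
    return stanzas

def effective_attrs(stanzas, user):
    """A user's own stanza overrides the 'default' stanza; values are decimal integers."""
    attrs = dict(stanzas.get("default", {}))
    attrs.update(stanzas.get(user, {}))
    return {k: int(v) for k, v in attrs.items()}

def check_password(new_pw, old_pw, a):
    """Return the names of the attributes a proposed password violates ([] = acceptable)."""
    # minlen is raised to minalpha + minother when that sum is larger.
    minlen = max(a.get("minlen", 0), a.get("minalpha", 0) + a.get("minother", 0))
    alpha = sum(c.isalpha() for c in new_pw)
    maxrepeats = a.get("maxrepeats", 8)  # 8 means no maximum
    checks = [
        ("minlen", len(new_pw) < minlen),
        ("minalpha", alpha < a.get("minalpha", 0)),
        ("minother", len(new_pw) - alpha < a.get("minother", 0)),
        ("maxrepeats", maxrepeats != 8 and any(new_pw.count(c) > maxrepeats for c in set(new_pw))),
        ("mindiff", len(set(new_pw) - set(old_pw)) < a.get("mindiff", 0)),
    ]
    return [name for name, failed in checks if failed]
```

Note that the code does not enforce the upper bound of 8 on minlen; it only mirrors how the per-attribute rules combine.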
/usr/lib/security/mkuser.default
• This file contains the default attributes for new users.

/usr/lib/security/mkuser.sys
• This file is an ASCII file of runnable commands that is called by the mkuser command.

/etc/passwd
• This is an ASCII file that contains an entry for each user.
• The password field can contain an asterisk (*), indicating an invalid password, or an exclamation point (!), indicating that the password is in the /etc/security/passwd file.
• Under normal conditions, the field contains an exclamation point (!).
• If the field has an asterisk (*) and a password is required for user authentication, the user cannot log in.
• The mkuser command adds new entries to the /etc/passwd file and fills in the attribute values as defined in the /usr/lib/security/mkuser.default file.
• You can set the password with the passwd or pwdadm command.
• The chfn command and the chsh command change the Gecos attribute and the Shell attribute, respectively.

/etc/security/passwd
• Although each user name must be in the /etc/passwd file, it is not necessary to have each user name listed in the /etc/security/passwd file.
/etc/security/login.cfg
• This is an ASCII file that contains stanzas of configuration information for login and user authentication.
• There are three types of stanzas:
  port  Defines the login characteristics of ports.
  user  Defines the authentication methods for users.
  usw   Defines programs that change user attributes.
     
/etc/utmp, /var/adm/wtmp, and /etc/security/failedlogin
• The utmp file, the wtmp file, and the failedlogin file contain records with user and accounting information.
• When a user successfully logs in, the login program writes entries in two files:
  * The /etc/utmp file, which contains a record of users logged into the system. The who command processes the /etc/utmp file; if this file is corrupted or missing, the who command generates no output.
  * The /var/adm/wtmp file (if it exists), which contains connect-time accounting records.
• On an invalid login attempt, the login program makes an entry in the /etc/security/failedlogin file, which contains a record of unsuccessful login attempts.
 

/etc/motd
• The message of the day is contained in the /etc/motd file.
 

/etc/environment
• The /etc/environment file contains variables specifying the basic environment for all processes.
• The following are a few of the variables that make up part of the basic environment:
  - HOME     The full path name of the user's login or HOME directory. The login program sets this to the directory specified in the /etc/passwd file.
  - LANG     The locale name currently in effect. The LANG variable is set in the /etc/environment file at installation time.
  - NLSPATH  The full path name for message catalogs.
  - PATH     The sequence of directories that commands search when looking for a command whose path name is incomplete. The directory names are separated by colons.
  - LPDEST   The printer to use when a print-related command does not specify a destination printer.
  - TERM     The terminal type.
  - EDITOR   The default editor to be used by various commands that perform editing functions.
  - TZ       The time zone information. The TZ environment variable is set by the /etc/environment file.
  
/etc/profile and $HOME/.profile
• The /etc/profile file contains further environment variables, as well as any commands to run, that apply to all users.
• It controls settings such as:
  * Exported variables
  * File creation mask (umask)
  * Terminal types
  * Mail messages to indicate when new mail has arrived
• Use the $HOME/.profile file to control personal settings such as:
  * Shells to open
  * Default editor
  * Default printer
  * Prompt appearance
  * Keyboard sound
Creating a user account: mkuser

• The mkuser command creates a new user account.
• The new account is disabled until the passwd (or pwdadm) command is used to add authentication information to the /etc/security/passwd file.
Setting a password: passwd

• The passwd command creates an encrypted password entry in /etc/security/passwd and changes the password field of /etc/passwd from * to ! (exclamation point).
• The passwd command prompts you for your old password, if one exists and you are not the root user.
• After you enter the old password, the command prompts you twice for the new password.
Changing user attributes: chuser

• The chuser command changes attributes for the user identified by the Name parameter.
• The user name must already exist as an alphanumeric string of eight bytes or less.
• Note: Do not use the chuser command if you have a Network Information Service (NIS) database installed on your system.
Displaying user attributes: lsuser

• The lsuser command displays the user account attributes.
Removing a user account: rmuser

• The rmuser command removes the user account identified by the Name parameter.
• If the -p flag is specified, the rmuser command also removes passwords and other user authentication information.
Displaying logged-in users: who

• The who command displays information about all users currently on the local system.
Disabling logins: /etc/nologin

• If the /etc/nologin file exists, the system accepts the user's name and password, prevents the user from logging in, and displays the contents of the /etc/nologin file.
• The /etc/nologin file is removed when you reboot the system.
Changing the login shell: chsh

• The chsh command changes a user's login shell attribute.
• When you run the chsh command, the system displays a list of the available shells and the current value of the shell attribute.
Changing prompts

• The continuation prompt is changed by setting the shell's PS2 variable.
• The root prompt is changed by setting the shell's PS1 variable.
Starting the desktop manually

• The desktop can be started directly from an AIX command line.
• Starting it this way starts the desktop without bringing up the whole desktop environment.
• You will bypass the login window when you start the desktop, and when you exit, you will return to a command line rather than an AIX CDE login window.
Stopping the login manager manually

When you manually stop the login manager, all X servers and desktop sessions that the login manager started are stopped.
1. Open a terminal emulator window and log in as root.
2. Obtain the process ID of the Login Manager by entering:
   cat /var/dt/Xpid
3. Stop the Login Manager by entering:
   kill -term process_id
Review questions

1. A user is able to get a login prompt for the server but gets a failed login error message when trying to log in with an ID. Which of the following is the most likely cause of this problem?
   A. The hard drive is bad.
   B. The /home file system is full.
   C. The server is low on paging space.
   D. The user has entered an invalid ID or password.

2. Which of the following files contains UID, home directory, and shell information?
   A. /etc/passwd
   B. /etc/security/user
   C. /etc/security/environ
   D. /etc/security/passwd
 

The following answers are for the quiz questions:
1. D
2. A
3. C
4. A
5. A