Administering user accounts

Controlling password selection

Password selection constraints give the administrator these capabilities:

Allowing accounts without passwords

In the Account Manager, select a user name, then select Password Restrictions from the Users menu, then select Selection.

To permit a user to log in without a password, set Password Required to No. Accounts without passwords are a major security risk. To use the system default value, set it to Default.

To change the system default value, use this command line:

usermod -D -x "{passwdNullAllowed value}"

where value is either 1 (no password required) or 0 (a password is required).

You can change the value for an individual user with the usermod(ADM) command by omitting the -D option and appending the user name to the above command.


WARNING: Removing the requirement for passwords does not delete existing passwords. The administrator must change each password as described in ``Setting or changing a user password'' and set the password to blank, or use the passwd(C) command line.

Preventing users from changing their passwords

In the Account Manager, select a user name, then select Password Restrictions from the Users menu, then select Selection.

Set User can choose own to No. Users will then have to get passwords from the accounts administrator when their passwords expire, or the password generator will create them. To use the system default value, set it to Default.

To change the system default value, use this command line:

usermod -D -x "{passwdChooseOwn value}"

where value is either 1 (users can choose their own password) or 0 (a password is supplied by the administrator or the password generator).

You can change the value for an individual user with the usermod(ADM) command by omitting the -D option and appending the user name to the above command.

Allowing users to generate passwords

In the Account Manager, select a user name, then select Password Restrictions from the Users menu, then select Selection.

You can choose to have the system generate passwords automatically for users. This guards against users picking ``obvious'' passwords that a knowledgeable intruder could guess, given some personal facts about the user.

To permit users to generate (but not choose) a new password, set User can run generator to Yes. To use the system default value, set it to Default.

To change the system default value, use this command line:

usermod -D -x "{passwdRunGenerator value}"

where value is either 1 (the user can run the generator) or 0 (the user cannot).

You can change the value for an individual user with the usermod(ADM) command by omitting the -D option and appending the user name to the above command.

Restricting password obviousness

An important part of password control is ensuring that passwords are difficult to guess without being too complex to remember. You can prevent users from using passwords that are too easy to guess, like dictionary words or system names.

In the Account Manager, select a user name, then select Password Restrictions from the Users menu, then select Selection.

Set Check for Obviousness to Yes to run complex checks on passwords. The meaning of Yes and No varies with the security profile level chosen. To use the system default value, set it to Default. The meaning can also be set independent of the security profile as described in ``Customizing password checking''.

To change the system default value, use this command line:

usermod -D -x "{passwdCheckedForObviousness value}"

where value is either 1 (use complex checks) or 0 (use less restrictive checks).

You can change the value for an individual user with the usermod(ADM) command by omitting the -D option and appending the user name to the above command.

Password checking by security profile

Security defaults    Check for Obviousness: No    Check for Obviousness: Yes
Low                  -                            -
Traditional          System V                     System V-plus
Improved/High        goodpw weak                  goodpw strong

System V (traditional UNIX System V checking) checks that a password:


System V-plus (System V with additions) checks that a password is:

goodpw weak checks that a password does:

goodpw strong (goodpw weak plus additional checks) checks that a password:


The goodpw(ADM) checks are defined in the /etc/default/goodpw file and supplemented or modified by files in the /usr/lib/goodpw directory. Refer to ``Customizing password checking'' for more information.


NOTE: Obviousness checking will prevent certain penetrations based on dictionary checking, but such repeated break-in attempts are better controlled with login limits -- see ``Setting login restrictions on terminals''. Obviousness checks increase the time required to change a password.

For information on using the command line interface, see the usermod(ADM) manual page.

Customizing password checking

The goodpw(ADM) utility also allows you to customize password checking. The file /etc/default/goodpw contains the password control settings. These settings allow you to specify if passwords are checked against dictionary words, word rotations, and user, group, and system names.


NOTE: Password checking can also be set by editing /etc/default/passwd and changing the value of GOODPW as follows:

YES     use goodpw
NO      use standard UNIX system checking
NONE    perform no password checking


You can also define regular expressions (character combinations and arrangements) that all passwords must match (or not match) with the files /usr/lib/goodpw/match and /usr/lib/goodpw/reject, respectively. See goodpw(ADM) for more information.

Setting password length

Password length is controlled by three parameters:

The maximum length of non-generated passwords is 80 characters.

To reconfigure the minimum length, change the value of PASSLENGTH in /etc/default/passwd. If PASSLENGTH is removed from the file or is set to an asterisk (PASSLENGTH=*), the value is calculated by the system; see ``Restricting password obviousness'' for more information.
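
The following audit script is an added example, not part of the original SCO documentation. It reads the GOODPW and PASSLENGTH settings described above from a file in the style of /etc/default/passwd and reports how each one affects password checking. It assumes KEY=VALUE lines with # comments; the SITE_MIN threshold and the function names are hypothetical, and the sample file is constructed.

```shell
#!/bin/sh
# Added example: audit GOODPW and PASSLENGTH in an /etc/default/passwd-style file.
# Assumptions: KEY=VALUE lines, '#' starts a comment, SITE_MIN is a hypothetical site policy.
SITE_MIN=${SITE_MIN:-8}

# get_setting FILE KEY: print the last value assigned to KEY (empty if unset).
get_setting() {
    sed -n -e 's/[[:space:]]*#.*$//' -e "s/^[[:space:]]*$2=//p" "$1" |
        tail -n 1 | tr -d '[:space:]'
}

# check_goodpw FILE: map the GOODPW value to the behaviour the page documents.
check_goodpw() {
    case "$(get_setting "$1" GOODPW)" in
        YES)  echo "OK GOODPW=YES: goodpw checks in use" ;;
        NO)   echo "WARN GOODPW=NO: standard UNIX system checking only" ;;
        NONE) echo "FAIL GOODPW=NONE: no password checking" ;;
        "")   echo "WARN GOODPW unset: confirm which checker is in effect" ;;
        *)    echo "FAIL GOODPW has an unrecognised value" ;;
    esac
}

# check_passlength FILE: classify the minimum password length setting.
check_passlength() {
    len=$(get_setting "$1" PASSLENGTH)
    case "$len" in
        ""|"*")   echo "INFO PASSLENGTH is calculated by the system" ;;
        *[!0-9]*) echo "FAIL PASSLENGTH is not a number" ;;
        *)  if [ "$len" -gt 80 ]; then
                echo "FAIL PASSLENGTH=$len exceeds the 80-character maximum"
            elif [ "$len" -lt "$SITE_MIN" ]; then
                echo "WARN PASSLENGTH=$len is below the site minimum of $SITE_MIN"
            else
                echo "OK PASSLENGTH=$len"
            fi ;;
    esac
}

audit_passwd_defaults() { check_goodpw "$1"; check_passlength "$1"; }

# Constructed sample input, not taken from a real system.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed /etc/default/passwd
PASSLENGTH=5
GOODPW=NONE   # checking disabled
EOF
audit_passwd_defaults "$sample"
rm -f "$sample"
```

To audit a live system, call audit_passwd_defaults with the path /etc/default/passwd instead of the sample file.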

You can configure the generated length for individual users with the Account Manager. Select a user name, then select Password Restrictions from the Users menu, then select Selection.

To change the system default value, use this command line:

usermod -D -x "{passwdGeneratedLength value}"

where value has a maximum value of 80.

You can change the value for an individual user with the usermod(ADM) command by omitting the -D option and appending the user name to the above command.


© 2007 The SCO Group, Inc. All rights reserved.
SCO OpenServer Release 6.0.0 -- 05 June 2007