aix ibm disabled accounts

pma111
Does AIX IBM have the same equivalent as a disabled account on a server, i.e. those that can't be used to log in to the server? If yes, can you elaborate on how you can determine if the accounts are live or disabled/can't be used for login?
Most Valuable Expert 2013
Top Expert 2013
Commented:
Hi,

it's very similar to other Unix/Linux implementations.

There is the /etc/passwd file and there is the file /etc/security/passwd which is the equivalent to /etc/shadow on other systems.

If the second colon-separated field of an entry in /etc/passwd contains an asterisk ("*"), this indicates an invalid password and the concerned user cannot log in.

If the same field contains an exclamation point ("!"), this indicates that there is an entry in /etc/security/passwd for that user.

This file contains the encrypted passwords (and the last update timestamps plus several flags).
Here, too, the password can be "*" which means that the user cannot log in.

Besides that we have an "account_locked" attribute in AIX. Such attributes are stored in /etc/security/user, can be viewed with "lsuser <username>" and can be set with "chuser <attribute>=<value> <username>".

Finally, we can set an account "expiration" date in /etc/security/user past which the user cannot log in anymore. This can also be viewed with "lsuser" and set with "chuser".
You can forcibly expire an account by setting the expiration date to "0101000070" (MMDDHHMMYY format).
wmp
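
The checks listed in the answer above, combined into one offline audit over copies of /etc/passwd, /etc/security/passwd and /etc/security/user. This is an added example, not part of the original thread: the function names and sample data are constructed, and the `default` stanza fallback, `*` comment lines, the `true`/`yes`/`always` values and the two-digit-year pivot are assumptions about AIX conventions that the thread does not state.

```python
from datetime import datetime

def parse_stanzas(text):
    """AIX stanza file: a 'name:' header followed by 'attr = value' lines."""
    stanzas, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if not line or line.startswith("*"):  # blank line or '*' comment (assumed)
            continue
        if line.endswith(":") and "=" not in line:
            current = stanzas.setdefault(line[:-1], {})
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return stanzas

def expired(expires, now):
    """expires is MMDDhhmmyy; 0 means no expiration date is set."""
    if expires in ("", "0"):
        return False
    mo, dd, hh, mi, yy = (int(expires[i:i + 2]) for i in range(0, 10, 2))
    year = 1900 + yy if yy >= 70 else 2000 + yy  # assumed two-digit-year pivot
    return datetime(year, mo, dd, hh, mi) <= now

def login_blockers(passwd, sec_passwd, sec_user, now):
    """Map each user in passwd text to the reasons (if any) it cannot log in."""
    shadow, attrs = parse_stanzas(sec_passwd), parse_stanzas(sec_user)
    report = {}
    for name, pwfield in (l.split(":")[:2] for l in passwd.splitlines() if l.count(":") >= 6):
        user = {**attrs.get("default", {}), **attrs.get(name, {})}  # user overrides default
        reasons = []
        if pwfield == "*":
            reasons.append("* in /etc/passwd")
        elif pwfield == "!" and shadow.get(name, {}).get("password") == "*":
            reasons.append("* in /etc/security/passwd")
        if user.get("account_locked", "false").lower() in ("true", "yes", "always"):
            reasons.append("account_locked")
        if expired(user.get("expires", "0"), now):
            reasons.append("expired")
        report[name] = reasons
    return report

# Constructed sample data, not taken from a real system.
PASSWD = ("alice:!:201:1::/home/alice:/usr/bin/ksh\nbob:!:202:1::/home/bob:/usr/bin/ksh\n"
          "carol:*:203:1::/home/carol:/usr/bin/ksh\ndave:!:204:1::/home/dave:/usr/bin/ksh\n"
          "erin:!:205:1::/home/erin:/usr/bin/ksh\n")
SEC_PASSWD = ("alice:\n\tpassword = constructedHashA\nbob:\n\tpassword = *\n"
              "dave:\n\tpassword = constructedHashD\nerin:\n\tpassword = constructedHashE\n")
SEC_USER = ("* constructed example\ndefault:\n\taccount_locked = false\n\texpires = 0\n"
            "dave:\n\taccount_locked = true\nerin:\n\texpires = 0101000070\n")
```

Calling `login_blockers(PASSWD, SEC_PASSWD, SEC_USER, datetime.now())` returns an empty list for an account that can log in and one reason per blocking condition otherwise.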

Author

Commented:
Thanks, if the user is locked, but has a weak password, is there any risk whatsoever, if that account can be used to access the server?
Most Valuable Expert 2013
Top Expert 2013

Commented:
Locked accounts can neither be used for login nor for ssh/ftp/rsh/rcp and so on.

The only exception is that root (and only root) can "su" to this user, whether it's locked or not.

Since root doesn't need a password for "su" the password is irrelevant in any case, and there's no risk if it's "weak".
