The 'pwdadm' command manages users' passwords.
For example, the command 'pwdadm -c username' clears the various flags set for the user 'username'.
The official syntax for version 7.1 is given below:
pwdadm Command
Purpose
Administers users' passwords.
Syntax
pwdadm [ -R load_module] [ -f Flags | -q | -c ] User
Description
The pwdadm command administers users' passwords. The root user or a member of the security group can supply or change the password of the user
specified by the User parameter. The invoker of the command must provide a password when queried before being allowed to change the other
user's password. When the command executes, it sets the ADMCHG attribute. This forces the user to change the password the next time a su
command is given for the user.
Note: The behavior described for this command is for a local user. For users defined in a remote domain, attributes will be retrieved and
stored in the remote domain rather than in the local files.
Root users and members of the security group should not change their personal password with this command. The ADMCHG attribute would require
them to change their password again the next time a login command or an su command is given for the user. Only the root user or a user with
PasswdAdmin authorization can change password information for administrative users, who have the admin attribute set to true in the
/etc/security/user file.
Only the root user, a member of the security group, or a user with PasswdManage authorization can supply or change the password of the user
specified by the User parameter.
When this command is executed, the password field for the user in the /etc/passwd file is set to ! (exclamation point), indicating that an
encrypted version of the password is in the /etc/security/passwd file. The ADMCHG attribute is set when the root user or a member of the
security group changes a user's password with the pwdadm command.
A new password must be defined according to the rules in the /etc/security/user file, unless the -f NOCHECK flag is included. Only 7-bit
characters are supported in passwords. By including the -f flag with the pwdadm command, the root user or a member of the security group can
set attributes that change the password rules. If there is no password entry in the /etc/security/passwd file when the -f flag is used, the
password field in the /etc/passwd file is set to ! (exclamation point) and an * (asterisk) appears in the password= field to indicate that no
password has been set.
The -q flag permits the root user or members of the security group to query password information. Only the status of the lastupdate attribute
and the flags attribute appear. The encrypted password remains hidden.
The -c flag clears all password flags for the user.
Flags

  -c              Clears all password flags for the user.

  -f Flags        Specifies the flags attribute of a password. The Flags variable must be from the
                  following list of comma-separated attributes:

                    NOCHECK   Signifies that new passwords need not follow the guidelines
                              established in the /etc/security/user file for password composition.

                    ADMIN     Specifies that password information may be changed only by the root
                              user. Only the root user can enable or disable this attribute.

                    ADMCHG    Resets the ADMCHG attribute without changing the user's password.
                              This forces the user to change passwords the next time a login
                              command or an su command is given for the user. The attribute is
                              cleared when the user specified by the User parameter resets the
                              password.

  -q              Queries the status of the password. The values of the lastupdate attribute and
                  the flags attribute appear.

  -R load_module  Specifies the loadable I&A module that is used to change the user's attributes.
Security
Access Control: Only the root user and members of the security group should have execute (x) access to this command. The command should have
the trusted computing base attribute and be setuid to the root user to have write (w) access to the /etc/passwd file, the /etc/security/passwd
file, and other user database files.
Files Accessed:

  Mode   File
  rw     /etc/passwd
  rw     /etc/security/passwd
  r      /etc/security/user
Auditing Events:

  Event             Information
  PASSWORD_Change   user
  PASSWORD_Flags    user, flags
Attention RBAC users and Trusted AIX users: This command can perform privileged operations. Only privileged users can run privileged
operations. For more information about authorizations and privileges, see Privileged Command Database in Security. For a list of privileges
and the authorizations associated with this command, see the lssecattr command or the getcmdattr subcommand.
Examples
1. To set a password for user susan, a member of the security group enters:
     pwdadm susan
   The user who invoked the command is prompted for a password before Susan's password can be changed.
2. To query the password status for user susan, a member of the security group enters:
     pwdadm -q susan
   This command displays values for the lastupdate attribute and the flags attribute. The following example shows what appears when the
   NOCHECK and ADMCHG flags attributes are in effect:
     susan:
             lastupdate=
             flags= NOCHECK,ADMCHG
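The stanza layout that 'pwdadm -q' prints is what an administrator has to parse when auditing which accounts carry the NOCHECK (composition rules bypassed) or ADMCHG (forced change pending) flags. The script below is an added example, not part of the AIX documentation; it works on constructed sample output so it runs without an AIX host, and it accepts both the "flags= X" spacing shown above and the "flags = X" spacing.

```shell
#!/bin/sh
# Added example (not from the AIX documentation): parse 'pwdadm -q' stanzas
# and report password flags per user. Sample output below is constructed.
# On AIX, feed real output: pwdadm -q "$user" | has_flag "$user" NOCHECK

# Constructed sample in the stanza layout the man page shows.
SAMPLE_PWDADM_OUTPUT='susan:
        lastupdate = 1700000000
        flags = NOCHECK,ADMCHG
bob:
        lastupdate = 1690000000
        flags =
alice:
        lastupdate = 1695000000
        flags = ADMIN'

# flags_for USER: read stanzas on stdin and print USER's flags attribute
# (comma-separated, possibly empty). Exits 1 if USER has no stanza.
flags_for() {
    awk -v user="$1" '
        /^[^[:space:]].*:$/ { cur = substr($0, 1, length($0) - 1); next }
        cur == user && /^[[:space:]]*flags[[:space:]]*=/ {
            sub(/^[[:space:]]*flags[[:space:]]*=[[:space:]]*/, "")
            sub(/[[:space:]]+$/, "")
            print; found = 1; exit
        }
        END { exit (found ? 0 : 1) }'
}

# has_flag USER FLAG: succeed only if FLAG is one of USER's flags (stdin = pwdadm output).
has_flag() {
    flags_for "$1" | tr ',' '\n' | grep -qx "$2"
}

# users_with_flag FLAG: list every user in the stdin stanzas carrying FLAG.
# e.g. users_with_flag NOCHECK finds accounts exempt from /etc/security/user rules.
users_with_flag() {
    awk -v want="$1" '
        /^[^[:space:]].*:$/ { cur = substr($0, 1, length($0) - 1); next }
        /^[[:space:]]*flags[[:space:]]*=/ {
            sub(/^[[:space:]]*flags[[:space:]]*=[[:space:]]*/, "")
            n = split($0, f, ",")
            for (i = 1; i <= n; i++) if (f[i] == want) print cur
        }'
}

# Usage on the constructed sample: lists "susan".
printf '%s\n' "$SAMPLE_PWDADM_OUTPUT" | users_with_flag NOCHECK
```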
Files

  /usr/bin/pwdadm        Contains the pwdadm command.
  /etc/security/passwd   Contains password information.