view · edit · history · print

Re: AIX 6 Security Product Comments and/or Questions

Originally posted: 2007 July 13 04:22 PM

AIX 6 implemented Loadable Password Algorithm (LPA) that supports password longer than 8 characters. The following is the section in AIX Security Guide that shows how to use the LPA modules. You can following the following steps to set the system-wide password algorithm (LPA), set/change a password using passwd command, then take a look at /etc/security/passwd to see what the new password looks like.

Loadable Password Algorithm (LPA):

AIX 5L implemented a Loadable Password Algorithm (LPA) mechanism that can easily deploy new password encryption algorithms. Each supported password encryption algorithm is implemented as a LPA load module that is loaded at runtime when the algorithm is needed. The supported LPAs and their attributes are defined in the /etc/security/pwdalg.cfg system configuration file. An administrator can set up a system-wide password encryption mechanism that uses a specific LPA to encrypt the passwords. After the system-wide password mechanism is changed, AIX 5L still supports passwords that are encrypted by the previous selected password encryption mechanisms, such as the crypt function.

All of the LPAs implemented for AIX 5L support passwords longer than eight characters. The password length limitations vary for different LPAs. The maximum password length supported by AIX 5L is 255 characters.

LPA configuration file:

The LPA configuration file is /etc/security/pwdalg.cfg. It is a stanza file that defines the attributes of the supported LPAs. The following LPA attributes are defined in the config file:

  • The path to the LPA module
  • The optional flags that is passed to the LPA module at runtime

The LPA attributes defined in the configuration file can be accessed with the getconfattr and setconfattr interfaces.

The following example stanza in /etc/security/pwdalg.cfg defines a LPA named ssha256:


  • lpa_module = /usr/lib/security/ssha
  • lpa_options = algorithm=sha256

System password algorithm:

A system administrator can set a system-wide password algorithm by selecting an LPA as the password hashing algorithm. There can only be one active system password algorithm at a time. The system password algorithm is defined by the pwd_algorithm system attribute in the usw stanza in the /etc/security/login.cfg file. The valid values for the pwd_algorithm attribute in the /etc/security/login.cfg file are LPA stanza names that are defined in the /etc/security/pwdalg.cfg file. Another valid value for the pwd_algorithm attribute is crypt, which refers to traditional crypt encryption. If the pwd_algorithm attribute is omitted from the config file, crypt is used as the default value.

The following example of the /etc/security/login.cfg file uses ssha256 LPA as the system-wide password encryption algorithm.

 shells = /bin/sh,/bin/bsh,/bin/csh,/bin/ksh,/bin/tsh,/bin/ksh93  
 maxlogins = 32767 
 logintimeout = 60 
 maxroles = 8 
 auth_type = STD_AUTH 
 pwd_algorithm = ssha256 

The system password algorithm takes effect only for newly created passwords and changed passwords. After the migration, all subsequent new passwords or password changes use the system password algorithm. The passwords that existed before the system password algorithm is chosen, either generated by the standard crypt function or by other supported LPA modules, still work on the system. Therefore, mixed passwords that were generated by different LPAs can coexist on the system.

copy (i dont trust IBM web contend managers) of post on IBM forum, here is the link:

admin · attr · attach · edit · history · print
Page last modified on September 11, 2007, at 12:05 PM