Can I manually replace password hashes in the AIX /etc/security/passwd file?


Can I safely replace the password hash in the AIX /etc/security/passwd file? Are there any AIX quirks that would stand in the way of me just using vi to replace the hash?

I want to consolidate the root passwords on my AIX servers. On Solaris, IRIX, and Linux I would compare the password hash in /etc/shadow. If it wasn't the same, I could replace it with the desired hash. AIX uses /etc/security/passwd, which has a different format. Examples of the password field:

password = 2bOR!2Bp8jest
password = {ssha512}06$2bOR!2Bp8jestHAH$hamlet[...]

I assume the answer is, "Yes, they can be compared. They can be replaced, but be very careful."

Bonus points (if I have enough rep to award) if someone describes how older AIX versions fail if a newer crypto algorithm, such as {ssha512}, isn't available.

IAmJeff

Posted 2015-04-27T17:18:56.710


I want to emphasize the fact I wish to manually edit /etc/security/passwd. Are there any AIX quirks that require any extra steps or precautions in addition to just using vi to edit the file? – IAmJeff – 2015-04-29T14:36:33.193


Have a look at this. I edit the file myself, but wanted to triple check before telling someone else to do it. https://www.ibm.com/developerworks/community/forums/html/topic?id=77777777-0000-0000-0000-000014454472

– Alex Atkinson – 2015-05-04T15:39:51.877

Yup, that answers it. I found another link and answered myself before I saw your comment. – IAmJeff – 2015-05-04T16:14:49.607

Answers


I found an IBM answer at Copying AIX password hashes between servers. You can use an editor to manually change the password, but there is a command to do that for you.

Quoting:

get the users password hash out of /etc/security/passwd and then use the "chpasswd" command to change the password on the other server.

The command is:

echo 'root:2bOR!2Bp8jest' | chpasswd -ec

IAmJeff

Posted 2015-04-27T17:18:56.710


Hopefully not actually with a DES hash? – user1686 – 2015-05-04T16:57:30.657

Just an example using a lispy question. "2 be or not 2 be p infinite jest" PCI requires strong password algorithms here. – IAmJeff – 2015-05-18T16:23:55.720
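Added example (mine, not code from the post above or from the IBM page it links): a POSIX sh script that reads an AIX-style /etc/security/passwd stanza file, pulls one user's `password =` value, tells a braced LPA hash such as `{ssha512}` apart from a legacy unprefixed crypt hash, and prints the `chpasswd -ec` line needed to bring the host's hash in line with the one you want. It assumes the stanza layout shown in the question (an unindented `name:` header followed by indented `attribute = value` lines) and the `chpasswd -ec` usage quoted in the answer. It never writes to the real file: the sample stanzas and every hash in them are constructed for this example, and the sync step only prints the command rather than running it.

```shell
#!/bin/sh
# Added example, not from the original post. Works on a constructed sample
# file in AIX /etc/security/passwd stanza layout; never touches the real one.

# Constructed sample. The hash strings below are made up, not real hashes.
AIX_SAMPLE_FILE=$(mktemp) || exit 1
trap 'rm -f "$AIX_SAMPLE_FILE"' EXIT
cat > "$AIX_SAMPLE_FILE" <<'EOF'
root:
        password = {ssha512}06$CONSTRUCTEDSALT$CONSTRUCTEDHASHVALUE
        lastupdate = 1430000000
        flags = ADMCHG

ops:
        password = 2bOR!2Bp8jest
        lastupdate = 1429000000

guest:
        password = *
EOF

# aix_get_hash FILE USER: print USER's "password =" value from the stanza
# file. Exit 1 if USER has no stanza or no password line.
aix_get_hash() {
    awk -v user="$2" '
        # A stanza header is an unindented "name:" line.
        /^[^ \t#][^:]*:[ \t]*$/ {
            stanza = $1; sub(/:$/, "", stanza); next
        }
        stanza == user && $1 == "password" && $2 == "=" {
            print $3; found = 1; exit
        }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# aix_hash_algo HASH: print the algorithm tag of a braced hash ({ssha512}
# -> ssha512), "locked" for an empty, "*" or "!"-prefixed field, and "crypt"
# for the legacy 13-character DES-based form that has no prefix at all.
aix_hash_algo() {
    case "$1" in
        \{*\}*) printf '%s\n' "$1" | sed 's/^{\([^}]*\)}.*/\1/' ;;
        ''|\*|\!*) printf 'locked\n' ;;
        *) printf 'crypt\n' ;;
    esac
}

# aix_sync_cmd FILE USER WANTED: print the command that would set USER's
# hash on this host to WANTED. Returns 0 when already in sync (prints
# nothing), 1 when a change is needed, 2 when USER has no stanza.
aix_sync_cmd() {
    aix_sync_cur=$(aix_get_hash "$1" "$2") || return 2
    [ "$aix_sync_cur" = "$3" ] && return 0
    # chpasswd -e takes "user:hash" on stdin and stores the hash as given;
    # -c clears the ADMCHG flag so the next login is not forced to change it.
    printf "echo '%s:%s' | chpasswd -ec\n" "$2" "$3"
    return 1
}

# Demo: classify each sample user's hash, then check root against a wanted
# hash (also constructed) and show the command that would align it.
WANTED_ROOT_HASH='{ssha512}06$OTHERSALT$OTHERHASHVALUE'
for u in root ops guest; do
    h=$(aix_get_hash "$AIX_SAMPLE_FILE" "$u") || h=''
    printf '%-6s %-8s %s\n' "$u" "$(aix_hash_algo "$h")" "$h"
done
if aix_sync_cmd "$AIX_SAMPLE_FILE" root "$WANTED_ROOT_HASH"; then
    echo "root: already in sync"
else
    case $? in
        1) echo "root: hash differs; the line above would fix it" ;;
        2) echo "root: no stanza in file" ;;
    esac
fi
```

Run it against a copy of a real file by replacing `AIX_SAMPLE_FILE`; the `crypt` tag on a 13-character value is the quick way to spot the DES-era hashes user1686 asks about before you push them anywhere.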


The issue is that if any user modification to the security file, such as a PAM-based password change, happens at the same time as you write to the security file using vi or any non-PAM-based command, then two programs are writing to the file at the same time and structure can't be maintained. Corruption is guaranteed to occur. This becomes more apparent on systems where the password file is modified frequently and in this way. Definitely do use a PAM-authorized method to write to your passwd/security files.

Gary Bowdridge

Posted 2015-04-27T17:18:56.710
