User Management in AIX

Users are an integral part of any operating system. AIX has a rich set of command-line tools to create, delete, modify, lock, unlock and otherwise manage user accounts. Unix is a multi-user operating system: multiple users can log in to the same partition and carry out their tasks concurrently.

Create local user

To create a user on AIX you must be root, or have been granted the appropriate authorization by root to create new users. Here is how to create a user with mkuser, list it with lsuser and set its password with passwd:

# mkuser newuser
#
# lsuser newuser
newuser id=209 pgrp=staff groups=staff home=/home/newuser shell=/usr/bin/ksh login=true su=true rlogin=true daemon=true admin=false sugroups=ALL admgroups= tpath=nosak ttys=ALL expires=0 auth1=SYSTEM auth2=NONE umask=22 registry=files SYSTEM=compat logintimes= loginretries=0 pwdwarntime=0 account_locked=false minage=0 maxage=0 maxexpired=-1 minalpha=0 minloweralpha=0 minupperalpha=0 minother=0 mindigit=0 minspecialchar=0 mindiff=0 maxrepeats=8 minlen=0 histexpire=0 histsize=0 pwdchecks= dictionlist= default_roles= fsize=-1 cpu=-1 data=-1 stack=65536 core=-1 rss=-1 nofiles=-1 stack_hard=-1 roles=
#
# passwd newuser
Changing password for "newuser"
newuser's New password:
Enter the new password again:
#


With the user created, it is time to log in as newuser. On the first login the system requires newuser to change the password, since a password change is mandatory at first login. Depending on the policy root has set, you may be logged in directly after the change or logged out and required to log in again with the new password.

login: newuser
newuser's Password: 
[compat]: 3004-610 You are required to change your password.
        Please choose a new one.

newuser's New password: 
Enter the new password again:
$
$ lsuser newuser
newuser id=209 pgrp=staff groups=staff home=/home/newuser shell=/usr/bin/ksh roles=

User accounts can be locked and unlocked temporarily. A user is locked out after entering a wrong password one, three or five times, as specified by the loginretries policy. Root can set the account to lock after three wrong passwords; the author notes this helps prevent a DoS attack on the user account. Bear in mind that the lower the threshold, the easier it is for a single typo (or for anyone who can reach the login prompt) to lock the account, so the value of 1 below is only to demonstrate the mechanism. To lock the user after a single wrong password:
#
# chuser loginretries=1 newuser
# ssh newuser@localhost
newuser@localhost's password: 
Permission denied, please try again.
newuser@localhost's password: 
Permission denied, please try again.
newuser@localhost's password: 
Received disconnect from 127.0.0.1 port 22:2: Too many authentication failures
Authentication failed.


Once the account has been locked by unsuccessful login attempts, the only way to unlock it is to reset the unsuccessful_login_count attribute to zero and then unlock the account:

# lsuser -a unsuccessful_login_count newuser
newuser unsuccessful_login_count=1
#
# chsec -f /etc/security/lastlog -s newuser -a unsuccessful_login_count=0
#
# chuser account_locked=false newuser

Root can also lock an account for any other reason, for example when a user is on vacation for 15 days and will not be working during that time. After the 15 days, root unlocks the account again.
# chuser account_locked=true newuser
# ssh newuser@localhost
newuser@localhost's password: 
Permission denied, please try again.
newuser@localhost's password: 
Permission denied, please try again.
newuser@localhost's password: 
Received disconnect from 127.0.0.1 port 22:2: Too many authentication failures
Authentication failed.
# chuser account_locked=false newuser

We can also set an expiry date on the account, after which the user can no longer log in. In the example below the account is valid until midnight on Dec 31 2020 (the expires attribute is given in MMDDhhmmyy format). To make the account never expire, set the expires attribute to 0.

#
# lsuser -a expires newuser
newuser expires=1231235920
# chuser expires=0 newuser
# lsuser -a expires newuser
newuser expires=0
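As an added example (not from the original article), here is a small POSIX shell audit that parses lsuser-style attribute=value output and flags accounts with no lockout (loginretries=0), non-aging passwords (maxage=0), a short minimum password length, or an account that is already locked. The sample output and the thresholds are constructed for this example, since mkuser and lsuser exist only on AIX.

```shell
#!/bin/sh
# Constructed sample of `lsuser -a loginretries maxage minlen account_locked ALL`
# style output (attribute=value pairs, one user per line); not captured from a real host.
SAMPLE_LSUSER='newuser loginretries=0 maxage=0 minlen=0 account_locked=false
opsadmin loginretries=3 maxage=13 minlen=8 account_locked=false
contractor loginretries=3 maxage=13 minlen=8 account_locked=true'

# audit_lsuser: read lsuser-style lines on stdin and print one finding per weak attribute.
# Thresholds are assumptions for this example: no lockout (loginretries=0),
# password never ages (maxage=0), minimum length below 8, and already-locked accounts.
audit_lsuser() {
    awk '
    {
        user = $1
        split("", attr)                       # clear the per-user attribute map (POSIX awk)
        for (i = 2; i <= NF; i++) {
            eq = index($i, "=")
            if (eq > 0) attr[substr($i, 1, eq - 1)] = substr($i, eq + 1)
        }
        if (("loginretries" in attr) && attr["loginretries"] + 0 == 0)
            print user " loginretries=0 (no lockout after failed logins)"
        if (("maxage" in attr) && attr["maxage"] + 0 == 0)
            print user " maxage=0 (password never expires)"
        if (("minlen" in attr) && attr["minlen"] + 0 < 8)
            print user " minlen=" attr["minlen"] " (shorter than 8)"
        if (attr["account_locked"] == "true")
            print user " account_locked=true (review why it is locked)"
    }'
}

# count_findings USER: number of findings reported for one user in the sample
count_findings() {
    printf '%s\n' "$SAMPLE_LSUSER" | audit_lsuser | grep -c "^$1 "
}

# On a real AIX host you would pipe live output instead of the sample:
#   lsuser -a loginretries maxage minlen account_locked ALL | audit_lsuser
printf '%s\n' "$SAMPLE_LSUSER" | audit_lsuser
```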

Delete the user

# rmuser newuser
# lsuser newuser
3004-687 User "newuser" does not exist.

When a user is deleted, the home directory and the files newuser created are left intact. Root can then remove the leftover files or leave them as they are.