pwdck Command

Purpose

Verifies the correctness of local authentication information.

Syntax

pwdck { -p | -n | -t | -y } { ALL | User ... }

Description

The pwdck command verifies the correctness of the password information in the user database files by checking the definitions for ALL the users or for the users specified by the User parameter. If more than one user is specified, there must be a space between the names.

Note: This command writes its messages to stderr.

You must select a flag to indicate whether the system should try to fix erroneous attributes. The following attributes are checked for locally defined users in the /etc/passwd file:

Item Description
entry Ensures that each entry is readable and that it contains at least two : (colons). If you indicate that the system should fix errors, the entire entry is discarded.
passwd Ensures that the password field is an ! (exclamation point). If you indicate that the system should fix errors, it transfers the information in the password field to the /etc/security/passwd file, updates the lastupdate attribute in the /etc/security/passwd file, and then replaces the password field in the /etc/passwd file with an !. In general, passwords are required if the minalpha, minother, or minlen password restriction is set to a nonzero value in the /etc/security/user file.
user Ensures that the user name is a unique string of 8 bytes or less. It cannot begin with a + (plus sign), a : (colon), a - (minus sign), or a ~ (tilde). It cannot contain a : (colon) in the string and cannot be the ALL, default, or * keywords. If you indicate that the system should fix errors, it removes this user's entry line from the /etc/passwd file. If the user name starts with a + or a - symbol, the user is not locally defined, and checks are not performed.

Attributes checked in the /etc/security/passwd file are:

Item Description
line Ensures that each line is readable and is part of a stanza. Any invalid line is discarded.
password Ensures that the password attribute exists and is not blank, if passwords are required on the system. If you indicate that the system should fix errors, the password is set to * (asterisk), and the lastupdate attribute is discarded.

In general, passwords are required if either the minalpha or the minother password restriction is set to a nonzero value in the /etc/security/user file. If a user's flags attribute specifies the NOCHECK keyword, a password is not required for this user, and the check is ignored.

lastupdate Ensures that the lastupdate attribute exists for a valid non-blank password, and that its time is prior to the current time. If you indicate that the system should fix errors, the lastupdate attribute is discarded or updated, depending on the password attribute. The lastupdate attribute is discarded if the password attribute doesn't exist, or equals a blank or an * (asterisk). Otherwise, the lastupdate time is set to the current time.
flags Ensures that the flags attribute contains only the keywords ADMIN, ADMCHG, and NOCHECK. If you indicate that the system should fix errors, it deletes any undefined flags.

Attributes checked in the /etc/security/user file are:

Item Description
auth1 Ensures that each SYSTEM;username entry defined for a local user has a username entry in the /etc/security/passwd file. If you indicate that the system should fix errors, a stanza is added to the /etc/security/passwd file for each missing entry, in the following format:
username:
          password = *

If a user's entry and a default entry both are missing from the /etc/security/user file, the system assumes the following values and the check on auth1 is performed:

auth1 = SYSTEM;user

Note: The auth1 attribute is deprecated and should not be used.
auth2 Ensures that each authname;username entry defined for a local user has a username entry in the /etc/security/passwd file. If you indicate that the system should fix errors, an entry is added for each missing entry.

If a user's entry and a default entry both are missing from the /etc/security/user file, the system assumes the following values and the check on auth2 is performed:

auth2 = NONE

Note: The auth2 attribute is deprecated and should not be used.

When ALL is specified, the pwdck command ensures that each stanza in the /etc/security/passwd file corresponds to an authentication name of a local user as a SYSTEM;username entry in the /etc/security/user file. If you indicate that the system should fix errors, a stanza that does not correspond to a username entry in the /etc/security/user file is discarded from the /etc/security/passwd file.

The pwdck command locks the /etc/passwd file and the /etc/security/passwd file when it updates them. If either of these files is locked by another process, the pwdck command waits a few minutes for the files to be unlocked, and terminates if this does not happen.

The pwdck command checks whether the /etc/passwd file and the /etc/security/passwd file are modified by another process while the current pwdck process is running. If you indicate that the system should fix errors, the pwdck command updates the /etc/passwd file and the /etc/security/passwd file, and may overwrite any changes made by the other process.

The pwdck command also checks whether the database management security files (/etc/passwd.nm.idx, /etc/passwd.id.idx, /etc/security/passwd.idx, and /etc/security/lastlog.idx) are up to date, that is, newer than the corresponding system security files. Note that it is acceptable for /etc/security/lastlog.idx not to be newer than /etc/security/lastlog. If the database management security files are out of date, a warning message appears indicating that the root user should run the mkpasswd command.

Generally, the sysck command calls the pwdck command as part of the verification of a trusted-system installation. In addition, the root user or a member of the security group can enter the command.
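
The checks described above, modelled in an added Python example that is not part of this manual page and not the pwdck command's own code. It runs in report-only (-n style) mode over constructed /etc/passwd and /etc/security/passwd contents embedded in the script; the stanza layout, the comma-separated flags syntax, the placeholder hash values and the message wording are assumptions made for the illustration. Each finding names the attribute the page lists for that check and the fix the page says -y would apply:

```python
# Added example: a read-only model of the pwdck checks. Not IBM's code; the
# file contents, stanza layout and comma-separated flags syntax are
# constructed/assumed for illustration.
import time

# Constructed /etc/passwd content: two good users, one with a clear-text
# password field, one unreadable line, one over-long name, one NIS entry.
PASSWD = """\
root:!:0:0::/:/usr/bin/ksh
ariel:!:201:1::/home/ariel:/usr/bin/ksh
bob:secret:202:1::/home/bob:/usr/bin/ksh
brokenline
toolongname:!:203:1::/home/toolong:/usr/bin/ksh
+nisuser:!:204:1::/home/nis:/usr/bin/ksh
"""

# Constructed /etc/security/passwd content (hash values are placeholders).
SECURITY_PASSWD = """\
        orphan = 1
root:
        password = {ssha256}PLACEHOLDER_HASH
        lastupdate = 1600000000
        flags = ADMIN

ariel:
        password = *

carol:
        password = {ssha256}PLACEHOLDER_HASH
        lastupdate = 9999999999
        flags = ADMIN,BOGUS

dave:
        lastupdate = 1600000000
"""

RESERVED = {"ALL", "default", "*"}
VALID_FLAGS = {"ADMIN", "ADMCHG", "NOCHECK"}


def check_passwd(text):
    """Apply the entry/user/passwd checks; return (findings, local user names)."""
    findings, local = [], set()
    for line in text.splitlines():
        if line.count(":") < 2:                      # entry: needs at least two colons
            findings.append(f"entry: unreadable line {line!r} (fix: discard entry)")
            continue
        user, pw = line.split(":", 2)[:2]            # a name can never contain ':' here
        if user[:1] in ("+", "-"):                   # not locally defined: no checks
            continue
        if (not user or len(user.encode()) > 8 or user[:1] == "~"
                or user in RESERVED or user in local):
            findings.append(f"user: invalid name {user!r} (fix: remove entry)")
            continue
        local.add(user)
        if pw != "!":                                # passwd: field must be '!'
            findings.append(f"passwd: {user} field is not '!' "
                            "(fix: move to /etc/security/passwd, set lastupdate)")
    return findings, local


def parse_stanzas(text):
    """Parse 'name:' stanza headers followed by indented 'attr = value' lines."""
    stanzas, findings, current = {}, [], None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace() and line.rstrip().endswith(":"):
            current = line.rstrip()[:-1]
            stanzas[current] = {}
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            stanzas[current][key.strip()] = value.strip()
        else:                                        # line: not part of any stanza
            findings.append(f"line: {line.strip()!r} not in a stanza (fix: discard)")
    return stanzas, findings


def check_security_passwd(text, local_users, passwords_required=True, now=None):
    """Apply the password/lastupdate/flags checks plus the ALL-mode stanza check."""
    now = time.time() if now is None else now
    stanzas, findings = parse_stanzas(text)
    for user, attrs in stanzas.items():
        if user not in local_users:                  # ALL: stanza without a local user
            findings.append(f"stanza: {user} has no local user (fix: discard stanza)")
        flags = set(attrs.get("flags", "").replace(",", " ").split())
        if flags - VALID_FLAGS:
            findings.append(f"flags: {user} has undefined flags "
                            f"{sorted(flags - VALID_FLAGS)} (fix: delete them)")
        pw = attrs.get("password", "")
        if passwords_required and "NOCHECK" not in flags and pw == "":
            findings.append(f"password: {user} has none (fix: set '*', drop lastupdate)")
        lu = attrs.get("lastupdate")
        if pw not in ("", "*"):                      # valid password needs a sane lastupdate
            if lu is None or not lu.isdigit() or int(lu) > now:
                findings.append(f"lastupdate: {user} missing or in the future (fix: set to now)")
        elif lu is not None:
            findings.append(f"lastupdate: {user} set without a valid password (fix: discard)")
    return findings


if __name__ == "__main__":
    pw_findings, users = check_passwd(PASSWD)
    for finding in pw_findings + check_security_passwd(SECURITY_PASSWD, users):
        print(finding)
```

Passing the local user set from check_passwd into check_security_passwd reproduces the ALL-mode cross-check, which is why carol and dave are reported as stanzas without a local user; the `now` parameter exists so the future-dated lastupdate check is deterministic when run as a test rather than against the wall clock.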

Flags

Item Description
-n Reports errors but does not fix them.
-p Fixes errors but does not report them.
-t Reports errors and asks if they should be fixed.
-y Fixes errors and reports them.

Security

Access Control: This command should grant execute (x) access to the root user and members of the security group. The command should be setuid to the root user, to read and write the authentication information, and have the trusted computing base attribute.

Files Accessed:

Mode File
rw /etc/passwd
r /etc/security/user
rw /etc/security/passwd
r /etc/security/login.cfg

Auditing Events:

Event Information
PASSWORD_Check user, error/fix, status
PASSWORD_Ckerr file/user, error, status

Attention RBAC users and Trusted AIX® users: This command can perform privileged operations. Only privileged users can run privileged operations. For more information about authorizations and privileges, see Privileged Command Database in Security. For a list of privileges and the authorizations associated with this command, see the lssecattr command or the getcmdattr subcommand.

Examples

  1. To verify that all local users have valid passwords, enter:

    pwdck -y ALL

    This reports errors, and fixes them.
  2. To ensure that user ariel has a valid stanza in the /etc/security/passwd file, enter:

    pwdck -y ariel

Files

Item Description
/usr/bin/pwdck Contains the pwdck command.
/etc/security/passwd Contains actual passwords and security information.
/etc/security/login.cfg Contains configuration information and password restrictions.