AIX

Hi Guys,

some one could help me on this that will be great .

I have AIX 5.1 . when ever u login as root .it says u r passwd is expiredchoose new passwd . I tried couple of times changeing the passwd .still it behaves every time u login it asks to change the passwd . i teied to lokk into passwd file, /etc/security/passwd , smitty user management ,but no use .

any body have any idea !!! how to set this passwd expiration !!!!!!!

thanks in advance
susesun

As long as you can still log in as root run the command pwdadm -c root this should cure the problem. However the user root should really change the password on a regular basis for good security practice. You need to look in the /etc/security/passwd file. This is where all the flags are kept such ADMCHG. Hope this is helpful.

I understand that by running the command pwdadm -c user, the ADMCHG flags will be removed from /etc/security/passwd file. But in the first place, why it doesn't remove the flags after root id has changed the password?
Why we need to run this command of pwdadm -c to remove the flag ADMCHG manually?
Is there any patches need to be applied to permanently fix the problem?
I afraid whenever the root id been expired, the same problem will happen again.
Thanks.

This is less a question of whether it would be technically possible but more a question of privacy. Depending on where you where brought up this might not be so obvious but where I live users prefer root not knowing their personal passwords. So while root can get around this little hurdle by removing the ADMCHG flag it is not the default. It has to be done intentionally which makes a difference from the legal perspective.

The ADMCHG flag is set if root changes another user's password. If that user changes his/her password (at first login) the ADMCHG flag is removed and the password is valid until it expires for some defined reason.
If you don't want a password to expire after a defined time set the maxage parameter to "0" in the user's settings. However, keeping a password forever is considered a security risk in certain environments.
From a mere technical point of view you could write a script to change password and run pwdadm in one step though.