
IBM AIX/UNIX system storage administration ksh/perl scripting

Wednesday, March 05, 2008

Enhanced login privacy for AIX 5L Version 5.2.0

AIX 5L Version 5.2 now supports enhanced security options for the user's login interface. On the default AIX login screen, the user name is visible as it is entered and the password prompt also includes the user name. In some security environments, displaying the user name on the screen is considered a security exposure. In Version 5.2, the administrator has the option to change the login password prompt and to hide the user name from login and system messages. These settings can be configured as the system default or on a per-port basis.

See the following example for the default behavior for logging in with telnet. The user is logging in as test9 and the user name test9 is displayed twice. The /usr/bin/su command also echoes the user name test8 in the password prompt.

telnet (server1)

AIX Version 5
(C) Copyrights by IBM and by others 1982, 2000.
login: test9
test9's Password:
...
$ su - test8
test8's Password:
$

The new attributes for login privacy are located in /etc/security/login.cfg. The pwdprompt attribute defines the password prompt message shown when asking for the password during login. The usernameecho attribute is a boolean value that determines whether the user name is displayed during login and in security-related messages. If usernameecho is false, the user name is hidden during login and in security-related messages. If usernameecho is true (the default), user names are displayed as normal. To set these attributes on a per-port basis, create a new stanza for that port if one does not already exist (for example, /dev/lft0) and add the attributes to that stanza. To make these attributes system-wide, add them to the default stanza. Attributes in the port-specific stanza override attributes in the default stanza.

The following example shows the result of changing the system-wide password prompt to Password:.

# chsec -f /etc/security/login.cfg -s default -a pwdprompt="Password:"

telnet (server1)

AIX Version 5
(C) Copyrights by IBM and by others 1982, 2000.
login: root
Password:

In the following example, the password prompt is reset to default and usernameecho is set to false. The output for the telnet session is below. Notice that the user names displayed for the /usr/bin/su and /usr/bin/passwd commands are hidden.

# chsec -f /etc/security/login.cfg -s default -a pwdprompt=
# chsec -f /etc/security/login.cfg -s default -a usernameecho=false

telnet (server1)

AIX Version 5
(C) Copyrights by IBM and by others 1982, 2000.
login:
*****'s Password:
...
$ passwd
Changing password for "*****"
*****'s Old password:
*****'s New password:
Enter the new password again:

$ su - test8
3004-500 User "*****" does not exist.

$ su - test4
*****'s Password:

The following example shows how to specify the usernameecho attribute for a specific port (for example, /dev/lft0). Attributes specified in per-port stanzas override the default stanza.

chsec -f /etc/security/login.cfg -s /dev/lft0 -a usernameecho=false

Once the pwdprompt attribute is set, the specified string is used by the su command when it is invoked by a non-root user, but it is not used by the passwd command when changing an existing user's password.
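To see what these attributes resolve to on a given port, here is an added shell example (not from the post or from AIX itself) that parses a login.cfg-style stanza file and applies the port-over-default rule described above. The file contents, and the use of /dev/tty0 as a port with no stanza of its own, are constructed for the demo; it runs under a POSIX shell with awk and does not need an AIX system.

```shell
# Added example (not from the post or IBM): audit the effective login-privacy
# attributes in an AIX 5.2 /etc/security/login.cfg-style file. Attribute
# names and stanza layout follow the post; the sample file is constructed.
# effective_attr FILE PORT ATTR: print ATTR for PORT, applying the rule that
# a value in the port's own stanza overrides the one in "default".
effective_attr() {
    awk -v port="$2" -v attr="$3" '
        # stanza header: unindented name ending in a colon, e.g. "/dev/lft0:"
        /^[^ \t].*:[ \t]*$/ { stanza = $0; sub(/:[ \t]*$/, "", stanza); next }
        # attribute line: indented "name = value"
        /^[ \t]+[A-Za-z_]+[ \t]*=/ {
            line = $0; sub(/^[ \t]+/, "", line)
            split(line, kv, /[ \t]*=[ \t]*/)
            if (kv[1] != attr) next
            val = kv[2]; gsub(/^"|"$/, "", val)        # drop surrounding quotes
            if (stanza == port)           { portval = val; portset = 1 }
            else if (stanza == "default") { defval = val; defset = 1 }
        }
        END { if (portset) print portval; else if (defset) print defval; else print "" }
    ' "$1"
}

# login_privacy_ok FILE PORT: succeed only when usernameecho is effectively
# false for PORT, i.e. the user name is hidden in login and su/passwd messages.
login_privacy_ok() {
    [ "$(effective_attr "$1" "$2" usernameecho)" = false ]
}

# make_sample_cfg: write a constructed login.cfg fragment and print its path.
make_sample_cfg() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
default:
        pwdprompt = "Password:"
        usernameecho = true

/dev/lft0:
        usernameecho = false
EOF
    printf '%s\n' "$f"
}

# Demo: /dev/lft0 hides names via its own stanza; /dev/tty0 has no stanza,
# inherits usernameecho=true from default, and is reported as exposed.
cfg=$(make_sample_cfg)
for port in /dev/lft0 /dev/tty0; do
    login_privacy_ok "$cfg" "$port" && state=hidden || state=EXPOSED
    printf '%s: pwdprompt=%s user name %s\n' "$port" \
        "$(effective_attr "$cfg" "$port" pwdprompt)" "$state"
done
rm -f "$cfg"
```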
