Account Attributes
The following table lists the account attributes:

Name of the user on the AIX computer that you want to use for connector operations

The General Electric Comprehensive Operating System (GECOS) information for the user. The user's name, phone numbers, and other generic personal information are stored here.

User ID

Primary group of user

Secondary groups of user

Home directory of user

Default shell of user

Indicates whether the user can log in to the system with the login command. Possible values are:
- true (default) – The user can log in to the system.
- false – The user cannot log in to the system.

Indicates whether another user can switch to the specified user account with the su command. Possible values are:
- true (default) – Another user can switch to the specified account.
- false – Another user cannot switch to the specified account.

Permits access to the account from a remote location with the telnet or rlogin commands. Possible values are:
- true (default) – The user account can be accessed remotely.
- false – The user account cannot be accessed remotely.

Indicates whether the user specified by the Name parameter can execute programs using the cron daemon or the src (system resource controller) daemon. Possible values are:
- true (default) – The user can initiate cron and src sessions.
- false – The user cannot initiate cron and src sessions.

Defines the administrative status of the user. Possible values are:
- true – The user is an administrator. Only the root user can change the attributes of users defined as administrators.
- false (default) – The user is not an administrator.

Allows the DCE registry to overwrite the local user information with the DCE user information during a DCE export operation. Possible values are:
- true – Local user information will be overwritten.
- false – Local user information will not be overwritten.

Lists the groups that can use the su command to switch to the specified user account. The Value parameter is a comma-separated list of group names, or a value of ALL to indicate all groups. An ! (exclamation point) in front of a group name excludes that group. If this attribute is not specified, all groups can switch to this user account with the su command.

Lists the groups the user administrates. The Value parameter is a comma-separated list of group names. For additional information on group names, refer to the adms attribute of the /etc/security/group file.

Indicates the user's trusted path status. The possible values are:
- always – The user can only execute trusted processes. This implies that the user's initial program is in the trusted shell or some other trusted process.
- notsh – The user cannot invoke the trusted shell on a trusted path. If the user enters the secure attention key (SAK) after logging in, the login session ends.
- nosak (default) – The secure attention key (SAK) is disabled for all processes run by the user. Use this value if the user transfers binary data that may contain the SAK sequence.
- on – The user has normal trusted path characteristics and can invoke a trusted path (enter a trusted shell) with the secure attention key (SAK).

Lists the terminals that can access the account specified by the Name parameter. The Value parameter is a comma-separated list of full path names, or a value of ALL to indicate all terminals. The values of RSH and REXEC also can be used as terminal names. An ! (exclamation point) in front of a terminal name excludes that terminal. If this attribute is not specified, all terminals can access the user account. If the Value parameter is not ALL, then /dev/pts must be specified for network logins to work properly.

Identifies the expiration date of the account. The Value parameter is a 10-character string in the MMDDhhmmyy form, where MM = month, DD = day, hh = hour, mm = minute, and yy = last 2 digits of the years 1939 through 2038. All characters are numeric. If the Value parameter is 0, the account does not expire. The default is 0. See the date command for more information.

Lists additional mandatory methods for authenticating the user. The auth1 attribute has been deprecated and may not be supported in a future release. The SYSTEM attribute should be used instead. The authentication process will fail if any of the methods specified by the auth1 attribute fail.
- The Value parameter is a comma-separated list of Method;Name pairs.
- The Method parameter is the name of the authentication method.
- The Name parameter is the user to authenticate. If you do not specify a Name parameter, the name of the user being authenticated is used.
- Valid authentication methods for the auth1 and auth2 attributes are defined in the /etc/security/login.cfg file.

Lists additional optional methods for authenticating the user. The auth2 attribute has been deprecated and may not be supported in a future release. The SYSTEM attribute should be used instead. The authentication process will not fail if any of the methods specified by the auth2 attribute fail.
- The Value parameter is a comma-separated list of Method;Name pairs.
- The Method parameter is the name of the authentication method.
- The Name parameter is the user to authenticate. If you do not specify a Name parameter, the name of the user being authenticated is used.

Determines file permissions. This value, along with the permissions of the creating process, determines a file's permissions when the file is created. The default is 022.

Defines the authentication registry where the user is administered. It is used to resolve a remotely administered user to the local administered domain. This situation may occur when network services unexpectedly fail or network databases are replicated locally. Example values are files, NIS, or DCE.

Defines the system authentication mechanism for the user. The value may be an expression describing which authentication methods are to be used or it may be the keyword NONE.
The SYSTEM mechanism is always used to authenticate the user, regardless of the value of the auth1 and auth2 attributes. If the SYSTEM attribute is set to NONE, authentication is only performed using the auth1 and auth2 attributes. If the auth1 and auth2 attributes are blank or ignored, as with the TCP socket daemons (ftpd, rexecd, and rshd), no authentication will be performed.
The method names compat, files, and NIS are provided by the security library. Additional methods may be defined in the /usr/lib/security/methods.cfg file.
Specify the value for SYSTEM using the following syntax:
"SYSTEM" ::= EXPRESSION
EXPRESSION ::= PRIMITIVE |
"("EXPRESSION")" |
EXPRESSION OPERATOR EXPRESSION
PRIMITIVE ::= METHOD |
METHOD "["RESULT"]"
RESULT ::= "SUCCESS" | "FAILURE" | "NOTFOUND" |
"UNAVAIL" | "*"
OPERATOR ::= "AND" | "OR"
METHOD ::= "compat" | "files" | "NONE" |
[a-z,A-Z,0-9]*
An example of the syntax is:
SYSTEM = "DCE OR DCE[UNAVAIL] AND compat"
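A parser and evaluator for the SYSTEM grammar above, written as an added example (it is not part of the original page or of AIX itself). It runs the page's own example expression against a constructed table of method outcomes and records which methods were actually consulted; the AND-over-OR precedence, treating a method missing from the table as UNAVAIL, and NONE passing straight through to auth1/auth2 are assumptions the page does not state.

```python
import re

def parse(expr):
    # Nodes: ("method", name, result|None), ("AND", l, r), ("OR", l, r). Assumed
    # precedence (the page's grammar leaves it open): AND binds tighter than OR.
    toks, pos = re.findall(r"[()\[\]]|[A-Za-z0-9*]+|\S", expr), 0
    peek = lambda: toks[pos] if pos < len(toks) else None
    def take(want=None):
        nonlocal pos
        tok = peek()
        if tok is None or (want and tok != want):
            raise ValueError("expected %s, got %r in %r" % (want or "method", tok, expr))
        pos += 1
        return tok
    def primitive():
        if peek() == "(":
            take(); node = expression(); take(")"); return node
        name = take()
        if name in ("AND", "OR") or not re.fullmatch(r"[A-Za-z0-9]+", name):
            raise ValueError("bad method name %r in %r" % (name, expr))
        result = None
        if peek() == "[":
            take(); result = take(); take("]")
            if result not in ("SUCCESS", "FAILURE", "NOTFOUND", "UNAVAIL", "*"):
                raise ValueError("bad result qualifier %r in %r" % (result, expr))
        return ("method", name, result)
    def binary(op, operand):  # left-associative chain of one operator
        node = operand()
        while peek() == op:
            take(); node = (op, node, operand())
        return node
    term = lambda: binary("AND", primitive)
    expression = lambda: binary("OR", term)
    tree = expression()
    if peek() is not None:
        raise ValueError("trailing %r in %r" % (peek(), expr))
    return tree

def evaluate(node, outcomes, invoked):
    # outcomes: constructed table method -> reported result (absent = UNAVAIL).
    # Bare METHOD passes only on SUCCESS; METHOD[RESULT] passes when that result
    # was reported ("*" = any). AND/OR short-circuit; `invoked` lists what ran.
    if node[0] != "method":
        left = evaluate(node[1], outcomes, invoked)
        right = lambda: evaluate(node[2], outcomes, invoked)
        return (left and right()) if node[0] == "AND" else (left or right())
    _, name, want = node
    if name == "NONE": return True  # no SYSTEM check of its own; auth1/auth2 decide
    invoked.append(name)
    got = outcomes.get(name, "UNAVAIL")
    return got == "SUCCESS" if want is None else want in ("*", got)
```

With the page's example, a DCE FAILURE (wrong password) does not fall through to compat; only a DCE outage (UNAVAIL) does, which is the point of the [UNAVAIL] qualifier.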

Specifies the times, days, or both, the user is allowed to access the system. The value is a comma-separated list of entries of the following form:
[!]:time-time
-or-
[!]day[-day][:time-time]
-or-
[!]date[-date][:time-time]
The day variable must be one digit between 0 and 6 that represents one of the days of the week. A 0 (zero) indicates Sunday and a 6 indicates Saturday.
The time variable is 24-hour military time (1700 is 5:00 p.m.). Leading zeroes are required. For example, you must enter 0800, not 800. The time variable must be four characters in length, and there must be a leading colon (:). An entry consisting of only a time specification applies to every day. The start hour of a time value must be less than the end hour.
The date variable is a four-digit string in the form mmdd. mm represents the calendar month and dd represents the day number. For example, 0001 represents January 1. dd may be 00 to indicate the entire month if the entry is not a range, or it may indicate the first or last day of the month depending on whether it appears as part of the start or end of a range.
For example:
- 0000 indicates the entire month of January.
- 0600 indicates the entire month of June.
- 311-0500 indicates April 11 through the last day of June.
Entries in this list specify times that a user is allowed or denied access to the system. Entries not preceded by an ! (exclamation point) allow access and are called ALLOW entries. Entries prefixed with an ! (exclamation point) deny access to the system and are called DENY entries. The ! operator applies to only one entry, not the whole restriction list. It must appear at the beginning of each entry.

Defines the number of unsuccessful login attempts allowed after the last successful login before the system locks the account. The value is a decimal integer string. A zero or negative value indicates that no limit exists. Once the user's account is locked, they will not be able to log in until the system administrator resets the user's unsuccessful_login_count attribute in the /etc/security/lastlog file to be less than the value of loginretries. To do this, enter the following:
chsec -f /etc/security/lastlog -s username -a \
unsuccessful_login_count=0

Defines the number of days before the system issues a warning that a password change is required. The value is a decimal integer string. A zero or negative value indicates that no message is issued. The value must be less than the difference of the maxage and minage attributes. Values greater than this difference are ignored, and a message is issued when the minage value is reached.

Indicates if the user account is locked. Possible values include:
- true – The user's account is locked. The values yes, true, and always are equivalent. The user is denied access to the system.
- false (default) – The user's account is not locked. The values no, false, and never are equivalent. The user is allowed access to the system.

Defines the minimum age (in weeks) a password must be before it can be changed. The value is a decimal integer string. The default is a value of 0, indicating no minimum age.

Defines the maximum age (in weeks) of a password. The password must be changed by this time. The value is a decimal integer string. The default is a value of 0, indicating no maximum age.

Defines the maximum time (in weeks) beyond the maxage value that a user can change an expired password. After this defined time, only an administrative user can change the password. The value is a decimal integer string. The default is -1, indicating no restriction is set. If the maxexpired attribute is 0, the password expires when the maxage value is met. If the maxage attribute is 0, the maxexpired attribute is ignored.

Defines the minimum number of alphabetic characters that must be in a new password. The value is a decimal integer string. The default is a value of 0, indicating no minimum number.

Defines the minimum number of non-alphabetic characters that must be in a new password. The value is a decimal integer string. The default is a value of 0, indicating no minimum number.

Defines the minimum number of characters required in a new password that were not in the old password. The value is a decimal integer string. The default is a value of 0, indicating no minimum number.

Defines the maximum number of times a character can be repeated in a new password. Since a value of 0 is meaningless, the default value of 8 indicates that there is no maximum number. The value is a decimal integer string.

Defines the minimum length of a password. The value is a decimal integer string. The default is a value of 0, indicating no minimum length. The maximum value allowed is 8. This attribute is determined by the minalpha attribute value added to the minother attribute value. If the sum of these values is greater than the minlen attribute value, the minimum length is set to the result.

Designates the period of time (in weeks) that a user cannot reuse a password. The value is a decimal integer string. The default is 0, indicating that no time limit is set.

Designates the number of previous passwords a user cannot reuse. The value is a decimal integer string. The default is 0.

Defines the password restriction methods enforced on new passwords. The value is a list of comma-separated method names and is evaluated from left to right. A method name is either an absolute path name or a path name relative to /usr/lib of an executable load module.

Defines the password dictionaries used by the composition restrictions when checking new passwords.
The password dictionaries are a list of comma-separated, absolute path names that are evaluated from left to right. All dictionary files and directories must be write-protected from all users except root. The dictionary files are formatted one word per line. The word begins in the first column and terminates with a new-line character. Only 7-bit ASCII words are supported for passwords. If text processing is installed on your system, the recommended dictionary file is the /usr/share/dict/words file.
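A checker that applies the password composition attributes described above (minlen, minalpha, minother, mindiff, maxrepeats, histsize, dictionlist) to a proposed password, together with the write-protection test the page requires for dictionary files. This is an added example, not the page's or AIX's own code; treating mindiff as the number of distinct characters absent from the old password, comparing the history in plaintext, and a case-folded dictionary lookup are simplifying assumptions.

```python
import os
import stat

# Page defaults: 0 for every minimum; 8 for maxrepeats means "no maximum".
DEFAULTS = {"minalpha": 0, "minother": 0, "mindiff": 0, "maxrepeats": 8,
            "minlen": 0, "histsize": 0}

def effective_minlen(policy):
    """minlen is raised to minalpha + minother whenever that sum is larger."""
    return max(policy["minlen"], policy["minalpha"] + policy["minother"])

def check_new_password(new, old, history, policy, dictionary=frozenset()):
    """Return the attributes a proposed password violates (empty list = accepted).
    history is most-recent-first. Plaintext comparison is an illustration only;
    the system stores and compares hashes."""
    p = {**DEFAULTS, **policy}
    alpha = sum(c.isalpha() for c in new)
    problems = []
    if len(new) < effective_minlen(p):
        problems.append("minlen")
    if alpha < p["minalpha"]:
        problems.append("minalpha")
    if len(new) - alpha < p["minother"]:
        problems.append("minother")
    # assumption: mindiff counts distinct characters absent from the old password
    if old is not None and len(set(new) - set(old)) < p["mindiff"]:
        problems.append("mindiff")
    if new and p["maxrepeats"] < 8 and max(map(new.count, set(new))) > p["maxrepeats"]:
        problems.append("maxrepeats")
    if p["histsize"] > 0 and new in history[:p["histsize"]]:
        problems.append("histsize")
    if new.lower() in dictionary:  # constructed word set; real files are one word per line
        problems.append("dictionlist")
    return problems

def dictionary_unprotected(uid, mode):
    """True when a dictionary file is not write-protected from everyone except
    root: the owner is not uid 0, or the group or other write bit is set."""
    return uid != 0 or bool(mode & (stat.S_IWGRP | stat.S_IWOTH))

def check_dictionary_file(path):
    """Apply dictionary_unprotected to a real file, e.g. /usr/share/dict/words."""
    st = os.stat(path)
    return dictionary_unprotected(st.st_uid, st.st_mode)
```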

Specifies the default roles for the user. The Value parameter, a comma-separated list of valid role names, can only contain roles assigned to the user in the roles attribute. You can use the ALL keyword to signify that the default roles for the user are all their assigned roles.

Identifies the soft limit for the largest file a user process can create or extend.

Sets the soft limit for the largest amount of system unit time (in seconds) that a user process can use.

Identifies the soft limit for the largest process data segment for a user process.

Specifies the soft limit for the largest process stack segment for a user process.

Specifies the soft limit for the largest core file a user process can create.

Sets the soft limit for the largest amount of physical memory a user process can allocate. This limit is not enforced by the system.

Sets the soft limit for the number of file descriptors a user process may have open at one time.

Specifies the largest process stack segment for a user process.

Specifies the time of the last successful login as the number of seconds since the epoch (00:00:00 GMT, January 1, 1970). The value is a decimal integer.

Specifies the terminal on which the user last logged in. The value is a character string.

Specifies the host from which the user last logged in. The value is a character string.

Specifies the number of unsuccessful login attempts since the last successful login. The value is a decimal integer. This attribute works in conjunction with the user's loginretries attribute, specified in the /etc/security/user file, to lock the user's account after a specified number of consecutive unsuccessful login attempts. Once the user's account is locked, the user will not be able to log in until the system administrator resets the user's unsuccessful_login_count attribute to be less than the value of loginretries. To do this, enter the following:
chsec -f /etc/security/lastlog -s username -a \
unsuccessful_login_count=0

Specifies the time when the user's password was last updated. The value is a character string.

Contains the list of roles for each user.

Contains the list of groups for each user.

Specifies the last unsuccessful host login.

Specifies the time of the last unsuccessful login.

Defines the minimum number of lowercase alphabetic characters that must be in a new password. The value is a decimal integer string. The default is a value of 0, indicating no minimum number.

Defines the minimum number of uppercase alphabetic characters that must be in a new password. The value is a decimal integer string. The default is a value of 0, indicating no minimum number.

Defines the minimum number of special characters that must be in a new password. The value is a decimal integer string. The default is a value of 0, indicating no minimum number.

Defines the minimum number of numerical digits that must be in a new password. The value is a decimal integer string. The default is a value of 0, indicating no minimum number.

Specifies the terminal on which the last unsuccessful user login occurred. The value is a character string.