AIX: Changing User Passwords as Root Without Triggering ADMCHG Flag



When administering AIX systems, administrators often need to change user passwords without forcing password changes at next login. The standard passwd command and other methods typically set the ADMCHG flag in /etc/security/passwd, which forces password change on next login.

The most reliable method is to directly edit the password hash in /etc/security/passwd:

1. Become root: 
   # su - root

2. Backup the password file:
   # cp /etc/security/passwd /etc/security/passwd.bak

3. Generate the new password hash:
   # openssl passwd -1 "newpassword"

4. Edit the password file:
   # vi /etc/security/passwd
   (Locate the user and replace the password hash)

Alternatively, you can use pwdadm with specific flags:

# pwdadm -f NOCHECK user1
# pwdadm user1
(Enter new password when prompted)

The -f NOCHECK option prevents setting the ADMCHG flag while changing the password.

For bulk password changes, create a script like this:

#!/usr/bin/ksh
# Bulk version of the pwdadm step above: the here-document supplies the
# new password and its confirmation for each user in turn.
for user in user1 user2 user3
do
    pwdadm -f NOCHECK "$user" << EOF
newpassword
newpassword
EOF
done

After changing the password, verify the ADMCHG flag status:

# lsuser -a admchg user1
user1 admchg=false

Remember that directly editing system files carries risks. Always create backups and test in non-production environments first.


When administering AIX systems, you'll notice that any password change performed by root using standard methods (like passwd or pwdadm) automatically sets the ADMCHG flag in /etc/security/passwd. This forces the user to change their password at next login - which isn't always desired behavior.

The most reliable method is to manually edit the password file after changing the password:

# First change the password normally
passwd username
New Password: 
Re-enter new Password:

# Then edit the security file
vi /etc/security/passwd
# Locate the user and remove the ADMCHG flag
username:
        password = 
        lastupdate = 1682345600
        flags =                 # ensure this value is empty, or remove the line

For a more programmatic approach, use chsec to modify the security attributes:

# Change password first
echo "username:newpassword" | chpasswd -c

# Then clear the ADMCHG flag
chsec -f /etc/security/passwd -s username -a "flags="

The pwdadm command can be combined with attribute modification:

# Set the password
pwdadm -f NOCHECK username
echo "newpassword" | pwdadm -p username

# Clear admin change flag
chuser flags= username

While these methods work, consider the security implications:

  • Password changes should typically force a reset if the admin initiated them
  • Make sure you're not bypassing important security policies
  • Document any exceptions to standard procedures

For frequent use, create a shell script (e.g., setpasswd):

#!/bin/ksh
# setpasswd: set a user's password as root without leaving ADMCHG set
if [ $# -ne 2 ]; then
    echo "Usage: $0 username password"
    exit 1
fi

# chpasswd -c sets the password and clears the password flags
echo "$1:$2" | chpasswd -c
# make sure the flags attribute is empty afterwards
chsec -f /etc/security/passwd -s "$1" -a "flags="

Remember to set appropriate permissions on the script (chmod 700) since it will contain clear-text passwords during execution.
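As an added example, not code from either answer above, the following portable sh script audits the ADMCHG state by parsing an /etc/security/passwd-style stanza file, so the result of the manual `flags =` edit can be cross-checked against the `lsuser -a admchg` output shown in the first answer. The sample stanza file, its user names and its placeholder hashes are constructed.

```shell
# Added example (not code from either answer): audit the ADMCHG flag by
# parsing an /etc/security/passwd-style stanza file, so the result can be
# cross-checked against `lsuser -a admchg USER` on the AIX box itself.

# Constructed sample in AIX stanza format; hashes are placeholders.
SAMPLE_PASSWD="${TMPDIR:-/tmp}/passwd.sample.$$"
cat > "$SAMPLE_PASSWD" <<'EOF'
user1:
        password = PLACEHOLDER_HASH
        lastupdate = 1682345600
        flags = ADMCHG
user2:
        password = PLACEHOLDER_HASH
        lastupdate = 1682345600
        flags = ADMCHG,NOCHECK
user3:
        password = PLACEHOLDER_HASH
        lastupdate = 1682345600
        flags =
user4:
        password = PLACEHOLDER_HASH
        lastupdate = 1682345600
EOF

# admchg_status FILE USER: prints "true" when the user's flags include
# ADMCHG, "false" when the flags line is empty or missing; returns 2 when
# USER has no stanza at all.
admchg_status() {
    awk -v user="$2" '
        /^[^ \t]+:[ \t]*$/ {                        # stanza header "name:"
            stanza = $0; sub(/:.*$/, "", stanza)
            if (stanza == user) seen = 1
            next
        }
        stanza == user && /^[ \t]*flags[ \t]*=/ {
            value = $0; sub(/^[^=]*=/, "", value)   # text after the "="
            n = split(value, f, /[ \t,]+/)           # flags are comma-separated
            for (i = 1; i <= n; i++) if (f[i] == "ADMCHG") set = 1
        }
        END { if (!seen) exit 2; print (set ? "true" : "false") }
    ' "$1"
}

# Report every stanza in the file in the same shape as lsuser output.
report_admchg() {
    awk '/^[^ \t]+:[ \t]*$/ { sub(/:.*$/, ""); print }' "$1" |
    while read -r u; do echo "$u admchg=$(admchg_status "$1" "$u")"; done
}
report_admchg "$SAMPLE_PASSWD"
```

On AIX, run it as root against /etc/security/passwd instead of the sample; users reported as admchg=true will be forced to change their password at next login.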