pwchange Command

Purpose

Change user authentication and privacy keys dynamically.

Syntax

pwchange [ -e ] [ -d DebugLevel ] [ -p Protocol ] [ -u KeyUsage ] [ -s ] [ OldPassword NewPassword ] [ IPAddress | HostName | EngineID ]

Description

The pwchange command is provided to facilitate dynamic changes of user authentication and privacy keys. Dynamic configuration of authentication and privacy keys is done by doing set commands to objects of syntax keyChange. The keyChange syntax provides a way of changing keys without requiring that the actual keys (either new or old) be flowed directly across the wire, which would not be secure. Instead, if an object,such as usmUserAuthKeyChange (for example) is to be set, the keyChange value must be derived from the old and new passwords and the engineID of the agent at which the key will be used. The pwchange command is used to generate the keyChange values.

The pwchange command generates different output, depending on which protocol and what key usage is selected. Keychange values are typically twice as long as the key to be changed.

Flags

Item Description
-d DebugLevel This flag indicates what level of debug information is desired. Debug tracing is either on or off: 1 causes debug tracing to be generated to the screen of the command issuer (sysout). Debug tracing is off (0) by default.
-e This flag indicates that the agent for which the keychange value is being defined is identified by engineID rather than by IP address or host name.
-p Protocol This flag indicates the protocols for which the keychange values should be generated. Valid values are:
HMAC-MD5
Generates keychange values for use with the HMAC-MD5 authentication protocol.
HMAC-SHA
Generates keychange values for use with the HMAC-SHA authentication protocol.
all
Generates both HMAC-MD5 and HMAC-SHA keychange values.
The default is that keychange values for the HMAC-MD5 protocol are generated.
-s This flag indicates that output should be displayed with additional spaces to improve readability. By default, data is displayed in a condensed format to facilitate cut-and-paste operations on the keychange values onto command lines in shell scripts.
-u KeyUsage This flag indicates the usage intended for the keychange value. Valid values are:
auth
An authentication keychange value.
priv
A privacy keychange value.
all
Both authentication and privacy keychange values.
Note: There is no difference between a keychange value generated for authentication and a keychange value generated for privacy. However, the length of privacy keychange values depends on whether the keychange value is localized.

Parameters

Item Description
EngineID Specifies the engineID (1-32 octets, 2-64 hex digits) of the destination host at which the key is to be used. The engineID must be a string of 1-32 octets (2-64 hex digits). The default is that the agent identification is not an engineID.
HostName Specifies the destination host at which the key is to be used.
IPAddress Specifies an IPv4 or an IPv6 address of the agent at the destination host at which the key is to be used.
NewPassword Specifies the password that will be used in generating the new key. The password must be between eight and 255 characters long.
OldPassword Specifies the password that was used in generating the key originally. The password must be between eight and 255 characters long.

Security

Attention RBAC users and Trusted AIX® users: This command can perform privileged operations. Only privileged users can run privileged operations. For more information about authorizations and privileges, see Privileged Command Database in Security. For a list of privileges and the authorizations associated with this command, see the lssecattr command or the getcmdattr subcommand.

Examples

The pwchange command generates different output depending on which protocol and what key usage is selected. Key change values are typically twice as long as the key to be changed.

  1. The following command demonstrates how the pwchange command can be used: 
    pwchange oldpassword newpassword 9.67.113.79
    The output of this command looks similar to: 
    Dump of 32 byte HMAC-MD5 authKey keyChange value: 
  3eca6ff34b59010d262845210a401656 
  78dd9646e31e9f890480a233dbe1114d
    The value to be set should be passed as a hex value with the clsnmp command (all on one line): 
     clsnmp set usmUserAuthKeyChange.12.0.0.0.2.0.0.0.0.9.67.113.79.2.117.49 
 \'3eca6ff34b59010d262845210a40165678dd9646e31e9f890480a233dbe1114d\'h
    Note: The backslash in the preceding example is required before the single quotation mark to enable AIX to correctly interpret the hexadecimal value.
    The index of the usmUserTable is made up of the EngineID and the ASCII representation of the user name. In this case it is 2 characters long and translates to 117.49.
    Note: pwchange incorporates a random component in generating keys and keyChange values. The output from multiple commands with the same input does not produce duplicate results.
  2. The following command demonstrates how the pwchange command can be used with IPv6 address: 
    pwchange oldpassword newpassword 2000:1:1:1:209:6bff:feae:6d67
    The output of this command looks similar to: 
    Dump of 32 byte HMAC-MD5 authKey keyChange value:
  0000774adc53ba4b0427dc2f65568435
  721847d1b5cb597daa85d003033afba3
    The value to be set should be passed as a hex value with the clsnmp command (all on one line): 
    clsnmp set usmUserAuthKeyChange.21.128.0.0.2.2.32.0.0.1.0.1.0.1.2.9.107.255.254.174.
109.103.6.105.112.118.54.117.49  \'36133c694155026620637761f835ef616de294f37f758c74ff1544ca3de279b8\'h
    Note: The backslash in the preceding example is required before the single quotation mark to enable AIX to correctly interpret the hexadecimal value.
    The index of the usmUserTable is made up of the EngineID, in this case 21 octets: 128.0.0.2.2.32.0.0.1.0.1.0.1.2.9.107.255.254.174.109.103; And the ASCII representation of the user name, in this case it is 6 characters long and translates to 105.112.118.54.117.49.
    Note: The pwchange command incorporates a random component in generating keys and keyChange values. The output from multiple commands with the same input does not produce duplicate results.