AIX - IBM's Advanced Interactive eXecutive

AIX : Packet filtering

As well as Linux having an integrated firewall (NetFilter / Iptables), AIX comes with built-in filtering capabilities.

Commands (source) :

lsfilt
list existing filter rules

How to lock / unlock a user account ?

Lock :
chuser account_locked=true bob
Unlock :
chuser account_locked=false bob
Check :
lsuser bob
bob id=1234 pgrp=webgrp groups=webgrp,staff home=/home/bob shell=/usr/bin/ksh login=true su=true rlogin=false daemon=true admin=false sugroups=ALL admgroups= tpath=nosak ttys=ALL expires=0 auth1=SYSTEM auth2=NONE umask=27 registry=files SYSTEM=compat logintimes= loginretries=5 pwdwarntime=0 account_locked=true minage=1 maxage=26 maxexpired=-1 minalpha=2 minloweralpha=1 minupperalpha=1 minother=2 mindigit=1 minspecialchar=1 mindiff=4 maxrepeats=2 minlen=12 histexpire=0 histsize=5 pwdchecks= dictionlist= default_roles= fsize=2097151 cpu=-1 data=262144 stack=65536 core=2097151 rss=65536 nofiles=2000 roles=

After creating a user account, the user has a * in the password field (rather than a ! which is used to signify the password is stored in a shadow file : /etc/security/passwd). This * means the new account is disabled until a password is set (using passwd or pwdadm).

I've noticed lines such as :

+:
in /etc/group and
+:@string::::::
in /etc/password (string being the server name, something looking like the name of a group of machines/architecture/datacenter). Such entries are undocumented so far, and look like Vi typos (especially +:), but after removing them, I couldn't login to this server anymore. I guess they're related to some proprietary/home-made solution for user authentication/machines inventory/... and that is specific to my company's machines.