Solaris 10 can keep up to 26 previous password hashes per user in a password history; none of the passwords still in that history may be chosen when a new password is set. The history is only enforced for accounts in the local passwd(4)/shadow(4) files, and root is not affected by it.
server # cat /etc/default/passwd
..... Output skipped .....
# HISTORY sets the number of prior password changes to keep and
# check for a user when changing passwords. Setting the HISTORY
# value to zero (0), or removing/commenting out the flag will
# cause all users' prior password history to be discarded at the
# next password change by any user. No password history will
# be checked if the flag is not present or has zero value.
# The maximum value of HISTORY is 26.
#
# This flag is only enforced for user accounts defined in the
# local passwd(4)/shadow(4) files.
#
HISTORY=3
..... Output skipped .....
The password history of each user is stored in the file /etc/security/passhistory, one line per user with the old hashes separated by colons. This file can be read by root.
server # cat /etc/security/passhistory
userD:$md5$10UaDIO5$$rJ9iG3tGCZnmUDURvp.ZA.:$md5$ETwK1Yd9$$BPGt1b/o4/Fbu9GGNO/.a.:$md5$QOvXzayQ$$63DofaRZ2xuFlOoU2OqdQ0:
ordinary-user $ passwd
passwd: Changing password for userD
Enter existing login password:
New Password:
passwd: Password in history list.
Please try again
New Password:
Another new feature in Solaris 10 is configurable password complexity. System administrators can now define how complex user passwords must be. The following characteristics can be set for a password, all of them in /etc/default/passwd:
| Complexity setting | Purpose |
|---|---|
| MAXREPEATS | Maximum number of allowed consecutive repeating characters. If MAXREPEATS is not set or is zero (0), no check is performed. |
| MINALPHA | Minimum number of alphabetic characters required. If MINALPHA is not set, the default is 2. |
| MINDIFF | Minimum number of differences required between the old and the new password. If MINDIFF is not set, the default is 3. |
| MINDIGIT | Minimum number of digits required. If MINDIGIT is not set or is zero (0), no check is performed. MINDIGIT cannot be specified together with MINNONALPHA. |
| MINLOWER | Minimum number of lower-case letters required. If MINLOWER is not set or is zero (0), no check is performed. |
| MINNONALPHA | Minimum number of non-alphabetic characters (digits and special characters) required. If MINNONALPHA is not set, the default is 1. MINNONALPHA cannot be specified together with MINDIGIT or MINSPECIAL. |
| MINSPECIAL | Minimum number of special characters (neither alphabetic nor digit) required. If MINSPECIAL is not set or is zero (0), no check is performed. MINSPECIAL cannot be specified together with MINNONALPHA. |
| MINUPPER | Minimum number of upper-case letters required. If MINUPPER is not set or is zero (0), no check is performed. |
| NAMECHECK | Enables or disables checking of the new password against the login name. The default is to perform the check. A case-insensitive value of "no" disables it. |
| WHITESPACE | Determines whether whitespace characters are allowed in passwords. Valid values are YES and NO. If WHITESPACE is not set or is set to YES, whitespace characters are allowed. |
server # vi /etc/default/passwd
..... Output Skipped .....
# NAMECHECK enables/disables login name checking.
# The default is to do login name checking.
# Specifying a value of "NO" will disable login name checking.
#
#NAMECHECK=NO
# Password complexity tunables. The values listed are the defaults
# which are compatible with previous releases of passwd.
# See passwd(1) and pam_authtok_check(5) for use warnings and
# discussion of the use of these options.
#
#MINDIFF=3
#MINALPHA=2
#MINNONALPHA=1
#MINUPPER=0
#MINLOWER=0
#MAXREPEATS=0
#MINSPECIAL=0
MINDIGIT=4
#WHITESPACE=YES
..... Output Skipped .....
ordinary-user $ passwd
passwd: Changing password for userD
Enter existing login password:
New Password:
passwd: The password must contain at least 4 digit(s).
Please try again
New Password:
Another feature that can be enabled is a password dictionary: any word found in the dictionary is rejected as a password.
# vi /etc/passworddictionary
qaz123
123qaz
a1b2c3d4
Make sure that each line ends with a newline.
NB. The comment in /etc/default/passwd tells you to run the mkdict command to build the dictionary database, but no such command exists. The correct command is mkpwdict.
server # vi /etc/default/passwd
#
# passwd performs dictionary lookups if DICTIONLIST or DICTIONDBDIR
# is defined. If the password database does not yet exist, it is
# created by passwd. See passwd(1), pam_authtok_check(5) and
# mkdict(1) for more information.
#
DICTIONLIST=/etc/passworddictionary
DICTIONDBDIR=/var/passwd
server # mkpwdict
mkpwdict: using default database location: /var/passwd.
mkpwdict: using default dictionary list: /etc/passworddictionary.
server # cd /var/passwd
server # ls
authtok_check.lock pw_dict.pwd
pw_dict.hwm pw_dict.pwi
server # file *
authtok_check.lock: empty file
pw_dict.hwm: ascii text
pw_dict.pwd: ascii text
pw_dict.pwi: ascii text
server # cat pw_dict.pwd
123qaza1b2c3d4qaz123server #
ordinary-user $ passwd
passwd: Changing password for userA
Enter existing login password:
New Password:
passwd: password is based on a dictionary word.
Please try again
New Password:
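As an added example (not from this page and not Sun's code), the following Python script re-implements the complexity tunables from the table above and the dictionary lookup of this section, so a candidate password can be tested against an /etc/default/passwd fragment without touching a live system. The file contents and the word list are constructed; the MINDIFF, NAMECHECK and MAXREPEATS interpretations and the handling of MINNONALPHA next to an explicit MINDIGIT are my reading of passwd(1) and pam_authtok_check(5), not verified against Sun's implementation, and the dictionary check is a plain word lookup rather than the cracklib-style check passwd actually performs.

```python
"""Checker modelled on the complexity and dictionary tunables in /etc/default/passwd.
Added illustration, not Sun's pam_authtok_check(5) code: it approximates the
documented rules so you can see what each tunable actually rejects."""

# Constructed /etc/default/passwd fragment: only MINDIGIT=4 is set, the rest is
# left commented out, which is the situation shown on this page.
SAMPLE_DEFAULT_PASSWD = """\
#MINDIFF=3
#MINALPHA=2
#MINNONALPHA=1
#MINUPPER=0
#MINLOWER=0
#MAXREPEATS=0
#MINSPECIAL=0
MINDIGIT=4
#WHITESPACE=YES
#NAMECHECK=NO
"""
# Constructed stand-in for /etc/passworddictionary (one word per line).
SAMPLE_DICTIONARY = "qaz123\n123qaz\na1b2c3d4\n"

# Defaults documented in passwd(1); 0 means "no check".
DEFAULTS = {"MINDIFF": 3, "MINALPHA": 2, "MINNONALPHA": 1, "MINUPPER": 0,
            "MINLOWER": 0, "MAXREPEATS": 0, "MINSPECIAL": 0, "MINDIGIT": 0}
LABELS = {"MINALPHA": "alphabetic character", "MINUPPER": "upper-case letter",
          "MINLOWER": "lower-case letter", "MINDIGIT": "digit",
          "MINSPECIAL": "special character", "MINNONALPHA": "non-alphabetic character"}

def parse_default_passwd(text):
    """Return {KEY: value} for the uncommented KEY=VALUE lines."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            settings[key.strip()] = value.strip()
    return settings

def effective_policy(settings):
    """Fill in the defaults and apply the documented mutual exclusions."""
    policy = {k: int(settings.get(k, v)) for k, v in DEFAULTS.items()}
    given = {k for k in ("MINDIGIT", "MINSPECIAL", "MINNONALPHA") if k in settings}
    if "MINNONALPHA" in given and given & {"MINDIGIT", "MINSPECIAL"}:
        raise ValueError("MINNONALPHA cannot be combined with MINDIGIT or MINSPECIAL")
    if given & {"MINDIGIT", "MINSPECIAL"}:
        policy["MINNONALPHA"] = 0  # assumption: explicit MINDIGIT/MINSPECIAL replace the default of 1
    policy["WHITESPACE"] = settings.get("WHITESPACE", "YES").upper() != "NO"
    policy["NAMECHECK"] = settings.get("NAMECHECK", "YES").upper() != "NO"
    return policy

def longest_run(s):
    """Length of the longest run of one repeated character (for MAXREPEATS)."""
    best = run = 0
    prev = None
    for ch in s:
        run = run + 1 if ch == prev else 1
        best, prev = max(best, run), ch
    return best

def positions_differing(old, new):
    """MINDIFF approximation: positions that differ, plus any length difference."""
    return sum(a != b for a, b in zip(old, new)) + abs(len(old) - len(new))

def derived_from_login(pw, login):
    """NAMECHECK approximation: the login name, a rotation of it, or the reverse of one."""
    p, n = pw.lower(), login.lower()
    return len(p) == len(n) and (p in n + n or p[::-1] in n + n)

def check_password(new, old, login, policy, dictionary=()):
    """Return the rejection messages for a candidate; an empty list means it passes."""
    errors = []
    counts = {"MINALPHA": sum(c.isalpha() for c in new),
              "MINUPPER": sum(c.isupper() for c in new),
              "MINLOWER": sum(c.islower() for c in new),
              "MINDIGIT": sum(c.isdigit() for c in new),
              "MINSPECIAL": sum(not c.isalnum() for c in new),
              "MINNONALPHA": sum(not c.isalpha() for c in new)}
    for key, have in counts.items():
        if policy[key] and have < policy[key]:
            errors.append(f"The password must contain at least {policy[key]} {LABELS[key]}(s).")
    if policy["MAXREPEATS"] and longest_run(new) > policy["MAXREPEATS"]:
        errors.append(f"The password may not contain more than {policy['MAXREPEATS']} "
                      "consecutive repeating characters.")
    if policy["MINDIFF"] and old and positions_differing(old, new) < policy["MINDIFF"]:
        errors.append(f"The password must differ from the old one in at least "
                      f"{policy['MINDIFF']} positions.")
    if not policy["WHITESPACE"] and any(c.isspace() for c in new):
        errors.append("Whitespace characters are not allowed.")
    if policy["NAMECHECK"] and derived_from_login(new, login):
        errors.append("The password may not be based on the login name.")
    # Plain lookup; the real dictionary check (cracklib style) also tries transformations.
    if new.lower() in {w.strip().lower() for w in dictionary if w.strip()}:
        errors.append("password is based on a dictionary word.")
    return errors

if __name__ == "__main__":
    policy = effective_policy(parse_default_passwd(SAMPLE_DEFAULT_PASSWD))
    for candidate in ("Abc12", "a1b2c3d4", "Gh7k2m94"):
        verdict = check_password(candidate, "oldPass1", "userD", policy, SAMPLE_DICTIONARY.splitlines())
        print(candidate, "->", verdict or "accepted")
```

With the page's settings (only MINDIGIT=4 set) `Abc12` is rejected for having two digits, `a1b2c3d4` is rejected only because it is in the dictionary, and `Gh7k2m94` is accepted; with MINNONALPHA left at its default next to no MINDIGIT, a password such as `aaaBc1` under MAXREPEATS=2 fails on the repeat check alone.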
So far, account locking has been a manual task: the system administrator locked accounts and, when needed, unlocked them again.
In Solaris 10 an account can also be locked automatically after a number of failed login attempts. While an account is locked the user cannot log in with it; only after the system administrator has unlocked the account is the user allowed back into the system.
The lockout count defines after how many failed attempts the account is locked. It is set with RETRIES in /etc/default/login (default 5, maximum 15). Locking itself must be switched on separately, either system wide with LOCK_AFTER_RETRIES in /etc/security/policy.conf or per user in /etc/user_attr; both apply to local accounts only.
server # vi /etc/default/login
..... Output Skipped .....
# RETRIES determines the number of failed logins that will be
# allowed before login exits. Default is 5 and maximum is 15.
# If account locking is configured (user_attr(4)/policy.conf(4))
# for a local user's account (passwd(4)/shadow(4)), that account
# will be locked if failed logins equals or exceeds RETRIES.
#
RETRIES=3
..... Output Skipped .....
server # vi /etc/security/policy.conf
..... Output Skipped .....
#
# LOCK_AFTER_RETRIES specifies the default account locking policy for local
# user accounts (passwd(4)/shadow(4)). The default may be overridden by
# a user's user_attr(4) "lock_after_retries" value.
# YES enables local account locking, NO disables local account locking.
# The default value is NO.
#
LOCK_AFTER_RETRIES=yes
server # usermod -K lock_after_retries=yes userA
server # cat /etc/user_attr
#
# Copyright (c) 2003 by Sun Microsystems, Inc. All rights reserved.
#
# /etc/user_attr
#
# user attributes. see user_attr(4)
#
#pragma ident "@(#)user_attr 1.1 03/07/09 SMI"
#
adm::::profiles=Log Management
lp::::profiles=Printer Management
root::::auths=solaris.*,solaris.grant;profiles=Web Console Management,All;lock_after_retries=no
userA::::type=normal;lock_after_retries=yes
The LOCK_AFTER_RETRIES value in policy.conf is the default for all local users; a lock_after_retries entry in /etc/user_attr overrides it in either direction, which is why root is exempted with lock_after_retries=no above. If LOCK_AFTER_RETRIES is left at NO, only users whose /etc/user_attr entry carries lock_after_retries=yes are locked automatically when the lockout count is reached.
server # telnet .
Trying 0.0.0.0...
Connected to ..
Escape character is '^]'.
login: userA
Password:
Login incorrect
login: userA
Password:
Login incorrect
login: userA
Password:
Login incorrect
Connection to . closed by foreign host.
server # grep userA /etc/shadow
userA:*LK*v.y0Isc5YYt1E:12849::::::3
The *LK* prefix in the password field marks the account as locked (the original hash is kept behind it, so unlocking restores the old password), and the last field, the flag field of shadow(4), holds the failed login count, here 3.
The default password hashing algorithm in Solaris 10 is the traditional UNIX crypt(3C) algorithm, which is DES based and only looks at the first 8 characters of a password. Because crypt is no longer considered secure, Solaris 10 lets the system administrator change the default algorithm (the configuration files below still call this "encryption").
server # cat /etc/security/crypt.conf
#
# Copyright 2002 Sun Microsystems, Inc. All rights reserved.
# Use is subject to license terms.
#
#ident "@(#)crypt.conf 1.1 02/06/07 SMI"
#
# The algorithm name __unix__ is reserved.
1 crypt_bsdmd5.so.1
2a crypt_bsdbf.so.1
md5 crypt_sunmd5.so.1
As the file states, the __unix__ name is reserved. Although __unix__ is not explicitly listed, it is the name of the traditional crypt() algorithm, which is built into libc rather than loaded as a module.
server # vi /etc/security/policy.conf
..... Output skipped .....
#
# CRYPT_ALGORITHMS_ALLOW specifies the algorithms that are allowed to
# be used for new passwords. This is enforced only in crypt_gensalt(3c).
#
CRYPT_ALGORITHMS_ALLOW=1,2a,md5
# To deprecate use of the traditional unix algorithm, uncomment below
# and change CRYPT_DEFAULT= to another algorithm. For example,
# CRYPT_DEFAULT=1 for BSD/Linux MD5.
#
#CRYPT_ALGORITHMS_DEPRECATE=__unix__
# The Solaris default is the traditional UNIX algorithm. This is not
# listed in crypt.conf(4) since it is internal to libc. The reserved
# name __unix__ is used to refer to it.
#
CRYPT_DEFAULT=1
#
..... Output Skipped .....
server # passwd userB
New Password:
Re-enter new Password:
passwd: password successfully changed for userB
server # grep ^user /etc/shadow
userA:rJbTunOcBqoaQ:12849::::::
userB:$1$cErSmGM8$589dqpN1ZnNY2Rbruyb451:12849::::::
As you can see, the password hash (second field) of userB is longer than that of userA. This is because userB's password was hashed with crypt_bsdmd5.so.1, recognizable by the $1$ prefix, while userA's was hashed with the traditional crypt().
When you change the default algorithm, the new algorithm is not used until somebody (root, the user or an application) next sets or resets a user's password. Hashes produced with the old algorithm are not converted when the default changes; to move every account over you have to force a password change, for example with passwd -f, and let the users choose new passwords.
Both userA and userB can still log in, because Solaris 10 recognizes from the stored hash which algorithm produced it and uses that same algorithm to verify the entered password. Deprecating an algorithm in policy.conf therefore only affects new passwords; it does not reject existing hashes at login.
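The following Python script is an added example (not part of this page and not Sun's code) that ties the lockout and hashing sections together: it parses shadow(4) lines, recognizes the *LK* lock marker and the failed-login counter in the flag field, maps each hash prefix to its crypt.conf name, and lists the accounts that will stay on a deprecated or disallowed algorithm until their password is reset. The shadow lines and the policy.conf fragment are constructed from the values shown on this page (with the CRYPT_ALGORITHMS_DEPRECATE line uncommented); treating a missing CRYPT_ALGORITHMS_ALLOW as "every algorithm allowed" and reading the counter from the low four bits of the flag field are assumptions.

```python
"""Audit /etc/shadow hashes against the crypt policy in /etc/security/policy.conf.
Added illustration, not Sun's code. It works on the constructed fragments below;
on a real host read /etc/shadow (root only) and /etc/security/policy.conf instead."""
import re

# Constructed /etc/shadow, built from the hash strings shown on this page.
SAMPLE_SHADOW = """\
userA:*LK*v.y0Isc5YYt1E:12849::::::3
userB:$1$cErSmGM8$589dqpN1ZnNY2Rbruyb451:12849::::::
userC:$2a$04$jmxXKgcZ912GlskLeenlWeQFVGFOaYSOX.PIUIroJ3vRbe0inKqHG:12849::::::
userD:$md5$YoLVA6EB$$pCnB3U8r.Iazr15km8WCy.:12849::::::
nobody:NP:6445::::::
daemon:*:6445::::::
"""
# Constructed policy.conf fragment: the page's settings with the
# CRYPT_ALGORITHMS_DEPRECATE line uncommented, as the file's comment suggests.
SAMPLE_POLICY_CONF = """\
CRYPT_ALGORITHMS_ALLOW=1,2a,md5
CRYPT_ALGORITHMS_DEPRECATE=__unix__
CRYPT_DEFAULT=1
LOCK_AFTER_RETRIES=YES
"""
# crypt.conf(4) names keyed by hash prefix; __unix__ (traditional crypt, 13 characters
# from [./0-9A-Za-z]) has no prefix because it lives inside libc.
PREFIXES = {"$1$": "1", "$2a$": "2a", "$md5$": "md5"}
TRADITIONAL = re.compile(r"^[./0-9A-Za-z]{13}$")
LOCK_MARK = "*LK*"

def parse_policy_conf(text):
    """Return {KEY: value} for the uncommented KEY=VALUE lines."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            settings[key.strip()] = value.strip()
    return settings

def classify_hash(field):
    """Return (algorithm name or None, locked) for a shadow(4) password field."""
    locked = field.startswith(LOCK_MARK)
    if locked:
        field = field[len(LOCK_MARK):]
    if field in ("", "NP", "*"):  # no password, or no usable password
        return None, locked
    for prefix, name in PREFIXES.items():
        if field.startswith(prefix):
            return name, locked
    if TRADITIONAL.match(field):
        return "__unix__", locked
    return "unknown", locked

def parse_shadow(text):
    """Parse shadow(4) lines; the 9th (flag) field carries the failed-login count."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = (line.split(":") + [""] * 9)[:9]
        algo, locked = classify_hash(fields[1])
        flag = int(fields[8]) if fields[8].isdigit() else 0
        entries.append({"name": fields[0], "algorithm": algo, "locked": locked,
                        # assumption: the counter sits in the low four bits of the flag
                        "failed_logins": flag & 0xF})
    return entries

def audit(shadow_text, policy_text):
    """Flag accounts whose hash uses a deprecated or disallowed algorithm.
    Such accounts keep working (login picks the algorithm from the hash itself)
    but stay on the weak hash until their password is next set."""
    policy = parse_policy_conf(policy_text)
    allow = policy.get("CRYPT_ALGORITHMS_ALLOW")
    allowed = set(allow.split(",")) if allow else None  # None: everything allowed
    deprecated = {a for a in policy.get("CRYPT_ALGORITHMS_DEPRECATE", "").split(",") if a}
    report = []
    for entry in parse_shadow(shadow_text):
        algo = entry["algorithm"]
        entry["needs_rehash"] = algo is not None and (
            algo in deprecated or (allowed is not None and algo not in allowed))
        report.append(entry)
    return report

def accounts_needing_reset(shadow_text, policy_text):
    """Names to hand to 'passwd -f' so CRYPT_DEFAULT is applied at the next login."""
    return [e["name"] for e in audit(shadow_text, policy_text) if e["needs_rehash"]]

if __name__ == "__main__":
    for e in audit(SAMPLE_SHADOW, SAMPLE_POLICY_CONF):
        print(f"{e['name']:8} {str(e['algorithm']):8} locked={e['locked']} "
              f"failed={e['failed_logins']} rehash={e['needs_rehash']}")
```

Run against the constructed data it reports userA as locked with three failed logins and as the only account still on __unix__, which is exactly the account whose password has to be reset (after unlocking) before the deprecation has any effect on it.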
| Name | Module | Password hash in /etc/shadow | Example user |
|---|---|---|---|
| __unix__ | crypt() in libc | xOj5VY2QvTFfk | userA |
| 1 | crypt_bsdmd5.so.1 | $1$cErSmGM8$589dqpN1ZnNY2Rbruyb451 | userB |
| 2a | crypt_bsdbf.so.1 | $2a$04$jmxXKgcZ912GlskLeenlWeQFVGFOaYSOX.PIUIroJ3vRbe0inKqHG | userC |
| md5 | crypt_sunmd5.so.1 | $md5$YoLVA6EB$$pCnB3U8r.Iazr15km8WCy. | userD |
| Feature | Configuration file(s) |
|---|---|
| Account locking after retries (system wide) | /etc/default/login (RETRIES), /etc/security/policy.conf (LOCK_AFTER_RETRIES) |
| Account locking after retries (per user) | /etc/user_attr (lock_after_retries), /etc/default/login (RETRIES) |
| Account locking manually | /etc/shadow (*LK* in the password field) |
| Password complexity tunables | /etc/default/passwd |
| Password dictionary | /etc/default/passwd (DICTIONLIST, DICTIONDBDIR), mkpwdict |
| Password hashing algorithm | /etc/security/crypt.conf, /etc/security/policy.conf |
| Password history | /etc/default/passwd (HISTORY), /etc/security/passhistory |
I'm in no way responsible for what you do. Not even when you do it after reading my documents.