Monday, August 25, 2008

How to Rename a Solaris Zone?

A few days back I needed to rename my Solaris zone from "orazone" to "oraprodzone". I followed the steps below to rename the zone successfully.

STEP 1: Shutdown the zone "orazone"

Issue the following commands from the global zone to shut down orazone.

globalzone# zoneadm list -iv
ID NAME STATUS PATH
0 global running /
2 orazone running /zones/orazone
globalzone# zoneadm -z orazone halt
globalzone# zoneadm list -iv
ID NAME STATUS PATH
0 global running /
- orazone installed /zones/orazone
globalzone#

STEP 2: Rename the Zone from "orazone" to "oraprodzone"

Enter the zone configuration from the global zone using the commands below.

globalzone# zonecfg -z orazone
zonecfg:orazone> set zonename=oraprodzone
zonecfg:orazone> commit
zonecfg:orazone> exit

globalzone# zoneadm list -vc
ID NAME STATUS PATH BRAND
0 global running / native
- oraprodzone installed /zones/orazone native

STEP 3: Boot the zone

After you have made the above changes, boot the zone from the global zone using the commands below.

globalzone# zoneadm -z oraprodzone boot
globalzone# zoneadm list -iv
ID NAME STATUS PATH
0 global running /
2 oraprodzone running /zones/orazone

Done!
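The three supported steps above, wrapped in a small script as an added example (not from the original post). It assumes Solaris zoneadm/zonecfg run as root in the global zone; zone_state only parses "zoneadm list -iv" text, so that check can be exercised without a real zone.

```shell
#!/bin/sh
# Added example: supported zone rename (halt -> zonecfg set zonename -> boot)
# with the state checks a practitioner would want. Assumes Solaris 10 zoneadm
# and zonecfg in the global zone; zone names are passed as arguments.

# zone_state LISTING ZONE: print the STATUS column for ZONE from the text of
# "zoneadm list -iv" (ID NAME STATUS PATH ...). Empty output = zone not listed.
zone_state() {
    printf '%s\n' "$1" | awk -v z="$2" '$2 == z { print $3 }'
}

# rename_zone OLD NEW: halt OLD if it is running, rename it via zonecfg,
# verify the new name shows up as "installed", then boot it.
rename_zone() {
    old=$1; new=$2
    listing=$(zoneadm list -iv) || return 1
    state=$(zone_state "$listing" "$old")
    case "$state" in
        "")        echo "zone $old not found" >&2; return 1 ;;
        running)   zoneadm -z "$old" halt || return 1 ;;
        installed) : ;;   # already halted, nothing to do
        *)         echo "zone $old is in state '$state'; refusing" >&2; return 1 ;;
    esac
    # zonecfg reads subcommands from standard input; same commands as the post.
    zonecfg -z "$old" <<EOF || return 1
set zonename=$new
commit
exit
EOF
    listing=$(zoneadm list -iv) || return 1
    if [ "$(zone_state "$listing" "$new")" != installed ]; then
        echo "rename of $old to $new did not take effect" >&2
        return 1
    fi
    zoneadm -z "$new" boot
}
```

Usage: rename_zone orazone oraprodzone (the zonepath stays /zones/orazone, as in the listing above).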

There is another way to rename a zone (not supported, but it worked for me). It is not the right way to do it, but I will mention it as well.

Renaming zone orazone to oraprodzone

Perform all of the below as root in the global zone.
First shut down your orazone zone, then edit the zone index:

globalzone# zoneadm -z orazone halt
globalzone# vi /etc/zones/index

change orazone to oraprodzone

globalzone# cd /etc/zones
globalzone# mv orazone.xml oraprodzone.xml
globalzone# vi oraprodzone.xml

change orazone to oraprodzone

globalzone# cd /zones
-/zones is where I have stored all the zones

globalzone# mv orazone oraprodzone

-cd to your new zone's root (/zones/oraprodzone/root/etc) and modify /etc/hosts, /etc/nodename and /etc/hostname.xxx there

globalzone# cd /zones/oraprodzone/root/etc

-boot the renamed zone
globalzone# zoneadm -z oraprodzone boot

Feel free to leave a comment :)

Tuesday, August 5, 2008

Password Securing Guide - Solaris

Hello All, I am often criticized for using very cryptic passwords on my systems, with multiple combinations of numeric and special characters. But really speaking, it is indeed a good practice to maintain complex passwords on your systems, so that they cannot be easily guessed or broken into using some silly dictionary attack tool.

If you are not aware of this, let me tell you (sometimes you learn something that takes you by surprise and you tell yourself "How come I didn't already know this?"): Solaris systems by default still store traditional salted crypt passwords (the default crypt_unix(5) algorithm). Take a closer look at the /etc/shadow file and you will see something like this:

vishal:bwtNbxhjKdK7k:13223::::::

The field "bwtNbxhjKdK7k" is nothing but your salted crypt password. This is the default out-of-the-box password format for Solaris, and you would be surprised to know that the effective length of these passwords cannot exceed 8 characters. So if you typed your password as "barackobama", then your effective password is "barackob" ONLY. Try it for yourself once to see what I am talking about.

OK, now your next question would be: how should you go about fixing this? Well, it is pretty simple and straightforward. All you need to do is change your password scheme. Solaris by default (out of the box) provides 4 such schemes for you to choose from. Do a cat /etc/security/policy.conf:

my-server # cat /etc/security/policy.conf
#
# Copyright 1999-2002 Sun Microsystems, Inc. All rights reserved.
# Use is subject to license terms.
#
# /etc/security/policy.conf
#
# security policy configuration for user attributes. see policy.conf(4)
#
#ident "@(#)policy.conf 1.6 02/06/19 SMI"
#
AUTHS_GRANTED=solaris.device.cdrw
PROFS_GRANTED=Basic Solaris User

# crypt(3c) Algorithms Configuration
#
# CRYPT_ALGORITHMS_ALLOW specifies the algorithms that are allowed to
# be used for new passwords. This is enforced only in crypt_gensalt(3c).
#
CRYPT_ALGORITHMS_ALLOW=1,2a,md5

# To deprecate use of the traditional unix algorithm, uncomment below
# and change CRYPT_DEFAULT= to another algorithm. For example,
# CRYPT_DEFAULT=1 for BSD/Linux MD5.
#
#CRYPT_ALGORITHMS_DEPRECATE=__unix__

# The Solaris default is the traditional UNIX algorithm. This is not
# listed in crypt.conf(4) since it is internal to libc. The reserved
# name __unix__ is used to refer to it.
#
CRYPT_DEFAULT=__unix__

Pay special attention to the CRYPT_ALGORITHMS_ALLOW and CRYPT_DEFAULT lines above (shown in bold in the original post). These are the algorithms the system uses to store your passwords, and they include the deadly CRYPT_DEFAULT=__unix__, which is nothing but crypt_unix. The other crypt algorithms that are allowed are CRYPT_ALGORITHMS_ALLOW=1,2a,md5. Further details can be found in /etc/security/crypt.conf:

my-server # cat /etc/security/crypt.conf
#
# Copyright 2002 Sun Microsystems, Inc. All rights reserved.
# Use is subject to license terms.
#
#ident "@(#)crypt.conf 1.1 02/06/19 SMI"
#
# The algorithm name __unix__ is reserved.

1 crypt_bsdmd5.so.1
2a crypt_bsdbf.so.1
md5 crypt_sunmd5.so.1

Let me explain each of these a little more:

a) 1 - (crypt_bsdmd5.so): One-way password hashing module for use with crypt(3C) that uses the MD5 message hash algorithm. The output is compatible with md5crypt on BSD and Linux systems. Password Limit: 255 chars

b) 2a - (crypt_bsdbf.so): One-way password hashing module for use with crypt(3C) that uses the Blowfish cryptographic algorithm. Password Limit: 255 chars

c) md5 - (crypt_sunmd5.so): One-way password hashing module for use with crypt(3C) that uses the MD5 message hash algorithm. This module is designed to make it difficult to crack passwords using brute-force attacks based on high-speed MD5 implementations that use code inlining, unrolled loops, and table lookups. Password Limit: 255 chars

So you have all of the above to choose from. To switch to a better and more secure password scheme, do the following:

Edit the two lines in /etc/security/policy.conf from

#CRYPT_ALGORITHMS_DEPRECATE=__unix__
CRYPT_DEFAULT=__unix__

to:

(uncomment this line)
CRYPT_ALGORITHMS_DEPRECATE=__unix__

(change this line to your password scheme of choice)
CRYPT_DEFAULT=md5

You can also force a move from one algorithm to another by editing the

CRYPT_ALGORITHMS_ALLOW=

line in policy.conf instead of the deprecation line.

NOTE - AFTER MAKING THE CHANGE, MAKE SURE YOU CHANGE YOUR USERS' PASSWORDS USING THE passwd COMMAND SO THAT, GOING FORWARD, YOUR SYSTEM SAVES PASSWORDS IN THE PASSWORD SCHEME OF YOUR CHOICE. IT CAN BE A HASSLE TO DO THIS, BUT YOU CAN ALWAYS WRITE A SCRIPT TO AUTOMATE THE TASK.

ANOTHER IMPORTANT NOTE - AFTER CHANGING YOUR PASSWORD SCHEME, SOME OF YOUR ADMIN APPS LIKE SOLARIS MANAGEMENT CONSOLE, WEBMIN OR WBEM, AND MANY OTHERS THAT I MIGHT NOT BE AWARE OF, WILL NOT WORK. BUT SINCE I DON'T USE THEM AT ALL, IT DOESN'T REALLY BOTHER ME MUCH.
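The NOTE above is the part people forget: changing CRYPT_DEFAULT only affects passwords set afterwards, so existing __unix__ hashes stay in /etc/shadow until each user runs passwd. Here is an added example script (not from the original post) that reads the active CRYPT_DEFAULT from policy.conf and lists the accounts still carrying a crypt_unix hash; the hash prefixes follow the ids in the crypt.conf shown above, and the shadow and policy files are passed as arguments so it can be tried on constructed copies.

```shell
#!/bin/sh
# Added example: audit which accounts still use the traditional crypt_unix
# hash after CRYPT_DEFAULT was changed. Prefixes per the crypt.conf above:
#   $1$ -> 1 (crypt_bsdmd5), $2a$ -> 2a (crypt_bsdbf), $md5$ -> md5 (crypt_sunmd5)
#   no "$" prefix and exactly 13 chars -> __unix__ (crypt_unix, 8-char effective password)

# classify_hash HASH: print the scheme name for one /etc/shadow password field.
classify_hash() {
    case "$1" in
        '$1$'*)          echo 1 ;;
        '$2a$'*)         echo 2a ;;
        '$md5$'*)        echo md5 ;;
        ''|'*'*|'!'*|NP) echo locked ;;   # no password set, or account locked
        *)               [ "${#1}" -eq 13 ] && echo __unix__ || echo unknown ;;
    esac
}

# audit_shadow FILE: print "user scheme" for every entry in a shadow file.
audit_shadow() {
    while IFS=: read -r user hash rest; do
        echo "$user $(classify_hash "$hash")"
    done < "$1"
}

# unix_users FILE: only the accounts still on crypt_unix, i.e. the ones whose
# passwords must be reset with passwd(1) for the new scheme to take effect.
unix_users() {
    audit_shadow "$1" | awk '$2 == "__unix__" { print $1 }'
}

# policy_default FILE: the active (uncommented) CRYPT_DEFAULT value in policy.conf.
policy_default() {
    sed -n 's/^CRYPT_DEFAULT=//p' "$1" | tail -n 1
}

# report SHADOW POLICY: what is configured versus what is still on disk.
report() {
    echo "CRYPT_DEFAULT is: $(policy_default "$2")"
    echo "accounts still on crypt_unix (need passwd):"
    unix_users "$1"
}
```

Run as root, e.g. report /etc/shadow /etc/security/policy.conf; an empty crypt_unix list means the migration described above is complete.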

BLOG Maintained by - Vishal Sharma | GetQuickStart