Hello All, I am often criticized for using very cryptic passwords on my systems, with multiple combinations of numeric and special characters. But really, it is good practice to maintain complex passwords on your systems, so that they cannot be easily guessed or broken with some silly dictionary-attack tool.
If you are not aware of it, let me tell you this (sometimes you learn something that takes you by surprise and you tell yourself "How come I didn't already know this?"): Solaris systems by default still store traditional salted crypt passwords, using the default crypt_unix(5) algorithm. Take a closer look at the /etc/shadow file and you will see something like this:
vishal:bwtNbxhjKdK7k:13223::::::
The field "bwtNbxhjKdK7k" is your salted crypt password, and this is the default out-of-the-box password format for Solaris. You may be surprised to learn that with this algorithm only the first 8 characters of the password are significant: the traditional DES-based crypt builds its 56-bit key from 7 bits of each of those 8 characters (the two leading characters of the field, "bw" here, are the salt), and anything you type beyond the eighth character is silently discarded. So if you set your password to "barackobama", your effective password is "barackob" ONLY, and logging in with "barackob" will succeed. Try it for yourself once to see what I am talking about.
Now your next question would be: how do you fix this? It is pretty simple and straightforward. All you need to do is change your password scheme. Solaris out of the box provides 4 such schemes to choose from. Do a cat /etc/security/policy.conf:
my-server # cat /etc/security/policy.conf
#
# Copyright 1999-2002 Sun Microsystems, Inc. All rights reserved.
# Use is subject to license terms.
#
# /etc/security/policy.conf
#
# security policy configuration for user attributes. see policy.conf(4)
#
#ident "@(#)policy.conf 1.6 02/06/19 SMI"
#
AUTHS_GRANTED=solaris.device.cdrw
PROFS_GRANTED=Basic Solaris User
# crypt(3c) Algorithms Configuration
#
# CRYPT_ALGORITHMS_ALLOW specifies the algorithms that are allowed to
# be used for new passwords. This is enforced only in crypt_gensalt(3c).
#
CRYPT_ALGORITHMS_ALLOW=1,2a,md5
# To deprecate use of the traditional unix algorithm, uncomment below
# and change CRYPT_DEFAULT= to another algorithm. For example,
# CRYPT_DEFAULT=1 for BSD/Linux MD5.
#
#CRYPT_ALGORITHMS_DEPRECATE=__unix__
# The Solaris default is the traditional UNIX algorithm. This is not
# listed in crypt.conf(4) since it is internal to libc. The reserved
# name __unix__ is used to refer to it.
#
CRYPT_DEFAULT=__unix__
Pay special attention to the CRYPT_* lines above. These control which algorithms the system uses to store your passwords, and out of the box that includes the deadly CRYPT_DEFAULT=__unix__, which is nothing but crypt_unix. The other algorithms that are allowed are CRYPT_ALGORITHMS_ALLOW=1,2a,md5. Which module implements each of these identifiers is recorded in /etc/security/crypt.conf:
my-server # cat /etc/security/crypt.conf
#
# Copyright 2002 Sun Microsystems, Inc. All rights reserved.
# Use is subject to license terms.
#
#ident "@(#)crypt.conf 1.1 02/06/19 SMI"
#
# The algorithm name __unix__ is reserved.
1 crypt_bsdmd5.so.1
2a crypt_bsdbf.so.1
md5 crypt_sunmd5.so.1
Let me explain each of these a little more:
a) 1 - (crypt_bsdmd5.so): one-way password hashing module for use with crypt(3C) that uses the MD5 message digest algorithm. The output is compatible with md5crypt on BSD and Linux systems and carries the $1$ prefix in /etc/shadow. Password limit: 255 characters.
b) 2a - (crypt_bsdbf.so): one-way password hashing module for use with crypt(3C) that uses the Blowfish cipher (bcrypt); hashes carry the $2a$ prefix in /etc/shadow. Password limit: 255 characters.
c) md5 - (crypt_sunmd5.so): one-way password hashing module for use with crypt(3C) that uses the MD5 message digest algorithm; hashes carry the $md5 prefix in /etc/shadow. This module is designed to make passwords hard to crack by brute-force attacks that rely on high-speed MD5 implementations using code inlining, unrolled loops and table lookups. Password limit: 255 characters.
So you have all of the above to choose from. To switch to a better and more secure password scheme, do the following:
Edit the two lines in /etc/security/policy.conf from
#CRYPT_ALGORITHMS_DEPRECATE=__unix__
CRYPT_DEFAULT=__unix__
to
CRYPT_ALGORITHMS_DEPRECATE=__unix__ (uncomment this line)
CRYPT_DEFAULT=md5 (change this line to your password scheme of choice: 1, 2a or md5, i.e. one of the identifiers in CRYPT_ALGORITHMS_ALLOW and crypt.conf)
You can also force a move from one algorithm to another by editing the
CRYPT_ALGORITHMS_ALLOW=
line in policy.conf instead of the deprecation line, removing the identifiers you no longer want used for new passwords. As the comment in the file says, both settings are enforced only in crypt_gensalt(3C), that is, only when a new hash is generated; existing hashes of any algorithm still verify, so nobody gets locked out by the change.
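To apply the two-line change without hand-editing, and to rehearse it on a copy first, here is an added example script (mine, not from the original post). It assumes the stock Solaris 10 layout of policy.conf and crypt.conf shown above, takes the two file paths as parameters so it can be run against copies, and adds a consistency check of its own (not something policy.conf itself enforces): the new CRYPT_DEFAULT must have an entry in crypt.conf and be listed in CRYPT_ALGORITHMS_ALLOW. The sample copies it writes for the dry run are constructed from the lines shown above.

```shell
#!/bin/sh
# Added example, not code from the original post: move a Solaris-style
# policy.conf off the legacy __unix__ scheme. Paths are parameters so the
# change can be rehearsed on copies before touching /etc/security.
#
# Usage: set_crypt_default <policy.conf> <crypt.conf> <algorithm>
# Returns 0 on success, 1 if the algorithm is not usable, 2 on bad arguments.
set_crypt_default() {
    policy="$1"; cryptconf="$2"; alg="$3"
    [ -f "$policy" ] && [ -f "$cryptconf" ] && [ -n "$alg" ] || return 2

    # 1. crypt.conf must map the identifier to a module. __unix__ is never
    #    listed there (it lives inside libc), so it is refused here as well.
    if ! awk -v a="$alg" '$1 !~ /^#/ && $1 == a { found = 1 } END { exit !found }' "$cryptconf"; then
        echo "set_crypt_default: '$alg' has no entry in $cryptconf" >&2
        return 1
    fi

    # 2. Consistency check of this script (policy.conf does not require it):
    #    the default must also be in the list allowed for new passwords.
    allow=$(sed -n 's/^CRYPT_ALGORITHMS_ALLOW=//p' "$policy")
    case ",$allow," in
        *",$alg,"*) ;;
        *) echo "set_crypt_default: '$alg' is not in CRYPT_ALGORITHMS_ALLOW=$allow" >&2
           return 1 ;;
    esac

    # 3. Keep a backup, uncomment the DEPRECATE line, set the new default.
    cp "$policy" "$policy.orig" || return 1
    sed -e 's/^#CRYPT_ALGORITHMS_DEPRECATE=__unix__/CRYPT_ALGORITHMS_DEPRECATE=__unix__/' \
        -e "s/^CRYPT_DEFAULT=.*/CRYPT_DEFAULT=$alg/" "$policy.orig" > "$policy" || return 1
}

# Echo the CRYPT_DEFAULT currently set in the policy.conf named by $1.
current_crypt_default() {
    sed -n 's/^CRYPT_DEFAULT=//p' "$1"
}

# Write constructed copies (the CRYPT_* lines of the stock Solaris 10 files
# shown above, comments omitted) into directory $1 for a dry run.
make_sample_conf() {
    cat > "$1/policy.conf" <<'EOF'
CRYPT_ALGORITHMS_ALLOW=1,2a,md5
#CRYPT_ALGORITHMS_DEPRECATE=__unix__
CRYPT_DEFAULT=__unix__
EOF
    cat > "$1/crypt.conf" <<'EOF'
# The algorithm name __unix__ is reserved.
1 crypt_bsdmd5.so.1
2a crypt_bsdbf.so.1
md5 crypt_sunmd5.so.1
EOF
}

# Dry run on copies in a temporary directory, never on /etc/security.
demo_dir=$(mktemp -d)
make_sample_conf "$demo_dir"
echo "before: CRYPT_DEFAULT=$(current_crypt_default "$demo_dir/policy.conf")"
set_crypt_default "$demo_dir/policy.conf" "$demo_dir/crypt.conf" md5
echo "after:  CRYPT_DEFAULT=$(current_crypt_default "$demo_dir/policy.conf")"
set_crypt_default "$demo_dir/policy.conf" "$demo_dir/crypt.conf" __unix__ || echo "refused __unix__ (expected)"
rm -rf "$demo_dir"
```

On a real system you would run set_crypt_default /etc/security/policy.conf /etc/security/crypt.conf md5 as root and then diff policy.conf against the policy.conf.orig backup it leaves behind.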
NOTE - After making the change, make sure you change your users' passwords with the passwd command, so that going forward the system stores them in the scheme of your choice. Existing hashes are not converted: CRYPT_ALGORITHMS_ALLOW and CRYPT_ALGORITHMS_DEPRECATE are only consulted when a new hash is generated, so every account keeps its old crypt_unix hash (and still authenticates against it) until its password is next set. Doing this for many users can be a hassle, but you can always write a script to automate the task.
ANOTHER IMPORTANT NOTE - After changing your password scheme, some of your admin apps, like Solaris Management Console, Webmin or WBEM and many others that I might not be aware of, will not work. But since I don't use them at all, it doesn't really bother me much.
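To find out which accounts still need a passwd run after the policy change, here is an added example (mine, not from the original post) that classifies each hash in a shadow-format file by its crypt(3C) prefix and lists the ones still on crypt_unix. It takes the shadow file path as a parameter so it can be pointed at a copy. The sample shadow lines it writes are constructed: only vishal's entry is taken from the post, the other hash strings are made-up placeholders in each format, not real hashes of anything.

```shell
#!/bin/sh
# Added example, not code from the original post: audit a shadow-format
# file for the hash scheme each account actually uses. Changing
# CRYPT_DEFAULT does not rewrite existing entries; an account moves to the
# new scheme only when its password is next set with passwd(1), so this is
# the list to work through after editing policy.conf.

# Print "<user> <scheme>" for every entry in the shadow file named by $1.
classify_shadow_hashes() {
    awk -F: '
        {
            h = $2
            if (h == "")                        s = "EMPTY"       # no password set
            else if (h ~ /^[*!]/ || h == "NP")  s = "LOCKED"      # *LK*, NP: no password login
            else if (substr(h, 1, 3) == "$1$")  s = "bsdmd5"      # crypt_bsdmd5 (1)
            else if (substr(h, 1, 4) == "$2a$") s = "bsdbf"       # crypt_bsdbf (2a)
            else if (substr(h, 1, 4) == "$md5") s = "sunmd5"      # crypt_sunmd5 (md5)
            else if (substr(h, 1, 1) == "$")    s = "other"       # some other crypt.conf module
            else if (length(h) == 13 && h ~ /^[.\/0-9A-Za-z]+$/) s = "crypt_unix"  # legacy: 8 significant chars
            else                                s = "unknown"
            print $1, s
        }' "$1"
}

# Only the accounts still on crypt_unix, i.e. the ones that need a passwd run.
legacy_accounts() {
    classify_shadow_hashes "$1" | awk '$2 == "crypt_unix" { print $1 }'
}

# Constructed sample shadow file: only vishal's line is from the post; the
# other hash strings are made-up placeholders in each format, not real secrets.
write_sample_shadow() {
    cat > "$1" <<'EOF'
root:$md5$rounds=4096$zJb4Z3Iu$$LmJ3DjvMkjBS0hmpwJvM0.:13223::::::
vishal:bwtNbxhjKdK7k:13223::::::
alice:$1$saltsalt$Y6XwM0ZkB6BUCihgL6wMD0:13223::::::
bob:$2a$04$abcdefghijklmnopqrstuuAqpj3D8RwcEc0iYhnQnSQnFbtOT.f8e:13223::::::
daemon:NP:6445::::::
carol:*LK*:13223::::::
EOF
}

# Demo on the constructed file; on a real system point it at /etc/shadow as root.
sample=$(mktemp)
write_sample_shadow "$sample"
classify_shadow_hashes "$sample"
echo "still on crypt_unix: $(legacy_accounts "$sample" | tr '\n' ' ')"
rm -f "$sample"
```

Running legacy_accounts /etc/shadow before and after your passwd sweep is also the quickest way to confirm the migration actually happened, since the prefix of the second field is the only visible sign of which module produced a hash.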
Tuesday, August 5, 2008
Password Securing Guide - Solaris
1 comment:
Hi Vishal,
How do I restore the original setting?
The default unix crypt setting.
I have tried md5 and it works. So now I am trying to restore policy.conf to the original setting by commenting
#CRYPT_ALGORITHMS_DEPRECATE=__unix__
and setting CRYPT_DEFAULT=__unix__
When I check /etc/shadow it still shows $md5xxxxx
You can reply to me at scorpstar63@gmail.com