Transitioning From Oracle® Solaris 10 to Oracle Solaris 11.2


Updated: December 2014
 
 

User Password and Login Changes

    User password management and login information have changed in the following ways:

  • Assuming a role – All role assumption requires a password. In this release, at administrative discretion, the password that you supply to assume a role can be your own password.

  • Expanded login options during shutdown – During a system shutdown, an /etc/nologin file is created. This file displays a message that the system is being shut down and that logins are not possible. However, this type of shutdown does not prevent superuser from logging into the system. In this release, users who are assigned the root role and users who are assigned the solaris.system.maintenance authorization are also not blocked when the nologin file is present on the system.

  • Failed login count notification – The system notifies users of failed authentication attempts, even if the user account is not configured to enforce failed logins. Users who fail to authenticate correctly will see a message similar to the following upon successful authentication:

    Warning: 2 failed authentication attempts since last successful
    authentication. The latest at Thu May 24 12:02 2012.

    To suppress such notifications, create a ~/.hushlogin file.

  • Monitoring and restricting root access – In a default system configuration, a user cannot remotely log in as root. When logging in remotely, users must log in with their user name and then become root by using the su command. You can monitor who has been using the su command, as well as restrict root access to a system. See Monitoring and Restricting root Access in Securing Systems and Attached Devices in Oracle Solaris 11.2.

  • Password hashing algorithm – The default password hashing algorithm in this release is SHA256. This password hash is similar to the following:

    $5$cgQk2iUy$AhHtVGx5Qd0.W3NCKjikb8.KhOiA4DpxsW55sP0UnYD

    Also, there is no longer an eight-character limitation for user passwords. The eight-character limitation only applies to passwords that use the older crypt_unix(5) algorithm, which has been preserved for backwards compatibility with any existing passwd file entries and NIS maps. Starting with Oracle Solaris 11, the crypt_sha256 algorithm is the default.

    Passwords are encoded by using one of the other crypt(3C) algorithms, including the SHA256 algorithm, which is the default in the policy.conf file. Thus, passwords can be much longer than eight characters. See policy.conf(4).

  • root password changes – It is no longer possible to use a system without assigning the root role a password of the requisite length that also meets other password complexity requirements.

  • Property definition refinements for the password command – This change clarifies which user accounts can and cannot be locked. The primary changes impact the LK and NL property definitions in the following ways:

    LK

    The account is locked for UNIX authentication. The passwd -l command was run, or the account was automatically locked due to the number of authentication failures reaching the configured maximum that is allowed. See the policy.conf(4) and user_attr(4) man pages.

    NL

    The account is a no login account. The passwd -N command was run.
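
The following added example (not part of the Oracle documentation) relates to the password hashing algorithm item above: it classifies shadow-style password fields by their crypt(3C) prefix and lists accounts that still carry a crypt_unix hash, which keeps the eight-character limitation until the password is changed. The function names, the sample entries, and the handling of a leading *LK* marker on locked accounts are assumptions made for illustration.

```python
import re

# $id$ prefixes and the crypt(3C) module each one selects.
MODULAR = {"1": "crypt_bsdmd5", "2a": "crypt_bsdbf", "md5": "crypt_sunmd5",
           "5": "crypt_sha256", "6": "crypt_sha512"}
# Traditional crypt_unix output: 2 salt chars + 11 hash chars, no $ prefix.
UNIX_RE = re.compile(r"^[./0-9A-Za-z]{13}$")
ID_RE = re.compile(r"^\$([^$,]+)[$,]")

def classify(field):
    """Return the algorithm name for a password field, or None if no hash."""
    if field.startswith("*LK*"):   # assumption: lock marker precedes the hash
        field = field[4:]
    m = ID_RE.match(field)
    if m:
        return MODULAR.get(m.group(1), "unknown")
    if UNIX_RE.match(field):
        return "crypt_unix"
    return None                    # empty field or a non-hash marker

def audit(lines):
    """Map user -> algorithm for every entry that carries a hash."""
    result = {}
    for line in lines:
        parts = line.strip().split(":")
        if len(parts) < 2 or parts[0].startswith("#"):
            continue
        algo = classify(parts[1])
        if algo:
            result[parts[0]] = algo
    return result

def legacy_users(lines):
    """Accounts whose stored hash still has the eight-character limit."""
    return sorted(u for u, a in audit(lines).items() if a == "crypt_unix")

# Constructed sample entries; alice uses the example hash shown on this page.
SAMPLE = [
    "alice:$5$cgQk2iUy$AhHtVGx5Qd0.W3NCKjikb8.KhOiA4DpxsW55sP0UnYD:16000::::::",
    "bob:abJnggxhB/yWI:15000::::::",
    "carol:*LK*abJnggxhB/yWI:15000::::::",
    "svc:NP:15000::::::",
    "dave:$6$constructedsalt$constructedhash:16000::::::",
]

if __name__ == "__main__":
    for user, algo in sorted(audit(SAMPLE).items()):
        note = "  <- eight-character limit applies" if algo == "crypt_unix" else ""
        print(f"{user:8} {algo}{note}")
```

A stored hash is only replaced when the user next changes the password, so accounts reported by legacy_users() need a password change before the longer-password support takes effect for them.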