Security Enhancements

The Solaris software includes the following security enhancements from prior Solaris 9 releases:

• sadmind Security Level Raised

• Kerberos Enhancements

• Internet Key Exchange (IKE) Key Storage on Sun Crypto Accelerator 4000 Board

• Internet Key Exchange (IKE) Hardware Acceleration

• Auditing Enhancements

• Smart Card Terminal Interfaces

• Enhanced crypt() Function

• Password Management Feature in pam_ldap

• Pluggable Authentication Module (PAM) Enhancement

sadmind Security Level Raised

To improve security with the sadmind command, the default security level has been raised to 2 (DES). If you do not require sadmind, comment the entry out of the inetd.conf file.

For further information, see the sadmind(1M) man page.

Kerberos Enhancements

This feature is new in the Solaris 9 12/03 release.

The Solaris Kerberos Key Distribution Center (KDC) is now based on MIT Kerberos version 1.2.1. The KDC now defaults to a btree-based database, which is more reliable than the current hash-based database.

See the kdc.conf(4) man page for more information.

Internet Key Exchange (IKE) Key Storage on Sun Crypto Accelerator 4000 Board

This feature is new in the Solaris 9 12/03 release.

IKE runs on IPv6 as well as IPv4 networks. For information on keywords that are specific to the IPv6 implementation, see the ifconfig(1M) and ike.config(4) man pages.

When a Sun^TM Crypto Accelerator 4000 board is attached, IKE can offload computation-intensive operations to the board, thus freeing the operating system for other tasks. IKE can also use the attached board to store public keys, private keys, and public certificates. Key storage on a separate piece of hardware provides additional security.

For further information, see the IPsec and IKE Administration Guide and the ikecert(1M) man page.

Internet Key Exchange (IKE) Hardware Acceleration

This feature is new in the Solaris 9 4/03 release.

Public key operations in IKE can be accelerated by a Sun Crypto Accelerator 1000 card. The operations are offloaded to the card. The offloading accelerates encryption and reduces demands on operating system resources.

For information about IKE, see the IPsec and IKE Administration Guide.

Auditing Enhancements

This feature is new in the Solaris 9 8/03 release.

Enhancements to the audit features in this Solaris release reduce noise in the trail, and enable administrators to use XML scripting to parse the trail. These enhancements include the following:

• Public files are no longer audited for read-only events. The public policy flag for the auditconfig command controls whether public files are audited. By not auditing public objects, the audit trail is greatly reduced. Attempts to read sensitive files are therefore easier to monitor.

• The praudit command has an additional output format, XML. The XML format enables the output to be read in a browser, and provides source for XML scripting for reports. See the praudit(1M) man page.

• The default set of audit classes has been restructured. Audit metaclasses provide support for finer-grained audit classes. See the audit_class(4) man page.

• The bsmconv command no longer disables the use of the Stop-A key. The Stop-A event is now audited to maintain security.

For further information, see the System Administration Guide: Security Services.

Smart Card Terminal Interfaces

This feature is new in the Solaris 9 8/03 release.

Solaris smart card interfaces are a set of public interfaces for Smart Card Terminals. See Smart Card Interfaces.

Enhanced crypt() Function

This feature is new in the Solaris 9 12/02 release.

Password encryption protects passwords from being read by intruders. Three strong password encryption modules are now available in the software:

• A version of Blowfish that is compatible with Berkeley Software Distribution (BSD) systems

• A version of Message Digest 5 (MD5) that is compatible with BSD and Linux systems

• A stronger version of MD5 that is compatible with other Solaris systems

For information on how to protect your user passwords with these new encryption modules, see the System Administration Guide: Security Services. For information on the strength of the modules, see the crypt_bsdbf(5), crypt_bsdmd5(5), and crypt_sunmd5(5) man pages.

Password Management Feature in pam_ldap

This feature is new in the Solaris 9 12/02 release.

The pam_ldap password management feature strengthens the overall security of the LDAP Naming Service when used in conjunction with the Sun ONE Directory Server (formerly iPlanet^TM Directory Server). Specifically, the password management feature does the following:

• Allows for tracking password aging and expiration

• Prevents users from choosing trivial or previously used passwords

• Warns users if their passwords are about to expire

• Locks out users after repeated login failures

• Prevents users, other than the authorized system administrator, from deactivating initialized accounts

For further information on Solaris naming and directory services, see the System Administration Guide: Naming and Directory Services (DNS, NIS, and LDAP). For information about Solaris security features, see the System Administration Guide: Security Services.

Pluggable Authentication Module (PAM) Enhancement

This feature is new in the Solaris 9 12/02 release.

The PAM framework was expanded by including a new control flag. The new control flag provides the ability to skip additional stack processing. This skipping is enabled if the current service module is successful and if no failure occurred on the previous mandatory modules.

For more information about this change, see the System Administration Guide: Security Services.