System Administration Guide: Security Services (Oracle Solaris 10 8/11 Information Library)
By default, user passwords are encrypted with the crypt_unix algorithm. You can use a stronger encryption algorithm, such as MD5 or Blowfish, by changing the default password encryption algorithm.
In this procedure, the BSD-Linux version of the MD5 algorithm is the default encryption algorithm that is used when users change their passwords. This algorithm is suitable for a mixed network of machines that run the Oracle Solaris, BSD, and Linux versions of UNIX. For a list of password encryption algorithms and algorithm identifiers, see Table 2-1.
The Primary Administrator role includes the Primary Administrator profile. To create the role and assign the role to a user, see Chapter 2, Working With the Solaris Management Console (Tasks), in System Administration Guide: Basic Administration.
Type the identifier as the value for the CRYPT_DEFAULT variable in the /etc/security/policy.conf file.
You might want to comment the file to explain your choice.
# cat /etc/security/policy.conf
…
CRYPT_ALGORITHMS_ALLOW=1,2a,md5,5,6
#
# Use the version of MD5 that works with Linux and BSD systems.
# Passwords previously encrypted with __unix__ will be encrypted with MD5
# when users change their passwords.
#
# CRYPT_DEFAULT=__unix__
CRYPT_DEFAULT=1
In this example, the algorithms configuration ensures that the weakest algorithm, crypt_unix, is never used to encrypt a password. Users whose passwords were encrypted with the crypt_unix module get a crypt_bsdmd5-encrypted password when they change their passwords.
For more information on configuring the algorithm choices, see the policy.conf(4) man page.
Example 3-6 Using the Blowfish Algorithm for Password Encryption
In this example, the identifier for the Blowfish algorithm, 2a, is specified as the value for the CRYPT_DEFAULT variable in the policy.conf file:
CRYPT_ALGORITHMS_ALLOW=1,2a,md5,5,6
#CRYPT_ALGORITHMS_DEPRECATE=__unix__
CRYPT_DEFAULT=2a
This configuration is compatible with BSD systems that use the Blowfish algorithm.
When users in an NIS domain change their passwords, the NIS client consults its local algorithms configuration in the /etc/security/policy.conf file. The NIS client machine encrypts the password.
When users in an NIS+ domain change their passwords, the NIS+ naming service consults the algorithms configuration in the /etc/security/policy.conf file on the NIS+ master. The NIS+ master, which is running the rpc.nispasswd daemon, creates the encrypted password.
When the LDAP client is properly configured, the LDAP client can use the new password algorithms. The LDAP client behaves just as an NIS client behaves.
Ensure that a comment sign (#) precedes entries that include pam_ldap.so.1. Also, do not use the new server_policy option with the pam_authtok_store.so.1 module.
The PAM entries in the client's pam.conf file enable the password to be encrypted according to the local algorithms configuration. The PAM entries also enable the password to be authenticated.
When users in the LDAP domain change their passwords, the LDAP client consults its local algorithms configuration in the /etc/security/policy.conf file. The LDAP client machine encrypts the password. Then, the client sends the encrypted password, with a {crypt} tag, to the server. The tag tells the server that the password is already encrypted. The password is then stored, as is, on the server. For authentication, the client retrieves the stored password from the server. The client then compares the stored password with the encrypted version that the client has just generated from the user's typed password.
Note - To take advantage of password policy controls on the LDAP server, use the server_policy option with the pam_authtok_store entries in the pam.conf file. Passwords are then encrypted on the server by using the Sun Java System Directory Server's cryptographic mechanism. For the procedure, see Chapter 11, Setting Up Sun Java System Directory Server With LDAP Clients (Tasks), in System Administration Guide: Naming and Directory Services (DNS, NIS, and LDAP).
A third-party password encryption algorithm is typically delivered as a module in a software package. When you run the pkgadd command, scripts from the vendor should modify the /etc/security/crypt.conf file. You then modify the /etc/security/policy.conf file to include the new module and its identifier.
For detailed instructions on how to add software, see Adding or Removing a Software Package (pkgadd) in System Administration Guide: Basic Administration.
Read the list of encryption algorithms in the /etc/security/crypt.conf file.
For example, the following lines show that a module that implements the crypt_rot13 algorithm has been installed.
# crypt.conf
#
md5 /usr/lib/security/$ISA/crypt_md5.so
rot13 /usr/lib/security/$ISA/crypt_rot13.so

# For *BSD - Linux compatibility
# 1 is MD5, 2a is Blowfish
1 /usr/lib/security/$ISA/crypt_bsdmd5.so
2a /usr/lib/security/$ISA/crypt_bsdbf.so
The following lines show excerpts from the policy.conf file that would need to be modified to add the rot13 identifier.
# Copyright 1999-2002 Sun Microsystems, Inc. All rights reserved.
# ...
#ident "@(#)policy.conf 1.12 08/05/14 SMI"
# ...
# crypt(3c) Algorithms Configuration
CRYPT_ALGORITHMS_ALLOW=1,2a,md5,5,6,rot13
#CRYPT_ALGORITHMS_DEPRECATE=__unix__
CRYPT_DEFAULT=md5
In this example, the rot13 algorithm is used if the current password was encrypted with the crypt_rot13 algorithm. New user passwords are encrypted with the crypt_sunmd5 algorithm. This algorithm configuration works on Solaris-only networks.
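An audit script, added here as an example and not part of the Solaris guide, that parses the policy.conf and crypt.conf formats shown above and applies the rule the text describes: a stored hash whose $id$ prefix names an allowed algorithm keeps that algorithm, while a hash made by an algorithm that is no longer allowed (such as crypt_unix) is re-encrypted with CRYPT_DEFAULT at the user's next password change. The file contents and shadow rows are constructed, and CRYPT_ALGORITHMS_ALLOW is assumed to be set, as in the guide's listings.

```python
import re

# Constructed sample files modelled on the guide's listings; values are placeholders.
POLICY_CONF = """\
CRYPT_ALGORITHMS_ALLOW=1,2a,md5,rot13
#CRYPT_ALGORITHMS_DEPRECATE=__unix__
CRYPT_DEFAULT=1
"""
CRYPT_CONF = """\
# crypt.conf
md5 /usr/lib/security/$ISA/crypt_md5.so
1 /usr/lib/security/$ISA/crypt_bsdmd5.so
2a /usr/lib/security/$ISA/crypt_bsdbf.so
"""
# Constructed shadow rows (hash bodies are placeholders): crypt_bsdmd5, crypt_unix, crypt_bsdbf.
SHADOW = """\
alice:$1$saltsalt$PLACEHOLDERHASH:15000::::::
bob:abCDefGHijKLm:15000::::::
carol:$2a$04$PLACEHOLDERPLACEHOLDERPLACEHOLDER:15000::::::
"""

def parse_kv(text):
    """KEY=value lines of policy.conf; commented and blank lines are skipped."""
    lines = [l.strip() for l in text.splitlines()]
    pairs = (l.partition("=") for l in lines if l and not l.startswith("#") and "=" in l)
    return {k.strip(): v.strip() for k, _, v in pairs}

def parse_crypt_conf(text):
    """identifier -> module path, the crypt.conf table the guide shows."""
    rows = (l.split(None, 1) for l in text.splitlines() if l.strip() and not l.startswith("#"))
    return {ident: path for ident, path in rows}

def hash_algorithm(hash_field):
    """The $id$ prefix names the crypt.conf identifier; no prefix means crypt_unix."""
    return m.group(1) if (m := re.match(r"\$([^$]+)\$", hash_field)) else "__unix__"

def audit(policy_text, crypt_text, shadow_text):
    """Check the configuration and list users whose hash is re-encrypted on next change."""
    policy, modules = parse_kv(policy_text), parse_crypt_conf(crypt_text)
    allowed = [a for a in policy.get("CRYPT_ALGORITHMS_ALLOW", "").split(",") if a]
    default = policy.get("CRYPT_DEFAULT", "__unix__")
    findings = [f"allowed identifier {a} has no module in crypt.conf"
                for a in allowed if a != "__unix__" and a not in modules]
    if default == "__unix__" or default not in allowed:
        findings.append(f"CRYPT_DEFAULT={default} is the weak crypt_unix or is not allowed")
    # As the guide describes, a user keeps the current algorithm while it stays allowed;
    # a hash made by a disallowed algorithm is replaced with CRYPT_DEFAULT on the next change.
    current = {r.split(":")[0]: hash_algorithm(r.split(":")[1]) for r in shadow_text.splitlines()}
    migrate = {u: (alg, default) for u, alg in current.items() if alg not in allowed}
    return {"default": default, "findings": findings, "migrate": migrate}
```

Running `audit(POLICY_CONF, CRYPT_CONF, SHADOW)` on the constructed files reports that rot13 is allowed but has no module installed, and that only bob (still on crypt_unix) will be moved to the crypt_bsdmd5 default when he next changes his password.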