Skip Navigation Links | |
Exit Print View | |
Oracle Solaris Administration: Security Services Oracle Solaris 11 Information Library |
1. Security Services (Overview)
Part II System, File, and Device Security
2. Managing Machine Security (Overview)
3. Controlling Access to Systems (Tasks)
Controlling System Access (Task Map)
Securing Logins and Passwords (Tasks)
Securing Logins and Passwords (Task Map)
How to Change the root Password
How to Display a User's Login Status
How to Display Users Without Passwords
How to Temporarily Disable User Logins
How to Monitor Failed Login Attempts
How to Monitor All Failed Login Attempts
Changing the Default Algorithm for Password Encryption (Tasks)
How to Specify an Algorithm for Password Encryption
Monitoring and Restricting Superuser (Tasks)
How to Monitor Who Is Using the su Command
How to Restrict and Monitor Superuser Logins
Controlling Access to System Hardware (Tasks)
How to Require a Password for Hardware Access
How to Disable a System's Abort Sequence
4. Virus Scanning Service (Tasks)
5. Controlling Access to Devices (Tasks)
6. Using the Basic Audit Reporting Tool (Tasks)
7. Controlling Access to Files (Tasks)
Part III Roles, Rights Profiles, and Privileges
8. Using Roles and Privileges (Overview)
9. Using Role-Based Access Control (Tasks)
10. Security Attributes in Oracle Solaris (Reference)
Part IV Cryptographic Services
11. Cryptographic Framework (Overview)
12. Cryptographic Framework (Tasks)
Part V Authentication Services and Secure Communication
14. Network Services Authentication (Tasks)
17. Using Secure Shell (Tasks)
19. Introduction to the Kerberos Service
20. Planning for the Kerberos Service
21. Configuring the Kerberos Service (Tasks)
22. Kerberos Error Messages and Troubleshooting
23. Administering Kerberos Principals and Policies (Tasks)
24. Using Kerberos Applications (Tasks)
25. The Kerberos Service (Reference)
By default, user passwords are encrypted with the crypt_sha256 algorithm. You can use a different encryption algorithm, by changing the default password encryption algorithm.
In this procedure, the BSD-Linux version of the MD5 algorithm is the default encryption algorithm that is used when users change their passwords. This algorithm is suitable for a mixed network of systems that run the Oracle Solaris, BSD, and Linux versions of UNIX. For a list of password encryption algorithms and algorithm identifiers, see Table 2-1.
Before You Begin
You must be in the root role.
Type the identifier as the value for the CRYPT_DEFAULT variable in the /etc/security/policy.conf file.
You might want to comment the file to explain your choice.
# cat /etc/security/policy.conf … CRYPT_ALGORITHMS_ALLOW=1,2a,md5,5,6 # # Use the version of MD5 (5) that works with Linux and BSD systems. # Passwords previously encrypted with SHA256 (1) will be encrypted # with MD5 when users change their passwords. # # #CRYPT_DEFAULT=5 CRYPT_DEFAULT=1
In this example, the algorithms configuration ensures that the sha256 algorithm is not used to encrypt a password. Users whose passwords were encrypted with the sha256 module get a crypt_bsdmd5-encrypted password when they change their passwords.
For more information about configuring the algorithm choices, see the policy.conf(4) man page.
Example 3-6 Constraining Password Encryption Algorithms in a Heterogeneous Environment
In this example, the administrator on a network that includes BSD and Linux systems configures passwords to be usable on all systems. Because some network applications cannot handle SHA512 encryption, the administrator does not include its identifier in the list of allowed algorithms. The administrator retains the SHA256 algorithm, 5, as the value for the CRYPT_DEFAULT variable. The CRYPT_ALGORITHMS_ALLOW variable contains the MD5 identifier, which is compatible with BSD and Linux systems, and the Blowfish identifier, which is compatible with BSD systems. Because 5 is the CRYPT_DEFAULT algorithm, it does not need to be listed in the CRYPT_ALGORITHMS_ALLOW list. However, for maintenance purposes, the administrator places 5 in the CRYPT_ALGORITHMS_ALLOW list and the unused identifiers in the CRYPT_ALGORITHMS_DEPRECATE list.
CRYPT_ALGORITHMS_ALLOW=1,2a,5 #CRYPT_ALGORITHMS_DEPRECATE=__unix__,md5,6 CRYPT_DEFAULT=5
When users in an NIS domain change their passwords, the NIS client consults its local algorithms configuration in the /etc/security/policy.conf file. The NIS client system encrypts the password.
Before You Begin
You must be in the root role.
When the LDAP client is properly configured, the LDAP client can use the new password algorithms. The LDAP client behaves just as an NIS client behaves.
Before You Begin
You must be in the root role.
Ensure that a comment sign (#) precedes entries that include pam_ldap.so.1. Also, do not use the server_policy option with the pam_authtok_store.so.1 module.
The PAM entries in the client's pam.conf file enable the password to be encrypted according to the local algorithms configuration. The PAM entries also enable the password to be authenticated.
When users in the LDAP domain change their passwords, the LDAP client consults its local algorithms configuration in the /etc/security/policy.conf file. The LDAP client system encrypts the password. Then, the client sends the encrypted password, with a {crypt} tag, to the server. The tag tells the server that the password is already encrypted. The password is then stored, as is, on the server. For authentication, the client retrieves the stored password from the server. The client then compares the stored password with the encrypted version that the client has just generated from the user's typed password.
Note - To take advantage of password policy controls on the LDAP server, use the server_policy option with the pam_authtok_store entries in the pam.conf file. Passwords are then encrypted on the server by using the Oracle Directory Server Enterprise Edition's cryptographic mechanism. For the procedure, see Chapter 11, Setting Up Oracle Directory Server Enterprise Edition With LDAP Clients (Tasks), in Oracle Solaris Administration: Naming and Directory Services.