Oracle Solaris 11.1 Administration: Security Services     Oracle Solaris 11.1 Information Library

Changing the Default Algorithm for Password Encryption (Tasks)

By default, user passwords are hashed with the crypt_sha256 algorithm, a salted, iterated SHA-256 password hash. The policy.conf variables and this documentation refer to this as password encryption, but the stored value is a one-way hash, not a recoverable ciphertext. You might want to change the default algorithm to interoperate in a heterogeneous networked environment, for example so that a shared password database remains usable on older systems on the network that users log in to frequently. A change to the policy affects only passwords that are set or changed afterwards; existing entries keep their current hash format until the user next changes the password.

How to Specify an Algorithm for Password Encryption

In this procedure, the BSD-Linux version of the MD5 algorithm (identifier 1, the crypt_bsdmd5 module) is made the default algorithm that is used when users change their passwords, by setting the CRYPT_DEFAULT value in the /etc/security/policy.conf file. This algorithm is suitable for a mixed network of systems that run the Oracle Solaris, BSD, and Linux versions of UNIX. It is weaker than the SHA-256 default, so choose it only where that compatibility is actually required. For a list of password encryption algorithms and algorithm identifiers, see Table 2-1.

Before You Begin

You must assume the root role. For more information, see How to Use Your Assigned Administrative Rights.

Example 3-4 Constraining Password Encryption Algorithms in a Heterogeneous Environment

In this example, the administrator on a network that includes BSD and Linux systems configures passwords to be usable on all systems. Because some network applications cannot handle SHA512 hashes, the administrator does not include its identifier, 6, in the list of allowed algorithms. The administrator retains the SHA256 algorithm, 5, as the value of the CRYPT_DEFAULT variable. The CRYPT_ALGORITHMS_ALLOW variable contains the MD5 identifier, 1, which is compatible with BSD and Linux systems, and the Blowfish identifier, 2a, which is compatible with BSD systems. Because 5 is the CRYPT_DEFAULT algorithm, it does not need to be listed in CRYPT_ALGORITHMS_ALLOW. However, for maintenance purposes, the administrator places 5 in the CRYPT_ALGORITHMS_ALLOW list and records the unused identifiers in a commented-out CRYPT_ALGORITHMS_DEPRECATE line. That commented line is documentation only: once CRYPT_ALGORITHMS_ALLOW is set, every identifier not on it is already disallowed.

Note what the allow list controls. When a user changes a password, an existing hash in an allowed algorithm is replaced by a new hash in that same algorithm; only a hash in a disallowed algorithm (here 6, md5, or the traditional __unix__ format) is moved to CRYPT_DEFAULT. With this configuration an account whose hash is currently in MD5 ($1$) or Blowfish ($2a$) therefore stays on that algorithm across password changes, and the effective password-hash strength on the network is bounded by the weakest allowed algorithm, not by CRYPT_DEFAULT.

CRYPT_ALGORITHMS_ALLOW=1,2a,5
#CRYPT_ALGORITHMS_DEPRECATE=__unix__,md5,6
CRYPT_DEFAULT=5
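The following script is an added example; it is not part of the Oracle documentation or of Oracle Solaris. It reads the CRYPT_* settings from a policy.conf file, classifies each stored hash in a shadow file by its crypt.conf(4) identifier, and reports which algorithm each account's next password change will use, following the crypt_gensalt(3C) rule described above (a hash in an allowed algorithm or in CRYPT_DEFAULT is kept, anything else moves to CRYPT_DEFAULT). It goes slightly beyond Example 3-4 by also handling a policy.conf in which CRYPT_ALGORITHMS_ALLOW is unset and only CRYPT_ALGORITHMS_DEPRECATE is active. The policy and shadow lines it reads are constructed for the example (the hash bodies are placeholders, not real hashes), the function names are the example's own, and the fallback for a missing CRYPT_DEFAULT is an assumption made here.

```shell
#!/bin/sh
# Added example, not from the Oracle Solaris documentation.  Given a
# policy.conf and a shadow file, report which algorithm each account's
# next password change will use.  Identifiers and hash prefixes follow
# crypt.conf(4): 1 = crypt_bsdmd5 ($1$), 2a = crypt_bsdbf ($2a$),
# md5 = crypt_sunmd5 ($md5...$), 5 = crypt_sha256 ($5$),
# 6 = crypt_sha512 ($6$), __unix__ = traditional 13-character format.

# Value of the last uncommented KEY=VALUE line in a policy.conf file.
policy_value() {                   # policy_value FILE KEY
    sed -n "s/^$2=//p" "$1" | tail -n 1
}

# Map a stored hash to its crypt.conf identifier.
hash_algorithm() {                 # hash_algorithm HASH
    case "$1" in
        '$1$'*)           echo 1 ;;
        '$2a$'*)          echo 2a ;;
        '$md5'*)          echo md5 ;;
        '$5$'*)           echo 5 ;;
        '$6$'*)           echo 6 ;;
        ''|NP|'*'*|'!'*)  echo locked ;;   # no password, or account locked
        *)                echo __unix__ ;;
    esac
}

# Succeed if identifier $2 appears in the comma-separated list $1.
in_list() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# Algorithm the next password change will use, following the
# crypt_gensalt(3C) rule: a hash already in CRYPT_DEFAULT or in an
# allowed algorithm is re-hashed with the same algorithm; any other
# hash moves to CRYPT_DEFAULT.  When CRYPT_ALGORITHMS_ALLOW is unset,
# every algorithm except those in CRYPT_ALGORITHMS_DEPRECATE is allowed.
next_algorithm() {                 # next_algorithm POLICY_FILE HASH
    na_cur=$(hash_algorithm "$2")
    na_def=$(policy_value "$1" CRYPT_DEFAULT)
    na_allow=$(policy_value "$1" CRYPT_ALGORITHMS_ALLOW)
    na_dep=$(policy_value "$1" CRYPT_ALGORITHMS_DEPRECATE)
    # Assumption for this example: a missing CRYPT_DEFAULT is treated as
    # the traditional format rather than as an error.
    [ -n "$na_def" ] || na_def=__unix__
    if [ "$na_cur" = locked ] || [ "$na_cur" = "$na_def" ]; then
        echo "$na_def"
    elif [ -n "$na_allow" ]; then
        if in_list "$na_allow" "$na_cur"; then echo "$na_cur"; else echo "$na_def"; fi
    elif in_list "$na_dep" "$na_cur"; then
        echo "$na_def"
    else
        echo "$na_cur"
    fi
}

# One line per shadow(4) entry: USER: CURRENT [-> NEXT].
audit_shadow() {                   # audit_shadow POLICY_FILE SHADOW_FILE
    while IFS=: read -r as_user as_hash as_rest; do
        [ -n "$as_user" ] || continue
        as_cur=$(hash_algorithm "$as_hash")
        if [ "$as_cur" = locked ]; then
            printf '%s: locked or no password\n' "$as_user"
            continue
        fi
        as_next=$(next_algorithm "$1" "$as_hash")
        if [ "$as_cur" = "$as_next" ]; then
            printf '%s: %s (kept on next change)\n' "$as_user" "$as_cur"
        else
            printf '%s: %s -> %s on next change\n' "$as_user" "$as_cur" "$as_next"
        fi
    done < "$2"
}

# Constructed input (not from a real system): the Example 3-4 policy and
# one account per hash format.  The hash bodies are placeholders.
demo_dir=$(mktemp -d)
cat > "$demo_dir/policy.conf" <<'EOF'
CRYPT_ALGORITHMS_ALLOW=1,2a,5
#CRYPT_ALGORITHMS_DEPRECATE=__unix__,md5,6
CRYPT_DEFAULT=5
EOF
cat > "$demo_dir/shadow" <<'EOF'
alice:$5$saltsalt$placeholderSha256HashBodyxxxxxxxxxxxxxxxxxxxxx:15000::::::
bob:$1$saltsalt$placeholderMd5HashBodyxxxx:15000::::::
carol:$6$saltsalt$placeholderSha512HashBodyxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx:15000::::::
dave:$md5$saltsalt$$placeholderSunMd5HashBodyxxxxx:15000::::::
erin:ab1cdEFgh2ijk:15000::::::
frank:*LK*:15000::::::
EOF
audit_shadow "$demo_dir/policy.conf" "$demo_dir/shadow"
rm -rf "$demo_dir"
```

Run against the real files (as root, since /etc/shadow is not world-readable) with audit_shadow /etc/security/policy.conf /etc/shadow. Accounts reported as "kept" on an MD5 or Blowfish hash will not migrate to the stronger default on their own; to move them, remove the weak identifier from CRYPT_ALGORITHMS_ALLOW and force a password change.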

How to Specify a New Password Algorithm for an NIS Domain

When users in an NIS domain change their passwords, the NIS client consults its local algorithms configuration in the /etc/security/policy.conf file and hashes the new password itself; the NIS server only stores what the client sends. The algorithm is therefore decided by whichever client the user happens to use, which is why the same policy.conf must be present on every client in the domain.

Before You Begin

You must assume the root role. For more information, see How to Use Your Assigned Administrative Rights.

  1. Specify the password encryption algorithm in the /etc/security/policy.conf file on the NIS client.
  2. Copy the modified /etc/security/policy.conf file to every client system in the NIS domain.
  3. To minimize confusion, copy the modified /etc/security/policy.conf file to the NIS root server and to the slave servers.

How to Specify a New Password Algorithm for an LDAP Domain

Once the LDAP client is configured as described in this procedure, it can use the new password algorithms and behaves just as an NIS client does: the password is hashed on the client according to the client's local policy.

Before You Begin

You must assume the root role. For more information, see How to Use Your Assigned Administrative Rights.

  1. Specify a password encryption algorithm in the /etc/security/policy.conf file on the LDAP client.
  2. Copy the modified policy.conf file to every client system in the LDAP domain.
  3. Ensure that the client's /etc/pam.conf file does not use a pam_ldap module.

    Ensure that a comment character (#) precedes every entry that includes pam_ldap.so.1. Also, do not use the server_policy option with the pam_authtok_store.so.1 module.

    With these entries, the client hashes a new password according to its local algorithms configuration and authenticates the user against the stored hash itself.

    When users in the LDAP domain change their passwords, the LDAP client consults its local algorithms configuration in the /etc/security/policy.conf file and hashes the password. The client then sends the hash, prefixed with a {crypt} tag, to the server. The tag tells the server that the value is already hashed, so the server stores it as is. For authentication, the client retrieves the stored hash from the server, hashes the password that the user typed with the salt and algorithm identifier taken from the stored value, and compares the two. Two consequences follow: the client's LDAP identity must be able to read the stored password attribute, so access to that attribute and the connection that carries it need to be protected; and the LDAP server's own password policy controls are not applied, because the server never sees the cleartext password (see the Note below).


    Note - To take advantage of password policy controls on the LDAP server, use the server_policy option with the pam_authtok_store entries in the pam.conf file. Passwords are then encrypted on the LDAP server. For the procedure, see Chapter 11, Setting Up Oracle Directory Server Enterprise Edition With LDAP Clients (Tasks), in Working With Naming and Directory Services in Oracle Solaris 11.1.
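The following script is an added example; it is not part of the Oracle documentation or of Oracle Solaris. It implements the check in step 3 of this procedure for a pam.conf(4) file: it lists the active entries that would hand password hashing to the LDAP server (any uncommented pam_ldap.so.1 entry, and pam_authtok_store.so.1 with the server_policy option) and summarises whether the file is in the local-hashing configuration of this procedure, the server_policy configuration of the Note, or an inconsistent mix of the two. The pam.conf excerpts it reads are constructed for the example, and the function names are the example's own.

```shell
#!/bin/sh
# Added example, not from the Oracle Solaris documentation.  Checks a
# pam.conf(4) file against the LDAP-client procedure above: passwords
# are hashed on the client only when no pam_ldap.so.1 entry is active
# and pam_authtok_store.so.1 carries no server_policy option.

# Active entries: everything that is not a comment or a blank line.
pam_active_entries() {             # pam_active_entries FILE
    grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$' || true
}

# Print the entries that hand password hashing to the LDAP server.
# Returns 0 when there are none (local hashing per policy.conf), 1 otherwise.
check_local_crypt() {              # check_local_crypt FILE
    clc_bad=$(pam_active_entries "$1" | awk '
        /pam_ldap\.so\.1/ { print; next }
        /pam_authtok_store\.so\.1/ && /server_policy/ { print }')
    if [ -n "$clc_bad" ]; then
        printf 'entries that override local password hashing:\n%s\n' "$clc_bad"
        return 1
    fi
    return 0
}

# Which side decides: "local" (no pam_ldap, no server_policy),
# "server" (both present, as in the Note above), or "mixed" (one
# without the other, which needs correcting).
ldap_password_mode() {             # ldap_password_mode FILE
    lpm_ldap=$(pam_active_entries "$1" | awk '/pam_ldap\.so\.1/ { n++ } END { print n+0 }')
    lpm_sp=$(pam_active_entries "$1" |
        awk '/pam_authtok_store\.so\.1/ && /server_policy/ { n++ } END { print n+0 }')
    if [ "$lpm_ldap" -eq 0 ] && [ "$lpm_sp" -eq 0 ]; then
        echo local
    elif [ "$lpm_ldap" -gt 0 ] && [ "$lpm_sp" -gt 0 ]; then
        echo server
    else
        echo mixed
    fi
}

# Constructed pam.conf excerpts (not from a real system).
demo_dir=$(mktemp -d)
cat > "$demo_dir/pam.conf.local" <<'EOF'
# client configured per this procedure: pam_ldap commented out, no server_policy
other   auth requisite          pam_authtok_get.so.1
other   auth required           pam_unix_cred.so.1
other   auth required           pam_unix_auth.so.1
#other  auth required           pam_ldap.so.1
other   password required       pam_authtok_store.so.1
EOF
cat > "$demo_dir/pam.conf.server" <<'EOF'
# client that defers password policy to the LDAP server
other   auth requisite          pam_authtok_get.so.1
other   auth binding            pam_unix_auth.so.1 server_policy
other   auth required           pam_ldap.so.1
other   password required       pam_authtok_store.so.1 server_policy
EOF
for v in local server; do
    printf 'pam.conf.%s: passwords hashed by %s\n' "$v" "$(ldap_password_mode "$demo_dir/pam.conf.$v")"
    check_local_crypt "$demo_dir/pam.conf.$v" || true
done
rm -rf "$demo_dir"
```

On a client, run check_local_crypt /etc/pam.conf after step 3 and before copying the file onward; a "mixed" result from ldap_password_mode means the file is neither configuration and should be fixed rather than distributed.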