Using a FIPS 140 Enabled System in Oracle® Solaris 11.2

Exit Print View

Updated: August 2014

passwd Command as a FIPS 140 Consumer

The passwd command is a consumer of the userland Cryptographic Framework. Two configuration files, /etc/security/crypt.conf and /etc/security/policy.conf, determine which password hash the system uses.

The passwd command calls the crypt() function by using the PAM modules and The crypt() function dynamically loads plugins from the message digest library, libmd(), based on entries in the crypt.conf file. Among the plugins are the SHA256, SHA512, and MD5 password hash algorithms. The policy.conf file lists the password hashes from the crypt.conf file that are in effect on the system. By default, the policy.conf file does not allow the use of the MD5 password hash.

Note -  The cryptographic password hash policy in the /etc/security/policy.conf file promotes interoperability with systems that use Blowfish as a password hash. To promote FIPS 140 security, remove the Blowfish algorithm (2a) from the CRYPT_ALGORITHMS_ALLOW=2a,5,6 entry in the policy.conf file.

For examples, see Creating a Login for a Trusted User in Securing Users and Processes in Oracle Solaris 11.2 and Creating a Role in Securing Users and Processes in Oracle Solaris 11.2 .