Solaris Password Policy
From Brandonhutchinson.com
(New page: The following steps are for Solaris 9, although are probably also applicable for Solaris 2.6, 7, and 8. Solaris 10 has much better password controls built-in. == Password Aging == === Ne...) |
|||
| Line 26: | Line 26: | ||
==== What happens when your password expires? ==== | ==== What happens when your password expires? ==== | ||
| - | + | When your password expires, you are allowed a "grace login" where your old password is accepted, but you must immediately change your password. After changing your password, the connection is closed and you must login again. | |
| - | + | ||
| - | + | ||
| - | + | ||
| - | + | ||
| - | + | ||
WARNING: Your password has expired. | WARNING: Your password has expired. | ||
You must change your password now and login again! | You must change your password now and login again! | ||
| - | Changing password for | + | passwd: Changing password for hutchib |
| - | + | Enter existing login password: | |
| - | + | New Password: | |
| - | New | + | Re-enter new Password: |
| - | + | passwd: password successfully changed for hutchib | |
| - | passwd: | + | |
Connection to host closed. | Connection to host closed. | ||
== Password Complexity == | == Password Complexity == | ||
| - | + | The default Solaris install does provide ''pam_cracklib'' or ''pam_passwdqc''. If the default password complexity rules are insufficient, these PAM modules (preferably ''pam_passwdqc'') should be used. | |
| - | + | Default password complexity rules from ''passwd''(1): | |
| - | + | Passwords must be constructed to meet the following require- | |
| - | password | + | ments: |
| + | |||
| + | o Each password must have PASSLENGTH characters, where | ||
| + | PASSLENGTH is defined in /etc/default/passwd and is | ||
| + | set to 6. Only the first eight characters are signifi- | ||
| + | cant. | ||
| + | |||
| + | o Each password must contain at least two alphabetic | ||
| + | characters and at least one numeric or special charac- | ||
| + | ter. In this case, "alphabetic" refers to all upper or | ||
| + | lower case letters. | ||
| + | |||
| + | o Each password must differ from the user's login name | ||
| + | and any reverse or circular shift of that login name. | ||
| + | For comparison purposes, an upper case letter and its | ||
| + | corresponding lower case letter are equivalent. | ||
| + | |||
| + | o New passwords must differ from the old by at least | ||
| + | three characters. For comparison purposes, an upper | ||
| + | case letter and its corresponding lower case letter | ||
| + | are equivalent. | ||
== Password History == | == Password History == | ||
Revision as of 20:10, 6 December 2007
The following steps are for Solaris 9, although are probably also applicable for Solaris 2.6, 7, and 8. Solaris 10 has much better password controls built-in.
Contents |
Password Aging
New Accounts
/etc/default/passwd is the file related to password aging on new accounts.
- MAXWEEKS= is the maximum number of weeks a password may be used.
- MINWEEKS= is the minimum number of weeks allowed between password changes.
- WARNWEEKS= (not present by default) is the number of weeks' warning given before a password expires.
Existing Accounts
/usr/bin/passwd is used to modify password aging on existing accounts. passwd does not update the last password change field (field 3) in /etc/shadow, so passwords could expire immediately after running it.
Example
User hutchib was already created with no password aging (MAXWEEKS= in /etc/default/passwd). To configure the following:
- A minimum of 7 days between password changes.
- Password expiration after 90 days.
- Begin warning about password expiration 14 days in advance.
# /usr/bin/passwd -n 7 -w 14 -x 90 hutchib
What happens when your password expires?
When your password expires, you are allowed a "grace login" where your old password is accepted, but you must immediately change your password. After changing your password, the connection is closed and you must login again.
WARNING: Your password has expired. You must change your password now and login again! passwd: Changing password for hutchib Enter existing login password: New Password: Re-enter new Password: passwd: password successfully changed for hutchib Connection to host closed.
Password Complexity
The default Solaris install does provide pam_cracklib or pam_passwdqc. If the default password complexity rules are insufficient, these PAM modules (preferably pam_passwdqc) should be used.
Default password complexity rules from passwd(1):
Passwords must be constructed to meet the following require-
ments:
o Each password must have PASSLENGTH characters, where
PASSLENGTH is defined in /etc/default/passwd and is
set to 6. Only the first eight characters are signifi-
cant.
o Each password must contain at least two alphabetic
characters and at least one numeric or special charac-
ter. In this case, "alphabetic" refers to all upper or
lower case letters.
o Each password must differ from the user's login name
and any reverse or circular shift of that login name.
For comparison purposes, an upper case letter and its
corresponding lower case letter are equivalent.
o New passwords must differ from the old by at least
three characters. For comparison purposes, an upper
case letter and its corresponding lower case letter
are equivalent.
Password History
Password history--i.e., preventing re-use of old passwords--may be enabled using both pam_unix (stores the old password) and pam_cracklib (prevents re-use). By default, password history is disabled.
Example: Prevent re-use of each user's last 24 passwords.
- Create the password database store.
# touch /etc/security/opasswd # chown root:root /etc/security/opasswd # chmod 600 /etc/security/opasswd
- Configure PAM.
Relevant entry in bold in /etc/pam.d/system-auth:
password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow remember=24
Account Lockout
Account lockout after a number of unsuccessful authentication attempts may be enabled using pam_tally. In this example, accounts are locked out after 5 failed login attempts. Twice an hour, the failed login counter is reset. The failed login counter is also reset with each successful authentication (reset option in PAM configuration).
- Create the pam_tally store for failed login attempts.
# touch /var/log/faillog # chown root:root /var/log/faillog # chmod 600 /var/log/faillog
- Configure PAM.
Relevant entries in bold in /etc/pam.d/system-auth:
auth required /lib/security/$ISA/pam_env.so auth required /lib/security/$ISA/pam_tally.so onerr=fail no_magic_root auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok auth required /lib/security/$ISA/pam_deny.so account required /lib/security/$ISA/pam_unix.so account sufficient /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet account required /lib/security/$ISA/pam_permit.so account required /lib/security/$ISA/pam_tally.so deny=5 no_magic_root reset
- Run the reset_failed_logins script periodically from cron, unless your version of pam_tally supports the unlock_time parameter (pam_tally from the pam-0.77-66.5 package in this example does not).
Example root crontab:
# Reset pam_tally counter twice hourly 0,30 * * * * /usr/local/bin/reset_failed_logins
