Solaris Password Policy

From Brandonhutchinson.com

Revision as of 20:03, 6 December 2007 by Hutch (Talk | contribs)

The following steps are for Solaris 9, although they are probably also applicable to Solaris 2.6, 7, and 8. Solaris 10 has much better password controls built in. Note that the PAM sections further down (pam_cracklib, pam_tally, /etc/pam.d/system-auth, /lib/security/$ISA) are Linux-PAM configuration in the Red Hat layout; Solaris 9 configures PAM in a single /etc/pam.conf and does not include pam_cracklib or pam_tally, so those sections describe the Linux counterparts of the aging controls above.


Password Aging

New Accounts

/etc/default/passwd sets the password-aging defaults applied to new accounts. All three values are in weeks:

  • MAXWEEKS= is the maximum number of weeks a password may be used.
  • MINWEEKS= is the minimum number of weeks allowed between password changes.
  • WARNWEEKS= (not present by default) is the number of weeks' warning given before a password expires.

Existing Accounts

/usr/bin/passwd (with -n, -w and -x) is used to modify password aging on existing accounts. It does not update the last password change field (field 3) in /etc/shadow, so if that date is already older than the new maximum, the password is expired the moment the command finishes.

Example

User hutchib was already created with no password aging (MAXWEEKS= was left empty in /etc/default/passwd). To configure the following (passwd -n, -w and -x take days, whereas /etc/default/passwd uses weeks):

  • A minimum of 7 days between password changes.
  • Password expiration after 90 days.
  • Begin warning about password expiration 14 days in advance.
# /usr/bin/passwd -n 7 -w 14 -x 90 hutchib

What happens when your password expires?

  • If the password has been expired for longer than the account's inactive period (field 7 in /etc/shadow; chage -I on Linux), you will be unable to log in and an administrator will have to reset your password.

e.g., /var/log/messages entry:

Dec  4 14:33:42 host sshd(pam_unix)[31601]: account hutchib has expired (failed to change password)
  • If the password has expired but the inactive period has not yet elapsed, you are allowed a "grace login": your old password is accepted, but you must immediately change it. After the change the connection is closed and you must log in again.
WARNING: Your password has expired.
You must change your password now and login again!
Changing password for user hutchib.
Changing password for hutchib
(current) UNIX password: 
New UNIX password:
Retype new UNIX password: 
passwd: all authentication tokens updated successfully.
Connection to host closed.
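To make the field arithmetic concrete, here is an added Python example (not code from this page) that classifies /etc/shadow records the way login and passwd evaluate the aging fields: fields 3 to 8 are lastchg, min, max, warn, inactive and expire, with lastchg and expire stored as days since 1970-01-01. The records and the reference day 13000 are constructed. The hutchib entry models the caveat above: passwd -n 7 -w 14 -x 90 was applied to an account whose last-change date is 150 days old, so the password is already expired once the command has run.

```python
"""Classify /etc/shadow records by password-aging state.

Added example, not code from this page.  Field layout (same on Solaris and
Linux): name:hash:lastchg:min:max:warn:inactive:expire:flag, where lastchg and
expire are days since 1970-01-01 and min/max/warn/inactive are day counts.
"""

import time


def parse_shadow_line(line):
    """Split one shadow record into a dict; empty numeric fields become None."""
    fields = line.rstrip("\n").split(":")
    if len(fields) < 8:
        raise ValueError("malformed shadow record: %r" % line)
    rec = {"name": fields[0], "hash": fields[1]}
    names = ("lastchg", "min", "max", "warn", "inactive", "expire")
    for key, value in zip(names, fields[2:8]):
        rec[key] = int(value) if value.strip() else None
    return rec


def aging_status(rec, today):
    """Return the state login/passwd apply on day `today` (days since epoch):
    'account-expired', 'must-change', 'no-aging', 'inactive',
    'expired-grace', 'warn' or 'ok'."""
    lastchg, maxdays, warn, inactive, expire = (
        rec[k] for k in ("lastchg", "max", "warn", "inactive", "expire"))
    if expire is not None and today >= expire:
        return "account-expired"      # field 8: hard account expiry date
    if lastchg == 0:
        return "must-change"          # lastchg 0 forces a change at next login
    if lastchg is None or maxdays is None:
        return "no-aging"             # MAXWEEKS= empty: password never expires
    expires_on = lastchg + maxdays
    if today > expires_on:
        if inactive is not None and today > expires_on + inactive:
            return "inactive"         # grace period used up: admin must reset
        return "expired-grace"        # old password accepted once, must change
    if warn is not None and today >= expires_on - warn:
        return "warn"
    return "ok"


def report(lines, today):
    """Map account name to aging state for every record in `lines`."""
    result = {}
    for line in lines:
        rec = parse_shadow_line(line)
        result[rec["name"]] = aging_status(rec, today)
    return result


def today_in_days():
    """Day number as stored in field 3, for use against a live /etc/shadow."""
    return int(time.time() // 86400)


# Constructed sample records (not from a real system), evaluated on day 13000.
SAMPLE_SHADOW = [
    "hutchib:$1$xyz$abc:12850:7:90:14:::",   # passwd -n 7 -w 14 -x 90 applied, last change 150 days ago
    "alice:$1$xyz$abc:12950:7:90:14:::",     # last change 50 days ago
    "bob:$1$xyz$abc:12920:7:90:14:::",       # 80 days ago, inside the 14-day warning window
    "carol:$1$xyz$abc:12850:7:90:14:30::",   # expired 60 days ago with inactive=30
    "dave:$1$xyz$abc:12850:::::",            # no aging at all
    "erin:$1$xyz$abc:0:7:90:14:::",          # lastchg 0: forced change
]

if __name__ == "__main__":
    for name, status in sorted(report(SAMPLE_SHADOW, 13000).items()):
        print("%-8s %s" % (name, status))
```

On a live system, run it as root with report(open("/etc/shadow"), today_in_days()) to find accounts that will expire, or have already expired, after an aging change.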

Password Complexity

Both pam_cracklib and pam_passwdqc are PAM modules that enforce password complexity. Although pam_passwdqc is more powerful, I'll be using pam_cracklib as its capabilities meet our site's needs and it is already in the PAM stack.

Example: Require a minimum password length of 9 characters, with at least 1 lowercase character, 1 uppercase character, and 1 digit.

Relevant entry in /etc/pam.d/system-auth:

password    requisite     /lib/security/$ISA/pam_cracklib.so retry=3 minlen=9 lcredit=-1 ucredit=-1 dcredit=-1 ocredit=0

A positive credit value (lcredit=1 and so on) does not require that character class; it only lets one character of the class count as an extra point toward minlen. An entry of minlen=12 lcredit=1 ucredit=1 dcredit=1 ocredit=0 looks equivalent (9 characters plus three credits) and does accept a 9-character password that uses all three classes, but it also accepts a 12-character all-lowercase password. A negative credit (lcredit=-1) makes the class mandatory: at least one character of it must be present and it earns no credit, so minlen=9 is then a plain length minimum.

Password History

Password history (i.e., preventing re-use of old passwords) is handled by pam_unix: with the remember=N option it stores the last N password hashes of each user in /etc/security/opasswd and rejects a new password that matches any of them. pam_cracklib does not consult this history. By default, password history is disabled.

Example: Prevent re-use of each user's last 24 passwords.

  • Create the password database store.
# touch /etc/security/opasswd
# chown root:root /etc/security/opasswd
# chmod 600 /etc/security/opasswd
  • Configure PAM.

Relevant entry in /etc/pam.d/system-auth:

password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow remember=24

Account Lockout

Account lockout after a number of unsuccessful authentication attempts may be enabled using pam_tally. In this example, accounts are locked out after 5 failed login attempts. The auth-phase pam_tally line increments the user's counter in /var/log/faillog on every attempt; the account-phase line denies access once the counter reaches 5 and, because of the reset option, zeroes it after each successful authentication. Twice an hour a cron job also resets every counter. Note that in the account stack below, pam_succeed_if.so uid < 100 is marked sufficient and sits before pam_tally, so accounts with a uid below 100, root included, are never denied by deny=5 despite no_magic_root; their counters still increment.

  • Create the pam_tally store for failed login attempts.
# touch /var/log/faillog
# chown root:root /var/log/faillog
# chmod 600 /var/log/faillog
  • Configure PAM.

Relevant entries in /etc/pam.d/system-auth (the two pam_tally.so lines are the additions):

auth        required      /lib/security/$ISA/pam_env.so
auth        required      /lib/security/$ISA/pam_tally.so onerr=fail no_magic_root
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth        required      /lib/security/$ISA/pam_deny.so

account     required      /lib/security/$ISA/pam_unix.so
account     sufficient    /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
account     required      /lib/security/$ISA/pam_permit.so
account     required      /lib/security/$ISA/pam_tally.so deny=5 no_magic_root reset
  • Run the reset_failed_logins script periodically from cron, unless your version of pam_tally supports the unlock_time parameter (pam_tally from the pam-0.77-66.5 package in this example does not). Without unlock_time, a counter that has reached the deny threshold stays there, and the account stays locked, until something resets it.

Example root crontab:

# Reset pam_tally counter twice hourly
0,30 * * * * /usr/local/bin/reset_failed_logins
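Added Python example (not code from this page) that replays pam_unix syslog lines and approximates the pam_tally counter under the policy above: each authentication failure adds one, a session opened for the user resets it (the reset option), and the 0,30 cron job zeroes every counter. It is useful when you need to know who was locked out and when without reading the binary faillog. The log lines are constructed in the sshd(pam_unix) format of the era, apart from the "has expired" line quoted on this page; the year 2007 is assumed because syslog omits it. It only sees wrong-password attempts that pam_unix logged, so it is a lower bound on the real tally, and it ignores the uid < 100 exemption in the account stack.

```python
"""Replay pam_unix syslog lines to approximate the pam_tally counter.

Added example, not code from this page.  Mirrors the page's stack: each
pam_unix 'authentication failure' adds one to the user's count (the auth-phase
pam_tally line), a 'session opened' resets it to zero (the account-phase
`reset` option), and the half-hourly cron job zeroes every counter.
"""

import re
from datetime import datetime

DENY = 5  # matches deny=5 on the account line

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d) \S+ "
    r"\S+\(pam_unix\)\[\d+\]: (?P<msg>.*)$")
FAIL_RE = re.compile(r"^authentication failure;.* user=(?P<user>\S*)$")
OPEN_RE = re.compile(r"^session opened for user (?P<user>\S+) ")


def parse_ts(ts, year):
    """syslog timestamps carry no year; the caller supplies it (assumed 2007)."""
    return datetime.strptime("%d %s" % (year, ts), "%Y %b %d %H:%M:%S")


def cron_reset_between(prev, now):
    """True if a 0/30-minute cron boundary (0,30 * * * *) lies in (prev, now]."""
    if prev is None:
        return False
    boundary = now.replace(second=0, microsecond=0)
    boundary = boundary.replace(minute=30 if boundary.minute >= 30 else 0)
    return boundary > prev


def replay(lines, deny=DENY, year=2007):
    """Return (counts, lockouts): final per-user counts and the (user, timestamp)
    of each moment a count reached `deny`."""
    counts = {}
    lockouts = []
    prev = None
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        now = parse_ts(m.group("ts"), year)
        if cron_reset_between(prev, now):
            counts = {u: 0 for u in counts}   # reset_failed_logins ran from cron
        prev = now
        msg = m.group("msg")
        f = FAIL_RE.match(msg)
        if f:
            user = f.group("user")
            counts[user] = counts.get(user, 0) + 1
            if counts[user] == deny:
                lockouts.append((user, m.group("ts")))
            continue
        o = OPEN_RE.match(msg)
        if o:
            counts[o.group("user")] = 0           # successful login: reset option
    return counts, lockouts


def fail_line(ts, pid, user, rhost="10.1.2.3"):
    """Constructed pam_unix failure line (hypothetical host, pid and rhost)."""
    return ("%s host sshd(pam_unix)[%d]: authentication failure; logname= uid=0 "
            "euid=0 tty=NODEVssh ruser= rhost=%s user=%s" % (ts, pid, rhost, user))


# Constructed sample log; the 'has expired' line is the one quoted on this page.
SAMPLE_LOG = [
    fail_line("Dec  4 14:01:10", 31590, "hutchib"),
    fail_line("Dec  4 14:02:15", 31591, "hutchib"),
    fail_line("Dec  4 14:03:20", 31592, "hutchib"),
    fail_line("Dec  4 14:04:25", 31593, "hutchib"),
    fail_line("Dec  4 14:05:30", 31594, "hutchib"),   # fifth failure: locked
    fail_line("Dec  4 14:20:00", 31598, "alice"),
    "Dec  4 14:21:00 host sshd(pam_unix)[31600]: session opened for user alice by (uid=0)",
    "Dec  4 14:33:42 host sshd(pam_unix)[31601]: account hutchib has expired (failed to change password)",
    fail_line("Dec  4 14:40:00", 31610, "hutchib"),   # counter was zeroed at 14:30
]

if __name__ == "__main__":
    counts, lockouts = replay(SAMPLE_LOG)
    for user, ts in lockouts:
        print("%s locked out at %s" % (user, ts))
    for user, n in sorted(counts.items()):
        print("%-8s tally %d%s" % (user, n, " (locked)" if n >= DENY else ""))
```

The replay shows the trade-off of the cron reset: hutchib is locked at the fifth failure but is unlocked by the 14:30 reset, so an attacker who paces attempts to four per half-hour is never locked out at all.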
