Solaris Password Policy
The following steps are for Solaris 9, although are probably also applicable for Solaris 2.6, 7, and 8. Solaris 10 has much better password controls built-in.
/etc/default/passwd is the file related to password aging on new accounts.
- MAXWEEKS= is the maximum number of weeks a password may be used.
- MINWEEKS= is the minimum number of weeks allowed between password changes.
- WARNWEEKS= (not present by default) is the number of weeks' warning given before a password expires.
/usr/bin/passwd is used to modify password aging on existing accounts. passwd does not update the last password change field (field 3) in /etc/shadow, so passwords could expire immediately after running it.
User hutchib was already created with no password aging (MAXWEEKS= in /etc/default/passwd). To configure the following:
- A minimum of 7 days between password changes.
- Password expiration after 90 days.
- Begin warning about password expiration 14 days in advance.
# /usr/bin/passwd -n 7 -w 14 -x 90 hutchib
What happens when your password expires?
When your password expires, you are allowed a "grace login" where your old password is accepted, but you must immediately change your password. After changing your password, the connection is closed and you must login again.
WARNING: Your password has expired. You must change your password now and login again! passwd: Changing password for hutchib Enter existing login password: New Password: Re-enter new Password: passwd: password successfully changed for hutchib Connection to host closed.
The default Solaris install does provide pam_cracklib or pam_passwdqc. If the default password complexity rules are insufficient, these PAM modules (preferably pam_passwdqc) should be used.
Default password complexity rules from passwd(1):
Passwords must be constructed to meet the following require- ments: o Each password must have PASSLENGTH characters, where PASSLENGTH is defined in /etc/default/passwd and is set to 6. Only the first eight characters are signifi- cant. o Each password must contain at least two alphabetic characters and at least one numeric or special charac- ter. In this case, "alphabetic" refers to all upper or lower case letters. o Each password must differ from the user's login name and any reverse or circular shift of that login name. For comparison purposes, an upper case letter and its corresponding lower case letter are equivalent. o New passwords must differ from the old by at least three characters. For comparison purposes, an upper case letter and its corresponding lower case letter are equivalent.
Password history--i.e., preventing re-use of old passwords--may be enabled using the third-party PAM module pam_history
Example: Prevent re-use of each user's last 24 passwords.
- Install the COMSpamph package.
- Create a password history database that will store 24 passwords. Without this step, only 5 passwords would be stored.
# /usr/local/sbin/mkhistory -c -h 24
- Configure PAM.
Relevant entry in bold in /etc/pam.conf:
other password required pam_dhkeys.so.1 other password requisite pam_authtok_get.so.1 other password requisite pam_authtok_check.so.1 other password requisite pam_history.so.1 func=$1$ other password required pam_authtok_store.so.1
The func=$1$ is used to store the passwords in MD5 format in the password history database. By default, they would be stored in crypt format with only 8 characters of significance.
The func= option is only available in COMSpamph for Solaris 9 and later. See the Documentation and release notes for more information.
Problems with pam_history
Although the pam_history module works in preventing password re-use, I experience the following two problems on my Solaris 9 SPARC system.
- /usr/local/sbin/mkhistory always returns a last change date of the epoch.
# /usr/local/sbin/mkhistory hutchib: Wed Dec 31 18:00:00 1969
- A non-descriptive error message--"Please try again"--is returned when attempting to re-use a password in the history.
$ passwd passwd: Changing password for hutchib Enter existing login password: New Password: Please try again New Password:
Account lockout after a number of unsuccessful authentication attempts may be enabled using the third-party PAM module pam_login_limit. In this example, accounts are locked out for 30 minutes after 5 failed login attempts. During this 30 minutes, any authentication attempts for the user account, both successful or unsuccessful, will reset the 30 minute timer.
To enable account lockout:
- Install the COMSpamll package.
- Configure PAM.
Relevant entries in bold in /etc/pam.conf:
Lines preceding pam_login_limit must be a sufficient control. The order of pam_dial_auth and pam_unix_auth are switched to accommodate this. If not specified, the default count_limit is 3.
login auth requisite pam_authtok_get.so.1 login auth required pam_dhkeys.so.1 login auth required pam_dial_auth.so.1 login auth sufficient pam_unix_auth.so.1 login auth required pam_login_limit.so.1 count_limit=5 timeout_account=1800
ssh does not use the PAM login service unless UseLogin yes is defined in sshd_config. ssh uses the sshd PAM login service if it's defined, or other if not.
other auth requisite pam_authtok_get.so.1 other auth required pam_dhkeys.so.1 other auth sufficient pam_unix_auth.so.1 other auth required pam_login_limit.so.1 count_limit=5 timeout_account=1800
The following line in bold resets the failed login count after a successful login.
other account required pam_login_limit.so.1 count_limit=5 timeout_account=1800 other account requisite pam_roles.so.1 other account required pam_projects.so.1 other account required pam_unix_account.so.1
The following optional line in bold resets the failed login count after a successful password change. Without this line, if an administrator resets the password, the user will still have to wait timeout_account seconds until the password is unlocked. Or, the administrator could manually run /usr/local/sbin/login_account -c user to clear the counter.
other password required pam_dhkeys.so.1 other password requisite pam_authtok_get.so.1 other password requisite pam_authtok_check.so.1 other password requisite pam_history.so.1 history=24 func=$1$ other password required pam_authtok_store.so.1 other password optional pam_login_limit.so.1
- If you are using ssh:
- Make sure PAM support is enabled by setting UsePAM yes in sshd_config.
- You may want to disable password authentication by setting PasswordAuthentcation no in sshd_config. Without this, you will be prompted two additional times for your password if your account is locked (although you still won't be able to authenticate).
With PasswordAuthentication yes:
$ ssh hutchib@host Password: Password: Password: hutchib@host's password: Permission denied, please try again. hutchib@host's password: Received disconnect from 10.209.180.14: 2: Too many authentication failures for hutchib
With PasswordAuthentication no:
$ ssh hutchib@sprcmdo001 Password: Password: Password: Permission denied (publickey,keyboard-interactive,hostbased).