Solaris – Extending 8 char limit on password

Every user on a UNIX® system has a password associated with their account. It seems obvious that these passwords need to be known only to the user and the operating system. To keep them secret, they are stored in a form produced by what is known as a “one-way hash”: computing the hash from the password is easy, but reversing it is not. In other words, the operating system itself does not really know the password. It only knows the hashed (commonly called “encrypted”) form of the password. The only way to get the “plain-text” password is a brute-force search of the space of possible passwords.


By default, user passwords are encrypted with the crypt_unix algorithm. Since Solaris 9 12/02, extended methods of authentication and securing the local passwords exist. You can now use a stronger encryption algorithm, such as MD5 or Blowfish, by changing the default password encryption algorithm. The next time that your users change their password, the algorithm that you specified encrypts the password.

Identify your release

$ cat /etc/release

Solaris 9 8/03 s9s_u4wos_08a SPARC
Copyright 2003 Sun Microsystems, Inc. All Rights Reserved.
Use is subject to license terms.
Assembled 13 June 2003

Select encryption algorithm: You have the option of using Blowfish or MD5 as the algorithm to encrypt your passwords. This algorithm is suitable for a mixed network of machines that run the Solaris, BSD, and Linux versions of UNIX. In terms of cryptographic security, Blowfish is MUCH stronger than MD5 and has yet to be cracked. Hence, I highly recommend choosing Blowfish over MD5.

Change to Blowfish Algorithm for Password Encryption

As root, edit the /etc/security/policy.conf file and set the CRYPT_DEFAULT variable to 2a. The policy.conf entries that control password encryption would then look like the following:

AUTHS_GRANTED=solaris.device.cdrw
PROFS_GRANTED=Basic Solaris Use
# crypt(3c) Algorithms Configuration
#
# CRYPT_ALGORITHMS_ALLOW specifies the algorithms that are allowed to
# be used for new passwords. This is enforced only in crypt_gensalt(3c).
#

CRYPT_ALGORITHMS_ALLOW=1,2a,md5

# To deprecate use of the traditional unix algorithm, uncomment below
# and change CRYPT_DEFAULT= to another algorithm. For example,
# CRYPT_DEFAULT=1 for BSD/Linux MD5.
#
CRYPT_ALGORITHMS_DEPRECATE=__unix__

# The Solaris default is the traditional UNIX algorithm. This is not
# listed in crypt.conf(4) since it is internal to libc. The reserved
# name __unix__ is used to refer to it.
#
CRYPT_DEFAULT=2a

Change the User Password

Finally, here’s what the /etc/shadow entry for a user looks like when using the Blowfish hash function:

testuser:$2a$04$/dlXUpiyQTHSyB1.iG97t.Tpwjlmn4QaTvpQzFZUNDX.MREFFljp2

A tell-tale sign of a Blowfish password is the $2a$ prefix. (MD5 passwords have $1$ at the beginning. DES passwords have short hashes with no leading characters.) Notice how the hash gets longer as stronger encryption algorithms are used. Longer hashes don’t necessarily mean better, but for the algorithms mentioned here, they do.
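Because a hash is only replaced when its owner next changes their password, accounts can stay on crypt_unix long after CRYPT_DEFAULT is changed. The following is an added example, not part of the original post, that classifies shadow-format entries by the prefixes described above and lists the accounts still using the traditional algorithm. The function names, the sample accounts other than testuser, and the handling of the Solaris `$md5$`, `NP` and `*LK*` markers (which the post does not show) are assumptions of this example.

```shell
#!/bin/sh
# Added example: classify shadow(4) password fields by crypt scheme and list
# accounts whose hash predates the CRYPT_DEFAULT change.

# Print the scheme name for one password field.
classify_hash() {
    case "$1" in
        '$2a$'*)       echo "blowfish" ;;     # CRYPT_DEFAULT=2a
        '$1$'*)        echo "bsd-md5" ;;      # identifier 1
        '$md5$'*)      echo "sun-md5" ;;      # identifier md5 (assumed prefix)
        ''|NP|'*LK*'*) echo "no-password" ;;  # empty, no password, or locked
        *)
            # Traditional crypt_unix output is 13 characters with no "$"
            # prefix; only the first 8 password characters are hashed.
            if [ "${#1}" -eq 13 ]; then echo "unix-des"; else echo "unknown"; fi ;;
    esac
}

# Read shadow-format lines on stdin, print "user scheme" for each account.
report_schemes() {
    while IFS=: read -r user hash rest; do
        [ -n "$user" ] || continue
        echo "$user $(classify_hash "$hash")"
    done
}

# Read shadow-format lines on stdin, print the users still on crypt_unix.
legacy_users() {
    report_schemes | while read -r user scheme; do
        if [ "$scheme" = "unix-des" ]; then echo "$user"; fi
    done
}

# Constructed sample: testuser is the entry shown in the post; the other
# accounts and their hash strings are made up for illustration.
sample_shadow() {
    cat <<'EOF'
testuser:$2a$04$/dlXUpiyQTHSyB1.iG97t.Tpwjlmn4QaTvpQzFZUNDX.MREFFljp2
olduser:ab1Cd2Ef3Gh4I:12000::::::
mduser:$1$constrct$0123456789abcdefghijkl:12100::::::
daemon:NP:6445::::::
EOF
}

sample_shadow | report_schemes
```

On a real system, run `legacy_users < /etc/shadow` as root; every account it prints still has an 8-character-limited hash until that user changes their password.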

Troubleshooting

8 char password still works

I was bitten by this problem on one of our machines. As per Casper Dik, if you really use crypt blowfish then there’s no way the 8 byte password should be acceptable. In my case, I had modified the pam.conf when I had installed Titan (a security module that secures your Solaris installs). Once I replaced the original pam.conf, the password length started working.

Other Misc troubleshooting tricks

Check function that passwd is using

One way to check which function (getpass() or getpassphrase()) passwd is using is to run something like:

[root@chromium:~]# sotruss passwd
passwd -> libc.so.1:*atexit(0xff3cd050, 0x24c00, 0x0)
passwd -> libpam.so.1:*pam_authenticate(0x26ae0, 0x0, 0x25090)
passwd -> libc.so.1:*str2spwd(0x27868, 0x56, 0xffbfebec)
passwd -> libc.so.1:*calloc(0x1, 0x8, 0x26ae0)
passwd -> libc.so.1:*getpassphrase(0xffbfaa78, 0x0, 0xffffffff)

As you can see from the above sotruss output, passwd is indeed using getpassphrase. The getpass() function opens the process’s controlling terminal, writes to that device the null-terminated string prompt, disables echoing, reads a string of characters up to the next newline character or EOF, restores the terminal state and closes the terminal. The getpassphrase() function is identical to getpass(), except that it reads and returns a string of up to 256 characters in length.

Another way to check which library passwd is using to encrypt /etc/shadow entries (in this case /usr/lib/security/crypt_bsdbf.so.1) is to truss passwd and look for the library being loaded. For example, if we use Blowfish, passwd should use crypt_bsdbf.so, i.e.:

[root@chromium:~]# truss passwd
read(4, " #\n # C o p y r i g h".., 8192) = 250
close(4) = 0
stat("/usr/lib/security/crypt_bsdbf.so.1", 0xFFBFDC3C) = 0
open("/usr/lib/security/crypt_bsdbf.so.1", O_RDONLY) = 4
fstat(4, 0xFFBFDC3C) = 0
mmap(0x00000000, 8192, PROT_READ|PROT_EXEC, MAP_PRIVATE, 4, 0) = 0xFF2C0000
mmap(0x00000000, 90112, PROT_READ|PROT_EXEC, MAP_PRIVATE, 4, 0) = 0xFEEB0000
mmap(0xFEEC4000, 659, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 4, 16384) = 0xFEEC4000
munmap(0xFEEB4000, 65536) = 0
resolvepath("/usr/lib/security/crypt_bsdbf.so.1", "/usr/lib/security/crypt_bsdbf.so.1", 1023) = 34
memcntl(0xFEEB0000, 1592, MC_ADVISE, MADV_WILLNEED, 0, 0) = 0
close(4) = 0

Hopefully you found this useful. If you have further problems, you can always email me or try the sunmanager’s list (and archive).


Bruno Saverio Delbono

