Tuesday, April 27, 2010

Solaris 10: Password Fail

A while back I found out that some Solaris systems I was working with were exhibiting unusual behavior with regard to user authentication... when logging in I only needed to get the first 8 characters of my password right to log in; the rest could be gibberish or nothing, as it only evaluated the first 8.

For example, let's say your password was "Solaris!!!123" just for laughs...

"Solaris!" is all that gets evaluated and will work by itself, and so would
"Solaris!alsioiwrgf0awey8owy8ogho7wrfgiwehro".

This just disturbed the hell out of me: what I usually tell people is the minimum length of a good password is Solaris' default MAXIMUM. Absolute fail.

However, it can be fixed. The cause of the problem is that the default crypt used when setting a user's password with "passwd" in Solaris 10 is just that, traditional Unix "crypt": ancient as dirt and only able to handle 8 characters, so anything past the eighth character is silently ignored. We can get Solaris to use a stronger password hashing algorithm by editing /etc/security/policy.conf.

If you open /etc/security/policy.conf as root (# vi /etc/security/policy.conf) there is the following line:

CRYPT_DEFAULT=__unix__

You need to change that line to use at the very least md5 (preferably something even stronger, but for this example it will do):

CRYPT_DEFAULT=md5

Then go reset all your user passwords, because existing hashes are not converted; each password only gets the new crypt method the next time it is set. And magic... the system now cares about passwords longer than 8 characters.
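A small audit to check that the change actually took effect, as an added example that is not part of the original post: it reads a constructed /etc/shadow sample and a constructed policy.conf fragment, reports the CRYPT_DEFAULT value, and lists accounts whose stored hash is still in the 13-character traditional crypt_unix format (i.e. passwords that were never reset after the policy change). The hash identifier names are as listed in Solaris crypt.conf(4); the sample hashes are made up and are not real hash values.

```python
import re

# Constructed sample of /etc/shadow lines (not from any real system).
SAMPLE_SHADOW = """root:ab8pAi6K4j5Ak:14700::::::
alice:$5$saltsalt$ConstructedNotARealHashValue000000000:14700::::::
bob:xyZ1234567890:14700::::::
svc:NP:14700::::::
guest:*LK*:14700::::::
"""

# Constructed fragment of /etc/security/policy.conf, still at the default.
SAMPLE_POLICY = """# policy.conf (constructed)
CRYPT_DEFAULT=__unix__
"""

# Hash identifiers as listed in Solaris crypt.conf(4). A legacy crypt_unix
# hash has no "$id$" prefix: 2 salt chars + 11 hash chars from [./0-9A-Za-z].
ALGO_PREFIXES = {"$1$": "bsd-md5", "$2a$": "blowfish", "$md5$": "sun-md5",
                 "$5$": "sha256", "$6$": "sha512"}
LEGACY_UNIX = re.compile(r"^[./0-9A-Za-z]{13}$")

def classify_hash(field):
    """Return the hash algorithm of one shadow password field."""
    if field in ("", "NP") or field.startswith(("*", "!")):
        return "locked-or-none"   # *LK* / NP / no password set
    for prefix, name in ALGO_PREFIXES.items():
        if field.startswith(prefix):
            return name
    if LEGACY_UNIX.match(field):
        return "crypt_unix"       # only the first 8 password chars matter
    return "unknown"

def legacy_accounts(shadow_text):
    """Names of accounts whose stored hash is still traditional crypt_unix."""
    found = []
    for line in shadow_text.splitlines():
        if not line or line.startswith("#"):
            continue
        user, pw_field = line.split(":")[:2]
        if classify_hash(pw_field) == "crypt_unix":
            found.append(user)
    return found

def crypt_default(policy_text):
    """Value of CRYPT_DEFAULT in policy.conf, or None if it is not set."""
    m = re.search(r"^[ \t]*CRYPT_DEFAULT[ \t]*=[ \t]*(\S+)", policy_text, re.M)
    return m.group(1) if m else None
```

On a real box, feed it the contents of /etc/shadow and /etc/security/policy.conf (root access needed to read shadow); any account still listed as crypt_unix needs its password reset before the longer-than-8 check means anything for that user.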

2 comments:

  1. Way to go Solaris! Hopefully Oracle will take note of this now... but it seems that some of Sun's open source software projects may not be around for much longer.

  2. Yeah, most of the old Sun projects may just die... No idea what Oracle has planned for the Solaris OS, but people appear to be losing confidence in it at an increased rate lately... and I don't really blame them :)