Less known Solaris features: On passwords - Part 2: Using stronger password hashing

Many people are unaware of the fact, that only the first eight characters of a password are used in the default configuration of Solaris. Don´t believe it? Let´s try it.

Testing the relevant password length for standard crypt

Okay, i´ve logged into my test machine and change my password:

bash-3.2$ passwd jmoekamp<br />
Enter existing login password: oldpassword<br />
New Password: <b>aa3456789</b><br />
Re-enter new Password: <b>aa3456789</b><br />
passwd: password successfully changed for jmoekamp<br />
bash-3.2$ 

Now let´s try a password that´s different at the ninth character by logging into the Solaris system from remote:

mymac:~ joergmoellenkamp$ ssh jmoekamp@10.211.55.200<br />
Password: <b>aa3456780</b><br />
Last login: Wed May 28 11:24:05 2008 from 10.211.55.2<br />
Sun Microsystems Inc.   SunOS 5.11      snv_84  January 2008

I´ve told you … only the first eight characters are relevant.

Stronger hash algorithms

But it´s not that way, that Solaris can´t do better than that. It´s just the binary compatibility guarantee again. You can´t simply change the mechanism encrypting the password. There may be scripts that still need the old unix crypt variant. But in case you are sure, that you haven´t such an application you can change it, and it´s really simple to do. When you look into the file /etc/security/crypt.conf you will find the additional modules for password encryption.

# The algorithm name __unix__ is reserved.
1       crypt_bsdmd5.so.1<br />
2a      crypt_bsdbf.so.1<br />
md5     crypt_sunmd5.so.1

The hashing mechanisms are loaded as libraries in the so-called Solaris Pluggable Crypt Framework. It´s even possible to develop your own crypting mechanism in the case you don´t trust the implementations delivered by Sun.

<table width=90%> Short Algorithm Description _unix_ standard unix crypt The standard unix crypt mechanism. It´s not loaded as a module, as it´s part of the libc 1 BSD alike,md5 based The crypt_bsdmd5 module is a one-way password hashing module for use with crypt(3C) that uses the MD5 message hash algorithm. The output is compatible with md5crypt on BSD and Linux systems. 2a BSD alike, blowfish based The crypt_bsdbf module is a one-way password hashing module for use with crypt(3C) that uses the Blowfish cryptographic algorithm. md5 Sun, md5 based The \verb=crypt_sunmd5= module is a one-way password hashing module for use with \verb=crypt(3C)= that uses the MD5 message hash algorithm. This module is designed to make it difficult to crack passwords that use brute force attacks based on high speed MD5 implementations that use code inlining, unrolled loops, and table lookup </table>


Each of the last three mechanisms support passwords with up to 255 characters. It´s important to know, that the different hashing algorithm can coexist in your password databases. The password hashing for a password will be changed when user change his or her password.

Changing the default hash mechanism

Let´s use the md5 algorithm in our example. But before that, we should look into the actual \verb=/etc/shadow=

# grep "jmoekamp" /etc/shadow<br />
jmoekamp:nM2/fPrCTe3F6:14027::::::

It´s simple to enable a different encryption algorithm for password. You have just to change a single line in /etc/security/policy.conf. To edit this file you have to login as root:

CRYPT_DEFAULT=md5

Okay, now let´s change the password.

<br />
# passwd jmoekamp<br />
New Password: aa1234567890<br />
Re-enter new Password:  aa1234567890<br />
passwd: password successfully changed for jmoekamp

When you look in the /etc/shadow for the user, you will see a slighly modified password field. It´s much longer and between the first and the second $ you seee the used encryption mechanism:

# grep "jmoekamp" /etc/shadow<br />
jmoekamp:$md5$vyy8.OVF$$FY4TWzuauRl4.VQNobqMY.:14027::::::<code></blockquote>
Now let´s try the login:<br />
<blockquote><code>mymac:~ joergmoellenkamp$ ssh jmoekamp@10.211.55.200<br />
Password: <b>aa1234567890</b><br />
Last login: Wed May 28 11:38:24 2008 from 10.211.55.2<br />
Sun Microsystems Inc.   SunOS 5.11      snv_84  January 2008<br />
$ exit<br />
Connection to 10.211.55.200 closed.<br />
mymac:~ joergmoellenkamp$ ssh jmoekamp@10.211.55.200<br />
Password: <b>aa1234567891</b><br />
Password: <b>aa1234567892</b><br />
Password: <b>aa1234567893</b><br />
Permission denied (gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive).<br />
mymac:~ joergmoellenkamp$

You see, the correctness of the complete password is tested, not just the first 8 characters.