Less known Solaris features: On passwords - Part 2: Using stronger password hashing
Many people are unaware of the fact that only the first eight characters of a password are used in the default configuration of Solaris. Don't believe it? Let's try it.
Testing the relevant password length for standard crypt
Okay, I've logged into my test machine and changed my password:
bash-3.2$ passwd jmoekamp
Enter existing login password: oldpassword
New Password: aa3456789
Re-enter new Password: aa3456789
passwd: password successfully changed for jmoekamp
bash-3.2$
Now let's try a password that differs at the ninth character by logging into the Solaris system from a remote machine:
mymac:~ joergmoellenkamp$ ssh jmoekamp@10.211.55.200
Password: aa3456780
Last login: Wed May 28 11:24:05 2008 from 10.211.55.2
Sun Microsystems Inc. SunOS 5.11 snv_84 January 2008
I've told you … only the first eight characters are relevant.
Stronger hash algorithms
But that does not mean Solaris can't do better. It's the binary compatibility guarantee again: the mechanism used to hash passwords can't simply be changed, because there may be scripts that still need the old Unix crypt variant. But if you are sure you have no such application, you can change it, and it's really simple to do.
When you look into the file /etc/security/crypt.conf, you will find the additional modules for password hashing.
# The algorithm name __unix__ is reserved.
1 crypt_bsdmd5.so.1
2a crypt_bsdbf.so.1
md5 crypt_sunmd5.so.1
The hashing mechanisms are loaded as libraries in the so-called Solaris Pluggable Crypt Framework. It's even possible to develop your own hashing mechanism in case you don't trust the implementations delivered by Sun. The manual pages describe the two BSD-compatible modules as follows:
crypt_bsdmd5: This module is a one-way password hashing module for use with crypt(3C) that uses the MD5 message hash algorithm. The output is compatible with md5crypt on BSD and Linux systems.
crypt_bsdbf: This module is a one-way password hashing module for use with crypt(3C) that uses the Blowfish cryptographic algorithm.
Each of the last three mechanisms supports passwords of up to 255 characters. It's important to know that the different hashing algorithms can coexist in your password database. The hash stored for a password is only changed when the user changes his or her password.
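To make the difference concrete, here is an added example (not code from the article or from Sun) that reimplements the md5crypt construction in Python, the "$1$" scheme that crypt_bsdmd5.so.1 is documented to be compatible with. It uses only hashlib and follows the original FreeBSD algorithm; the salt "vyy8.OVF" is borrowed from the article's shadow entry purely as sample input, and the function names are my own. It does not implement Sun's own "$md5$" variant (crypt_sunmd5), which the article does not describe in detail. Running it shows that two passwords agreeing in the first eight characters and differing at the ninth hash to different values, which is exactly what the traditional scheme fails to do.

```python
import hashlib

# Alphabet used by the crypt family for the final base-64 style encoding.
ITOA64 = b"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value: int, count: int) -> str:
    """Emit `count` digits of `value`, least significant digit first (crypt convention)."""
    out = []
    for _ in range(count):
        out.append(chr(ITOA64[value & 0x3F]))
        value >>= 6
    return "".join(out)


def md5crypt(password: str, salt: str) -> str:
    """Return the '$1$salt$hash' string for `password` following the original
    FreeBSD md5crypt construction (the format crypt_bsdmd5 is compatible with)."""
    magic = b"$1$"
    pw = password.encode()
    # The salt is at most eight characters and ends at the first '$'.
    salt_bytes = salt.split("$", 1)[0][:8].encode()

    ctx = hashlib.md5(pw + magic + salt_bytes)
    alt = hashlib.md5(pw + salt_bytes + pw).digest()
    # Mix in the alternate digest, one byte per byte of password length.
    remaining = len(pw)
    while remaining > 0:
        ctx.update(alt[: min(16, remaining)])
        remaining -= 16
    # For every bit of the password length add either a zero byte or the first password byte.
    bits = len(pw)
    while bits:
        ctx.update(b"\0" if bits & 1 else pw[:1])
        bits >>= 1
    final = ctx.digest()

    # 1000 stretching rounds; what gets hashed depends on the round number.
    for i in range(1000):
        round_ctx = hashlib.md5()
        round_ctx.update(pw if i & 1 else final)
        if i % 3:
            round_ctx.update(salt_bytes)
        if i % 7:
            round_ctx.update(pw)
        round_ctx.update(final if i & 1 else pw)
        final = round_ctx.digest()

    # Encode the 16-byte digest as 22 characters in md5crypt's rearranged order.
    encoded = "".join(
        _to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
        for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5))
    )
    encoded += _to64(final[11], 2)
    return magic.decode() + salt_bytes.decode() + "$" + encoded


def ninth_character_matters(salt: str = "vyy8.OVF") -> bool:
    """The article's check: passwords that agree in the first eight characters
    and differ at the ninth must produce different hashes."""
    return md5crypt("aa3456789", salt) != md5crypt("aa3456780", salt)


if __name__ == "__main__":
    for candidate in ("aa3456789", "aa3456780"):
        print(candidate, md5crypt(candidate, "vyy8.OVF"))
    print("ninth character matters:", ninth_character_matters())
```

The known answer used in the test below is the example from the OpenSSL passwd(1) manual ("password" with salt "xxxxxxxx"), so the reimplementation can be checked against an independent implementation; with traditional crypt, the two candidate passwords above would collapse to the same 13-character hash.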
Changing the default hash mechanism
Let's use the md5 algorithm in our example. But before that, we should look at the current entry in /etc/shadow:
# grep "jmoekamp" /etc/shadow
jmoekamp:nM2/fPrCTe3F6:14027::::::
It's simple to enable a different hashing algorithm for passwords. You just have to change a single line in /etc/security/policy.conf. To edit this file you have to log in as root:
CRYPT_DEFAULT=md5
Okay, now let's change the password.
# passwd jmoekamp
New Password: aa1234567890
Re-enter new Password: aa1234567890
passwd: password successfully changed for jmoekamp
When you look into /etc/shadow for the user, you will see a slightly modified password field. It's much longer, and between the first and the second $ you see the hashing mechanism that was used:
# grep "jmoekamp" /etc/shadow
jmoekamp:$md5$vyy8.OVF$$FY4TWzuauRl4.VQNobqMY.:14027::::::
Now let's try the login:
mymac:~ joergmoellenkamp$ ssh jmoekamp@10.211.55.200
Password: aa1234567890
Last login: Wed May 28 11:38:24 2008 from 10.211.55.2
Sun Microsystems Inc. SunOS 5.11 snv_84 January 2008
$ exit
Connection to 10.211.55.200 closed.
mymac:~ joergmoellenkamp$ ssh jmoekamp@10.211.55.200
Password: aa1234567891
Password: aa1234567892
Password: aa1234567893
Permission denied (gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive).
mymac:~ joergmoellenkamp$
You see, the correctness of the complete password is tested, not just the first 8 characters.
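Because the stored hash only changes when a user next changes the password, switching CRYPT_DEFAULT leaves existing accounts on the old scheme until then. The following added example (my own Python, not part of the article or of Solaris) reads the CRYPT_DEFAULT line from policy.conf, the identifier table from crypt.conf, and a set of shadow entries, and reports which accounts still carry a hash other than the configured default. The crypt.conf text is the listing from the article; the shadow lines are constructed for the demonstration (jmoekamp's "$md5$" entry and the 13-character traditional hash are taken from the article's listings, the other hash bodies are placeholders). The identifier between the first and second "$" is used to classify pluggable-crypt hashes; a field without a "$" prefix is treated as traditional "__unix__" crypt, and "NP"/"*LK*" markers as accounts without a usable hash. These conventions and all function names are my assumptions.

```python
from typing import Dict, List

# Identifier table as listed in the article's /etc/security/crypt.conf.
CRYPT_CONF_SAMPLE = """\
# The algorithm name __unix__ is reserved.
1 crypt_bsdmd5.so.1
2a crypt_bsdbf.so.1
md5 crypt_sunmd5.so.1
"""

# The single line the article changes in /etc/security/policy.conf.
POLICY_CONF_SAMPLE = "CRYPT_DEFAULT=md5\n"

# Constructed shadow lines: jmoekamp carries the $md5$ hash from the article,
# 'legacy' reuses the 13-character traditional hash from the article's first
# listing, and the remaining hash bodies are placeholders, not real hashes.
SHADOW_SAMPLE = """\
root:$md5$EXAMPLE1$$PLACEHOLDERHASHBODY000:14027::::::
jmoekamp:$md5$vyy8.OVF$$FY4TWzuauRl4.VQNobqMY.:14027::::::
legacy:nM2/fPrCTe3F6:14027::::::
olduser:$1$EXAMPLE2$PLACEHOLDERHASHBODY0000:14027::::::
daemon:NP:6445::::::
bin:*LK*:6445::::::
"""

# Markers that mean "no usable password hash" (no password / locked account).
NO_HASH_MARKERS = ("NP", "*LK*", "*", "!!")


def crypt_default_from_policy(text: str) -> str:
    """Read CRYPT_DEFAULT from policy.conf text; when the line is absent or
    commented out, assume the traditional scheme the article calls the default."""
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("CRYPT_DEFAULT="):
            return line.split("=", 1)[1].strip()
    return "__unix__"


def parse_crypt_conf(text: str) -> Dict[str, str]:
    """Map each crypt.conf identifier to its module name; comments and blanks are skipped."""
    table: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ident, module = line.split(None, 1)
        table[ident] = module.split()[0]
    return table


def hash_mechanism(field: str) -> str:
    """Name the mechanism of a shadow password field: 'none' for locked or
    password-less accounts, the identifier between the first and second '$'
    for pluggable-crypt hashes, '__unix__' for a traditional 13-character hash."""
    if field == "" or field.startswith(NO_HASH_MARKERS):
        return "none"
    if field.startswith("$"):
        return field.split("$")[1]
    return "__unix__"


def audit_shadow(shadow_text: str, crypt_conf_text: str, crypt_default: str) -> Dict[str, dict]:
    """Classify every account and flag those whose stored hash does not use
    CRYPT_DEFAULT; they keep the old hash until their next password change."""
    modules = parse_crypt_conf(crypt_conf_text)
    report: Dict[str, dict] = {}
    for line in shadow_text.splitlines():
        if not line.strip():
            continue
        user, field = line.split(":", 2)[:2]
        mech = hash_mechanism(field)
        module = "built into libc (__unix__)" if mech == "__unix__" else modules.get(mech)
        report[user] = {
            "mechanism": mech,
            "module": module,
            "needs_rehash": mech not in ("none", crypt_default),
        }
    return report


def needs_rehash_users(report: Dict[str, dict]) -> List[str]:
    """Sorted list of accounts still on a scheme other than the configured default."""
    return sorted(user for user, info in report.items() if info["needs_rehash"])


if __name__ == "__main__":
    default = crypt_default_from_policy(POLICY_CONF_SAMPLE)
    rep = audit_shadow(SHADOW_SAMPLE, CRYPT_CONF_SAMPLE, default)
    for user, info in rep.items():
        print(f"{user:10s} {info['mechanism']:10s} {str(info['module'] or '-'):28s} rehash={info['needs_rehash']}")
    print("accounts still to re-hash:", needs_rehash_users(rep))
```

On a real system the three inputs would be read from /etc/security/policy.conf, /etc/security/crypt.conf and /etc/shadow (which requires root); the accounts the report flags are the ones that still only check the first eight characters until their owners set a new password.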