Less known Solaris features: On passwords - Part 2: Using stronger password hashing
Many people are unaware that, in the default configuration of Solaris, only the first eight characters of a password are used. Don't believe it? Let's try it.
Testing the relevant password length for standard crypt
Okay, I've logged into my test machine and changed my password:
Now let's try a password that differs at the ninth character by logging into the Solaris system from remote:
I've told you … only the first eight characters are relevant.
Stronger hash algorithms
But it's not that Solaris can't do better than that. It's the binary compatibility guarantee again: you can't simply change the mechanism that hashes the password, because there may be scripts that still need the old Unix crypt variant. But if you are sure that you have no such application, you can change it, and it's really simple to do.
When you look into the file /etc/security/crypt.conf, you will find the additional modules for password hashing.
The hashing mechanisms are loaded as libraries in the so-called Solaris Pluggable Crypt Framework. It's even possible to develop your own hashing mechanism in case you don't trust the implementations delivered by Sun.
libc
crypt_bsdmd5: This module is a one-way password hashing module for use with crypt(3C) that uses the MD5 message hash algorithm. The output is compatible with md5crypt on BSD and Linux systems.
crypt_bsdbf: This module is a one-way password hashing module for use with crypt(3C) that uses the Blowfish cryptographic algorithm.
Each of the last three mechanisms supports passwords with up to 255 characters. It's important to know that the different hashing algorithms can coexist in your password database. The hashing mechanism for a password is changed when the user changes his or her password.
Changing the default hash mechanism
Let's use the md5 algorithm in our example. But before that, we should look into the current /etc/shadow:
It's simple to enable a different hashing algorithm for passwords. You just have to change a single line in /etc/security/policy.conf. To edit this file you have to log in as root:
Okay, now let's change the password.
When you look in /etc/shadow for the user, you will see a slightly modified password field. It's much longer, and between the first and the second $ you see the hashing mechanism that was used:
You see, the complete password is checked, not just the first 8 characters.
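To turn the check above into something you can run across a whole password database, here is an added audit script (not from the original post) that reads shadow-style lines, pulls the mechanism id from between the first and second $, and flags accounts still on the traditional 13-character Unix crypt hash, where only the first eight characters count. The sample lines are constructed, and the mapping of id 1 to crypt_bsdmd5 and 2a to crypt_bsdbf is an assumption based on the usual crypt.conf ids, so adjust it to your own crypt.conf.

```python
import re

# Constructed sample /etc/shadow lines (user:hash:lastchg:min:max:warn:inactive:expire:flag).
SAMPLE_SHADOW = """\
root:$1$ab12cd34$0123456789abcdefghijkl:13900::::::
legacy:AbCdEfGhIjKlM:13900::::::
bfuser:$2a$08$abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123:13900::::::
locked:*LK*:13900::::::
nopass:NP:13900::::::
"""

# Mechanism ids as they appear between the first and second '$' of the
# password field. Assumption: '1' is crypt_bsdmd5 (md5crypt format) and
# '2a' is crypt_bsdbf (Blowfish); check against your /etc/security/crypt.conf.
KNOWN_IDS = {"1": "crypt_bsdmd5", "2a": "crypt_bsdbf"}

def classify_hash(field):
    """Return (mechanism name, truncates_at_8) for one shadow password field."""
    # Empty, NP (no password) and *LK* (locked) fields carry no usable hash.
    if field in ("", "NP") or field.startswith("*"):
        return ("no-password-or-locked", False)
    if field.startswith("$"):
        parts = field.split("$")          # ['', id, salt, hash, ...]
        mech_id = parts[1] if len(parts) > 2 else ""
        return (KNOWN_IDS.get(mech_id, "unknown-id-" + mech_id), False)
    # Traditional Unix crypt: 13 chars of the ./0-9A-Za-z alphabet, no '$'.
    if re.fullmatch(r"[./0-9A-Za-z]{13}", field):
        return ("traditional-unix-crypt", True)
    return ("unrecognised", False)

def audit_shadow(text):
    """Parse shadow lines; return a list of (user, mechanism, truncates_at_8)."""
    report = []
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) < 2 or not fields[0]:
            continue
        mech, trunc = classify_hash(fields[1])
        report.append((fields[0], mech, trunc))
    return report

if __name__ == "__main__":
    for user, mech, trunc in audit_shadow(SAMPLE_SHADOW):
        flag = "  <-- only the first 8 characters are checked" if trunc else ""
        print(f"{user:10s} {mech}{flag}")
```

Accounts reported as traditional-unix-crypt keep the 8-character limit until their owners change their password after CRYPT_DEFAULT has been switched in policy.conf.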