Image Credit: Ohio State University
I was recently handed a baseline policy that was to implemented for all users on the Solaris 10 systems that I support. After a small amount of research I was able to find the various pieces that needed to be altered.
Desired Policy
After discussion between the security officer and the other management level staff, the following policy was decided upon:
Normal User Password Requirements
- at least 8 characters in length
- no more than 20 characters in length
- contain at least on letter
- contain at least one number
- forced to change at least every 180 days
- 15 minute lockout after 5 unsuccessful attempts
Most of the restrictions were fairly basic and could be easily accomplished. The only one that I could find no mechanism for control of in Solaris 10 is the automatic unlock of an account after the specified 15 minute lockout. While it is possible to determine when an account has been locked by looking at the timestamp in the syslog, there is no automated method for unlocking the account after a certain amount of time has elapsed. I suppose it would be possible to write a script to check the entries in the shadow file then grep the syslog then do some math on the timestamp, but honestly I am not worried about it.
Implementation
The implementation process involves editing two files that are key to the functionality of user login security. As always when altering system files it is a good idea to make backups of the originals in case things go wrong. The files involved are:
- /etc/default/login
- /etc/default/passwd
Setting the account lockout (aka Three Strikes)
Generally the default on a Solaris 10 system is to set the account lockout to three password retries before an account is locked. We decided to relax this a little and allow for five retries.
- Open /etc/default/login in your favorite editor
- Search for the line reading RETRIES=3
- Change the line to read RETRIES=5
Configuring the complexity rules
The password complexity ruleset for Solaris 10 is fairly understandable. The rules are defined in /etc/default/passwd and the values to be tweaked are:
- MINDIFF
- MINALPHA
- MINNONALPHA
- MINUPPER
- MINLOWER
- MAXREPEATS
- MINSPECIAL
- MINDIGIT
- WHITESPACE
The desired policy decided upon was to require at least one number and one letter. There was some discussion about special characters, but it was decided to not require any special characters for normal user accounts. Given these requirements the following process is used to implement the complexity ruleset:
- Open the file /etc/default/passwd in your favorite editor
- Set the password complexity tunables to look as follows
MINDIFF=3
MINALPHA=1
#MINNONALPHA=1
#MINUPPER=1
#MINLOWER=1
MAXREPEATS=0
#MINSPECIAL=0
MINDIGIT=1
WHITESPACE=YES
Setting the password expiration and length rules
Configuring account lockouts and password complexity is a great start, however it is not the complete picture. While reasonable complexity rules will allow users to set passwords that they can readily remember, and a flexible lockout value will give some room for fumble fingers, if users are not required to change their passwords every so often then the security of the system can suffer as well.
You also should consider password length. A shorter password, regardless of complexity, is going to be easier to crack from an algorithmic standpoint. This is simply due to the mathematical requirements. The problem is that user’s tend to not like long passwords. As you increase the password length, you increase the likelihood the passwords will use dictionary words (we can account for that as well).
The agreed upon setting for normal users on our systems was 180 days. Unfortunately Solaris 10 uses a setting measured in weeks and not days. What this means is that the setting will have to be slightly longer. The password length was decided to be at least 8 characters and no longer than 20 characters. Also, Solaris 10 has no setting to enable a maximum password length.
- Open /etc/default/passwd in your favorite editor
- Set the value for MAXWEEKS to be the value of number of days divided by 7, rounding up
- Set the value for PASSLENGTH to be the value of the minimum number of characters
Important Notes and Considerations
Password Length
The default algorithm used for passwords under Solaris 10 is crypt_unix. This algorithm is not considered sufficiently secure, even by Oracle. You should investigate using a different algorithm such as MD5 or Blowfish instead. The default will not allow for passwords that are longer than 8 characters. You can set the password to be longer, but all characters after the eighth position will be discarded during the authentication check process.
Retroactive Usage
Changes to the password expiration policy is not immediately retroactive. For the expiration requirements to take effect on existing accounts you will need to initiate a manual password change for the shadow file entry to be updated.
Dictionary Words
When Solaris 10 was introduced one of the changes made to PAM was the ability to use a comma-delimited list of dictionary files to avoid usage of common words during password selection. This can be configured with the DICTIONLIST variable in the /etc/default/passwd file.
Applying lockout to the root user
While this is not the default, you can apply the lockout rule to the root user account by editing the /etc/user_attr file and changing the lock_after_retries value for this user to yes. Be warned this is not recommended since a locked account can only be unlocked by the root user. If your root level account becomes locked then you will need to have an account that allows sudo access or you will end up going to some extreme lengths to re-enable access to the system.
References
Of course, none of this information is really unique. Here is the list of resources I used to put all of this together:
For more commentary on password length, complexity, etc., see a few of these sites: