Solaris 10 Password Policy Enforcement | arfore dot com

Image Credit: Ohio State University

I was recently handed a baseline policy that was to implemented for all users on the Solaris 10 systems that I support.  After a small amount of research I was able to find the various pieces that needed to be altered.

Desired Policy

After discussion between the security officer and the other management level staff, the following policy was decided upon:

Normal User Password Requirements

  • at least 8 characters in length
  • no more than 20 characters in length
  • contain at least on letter
  • contain at least one number
  • forced to change at least every 180 days
  • 15 minute lockout after 5 unsuccessful attempts

Most of the restrictions were fairly basic and could be easily accomplished.  The only one that I could find no mechanism for control of in Solaris 10 is the automatic unlock of an account after the specified 15 minute lockout.  While it is possible to determine when an account has been locked by looking at the timestamp in the syslog, there is no automated method for unlocking the account after a certain amount of time has elapsed.  I suppose it would be possible to write a script to check the entries in the shadow file then grep the syslog then do some math on the timestamp, but honestly I am not worried about it.

Implementation

The implementation process involves editing two files that are key to the functionality of user login security.  As always when altering system files it is a good idea to make backups of the originals in case things go wrong.  The files involved are:

  1. /etc/default/login
  2. /etc/default/passwd

Setting the account lockout (aka Three Strikes)

Generally the default on a Solaris 10 system is to set the account lockout to three password retries before an account is locked.  We decided to relax this a little and allow for five retries.

  1. Open /etc/default/login in your favorite editor
  2. Search for the line reading RETRIES=3
  3. Change the line to read RETRIES=5

Configuring the complexity rules

The password complexity ruleset for Solaris 10 is fairly understandable.  The rules are defined in /etc/default/passwd and the values to be tweaked are:

  • MINDIFF
  • MINALPHA
  • MINNONALPHA
  • MINUPPER
  • MINLOWER
  • MAXREPEATS
  • MINSPECIAL
  • MINDIGIT
  • WHITESPACE

The desired policy decided upon was to require at least one number and one letter.  There was some discussion about special characters, but it was decided to not require any special characters for normal user accounts.  Given these requirements the following process is used to implement the complexity ruleset:

  1. Open the file /etc/default/passwd in your favorite editor
  2. Set the password complexity tunables to look as follows
MINDIFF=3
MINALPHA=1
#MINNONALPHA=1
#MINUPPER=1
#MINLOWER=1
MAXREPEATS=0
#MINSPECIAL=0
MINDIGIT=1
WHITESPACE=YES

Setting the password expiration and length rules

Configuring account lockouts and password complexity is a great start, however it is not the complete picture.  While reasonable complexity rules will allow users to set passwords that they can readily remember, and a flexible lockout value will give some room for fumble fingers, if users are not required to change their passwords every so often then the security of the system can suffer as well.

You also should consider password length.  A shorter password, regardless of complexity, is going to be easier to crack from an algorithmic standpoint.  This is simply due to the mathematical requirements.  The problem is that user’s tend to not like long passwords.  As you increase the password length, you increase the likelihood the passwords will use dictionary words (we can account for that as well).

The agreed upon setting for normal users on our systems was 180 days.  Unfortunately Solaris 10 uses a setting measured in weeks and not days.  What this means is that the setting will have to be slightly longer.  The password length was decided to be at least 8 characters and no longer than 20 characters.  Also, Solaris 10 has no setting to enable a maximum password length.

  1. Open /etc/default/passwd in your favorite editor
  2. Set the value for MAXWEEKS to be the value of number of days divided by 7, rounding up
  3. Set the value for PASSLENGTH to be the value of the minimum number of characters

Important Notes and Considerations

Password Length

The default algorithm used for passwords under Solaris 10 is crypt_unix.  This algorithm is not considered sufficiently secure, even by Oracle.  You should investigate using a different algorithm such as MD5 or Blowfish instead.  The default will not allow for passwords that are longer than 8 characters.  You can set the password to be longer, but all characters after the eighth position will be discarded during the authentication check process.

Retroactive Usage

Changes to the password expiration policy is not immediately retroactive.  For the expiration requirements to take effect on existing accounts you will need to initiate a manual password change for the shadow file entry to be updated.

Dictionary Words

When Solaris 10 was introduced one of the changes made to PAM was the ability to use a comma-delimited list of dictionary files to avoid usage of common words during password selection.  This can be configured with the DICTIONLIST variable in the /etc/default/passwd file.

Applying lockout to the root user

While this is not the default, you can apply the lockout rule to the root user account by editing the /etc/user_attr file and changing the lock_after_retries value for this user to yes.  Be warned this is not recommended since a locked account can only be unlocked by the root user.  If your root level account becomes locked then you will need to have an account that allows sudo access or you will end up going to some extreme lengths to re-enable access to the system.

References

Of course, none of this information is really unique.  Here is the list of resources I used to put all of this together:

For more commentary on password length, complexity, etc., see a few of these sites: