SGI: Security

login password length

Does anyone have any ideas on how to get around the password length problem. I would like to increase my usable password length to more than 8 characters. Has anyone figured out how to do this?
you could crypt on your own and paste it into shadow...

_________________
r-a-c.de
foetz wrote:
you could crypt on your own and paste it into shadow...


Actually, I talked to a person at SGI. The problem is not the password program, it is the login program. Login only looks at the first 8 characters regardless of how many are set by passwd. He suggested that pam might help with this, but he wasn't sure. I have next to no experience setting up pam.

Perhaps there is another way, of which I am unaware.
irixpgmr wrote:
foetz wrote:
you could crypt on your own and paste it into shadow...


Actually, I talked to a person at SGI. The problem is not the password program, it is the login program. Login only looks at the first 8 characters regardless of how many are set by passwd. He suggested that pam might help with this, but he wasn't sure. I have next to no experience setting up pam.

Perhaps there is another way, of which I am unaware.


well, it depends on which auth. mechanism you rely on.
however i think a good 8 chars password should be sufficient. there are many other more critical things to do first and if you're that paranoid you have to use trusted irix anyway :D

_________________
r-a-c.de
irixpgmr wrote:
foetz wrote:
you could crypt on your own and paste it into shadow...


Actually, I talked to a person at SGI. The problem is not the password program, it is the login program. Login only looks at the first 8 characters regardless of how many are set by passwd.

If I remember correctly, old versions of Solaris have the same "problem", I haven't verified it with recent (>8.0) versions.

_________________
Humppa is a serious thing!
I'll be putting Sol 9 on my server soon, I can check it then if I don't forget...

_________________
覇気元
Eroteme.org
If you'd like to, yes please. I haven't got a Solaris box around.

_________________
Humppa is a serious thing!
From Solaris 10 passwd man:
Quote:
Each password must have PASSLENGTH characters, where PASSLENGTH is defined in /etc/default/passwd and is set to 6.
Setting PASSLENGTH to more than eight characters requires configuring policy.conf(4) with an algorithm that supports greater than eight characters.
unixmuseum, great stuff. can you post the relevant policy.conf sections by any chance? Would be good to see if this stuff is commented or not...

_________________
覇気元
Eroteme.org
Hakimoto wrote:
unixmuseum, great stuff. can you post the relevant policy.conf sections by any chance? Would be good to see if this stuff is commented or not...

I'm not sure if this is what you are looking for, but the man pages for several Solaris (back to version 2.4!) are searchable at http://docs.sun.com , and you can browse to the man page for policy.conf in the Solaris 10 "Reference Manual" section.
irixpgmr wrote:
Does anyone have any ideas on how to get around the password length problem. I would like to increase my usable password length to more than 8 characters. Has anyone figured out how to do this?


IIRC, the GUI password/security tools limit you to 8 characters, but the good old UNIX "passwd" utility doesn't impose any arbitrary* length restrictions.

So, the best thing to do is probably to run "pwconv" (to setup/synchronise shadow passwords) and then use "passwd" to set the passwords for any accounts you need.

* although I think there is still a maximum of 255 characters
Hakimoto wrote:
unixmuseum, great stuff. can you post the relevant policy.conf sections by any chance? Would be good to see if this stuff is commented or not...
Here ya go, straight from /etc/security/policy.conf:

Quote:
#
# Copyright 2004 Sun Microsystems, Inc. All rights reserved.
# Use is subject to license terms.
#
# /etc/security/policy.conf
#
# security policy configuration for user attributes. see policy.conf(4)
#
#ident "@(#)policy.conf 1.11 04/09/27 SMI"
#
AUTHS_GRANTED=solaris.device.cdrw
PROFS_GRANTED=Basic Solaris User

# crypt(3c) Algorithms Configuration
#
# CRYPT_ALGORITHMS_ALLOW specifies the algorithms that are allowed to
# be used for new passwords. This is enforced only in crypt_gensalt(3c).
#
CRYPT_ALGORITHMS_ALLOW=1,2a,md5

# To deprecate use of the traditional unix algorithm, uncomment below
# and change CRYPT_DEFAULT= to another algorithm. For example,
# CRYPT_DEFAULT=1 for BSD/Linux MD5.
#
#CRYPT_ALGORITHMS_DEPRECATE=__unix__

# The Solaris default is the traditional UNIX algorithm. This is not
# listed in crypt.conf(4) since it is internal to libc. The reserved
# name __unix__ is used to refer to it.
#
CRYPT_DEFAULT=__unix__
#
# These settings determine the default privileges users have. If not set,
# the default privileges are taken from the inherited set.
# There are two different settings; PRIV_DEFAULT determines the default
# set on login; PRIV_LIMIT defines the Limit set on login.
# Individual users can have privileges assigned or taken away through
# user_attr. Privileges can also be assigned to profiles in which case
# the users with those profiles can use those privileges through pfexec(1m).
# For maximum future compatibility, the specifications should
# always include "basic" or "all"; privileges should then be removed using
# the negation. E.g., PRIV_LIMIT=all,!sys_linkdir takes away only the
# sys_linkdir privilege, regardless of future additional privileges.
# Similarly, PRIV_DEFAULT=basic,!file_link_any takes away only the
# file_link_any privilege from the basic privilege set; only that notation
# is immune from a future addition of currently unprivileged operations to
# the basic privilege set.
# NOTE: removing privileges from the the Limit set requires EXTREME care
# as any set-uid root program may suddenly fail because it lacks certain
# privilege(s).
#
#PRIV_DEFAULT=basic
#PRIV_LIMIT=all
#
# LOCK_AFTER_RETRIES specifies the default account locking policy for local
# user accounts (passwd(4)/shadow(4)). The default may be overridden by
# a user's user_attr(4) "lock_after_retries" value.
# YES enables local account locking, NO disables local account locking.
# The default value is NO.
#
#LOCK_AFTER_RETRIES=NO
stuart wrote:
irixpgmr wrote:
Does anyone have any ideas on how to get around the password length problem. I would like to increase my usable password length to more than 8 characters. Has anyone figured out how to do this?


IIRC, the GUI password/security tools limit you to 8 characters, but the good old UNIX "passwd" utility doesn't impose any arbitrary* length restrictions.

So, the best thing to do is probably to run "pwconv" (to setup/synchronise shadow passwords) and then use "passwd" to set the passwords for any accounts you need.

* although I think there is still a maximum of 255 characters

Actually, the login program truncates at 8 characters. I set the password to a password longer than 8 characters. I then put in the password with junk characters after the first 8 and I was logged in.
well i have to wonder a bit.
do you really think a password beyond 8 chars will significantly increase security?
i have to repeat "a good 8 chars password should be sufficient. there are many other more critical things to do first and if you're that paranoid you have to use trusted irix".

_________________
r-a-c.de
For Solaris 10, to enable longer passwords, edit /etc/security/policy.conf
and change:
CRYPT_DEFAULT=__unix__
to:
CRYPT_DEFAULT=md5

Then update /etc/default/passwd by changing the PASSLENGTH= to a value higher than the standard "6"

This solves the problem wherein a password can be long but only the first 8 characters are used.

http://www.vmunix.com/mark/blog/archive ... n-solaris/
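As an added example, not code from any of the posts above: a POSIX shell script that audits the two things this thread turns on, the CRYPT_DEFAULT / PASSLENGTH combination in the Solaris 10 fix just described and the "existing hash still only checks 8 characters" behaviour irixpgmr observed at login. It takes paths to copies of policy.conf, /etc/default/passwd and shadow as arguments rather than reading the live files, and the sample files it writes are constructed for the demo, with made-up hash strings that merely have the right shape (13-character traditional crypt vs. $1$ MD5). The classification of locked-account markers (*LK*, NP, !) and the $md5$/$5$/$6$ prefixes are assumptions about what a shadow file may contain, not taken from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): audit a Solaris 10 style system for
# the "only the first 8 password characters count" problem.  Paths to
# copies of /etc/security/policy.conf, /etc/default/passwd and /etc/shadow
# are passed as arguments so it can run against the constructed samples
# below without touching a real system.

# Value of KEY= in FILE, ignoring commented-out lines; last match wins.
conf_value() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1
}

# Classify one shadow(4) password field.  A traditional UNIX crypt(3c)
# hash is exactly 13 characters from [./0-9A-Za-z]; the DES-based
# algorithm behind it uses only the first 8 password characters.  $1$
# (MD5) and $2a$ (Blowfish), the algorithms listed under
# CRYPT_ALGORITHMS_ALLOW in the posted policy.conf, do not stop at 8;
# $md5$, $5$ and $6$ are assumed here to be other non-truncating schemes.
hash_class() {
    case "$1" in
        '')                                   echo empty ;;
        '$1$'*|'$2a$'*|'$md5$'*|'$5$'*|'$6$'*) echo long-ok ;;
        '*'*|'!'*|NP|NL)                      echo locked ;;  # *LK*, NP, NL, !
        *[!./0-9A-Za-z]*)                     echo unknown ;;
        *) if [ ${#1} -eq 13 ]; then echo traditional-8; else echo unknown; fi ;;
    esac
}

# Audit: prints findings, returns 0 when there are none and 1 otherwise.
audit_password_policy() {
    policy=$1 defaults=$2 shadow=$3
    findings=0
    crypt_default=$(conf_value "$policy" CRYPT_DEFAULT)
    passlength=$(conf_value "$defaults" PASSLENGTH)
    # Documented Solaris defaults when the keys are absent or commented out.
    [ -n "$crypt_default" ] || crypt_default=__unix__
    [ -n "$passlength" ] || passlength=6

    if [ "$crypt_default" = __unix__ ]; then
        echo "policy: CRYPT_DEFAULT=__unix__, new passwords get traditional crypt (first 8 characters only)"
        findings=$((findings + 1))
        if [ "$passlength" -gt 8 ]; then
            echo "policy: PASSLENGTH=$passlength exceeds 8, which passwd(1) says needs a longer-password algorithm"
            findings=$((findings + 1))
        fi
    fi

    # Changing CRYPT_DEFAULT does not rehash anything: every account keeps
    # its old algorithm until passwd is run for it, so check shadow too.
    while IFS=: read -r user field rest; do
        case $(hash_class "$field") in
            traditional-8) echo "shadow: $user still has a traditional hash, only 8 characters checked at login"
                           findings=$((findings + 1)) ;;
            empty)         echo "shadow: $user has an empty password field"
                           findings=$((findings + 1)) ;;
            unknown)       echo "shadow: $user has an unrecognised password field, check by hand" ;;
        esac
    done < "$shadow"

    [ "$findings" -eq 0 ]
}

# Constructed sample files (made-up hashes) reproducing the "before" state:
# stock CRYPT_DEFAULT, PASSLENGTH raised to 12, one account hashed under
# the old algorithm and one already re-set after switching to md5.
write_samples() {
    cat > "$1/policy.conf" <<'EOF'
# /etc/security/policy.conf (sample)
CRYPT_ALGORITHMS_ALLOW=1,2a,md5
#CRYPT_ALGORITHMS_DEPRECATE=__unix__
CRYPT_DEFAULT=__unix__
EOF
    cat > "$1/passwd.defaults" <<'EOF'
MAXWEEKS=
MINWEEKS=
PASSLENGTH=12
EOF
    cat > "$1/shadow" <<'EOF'
root:ab6fI2kCKEPFE:12345::::::
alice:$1$saltsalt$ZMVA5KchUfLR1c1HUd1Ji1:12345::::::
nobody:NP:6445::::::
guest::12345::::::
EOF
}

demo() {
    dir=$(mktemp -d)
    write_samples "$dir"
    if audit_password_policy "$dir/policy.conf" "$dir/passwd.defaults" "$dir/shadow"; then
        echo "no findings"
    else
        echo "fix: set CRYPT_DEFAULT=md5 (or 1 / 2a) in policy.conf, then run passwd for each flagged user"
    fi
    rm -rf "$dir"
}
demo
```

On a real box the three arguments would be /etc/security/policy.conf, /etc/default/passwd and /etc/shadow (the last needs root). The point the shadow loop makes is easy to miss when following the recipe above: editing policy.conf only affects passwords set afterwards, so any account whose hash is still the 13-character form keeps the 8-character login truncation until its password is changed again.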