Since passwdqc is distributed in source code form, you will need to have a C compiler installed - either gcc or Sun Studio cc. You may download gcc from Sunfreeware. The C compiler invocation command must be in your search PATH - that is, when you type cc (as appropriate), you should receive output like “gcc: no input files” or “usage: cc [ options] files. Use 'cc -flags' for details” rather than a “command not found” message. You also need to have the /usr/ccs/bin directory in your PATH such that the make command is found; alternatively, you may install GNU make and have the path to that in your
As an exception, if you need to install passwdqc on multiple similar systems, you do not have to have a C compiler installed on each. Instead, you may tar up the passwdqc build tree after the make step below - and reuse the tree on other systems, where you'd start with the make install step.
Download a passwdqc distribution tarball from http://www.openwall.com/passwdqc/. Extract it, enter the directory, and compile the sources:
    gzip -dc passwdqc-VERSION.tar.gz | tar xvf -
    cd passwdqc-VERSION
    make
VERSION is the passwdqc version number (e.g., 1.2.2). This will use gcc by default; to use cc, edit the Makefile according to the comment in that file first.
Install all of the components of passwdqc with:
To actually enable the use of pam_passwdqc by the system, edit the /etc/pam.conf file. You will likely want to preserve the unedited version somewhere (e.g., in a separate file or with commented-out lines).
On Solaris 10, 9, and newer revisions of Solaris 8 (with patch 108993-18/108994-18 or later), edit the following section (found near the end of the file):
    #
    # Default definition for Password management
    # Used when service name is not explicitly mentioned for password management
    #
    other   password required       pam_dhkeys.so.1
    other   password requisite      pam_authtok_get.so.1
    other   password requisite      pam_authtok_check.so.1
    other   password required       pam_authtok_store.so.1
to look like:
    #
    # Default definition for Password management
    # Used when service name is not explicitly mentioned for password management
    #
    other   password required       pam_dhkeys.so.1
    other   password requisite      /usr/lib/security/pam_passwdqc.so retry=1 max=8
    other   password required       pam_authtok_store.so.1
On Solaris 2.6, 7, and older revisions of Solaris 8 (without patch 108993-18/108994-18 or later), edit the following section (found near the end of the file):
    #
    # Password management
    #
    other   password required       /usr/lib/security/pam_unix.so.1
to look like:
    #
    # Password management
    #
    other   password required       /usr/lib/security/pam_passwdqc.so ask_oldauthtok=update check_oldauthtok max=8
    other   password required       /usr/lib/security/pam_unix.so.1 use_first_pass
To test the setup, invoke the passwd command and see that passwdqc's default password policy is being described and enforced. The behavior should be similar to that seen on these screenshots.
We're using the max=8 option to pam_passwdqc in the /etc/pam.conf changes shown above in order to match the “traditional” Unix password hashing method, which truncates passwords at 8 characters. A much better alternative is to configure your Solaris system to use a modern password hashing method instead. This requires a recent version of Solaris.
In the /etc/security/policy.conf file, locate the CRYPT_DEFAULT setting. It might look like:
    # The Solaris default is the traditional UNIX algorithm.  This is not
    # listed in crypt.conf(4) since it is internal to libc.  The reserved
    # name __unix__ is used to refer to it.
    #
    CRYPT_DEFAULT=__unix__
You will want to edit it to look like:
Once the above change is made, you will need to remove the max=8 setting from your pam_passwdqc line in /etc/pam.conf and re-test the setup. An extra test to make is to set a password longer than 8 characters, then try to authenticate using just the first 8 characters of the password. This should fail (meaning that passwords longer than 8 characters are now supported for real).
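A consistency check for the /etc/pam.conf and /etc/security/policy.conf settings discussed above, as an added example that is not part of passwdqc or of the original instructions: it reports when max=8 is still on the pam_passwdqc line after CRYPT_DEFAULT has been changed, or is missing while the traditional hash is in use. The function names, the verdict strings and the constructed sample files (including the PLACEHOLDER value) are assumptions, and the script needs a POSIX shell, which the /bin/sh of older Solaris releases is not.

```shell
#!/bin/sh
# Added example, not part of passwdqc: check that the pam_passwdqc line in
# pam.conf agrees with the hashing method selected in policy.conf.

# Active (uncommented) pam_passwdqc "password" line, fields single-spaced.
passwdqc_line() {
    awk '$1 !~ /^#/ && $2 == "password" && /pam_passwdqc\.so/ { $1 = $1; print; exit }' "$1"
}

# Last active CRYPT_DEFAULT value. Assumption: when the setting is absent,
# the traditional method (__unix__) is in effect.
crypt_default() {
    v=$(sed -n 's/^CRYPT_DEFAULT=//p' "$1" | sed -n '$p')
    echo "${v:-__unix__}"
}

# Usage: check_passwdqc PAM_CONF POLICY_CONF
# Prints ok, not-enabled, truncation-risk or stale-max8; non-zero unless ok.
check_passwdqc() {
    line=$(passwdqc_line "$1")
    [ -n "$line" ] || { echo not-enabled; return 1; }
    alg=$(crypt_default "$2")
    case "$line " in *" max=8 "*) max8=yes ;; *) max8=no ;; esac
    if [ "$alg" = __unix__ ] && [ "$max8" = no ]; then
        echo truncation-risk; return 1  # hash truncates at 8, policy does not allow for it
    elif [ "$alg" != __unix__ ] && [ "$max8" = yes ]; then
        echo stale-max8; return 1       # max=8 left in place after the hash change
    fi
    echo ok
}

# Constructed sample: pam.conf lines in the newer-Solaris form shown above and
# a policy.conf whose CRYPT_DEFAULT value is a placeholder, not a real setting.
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' '# other password requisite pam_authtok_check.so.1' \
      'other password requisite /usr/lib/security/pam_passwdqc.so retry=1 max=8' \
      'other password required pam_authtok_store.so.1' > "$d/pam.conf"
    printf '%s\n' '#CRYPT_DEFAULT=__unix__' 'CRYPT_DEFAULT=PLACEHOLDER' > "$d/policy.conf"
    rc=0
    check_passwdqc "$d/pam.conf" "$d/policy.conf" || rc=$?   # prints stale-max8
    rm -rf "$d"; return "$rc"
}

if [ $# -eq 2 ]; then check_passwdqc "$1" "$2"; else demo || true; fi
```

Run it with the two file paths as arguments to check a live system; with no arguments it runs against the constructed sample.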
If you ever choose to uninstall, you will need to:
- edit /etc/pam.conf to revert your prior changes
- run make uninstall (as root)