How to install passwdqc on Solaris

Ensure the system is prepared

Since passwdqc is distributed in source code form, you will need to have a C compiler installed - either gcc or Sun Studio cc. You may download gcc from Sunfreeware. The C compiler invocation command must be in your search PATH - that is, when you type gcc or cc (as appropriate), you should receive output like gcc: no input files or usage: cc [ options] files. Use 'cc -flags' for details rather than a “command not found” message. You also need to have the /usr/ccs/bin directory in your PATH such that the make command is found; alternatively, you may install GNU make and have the path to that in your PATH.

As an exception, if you need to install passwdqc on multiple similar systems, you do not have to have a C compiler installed on each. Instead, you may tar up the passwdqc build tree after the make step below - and reuse the tree on other systems, where you'd start with the make install step.

Build and install passwdqc

Download a passwdqc distribution tarball from http://www.openwall.com/passwdqc/. Extract it, enter the directory, and compile the sources:

gzip -dc passwdqc-VERSION.tar.gz | tar xvf -
cd passwdqc-VERSION
make

where VERSION is the passwdqc version number (e.g., 1.2.2). This will use gcc by default; to use cc, edit the Makefile according to the comment in that file first.

Install all of the components of passwdqc with:

make install

(as root).

Configure the system to use pam_passwdqc

To actually enable the use of pam_passwdqc by the system, edit the /etc/pam.conf file. You will likely want to preserve the unedited version somewhere (e.g., in a separate file or with commented-out lines).

On Solaris 10, 9, and newer revisions of Solaris 8 (with patch 108993-18/108994-18 or later), edit the following section (found near the end of the file):

#
# Default definition for  Password management
# Used when service name is not explicitly mentioned for password management
#
other   password required       pam_dhkeys.so.1
other   password requisite      pam_authtok_get.so.1
other   password requisite      pam_authtok_check.so.1
other   password required       pam_authtok_store.so.1

to look like:

#
# Default definition for  Password management
# Used when service name is not explicitly mentioned for password management
#
other   password required       pam_dhkeys.so.1
other   password requisite      /usr/lib/security/pam_passwdqc.so retry=1 max=8
other   password required       pam_authtok_store.so.1

On Solaris 2.6, 7, and older revisions of Solaris 8 (without patch 108993-18/108994-18 or later), edit the following section (found near the end of the file):

#
# Password management
#
other   password required       /usr/lib/security/pam_unix.so.1

to look like:

#
# Password management
#
other   password required       /usr/lib/security/pam_passwdqc.so ask_oldauthtok=update check_oldauthtok max=8
other   password required       /usr/lib/security/pam_unix.so.1 use_first_pass

Ensure that the system uses pam_passwdqc properly

To test the setup, invoke the passwd command and see that passwdqc's default password policy is being described and enforced. The behavior should be similar to that seen on these screenshots.

Switch to a better password hashing method (and avoid the 8-character limit)

We're using the max=8 option to pam_passwdqc in the /etc/pam.conf changes shown above in order to match the “traditional” Unix password hashing method, which truncates passwords at 8 characters. A much better alternative is to configure your Solaris system to use a modern password hashing method instead. This requires a recent version of Solaris.

In the /etc/security/policy.conf file, locate the CRYPT_DEFAULT setting. It might look like:

# The Solaris default is the traditional UNIX algorithm.  This is not
# listed in crypt.conf(4) since it is internal to libc.  The reserved
# name __unix__ is used to refer to it.
#
CRYPT_DEFAULT=__unix__

You will want to edit it to look like:

CRYPT_DEFAULT=2a

to enable OpenBSD-style bcrypt (Blowfish-based) password hashing.

Once the above change is made, you will need to remove the max=8 setting from your pam_passwdqc line in /etc/pam.conf and re-test the setup. An extra test to make is to set a longer than 8 characters password, then try to authenticate using just the first 8 characters of the password. This should fail (meaning that passwords of longer than 8 characters are now supported for real).

How to uninstall passwdqc

If you ever choose to uninstall, you will need to:

  1. Edit /etc/pam.conf to revert your prior changes
  2. Enter the passwdqc build directory and invoke make uninstall (as root)

Back to passwdqc resources.

passwdqc/solaris.txt · Last modified: 2010/06/22 16:18 by solar
 
Except where otherwise noted, content on this wiki is licensed under the following license: CC Attribution-Noncommercial-Share Alike 3.0 Unported
Recent changes RSS feed Donate to DokuWiki Powered by PHP Valid XHTML 1.0 Valid CSS Driven by DokuWiki Powered by OpenVZ Powered by Openwall GNU/*/Linux Bookmark and Share