Since passwdqc is distributed in source code form, you will need to have a C compiler installed - either gcc or Sun Studio cc. You may download gcc from Sunfreeware. The C compiler invocation command must be in your search PATH - that is, when you type gcc or cc (as appropriate), you should receive output like “gcc: no input files” or “usage: cc [ options] files. Use 'cc -flags' for details” rather than a “command not found” message. You also need to have the /usr/ccs/bin directory in your PATH such that the make command is found; alternatively, you may install GNU make and have the path to that in your PATH.
As an exception, if you need to install passwdqc on multiple similar systems, you do not have to have a C compiler installed on each. Instead, you may tar up the passwdqc build tree after the make step below - and reuse the tree on other systems, where you'd start with the make install step.
Download a passwdqc distribution tarball from http://www.openwall.com/passwdqc/. Extract it, enter the directory, and compile the sources:
gzip -dc passwdqc-VERSION.tar.gz | tar xvf -
cd passwdqc-VERSION
make
where VERSION is the passwdqc version number (e.g., 1.2.2). This will use gcc by default; to use cc, edit the Makefile according to the comment in that file first.
Install all of the components of passwdqc with:
make install
(as root).
To actually enable the use of pam_passwdqc by the system, edit the /etc/pam.conf file. You will likely want to preserve the unedited version somewhere (e.g., in a separate file or with commented-out lines).
On Solaris 10, 9, and newer revisions of Solaris 8 (with patch 108993-18/108994-18 or later), edit the following section (found near the end of the file):
#
# Default definition for Password management
# Used when service name is not explicitly mentioned for password management
#
other password required pam_dhkeys.so.1
other password requisite pam_authtok_get.so.1
other password requisite pam_authtok_check.so.1
other password required pam_authtok_store.so.1
to look like:
#
# Default definition for Password management
# Used when service name is not explicitly mentioned for password management
#
other password required pam_dhkeys.so.1
other password requisite /usr/lib/security/pam_passwdqc.so retry=1 max=8
other password required pam_authtok_store.so.1
On Solaris 2.6, 7, and older revisions of Solaris 8 (without patch 108993-18/108994-18 or later), edit the following section (found near the end of the file):
#
# Password management
#
other password required /usr/lib/security/pam_unix.so.1
to look like:
#
# Password management
#
other password required /usr/lib/security/pam_passwdqc.so ask_oldauthtok=update check_oldauthtok max=8
other password required /usr/lib/security/pam_unix.so.1 use_first_pass
To test the setup, invoke the passwd command and see that passwdqc's default password policy is being described and enforced. The behavior should be similar to that seen on these screenshots.
We're using the max=8 option to pam_passwdqc in the /etc/pam.conf changes shown above in order to match the “traditional” Unix password hashing method, which truncates passwords at 8 characters. A much better alternative is to configure your Solaris system to use a modern password hashing method instead. This requires a recent version of Solaris.
In the /etc/security/policy.conf file, locate the CRYPT_DEFAULT setting. It might look like:
# The Solaris default is the traditional UNIX algorithm. This is not
# listed in crypt.conf(4) since it is internal to libc. The reserved
# name __unix__ is used to refer to it.
#
CRYPT_DEFAULT=__unix__
You will want to edit it to look like:
CRYPT_DEFAULT=2a
to enable OpenBSD-style bcrypt (Blowfish-based) password hashing.
Once the above change is made, you will need to remove the max=8 setting from your pam_passwdqc line in /etc/pam.conf and re-test the setup. An extra test to make is to set a longer than 8 characters password, then try to authenticate using just the first 8 characters of the password. This should fail (meaning that passwords of longer than 8 characters are now supported for real).
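The two settings above have to agree: with the traditional __unix__ hash, pam_passwdqc should carry max=8; once CRYPT_DEFAULT is switched, max=8 must go, or the policy keeps capping passwords that the hash could now store in full. The following POSIX sh check is an added example, not part of passwdqc or of this page; the function names are made up, and the sample files it builds are constructed to mirror the fragments shown above.

```shell
#!/bin/sh
# Consistency check between pam.conf and policy.conf (hypothetical helper,
# not from passwdqc). Usage: check_passwdqc_setup PAM_CONF POLICY_CONF
# Prints one status word; returns 0 when consistent, 1 when a fix is needed.
check_passwdqc_setup() {
    pam_conf=$1; policy_conf=$2

    # Uncommented "other password ..." entries whose module is pam_passwdqc.
    # Solaris pam.conf fields: service type control module [options]
    qc_lines=$(awk '$1 == "other" && $2 == "password" && $4 ~ /pam_passwdqc\.so/' "$pam_conf")
    if [ -z "$qc_lines" ]; then
        echo "no-passwdqc"; return 1
    fi

    # Effective CRYPT_DEFAULT: last uncommented assignment; __unix__ when unset.
    crypt_default=$(sed -n 's/^[[:space:]]*CRYPT_DEFAULT=\(.*\)$/\1/p' "$policy_conf" | tail -n 1)
    [ -z "$crypt_default" ] && crypt_default=__unix__

    case $qc_lines in
        *max=8*) has_max8=yes ;;
        *)       has_max8=no ;;
    esac

    if [ "$crypt_default" = "__unix__" ]; then
        [ "$has_max8" = yes ] && { echo "ok-traditional"; return 0; }
        echo "missing-max8"; return 1    # crypt(3) silently truncates at 8 chars
    fi
    [ "$has_max8" = no ] && { echo "ok-modern"; return 0; }
    echo "stale-max8"; return 1          # modern hash, but policy still caps at 8
}

# Constructed sample: bcrypt enabled in policy.conf while pam.conf still has max=8.
demo_passwdqc_check() {
    dir=$(mktemp -d) || return 1
    printf '%s\n' \
        'other password required pam_dhkeys.so.1' \
        'other password requisite /usr/lib/security/pam_passwdqc.so retry=1 max=8' \
        'other password required pam_authtok_store.so.1' > "$dir/pam.conf"
    printf 'CRYPT_DEFAULT=2a\n' > "$dir/policy.conf"
    status=0
    check_passwdqc_setup "$dir/pam.conf" "$dir/policy.conf" || status=$?   # prints stale-max8
    rm -rf "$dir"
    return $status
}
```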
If you ever choose to uninstall, you will need to:
edit /etc/pam.conf to revert your prior changes
make uninstall (as root)