Need help in configuring Password Constraints for Solaris 11.3

jebby123 · September 8, 2016, 5:22am

Hello Friends

I was running Solaris 11.3 x86.

Below is my configuration to set password Constraints.

more /etc/default/passwd 

MAXWEEKS=4
MINWEEKS=1
WARNWEEKS=1
PASSLENGTH=8

NAMECHECK=YES

HISTORY=4

MINDIFF=3
MINALPHA=2
MINNONALPHA=1
MINUPPER=1
MINLOWER=1
MAXREPEATS=2
MINSPECIAL=0
MINDIGIT=1
WHITESPACE=YES

DICTIONLIST=/usr/share/lib/dict/words
DICTIONDBDIR=/var/passwd
#DICTIONMINWORDLENGTH=3

more /etc/pam.conf

other   password required       pam_dhkeys.so.1
other   password requisite      pam_authtok_get.so.1
other   password requisite      pam_authtok_check.so.1
other   password required       pam_authtok_store.so.1

more /etc/shadow

test123:$5$d0RtrmM4$dKEvxqLSUDvMpjVy5l8nrg/42cBdqzlsff3lGlaYte9:17052:7:28:7:::

Still I am able to set even single digit as password to any account, even though PASSLENGTH is configured as 8.

root@test:~# passwd test123
New Password: 
Re-enter new Password: 
passwd: password successfully changed for test123
root@test:~#

Can anybody with experience on this help in figuring out the issue. Where else do I need to do configuration to have /etc/default/passwd related constraints effective.

Thanks in advance

hicksd8 · September 8, 2016, 3:05pm

Hi jebby123 and welcome to the forums.

Please search this forum for discussions on this topic.

Here is a link to a thread where many of us so called experts had input to reach the correct conclusion:

I'll check it out and post links to other threads shortly, but do you own search please.

---------- Post updated at 07:59 PM ---------- Previous update was at 07:57 PM ----------

Happy learning....

---------- Post updated at 08:05 PM ---------- Previous update was at 07:59 PM ----------

jlliagre · September 8, 2016, 3:41pm

Have a look to the /usr/lib/security/pam_authtok_common file. The force_check parameter might have been removed from the pam_authtok_check.so.1 module:

other password requisite  pam_authtok_check.so.1 force_check

jebby123 · September 9, 2016, 6:38am

Hi Jlliagre

Adding force_check solved the issue.

Thanks for the help

jlliagre · September 9, 2016, 7:33am

Glad it worked!

Note that under Solaris 10 and older, root wasn't affected by password constraints and could set whatever password for any account. Solaris 11 changed that and, by default, is enforcing the password constraints for all users including root. That wasn't the case in your system which was modified to restore the old behavior. Regular (i.e. non root) accounts were still constrained though.