Password policy problem?

Hi Solaris experts,

I need to change a user password on two Solaris 10 servers.
With the same password, I can change it on only one of them.
I tried checking everything but found no difference.

password pattern: abcdeFgh9Jk

Server1 checks all characters but server2 checks only the first 8 characters. Why?
I think Solaris checks only the first 8 characters.

Error message on server2: passwd: The first 8 characters of the password must contain at least 1 numeric or special character(s).
Does anyone have any idea about this case?

File: /etc/default/passwd

Server0101 *** Change password success

MINALPHA=2
#MINDIFF=5
MINNONALPHA=1
#MINUPPER=0
#MINLOWER=2
#MAXREPEATS=2
WHITESPACE=YES
NAMECHECK=YES
DICTIONDBDIR=/var/passwd
DICTIONLIST=/usr/share/lib/dict/words
MINWEEKS=1
MAXWEEKS=9
WARNWEEKS=1
PASSLENGTH=8

Server02 **** Cannot change password
HISTORY=3
MINALPHA=2
#MINDIFF=5
MINNONALPHA=1
#MINUPPER=0
#MINLOWER=2
#MAXREPEATS=2
WHITESPACE=YES
NAMECHECK=YES
DICTIONDBDIR=/var/passwd
DICTIONLIST=/usr/share/lib/dict/words
MINWEEKS=1
MAXWEEKS=9
WARNWEEKS=1
PASSLENGTH=8

Thank you,

First question to you: doesn't your server 1 check password history?
And according to the error message, your first 8 characters should have at least a special character or a numeric, which does not match.

  1. Yes, server1 checks password history too [HISTORY=3].
  2. My password has the number "9" as the 9th character, but why can we use this password on server1?

My password example: abcdeFgh9Jk

By default with Solaris 10 and older the password is truncated to the first eight characters before further processing. Remaining ones are simply ignored.

Can you see this in my previous answer?
...
2. My password has the number "9" as the 9th character, but why can we use this password on server1? <<<<

There is nothing wrong with server1 checking the ninth character. As I wrote, the default configuration truncates to eight. You do not give evidence server1 uses the default security policy configuration.

You would need to compare /etc/security/policy.conf files, especially the CRYPT_DEFAULT parameter.

Oh, thank you jlliagre, I found a difference but I don't understand it.

Server1 has no "CRYPT_DEFAULT" parameter,

but server2 has:
> CRYPT_DEFAULT=2a
> CRYPT_ALGORITHMS_ALLOW=1,2a,md5

What about these?

Hope these docs will shine some light on the feature.

Learning Solaris 10

Oh great!

It can solve my problem, but I have a question, incredible.

In policy.conf we changed
CRYPT_DEFAULT=1 to 2a [it checks more than the first 8 characters of the password],
but when we change it back (CRYPT_DEFAULT=1) [it still checks more than the first 8 characters of the password]?

thanks,
aRm_naja

That's because "1" is still not the default algorithm but md5.

Use that one:

CRYPT_DEFAULT=__unix__ 

I get it!

Thanks to all (jlliagre, incredible).
See you in the next thread.
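
Added example, not part of the original thread: a shell sketch of the behaviour the answers describe, where the CRYPT_DEFAULT value in /etc/security/policy.conf decides how much of a new password the MINNONALPHA rule sees. It assumes that an unset CRYPT_DEFAULT means `__unix__` and, as a simplification, that every other algorithm uses the whole password; the function names and sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): model how CRYPT_DEFAULT in policy.conf
# changes which part of a new password the MINNONALPHA rule is applied to.

# Print the effective CRYPT_DEFAULT of a policy.conf-style file.
# Assumption: an unset or commented-out parameter means __unix__.
crypt_default() {
    val=$(sed -n 's/^[[:space:]]*CRYPT_DEFAULT=\([^[:space:]#]*\).*/\1/p' "$1" | tail -1)
    echo "${val:-__unix__}"
}

# Print the part of the password that is significant for the algorithm:
# the first 8 characters for __unix__, otherwise (simplified) all of it.
significant_part() {    # $1 = algorithm, $2 = password
    case "$1" in
        __unix__) printf '%s\n' "$2" | cut -c1-8 ;;
        *)        printf '%s\n' "$2" ;;
    esac
}

# Count the characters that are not letters (digits, punctuation, ...).
count_nonalpha() {
    printf '%s' "$1" | tr -d 'A-Za-z' | wc -c | tr -d ' '
}

# Succeed if the password meets MINNONALPHA under the given policy file.
check_password() {      # $1 = policy.conf, $2 = MINNONALPHA, $3 = password
    algo=$(crypt_default "$1")
    part=$(significant_part "$algo" "$3")
    [ "$(count_nonalpha "$part")" -ge "$2" ]
}

# Constructed sample files standing in for two servers' policy.conf.
demo() {
    tmp=$(mktemp -d)
    printf '#CRYPT_DEFAULT=md5\n' > "$tmp/unset.conf"
    printf 'CRYPT_ALGORITHMS_ALLOW=1,2a,md5\nCRYPT_DEFAULT=2a\n' > "$tmp/2a.conf"
    for f in "$tmp/unset.conf" "$tmp/2a.conf"; do
        if check_password "$f" 1 'abcdeFgh9Jk'; then r=accepted; else r=rejected; fi
        echo "$(basename "$f"): CRYPT_DEFAULT=$(crypt_default "$f") -> $r"
    done
    rm -rf "$tmp"
}
demo
```

Pointing `crypt_default` at each server's real policy.conf gives the value to compare; new passwords are hashed with the changed algorithm only from the next password change onward.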