Problems setting password.

Hi All,

I have a problem setting the password when I have to create a user and password as detailed below.

username : gaacj01  password : oshopp01 
username : gaacj02  password : oshopp02 
username : gaacj03  password : oshopp03 
username : gaacj04  password : oshopp04 
username : gaacj05  password : oshopp05 
username : gaacj06  password : oshopp06

When users log in to the system, they can use the password "oshopp" or "oshoppXX" to log in. I cannot find the problem with the system.

Is the password limited to a maximum usable length of 6 perhaps?

You don't tell us your OS or version or anything else that might be pertinent and your grammar makes it unclear. Could you explain the problem again and show us some output from your testing, including the password being set.

Regards,
Robin

Apologies for my grammar and lack of details, Robin.
My system is Solaris 10. The usernames and passwords are to log in to the system. When a user uses any username from the list above, he can use any password and get access to the system. Even worse, he can omit the last two digits or add two other digits not included in the list, i.e. oshopp99, and get access to the system as well. Any suggestion where I should look?
Cheers,
Kitti

Please post contents of

/etc/default/passwd 

and

/etc/default/login

Contents of /etc/default/passwd below:

#ident	"@(#)passwd.dfl	1.7	04/04/22 SMI"
#
# Copyright 2004 Sun Microsystems, Inc.  All rights reserved.
# Use is subject to license terms.
#
MAXWEEKS=
MINWEEKS=
PASSLENGTH=6

# NAMECHECK enables/disables login name checking.
# The default is to do login name checking.
# Specifying a value of "NO" will disable login name checking.
#
#NAMECHECK=NO

# HISTORY sets the number of prior password changes to keep and
# check for a user when changing passwords.  Setting the HISTORY
# value to zero (0), or removing/commenting out the flag will
# cause all users' prior password history to be discarded at the
# next password change by any user.  No password history will
# be checked if the flag is not present or has zero value.
# The maximum value of HISTORY is 26.
#
# This flag is only enforced for user accounts defined in the
# local passwd(4)/shadow(4) files.
#
#HISTORY=0
#
# Password complexity tunables.  The values listed are the defaults
# which are compatible with previous releases of passwd.
# See passwd(1) and pam_authtok_check(5) for use warnings and
# discussion of the use of these options.
#
#MINDIFF=3
#MINALPHA=2
#MINNONALPHA=1
#MINUPPER=0
#MINLOWER=0
#MAXREPEATS=0
#MINSPECIAL=0
#MINDIGIT=0
#WHITESPACE=YES
#
# 
# passwd performs dictionary lookups if DICTIONLIST or DICTIONDBDIR
# is defined. If the password database does not yet exist, it is
# created by passwd. See passwd(1), pam_authtok_check(5) and
# mkdict(1) for more information.
#
#DICTIONLIST=
#DICTIONDBDIR=/var/passwd


Contents of /etc/default/login below:
#ident	"@(#)login.dfl	1.14	04/06/25 SMI"
#
# Copyright 2004 Sun Microsystems, Inc.  All rights reserved.
# Use is subject to license terms.

# Set the TZ environment variable of the shell.
#
#TIMEZONE=EST5EDT

# ULIMIT sets the file size limit for the login.  Units are disk blocks.
# The default of zero means no limit.
#
#ULIMIT=0

# If CONSOLE is set, root can only login on that device.
# Comment this line out to allow remote login by root.
#
CONSOLE=/dev/console

# PASSREQ determines if login requires a password.
#
PASSREQ=YES

# ALTSHELL determines if the SHELL environment variable should be set
#
ALTSHELL=YES

# PATH sets the initial shell PATH variable
#
#PATH=/usr/bin:

# SUPATH sets the initial shell PATH variable for root
#
#SUPATH=/usr/sbin:/usr/bin

# TIMEOUT sets the number of seconds (between 0 and 900) to wait before
# abandoning a login session.
# 
#TIMEOUT=300

# UMASK sets the initial shell file creation mode mask.  See umask(1).
#
#UMASK=022

# SYSLOG determines whether the syslog(3) LOG_AUTH facility should be used
# to log all root logins at level LOG_NOTICE and multiple failed login
# attempts at LOG_CRIT.
#
SYSLOG=YES

# SLEEPTIME controls the number of seconds that the command should
# wait before printing the "login incorrect" message when a
# bad password is provided.  The range is limited from
# 0 to 5 seconds.
#
#SLEEPTIME=4

# DISABLETIME  If present, and greater than zero, the number of seconds
# login will wait after RETRIES failed attempts or the PAM framework returns 
# PAM_ABORT. Default is 20. Minimum is 0. No maximum is imposed.
# 
#DISABLETIME=20

# RETRIES determines the number of failed logins that will be
# allowed before login exits. Default is 5 and maximum is 15.
# If account locking is configured (user_attr(4)/policy.conf(4))
# for a local user's account (passwd(4)/shadow(4)), that account
# will be locked if failed logins equals or exceeds RETRIES.
#
#RETRIES=5
#
# The SYSLOG_FAILED_LOGINS variable is used to determine how many failed
# login attempts will be allowed by the system before a failed login
# message is logged, using the syslog(3) LOG_NOTICE facility.  For example,
# if the variable is set to 0, login will log -all- failed login attempts.
#
#SYSLOG_FAILED_LOGINS=5

Thank you so much for help.
Kitti

Can you show us the content of /etc/security/crypt.conf too please. There are hits about limits on 8 significant characters, perhaps you have it set lower in there.

Robin

Removed

I initially thought this (and posted in haste) but further reading suggests that this might be the minimum length (totally re-wrote my post), so I'm left confused. There are descriptions about altering the encryption to use md5 or another method that will lift the limit too.

Robin

@rbatte1......yes, of course, you are correct.

Here's a link on Solaris 10 password policy
Solaris 10 Password Policy Enforcement | arfore dot com

My money is still on something to do with this setup, but I can't see what.

The system is ignoring the later characters in the passwords given.


Agreed, and until we find that, ..............

Do accounts other than the gaacj's behave correctly?

If you test another account with, say, an eight-character password, will it still log in if you don't give all eight characters of the password?

Is the odd behaviour only associated with 'gaacjXX' accounts?

Doesn't the line you showed us:

PASSLENGTH=6

tell your system to ignore everything after the first six characters in a password?

Contents of /etc/security/crypt.conf:

#
# Copyright 2008 Sun Microsystems, Inc.  All rights reserved.
# Use is subject to license terms.
#
#ident	"@(#)crypt.conf	1.2	08/05/14 SMI"
#
# The algorithm name __unix__ is reserved.

1	crypt_bsdmd5.so.1
2a	crypt_bsdbf.so.1
md5	crypt_sunmd5.so.1
5	crypt_sha256.so.1
6	crypt_sha512.so.1

Yes, it does.
Change it to 8 !

@DonC & MadeInGermany......We (us UK boys) jumped to that conclusion too but having looked it up, it appears PASSLENGTH sets the minimum password length, not the maximum length. Hence my removing my post#7 because I thought I was wrong. So the result was that we were looking for something else. Are we wrong? We've all seen edits of passwd and shadow files prevent logins so I was wondering whether to call for the contents of /etc/passwd and /etc/shadow to be posted just to check the format. Repeat, we concluded that the setting of PASSLENGTH was not the cause. Anyway, thanks to you both for joining this thread; I think this is still a mystery, and needs heavy expertise like yours to solve.

---------- Post updated at 10:09 AM ---------- Previous update was at 09:50 AM ----------

I found this on OTN:
Solaris 9 setting passlength > 8 - Oracle Forums

Is this system definitely Solaris 10???? Or could it be Solaris 8 or 9?


It has been a couple of decades since I did any serious sys admin work and I've obviously not kept up with recent changes. So, as the next wild speculation, could there be a plug-in authentication module (PAM) installed that is only looking at the 1st six characters of a password for some users?

Please post the content of:

/etc/security/policy.conf

It seems like this weird behaviour is not unknown:
.InsecureSystem.: Solaris 10: Password Fail
You learn something new every day!!!!

Also, see this Oracle doc page:
Synopsis - man pages section 4: File Formats
Seems that if you don't DEPRECATE the previous algorithm it continues to get used for password changes. Only new accounts set up use the new algorithm.

I can fix the problem by changing the data in the file /etc/security/policy.conf from CRYPT_DEFAULT=__unix__ to CRYPT_DEFAULT=md5 and resetting all users' passwords. Thank you so much for your help.
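As an added example (not from the thread or from Solaris itself): after CRYPT_DEFAULT has been switched as described, a small POSIX sh audit that classifies each /etc/shadow hash by the identifier prefixes listed in crypt.conf and prints the accounts still stored with the legacy __unix__ (DES) algorithm, i.e. the ones that still need a password reset. The policy.conf excerpt and shadow lines are constructed placeholders, not real hashes.

```shell
#!/bin/sh
# Added audit helper (constructed example). Finds accounts whose hash was made
# with the legacy __unix__ (DES) algorithm, which honours only 8 characters.

# Map one shadow hash field to the algorithm name from crypt.conf.
hash_algorithm() {
    case "$1" in
        '$1$'*)   echo "crypt_bsdmd5" ;;      # 1   crypt_bsdmd5.so.1
        '$2a$'*)  echo "crypt_bsdbf" ;;       # 2a  crypt_bsdbf.so.1
        '$md5$'*) echo "crypt_sunmd5" ;;      # md5 crypt_sunmd5.so.1
        '$5$'*)   echo "crypt_sha256" ;;      # 5   crypt_sha256.so.1
        '$6$'*)   echo "crypt_sha512" ;;      # 6   crypt_sha512.so.1
        ''|'*LK*'*|NP|'*NP*') echo "no-password-or-locked" ;;
        *)
            # Traditional DES crypt: exactly 13 characters of [A-Za-z0-9./]
            # with no '$' prefix; the password is truncated to 8 characters.
            if [ "${#1}" -eq 13 ] &&
               [ -z "$(printf '%s' "$1" | tr -d '[:alnum:]./')" ]; then
                echo "__unix__"
            else
                echo "unknown"
            fi ;;
    esac
}

# Effective CRYPT_DEFAULT from policy.conf text on stdin (comments ignored).
crypt_default() {
    sed -n 's/^[[:space:]]*CRYPT_DEFAULT=[[:space:]]*//p' | tail -n 1
}

# Users whose stored hash is still __unix__; shadow text on stdin.
legacy_accounts() {
    while IFS=: read -r user hash _rest; do
        if [ "$(hash_algorithm "$hash")" = "__unix__" ]; then
            echo "$user"
        fi
    done
}

# Constructed sample input: placeholder hashes, not real ones.
SAMPLE_POLICY='# constructed policy.conf excerpt
#CRYPT_DEFAULT=__unix__
CRYPT_DEFAULT=md5'
SAMPLE_SHADOW='gaacj01:abXXXXXXXXXXX:15000::::::
gaacj02:$md5$rounds=904$placeholder$CONSTRUCTED:15000::::::
appuser:$6$placeholder$CONSTRUCTED:15000::::::
svcacct:*LK*:15000::::::'

printf 'CRYPT_DEFAULT is: %s\n' "$(printf '%s\n' "$SAMPLE_POLICY" | crypt_default)"
echo 'Accounts still hashed with __unix__ (need a password reset):'
printf '%s\n' "$SAMPLE_SHADOW" | legacy_accounts
```

On a real system the same functions can be fed `< /etc/security/policy.conf` and `< /etc/shadow` (as root) instead of the constructed samples.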