Solaris 10 - password complexity not working

I have been trying to enable password complexity variables on Solaris 10 by editing the /etc/default/passwd file but none of my changes are taking effect (I'm still able to set passwords that violate the rules I am trying to implement).

I've tried an O/S reboot after the changes but that had no effect.

The variables I am trying to change/enable within the /etc/default/passwd file:

MAXWEEKS=12
PASSLENGTH=8
MINALPHA=1
MINNONALPHA=1
MINUPPER=1

Please help.

Are your users local, i.e. in the /etc/passwd file?
The /etc/default/passwd rules only apply to local users (who have UID!=0).

The UIDs are in the 100-110 range and in the /etc/passwd file.

Also, if root runs the passwd user command, the rules do not apply.
But they do apply if the user runs the passwd command.

So what do you find that it still allows users to do that you wouldn't expect?

I cannot be sure that it's relevant but have a read of this thread:

from a long time ago and contributed to by myself, MadeInGermany, Don, Robin, and others.

It may help, maybe not.

Do note the comment on that thread saying "Seems that if you don't DEPRECATE the previous algorithm it continues to get used for password changes. Only new accounts set up use the new algorithm".

That was the issue. I was su'd into the root account. Is there any way to force password complexity on the root user as well?

I think you must patch your Solaris 10, then root is no longer exempted from the complexity rules.
man passwd on an old Solaris 10 says:

While a newer Solaris 10 says

This article suggests the change happened with Solaris 10 8/11.

BTW if you set the minimum password length to 8 then in fact you lower the security somewhat if you have CRYPT_DEFAULT=__unix__ in /etc/security/policy.conf because it always limits the maximum password length to 8.
So you should change it to CRYPT_DEFAULT=1 (1 or 2a or md5) to allow longer passwords! It also will create longer crypts in /etc/shadow, but can still understand the existing short Unix crypts.

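
A consistency check for the two files discussed in this thread, added here as an example and not part of any poster's reply: it flags unrecognised keys in /etc/default/passwd, a PASSLENGTH of 8 or more combined with CRYPT_DEFAULT=__unix__, and a changed CRYPT_DEFAULT without the old algorithm deprecated. The function names, finding labels and sample files are constructed for illustration, and CRYPT_ALGORITHMS_DEPRECATE is assumed to be the policy.conf key the quoted comment refers to.

```shell
#!/bin/sh
# Added example: audit copies of /etc/default/passwd and /etc/security/policy.conf.

# Print the last uncommented value of KEY ($1) in a KEY=VALUE file ($2).
conf_get() {
    sed -n "s/^[[:space:]]*$1=\([^#[:space:]]*\).*/\1/p" "$2" | tail -n 1
}

# Print one finding per line; print nothing when the settings are consistent.
audit_pw_policy() {
    pwfile=$1; polfile=$2
    known=" MAXWEEKS MINWEEKS WARNWEEKS PASSLENGTH NAMECHECK HISTORY MINDIFF MINALPHA MINNONALPHA MINUPPER MINLOWER MAXREPEATS MINSPECIAL MINDIGIT WHITESPACE DICTIONLIST DICTIONDBDIR "
    # A key outside this list is most likely a misspelling, so the intended rule is not set.
    for key in $(sed -n 's/^[[:space:]]*\([A-Za-z_]*\)=.*/\1/p' "$pwfile"); do
        case "$known" in
            *" $key "*) ;;
            *) echo "UNKNOWN_KEY $key" ;;
        esac
    done
    len=$(conf_get PASSLENGTH "$pwfile")
    alg=$(conf_get CRYPT_DEFAULT "$polfile")
    dep=$(conf_get CRYPT_ALGORITHMS_DEPRECATE "$polfile")
    # The traditional Unix crypt limits the password to 8 characters.
    if [ "$alg" = "__unix__" ] && [ -n "$len" ] && [ "$len" -ge 8 ]; then
        echo "LENGTH_CAPPED PASSLENGTH=$len CRYPT_DEFAULT=$alg"
    fi
    # A new default without deprecating the old algorithm leaves old hashes in use on change.
    if [ -n "$alg" ] && [ "$alg" != "__unix__" ] && [ "$dep" != "__unix__" ]; then
        echo "OLD_ALG_NOT_DEPRECATED CRYPT_DEFAULT=$alg"
    fi
}

# Constructed sample files (not taken from the thread) so the check runs offline.
make_sample() {
    printf '%s\n' '# constructed sample' 'PASSLENGTH=8' 'MINALPHA=1' 'MINNOALPHA=1' 'MINUPPER=1' > "$1/passwd"
    printf '%s\n' 'CRYPT_ALGORITHMS_ALLOW=1,2a,md5' '#CRYPT_ALGORITHMS_DEPRECATE=__unix__' 'CRYPT_DEFAULT=__unix__' > "$1/policy.conf"
}

d=$(mktemp -d) && make_sample "$d" && audit_pw_policy "$d/passwd" "$d/policy.conf"
rm -rf "$d"
```

On a real host, call audit_pw_policy with /etc/default/passwd and /etc/security/policy.conf; the check does not cover the root exemption discussed above, which depends on the patch level.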