I have been trying to enable password complexity variables on Solaris 10 by editing the /etc/default/passwd file but none of my changes are taking effect (I'm still able to set passwords that violate the rules I am trying to implement).
I've tried an O/S reboot after the changes but that had no effect.
The variables I am trying to change/enable within the /etc/default/passwd file:
So what do you find that it still allows users to do that you wouldn't expect?
I cannot be sure that it's relevant but have a read of this thread:
from a long time ago and contributed to by myself, MadeInGermany, Don, Robin, and others.
It may help, maybe not.
Do note the comment on that thread saying "Seems that if you don't DEPRECATE the previous algorithm it continues to get used for password changes. Only new accounts set up use the new algorithm".
I think you must patch your Solaris 10, then root is no longer exempted from the complexity rules. man passwd on an old Solaris 10 says:
While a newer Solaris 10 says
This article suggests the change happened with Solaris 10 8/11.
BTW if you set the minimum password length to 8 then in fact you lower the security somewhat if you have CRYPT_DEFAULT=__unix__ in /etc/security/policy.conf because it always limits the maximum password length to 8.
So you should change it to CRYPT_DEFAULT=1 (1 or 2a or md5) to allow longer passwords! It also will create longer crypts in /etc/shadow, but can still understand the existing short Unix crypts.
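A read-only check for the two policy.conf points raised in this thread (CRYPT_DEFAULT=__unix__ capping passwords at 8 characters, and the old algorithm staying in use unless it is deprecated), added here as an example and not posted by any participant. The function names and the sample files are constructed for illustration; it assumes a POSIX shell (on Solaris 10, /usr/xpg4/bin/sh or bash).

```shell
#!/bin/sh
# Added example (not from the thread). Pass copies of /etc/security/policy.conf,
# /etc/default/passwd and /etc/shadow to audit_passwd_policy; nothing is modified.

conf_get() {   # conf_get FILE KEY -> value of the last uncommented KEY= line
    grep "^$2=" "$1" 2>/dev/null | tail -1 | cut -d= -f2-
}

hash_scheme() {   # classify one password field from the shadow file
    case "$1" in
        '$'*) printf '%s\n' "$1" | cut -d'$' -f2 | cut -d, -f1 ;;  # $1$ $2a$ $md5$
        ''|NP|'*LK*'*) echo none ;;       # empty, no password, locked
        ?????????????) echo __unix__ ;;   # 13 characters: traditional Unix crypt
        *) echo unknown ;;
    esac
}

audit_passwd_policy() {   # args: policy.conf, default/passwd, shadow
    crypt_default=$(conf_get "$1" CRYPT_DEFAULT)
    deprecate=$(conf_get "$1" CRYPT_ALGORITHMS_DEPRECATE)
    passlength=$(conf_get "$2" PASSLENGTH)
    n=0
    # Assumption: an unset CRYPT_DEFAULT is treated like __unix__ for this check.
    if [ "${crypt_default:-__unix__}" = __unix__ ]; then
        echo "CRYPT_DEFAULT=__unix__: passwords are limited to 8 characters (PASSLENGTH=${passlength:-unset})"
        n=$((n + 1))
    fi
    case ",$deprecate," in
        *,__unix__,*) ;;
        *) echo "__unix__ is not in CRYPT_ALGORITHMS_DEPRECATE: existing accounts may keep it on password change"
           n=$((n + 1)) ;;
    esac
    while IFS=: read -r user field rest; do
        if [ "$(hash_scheme "$field")" = __unix__ ]; then
            echo "$user: still has a traditional crypt in shadow"
            n=$((n + 1))
        fi
    done < "$3"
    echo "findings: $n"
}

demo() {   # constructed sample files, not taken from any real system
    d=$(mktemp -d) || return 1
    printf 'CRYPT_DEFAULT=__unix__\n' > "$d/policy.conf"
    printf 'PASSLENGTH=8\nMINDIGIT=1\n' > "$d/passwd"
    printf 'root:abJnggxhB/yWI:15000::::::\nalice:$1$salt$0123456789abcdefghijkl:15000::::::\nbob:*LK*:::::::\n' > "$d/shadow"
    audit_passwd_policy "$d/policy.conf" "$d/passwd" "$d/shadow"
    rm -rf "$d"
}
demo
```

Accounts reported as still having a traditional crypt need a password change after the policy.conf edit before the longer hash format shows up in /etc/shadow.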