Less known Solaris features: On passwords - Part 2: Using stronger password hashing
Many people are unaware of the fact that only the first eight characters of a password are used in the default configuration of Solaris. Don't believe it? Let's try it.
Testing the relevant password length for standard crypt
Okay, I've logged into my test machine and changed my password:
Now let's try a password that differs at the ninth character by logging into the Solaris system from a remote host:
I've told you ... only the first eight characters are relevant.
Stronger hash algorithms
But that doesn't mean Solaris can't do better. It's the binary compatibility guarantee again: you can't simply change the mechanism that hashes the password, because there may be scripts that still need the old unix crypt variant. But if you are sure you have no such application, you can change it, and it's really simple to do.
When you look into the file /etc/security/crypt.conf you will find the additional modules for password hashing.
The hashing mechanisms are loaded as libraries in the so-called Solaris Pluggable Crypt Framework. It's even possible to develop your own crypt mechanism in case you don't trust the implementations delivered by Sun.
crypt_bsdmd5 module is a one-way password hashing module for use with crypt(3C) that uses the MD5 message hash algorithm. The output is compatible with md5crypt on BSD and Linux systems.
crypt_bsdbf module is a one-way password hashing module for use with crypt(3C) that uses the Blowfish cryptographic algorithm.
Each of the last three mechanisms supports passwords of up to 255 characters. It's important to know that the different hashing algorithms can coexist in your password database. The hash stored for a password is only changed when the user changes his or her password.
Changing the default hash mechanism
Let's use the md5 algorithm in our example. But before that, let's look at the current /etc/shadow:
It's simple to enable a different hashing algorithm for passwords. You only have to change a single line in /etc/security/policy.conf. To edit this file you have to log in as root:
Okay, now let's change the password.
When you look at the user's entry in /etc/shadow, you will see a slightly modified password field. It's much longer, and between the first and the second $ you see the hashing mechanism that was used:
You see, the correctness of the complete password is tested, not just the first 8 characters.
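Because the stored hash only changes at the user's next password change, accounts can sit on the old 13-character unix crypt long after policy.conf has been switched. Here is an added audit script (not part of the original post) that reads shadow-format lines and reports each user's mechanism from the $id$ prefix, flagging the ones still limited to eight characters. The sample lines and placeholder hashes are constructed; the $md5$, $5$ and $6$ mappings cover the Sun MD5 and SHA-2 modules of later Solaris releases, which the post does not discuss.

```python
import re

# crypt(3C) "$id$" prefix -> crypt.conf module. $1$ and $2a$ are the two
# modules quoted above; $md5$, $5$, $6$ are Sun MD5 and SHA-2 (later releases).
HASH_IDS = {
    "1": "crypt_bsdmd5 (md5crypt)",
    "2a": "crypt_bsdbf (Blowfish)",
    "md5": "crypt_sunmd5",
    "5": "crypt_sha256",
    "6": "crypt_sha512",
}
TRADITIONAL = re.compile(r"^[./0-9A-Za-z]{13}$")  # classic unix crypt output
MODULAR = re.compile(r"^\$([^$]+)\$")             # "$id$salt$hash" form

def classify_hash(field):
    """Return (mechanism, needs_rehash) for one shadow password field."""
    if TRADITIONAL.match(field):
        # 13-char DES crypt: only the first 8 password characters count
        return "unix crypt (DES, first 8 chars only)", True
    m = MODULAR.match(field)
    if m:
        return HASH_IDS.get(m.group(1), "unknown module $%s$" % m.group(1)), False
    # "*LK*", "NP" or empty: locked / no usable password, nothing to rehash
    return "locked/no password", False

def audit_shadow(text):
    """Parse shadow-format lines; return [(user, mechanism, needs_rehash)]."""
    report = []
    for line in text.splitlines():
        fields = line.split(":")
        if not line or line.startswith("#") or len(fields) < 2:
            continue
        report.append((fields[0],) + classify_hash(fields[1]))
    return report

# Constructed sample; the hash values are placeholders, not real digests.
SAMPLE_SHADOW = """\
root:abJnggxhB/yWI:14000::::::
alice:$1$saltsalt$AbCdEfGhIjKlMnOpQrStUv:14010::::::
bob:$2a$04$saltsaltsaltsaltsaltsuPlaceholderHashPlaceholderHashPlacehol:14010::::::
daemon:NP:6445::::::
nobody:*LK*:6445::::::
"""

if __name__ == "__main__":
    for user, mech, stale in audit_shadow(SAMPLE_SHADOW):
        note = "  <-- still on old crypt, force a password change" if stale else ""
        print("%-8s %s%s" % (user, mech, note))
```

Run it against a copy of /etc/shadow taken as root; every flagged user keeps the eight-character limit until they set a new password.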