Enforcing password policy on Solaris 8/9 - SUN


  1. Enforcing password policy on Solaris 8/9

    Hi,

    We're looking at the possibilities to implement our "Authentication and
    Password Policy" on Solaris systems. We have mainly Solaris 8 systems
    much more than Solaris 9 systems.

    My question is if it is possible to implement such policy stated below:

    --
    Passwords that validate a candidate username's access to
    systems shall be at a minimum six characters in length for functional
    users, 8 characters for administrators. Passwords shall include at
    least two alphabetic, one numeric or special character (e.g., an
    asterisk or a dash), and may contain at least one upper case and one
    lower case character. Systems shall prohibit the use of simpler
    passwords.
    --

    I wonder if anyone has experience with this kind of implementation on
    Solaris 8/9 systems. If yes, would you recommend local solution (via
    PAM modules) or Identity Management (i.e. LDAP authentication) usage?

    Thanks in advance,

    -Bora
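
The policy quoted in the post above, written out as a checking function. This is an added example, not part of the thread and not code from npasswd or Solaris; the function, enum names and sample passwords are constructed for illustration. The "may contain" mixed-case clause is read as optional and is not enforced.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical names; not taken from npasswd or Solaris. */
enum pw_role   { ROLE_FUNCTIONAL, ROLE_ADMIN };
enum pw_result { PW_OK, PW_TOO_SHORT, PW_FEW_ALPHA, PW_NO_NONALPHA };

/* Policy from the post: minimum length 6 (functional users) or 8
 * (administrators), at least two alphabetic characters, and at least
 * one numeric or special character. */
enum pw_result check_policy(const char *pw, enum pw_role role)
{
    size_t len = strlen(pw);
    size_t min_len = (role == ROLE_ADMIN) ? 8 : 6;
    size_t alpha = 0, nonalpha = 0, i;

    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)pw[i]; /* avoid UB on negative char */
        if (isalpha(c))
            alpha++;
        else if (isdigit(c) || ispunct(c))      /* spaces count as neither */
            nonalpha++;
    }
    if (len < min_len) return PW_TOO_SHORT;
    if (alpha < 2)     return PW_FEW_ALPHA;
    if (nonalpha < 1)  return PW_NO_NONALPHA;
    return PW_OK;
}

const char *pw_reason(enum pw_result r)
{
    switch (r) {
    case PW_OK:          return "accepted";
    case PW_TOO_SHORT:   return "too short for this account type";
    case PW_FEW_ALPHA:   return "needs at least two alphabetic characters";
    case PW_NO_NONALPHA: return "needs a numeric or special character";
    }
    return "unknown";
}

int main(void)
{
    /* Constructed sample candidates, not real credentials. */
    const char *samples[] = { "abcde1", "12345678", "abcdefgh", "ab-cdefg" };
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-10s admin: %s\n", samples[i],
               pw_reason(check_policy(samples[i], ROLE_ADMIN)));
    return 0;
}
```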


  2. Re: Enforcing password policy on Solaris 8/9

    Bora,

    Take a look at npasswd:
    http://www.cert.org/security-improve...s/i028.05.html

    HTH


  3. Re: Enforcing password policy on Solaris 8/9

    In article <1131871757.588874.169790@f14g2000cwb.googlegroups.com>,
    "gmburns@gmail.com" wrote:

    > Bora,
    >
    > Take a look at npasswd:
    > http://www.cert.org/security-improve...s/i028.05.html
    >
    > HTH


    Does this work with SSH? I'd heard not.

    --
    DeeDee, don't press that button! DeeDee! NO! Dee...




  4. Re: Enforcing password policy on Solaris 8/9

    Yes, I've heard of npasswd but couldn't see SSH in the docs. I believe it's
    not supported.

    -Bora


  5. Re: Enforcing password policy on Solaris 8/9

    In article <1131908675.979787.90030@g14g2000cwa.googlegroups.com>,
    BoraBaysal wrote:
    | Yes I've heard npasswd but couldn't see SSH in the docs. I believe it's
    | not supported.
    |
    | -Bora

    All npasswd does is check the quality of passwords for you when your
    users change their passwords. This checking can certainly work in the
    context of SSH use.

    The real question is, 'where are your passwords stored'? npasswd
    comes with support for /etc/passwd, /etc/shadow, and NIS use, as I
    understand it. It does not support NIS+, and it won't support LDAP
    out-of-the-box.

    On the other hand, npasswd does come with the support necessary to use
    it as a library. We have incorporated npasswd password checking into
    our network information management system here
    (http://www.arlut.utexas.edu/gash2/), and it does very well for us in
    checking password quality, tracking attempts at password re-use, etc.

    We depend on our Ganymede software to get the passwords where we need
    them to go (NIS, Active Directory, RADIUS, tacacs+, etc.),
    however. npasswd doesn't do any of that.

    Jon

    --
    -------------------------------------------------------------------------------
    Jonathan Abbey jonabbey@arlut.utexas.edu
    Applied Research Laboratories The University of Texas at Austin
    GPG Key: 71767586 at keyserver pgp.mit.edu, http://www.ganymeta.org/workkey.gpg

  6. Re: Enforcing password policy on Solaris 8/9

    Thanks for the reply.

    All we need to check is password quality checking on UNIX systems
    (mainly Solaris 8/9 boxes and some Tru64 & HP-UX boxes) for now.

    We also have a Novell's IDM (Identity Mgmt) project in progress in
    order to manage all identities enterprise-wide. It's a long process and
    before integrating UNIX identities into IDM, we're trying to find a
    quick way to implement just password quality checking on UNIX boxes
    which would conform to the policy IS department wants from us.

    I believe npasswd would do the job.

    -Bora


  7. Re: Enforcing password policy on Solaris 8/9

    In article <1132141259.163273.61260@g14g2000cwa.googlegroups.com>,
    BoraBaysal wrote:
    | Thanks for the reply.
    |
    | All we need to check is password quality checking on UNIX systems
    | (mainly Solaris 8/9 boxes and some Tru64 & HP-UX boxes) for now.
    |
    | We also have a Novell's IDM (Identity Mgmt) project in progress in
    | order to manage all identities enterprise-wide. It's a long process and
    | before integrating UNIX identities into IDM, we're trying to find a
    | quick way to implement just password quality checking on UNIX boxes
    | which would conform the policy IS department wants from us.
    |
    | I believe npasswd would do the job.

    npasswd works quite well, but be warned that it is actually pretty
    ruthless about password quality checking. Lots of our users have
    complained about how anal it is.

    Jon

    | -Bora

    --
    -------------------------------------------------------------------------------
    Jonathan Abbey jonabbey@arlut.utexas.edu
    Applied Research Laboratories The University of Texas at Austin
    GPG Key: 71767586 at keyserver pgp.mit.edu, http://www.ganymeta.org/workkey.gpg
