Enforcing password policy on Solaris 8/9
| BoraBaysal 2005-11-12, 7:49 am |
| Hi,
We're looking at the possibilities to implement our "Authentication and
Password Policy" on Solaris systems. We have mainly Solaris 8 systems
much more than Solaris 9 systems.
My question is if it is possible to implement such policy stated below:
--
Passwords that validate a candidate username's access to <ourCompany>
systems shall be at a minimum six characters in length for functional
users, 8 characters for administrators. Passwords shall include at
least two alphabetic, one numeric or special character (e.g., an
asterisk or a dash), and may contain at least one upper case and one
lower case character. Systems shall prohibit the use of simpler
passwords.
--
I wonder if anyone has experience with this kind of implementation on
Solaris 8/9 systems. If yes, would you recommend local solution (via
PAM modules) or Identity Management (i.e. LDAP authentication) usage?
Thanks in advance,
-Bora
| |
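The policy quoted in the post above, written as a C check of the kind a password-change hook could call. This is an added example, not part of the thread and not npasswd or PAM code. The function and flag names are hypothetical, the optional mixed-case clause ("may contain") is not enforced, and rejecting control and non-ASCII bytes is an assumption.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Violation flags (names are this example's own, not npasswd's or PAM's). */
enum {
    PW_OK            = 0,
    PW_TOO_SHORT     = 1 << 0,  /* below 6 (functional) or 8 (administrator) */
    PW_FEW_ALPHA     = 1 << 1,  /* fewer than two alphabetic characters */
    PW_NO_NUM_OR_SPC = 1 << 2,  /* no digit and no special character */
    PW_BAD_CHAR      = 1 << 3   /* control or non-ASCII byte (assumption) */
};

/* Check a candidate password against the policy quoted in the post.
 * is_admin selects the 8-character minimum instead of 6.
 * Returns PW_OK or a bitwise OR of the violation flags. */
int check_password_policy(const char *pw, int is_admin)
{
    size_t len, alpha = 0, num_or_special = 0, i;
    int result = PW_OK;

    if (pw == NULL)
        return PW_TOO_SHORT | PW_FEW_ALPHA | PW_NO_NUM_OR_SPC;

    len = strlen(pw);
    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)pw[i];
        if (c < 32 || c > 126)
            result |= PW_BAD_CHAR;
        else if (isalpha(c))
            alpha++;
        else if (isdigit(c) || ispunct(c))
            num_or_special++;   /* a space counts toward length only */
    }
    if (len < (size_t)(is_admin ? 8 : 6))
        result |= PW_TOO_SHORT;
    if (alpha < 2)
        result |= PW_FEW_ALPHA;
    if (num_or_special < 1)
        result |= PW_NO_NUM_OR_SPC;
    return result;
}

int main(void)
{   /* constructed sample candidate, not a real credential */
    printf("%d %d\n", check_password_policy("ab1cde", 0),
                      check_password_policy("ab1cde", 1));
    return 0;
}
```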
| Michael Vilain 2005-11-13, 5:53 pm |
| In article <1131871757.588874.169790@f14g2000cwb.googlegroups.com>,
"gmburns@gmail.com" <gmburns@gmail.com> wrote:
> Bora,
>
> Take a look at npasswd:
> http://www.cert.org/security-improv...ns/i028.05.html
>
> HTH
Does this work with SSH? I'd heard not.
--
DeeDee, don't press that button! DeeDee! NO! Dee...
| |
| BoraBaysal 2005-11-13, 5:53 pm |
| Yes I've heard npasswd but couldn't see SSH in the docs. I believe it's
not supported.
-Bora
| |
| Jonathan Abbey 2005-11-15, 5:59 pm |
| In article <1131908675.979787.90030@g14g2000cwa.googlegroups.com>,
BoraBaysal <bora_baysal@hotmail.com> wrote:
| Yes I've heard npasswd but couldn't see SSH in the docs. I believe it's
| not supported.
|
| -Bora
All npasswd does is check the quality of passwords for you when your
users change their passwords. This checking can certainly work in the
context of SSH use.
The real question is, 'where are your passwords stored'? npasswd
comes with support for /etc/passwd, /etc/shadow, and NIS use, as I
understand it. It does not support NIS+, and it won't support LDAP
out-of-the-box.
On the other hand, npasswd does come with the support necessary to use
it as a library. We have incorporated npasswd password checking into
our network information management system here
(http://www.arlut.utexas.edu/gash2/), and it does very well for us in
checking password quality, tracking attempts at password re-use, etc.
We depend on our Ganymede software to get the passwords where we need
them to go (NIS, Active Directory, RADIUS, tacacs+, etc.),
however.. npasswd doesn't do any of that.
Jon
--
-------------------------------------------------------------------------------
Jonathan Abbey jonabbey@arlut.utexas.edu
Applied Research Laboratories The university of Texas at Austin
GPG Key: 71767586 at keyserver pgp.mit.edu, http://www.ganymeta.org/workkey.gpg
| |
| BoraBaysal 2005-11-16, 7:54 am |
| Thanks for the reply.
All we need to check is password quality checking on UNIX systems
(mainly Solaris 8/9 boxes and some Tru64 & HP-UX boxes) for now.
We also have a Novell's IDM (Identity Mgmt) project in progress in
order to manage all identities enterprise-wide. It's a long process and
before integrating UNIX identities into IDM, we're trying to find a
quick way to implement just password quality checking on UNIX boxes
which would conform to the policy IS department wants from us.
I believe npasswd would do the job.
-Bora
| |
| Jonathan Abbey 2005-11-16, 6:03 pm |
| In article <1132141259.163273.61260@g14g2000cwa.googlegroups.com>,
BoraBaysal <bora_baysal@hotmail.com> wrote:
| Thanks for the reply.
|
| All we need to check is password quality checking on UNIX systems
| (mainly Solaris 8/9 boxes and some Tru64 & HP-UX boxes) for now.
|
| We also have a Novell's IDM (Identity Mgmt) project in progress in
| order to manage all identities enterprise-wide. It's a long process and
| before integrating UNIX identities into IDM, we're trying to find a
| quick way to implement just password quality checking on UNIX boxes
| which would conform to the policy IS department wants from us.
|
| I believe npasswd would do the job.
npasswd works quite well, but be warned that it is actually pretty
ruthless about password quality checking. Lots of our users have
complained about how anal it is.
Jon
| -Bora
--
-------------------------------------------------------------------------------
Jonathan Abbey jonabbey@arlut.utexas.edu
Applied Research Laboratories The university of Texas at Austin
GPG Key: 71767586 at keyserver pgp.mit.edu, http://www.ganymeta.org/workkey.gpg