Enforcing password policy on Solaris 8/9
    Enforcing password policy on Solaris 8/9  
BoraBaysal


11-12-05 12:49 PM

Hi,

We're looking at the possibilities to implement our "Authentication and
Password Policy" on Solaris systems. We have mainly Solaris 8 systems,
many more than Solaris 9 systems.

My question is if it is possible to implement such policy stated below:

--
Passwords that validate a candidate username's access to <ourCompany>
systems shall be at a minimum six characters in length for functional
users, 8 characters for administrators. Passwords shall include at
least two alphabetic, one numeric or special character (e.g., an
asterisk or a dash), and may contain at least one upper case and one
lower case character. Systems shall prohibit the use of simpler
passwords.
--

I wonder if anyone has experience with this kind of implementation on
Solaris 8/9 systems. If yes, would you recommend a local solution (via
PAM modules) or Identity Management (i.e. LDAP authentication) usage?

Thanks in advance,

-Bora
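
The policy quoted in the post above, written as a check that a password-change hook (a PAM password module or an npasswd-style checker) could call. This is an added example, not part of the original post and not npasswd's code; the function name `check_policy`, the result codes and the sample passwords are constructed for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Result codes (hypothetical names, constructed for this example). */
enum pw_result { PW_OK, PW_TOO_SHORT, PW_FEW_ALPHA, PW_NO_DIGIT_OR_SPECIAL };

/* Minimum lengths from the policy text quoted in the post. */
#define MIN_LEN_USER  6
#define MIN_LEN_ADMIN 8

/*
 * Policy from the post:
 *   - length >= 6 for functional users, >= 8 for administrators
 *   - at least two alphabetic characters
 *   - at least one numeric or special (punctuation) character
 * Mixed case is only "may contain" in the policy text, so it is reported
 * through *mixed_case (if non-NULL) but never causes a rejection.
 */
enum pw_result check_policy(const char *pw, int is_admin, int *mixed_case)
{
    size_t len = strlen(pw), min_len = is_admin ? MIN_LEN_ADMIN : MIN_LEN_USER;
    int alpha = 0, upper = 0, lower = 0, digit_or_special = 0;

    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)pw[i]; /* <ctype.h> needs non-negative input */
        if (isalpha(c)) alpha++;
        if (isupper(c)) upper++;
        if (islower(c)) lower++;
        if (isdigit(c) || ispunct(c)) digit_or_special++;
    }
    if (mixed_case) *mixed_case = (upper > 0 && lower > 0);
    if (len < min_len) return PW_TOO_SHORT;
    if (alpha < 2) return PW_FEW_ALPHA;
    if (digit_or_special < 1) return PW_NO_DIGIT_OR_SPECIAL;
    return PW_OK;
}

int main(void)
{
    /* Constructed sample passwords, not taken from the thread. */
    const char *samples[] = { "abc12", "abcdef1", "1234567a", "abcdefgh", "Solar-is9" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-10s user=%d admin=%d\n", samples[i],
               (int)check_policy(samples[i], 0, NULL), (int)check_policy(samples[i], 1, NULL));
    return 0;
}
```
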






    Re: Enforcing password policy on Solaris 8/9  
gmburns@gmail.com


11-13-05 12:49 PM

Bora,

Take a look at npasswd:
http://www.cert.org/security-improv...ns/i028.05.html

HTH






    Re: Enforcing password policy on Solaris 8/9  
Michael Vilain


11-13-05 10:53 PM

In article <1131871757.588874.169790@f14g2000cwb.googlegroups.com>,
"gmburns@gmail.com" <gmburns@gmail.com> wrote:

> Bora,
>
> Take a look at npasswd:
> http://www.cert.org/security-improv...ns/i028.05.html
>
> HTH

Does this work with SSH?  I'd heard not.

--
DeeDee, don't press that button!  DeeDee!  NO!  Dee...








    Re: Enforcing password policy on Solaris 8/9  
BoraBaysal


11-13-05 10:53 PM

Yes, I've heard of npasswd but couldn't see SSH in the docs. I believe it's
not supported.

-Bora






    Re: Enforcing password policy on Solaris 8/9  
Jonathan Abbey


11-15-05 10:59 PM

In article <1131908675.979787.90030@g14g2000cwa.googlegroups.com>,
BoraBaysal <bora_baysal@hotmail.com> wrote:
| Yes, I've heard of npasswd but couldn't see SSH in the docs. I believe it's
| not supported.
|
| -Bora

All npasswd does is check the quality of passwords for you when your
users change their passwords.  This checking can certainly work in the
context of SSH use.

The real question is, 'where are your passwords stored'?  npasswd
comes with support for /etc/passwd, /etc/shadow, and NIS use, as I
understand it.  It does not support NIS+, and it won't support LDAP
out-of-the-box.

On the other hand, npasswd does come with the support necessary to use
it as a library.  We have incorporated npasswd password checking into
our network information management system here
(http://www.arlut.utexas.edu/gash2/), and it does very well for us in
checking password quality, tracking attempts at password re-use, etc.

We depend on our Ganymede software to get the passwords where we need
them to go (NIS, Active Directory, RADIUS, tacacs+, etc.),
however. npasswd doesn't do any of that.

Jon

--
-------------------------------------------------------------------------------
Jonathan Abbey                                jonabbey@arlut.utexas.edu
Applied Research Laboratories                 The University of Texas at Austin
GPG Key: 71767586 at keyserver pgp.mit.edu, http://www.ganymeta.org/workkey.gpg





    Re: Enforcing password policy on Solaris 8/9  
BoraBaysal


11-16-05 12:54 PM

Thanks for the reply.

All we need to check is password quality checking on UNIX systems
(mainly Solaris 8/9 boxes and some Tru64 & HP-UX boxes) for now.

We also have a Novell IDM (Identity Mgmt) project in progress in
order to manage all identities enterprise-wide. It's a long process and
before integrating UNIX identities into IDM, we're trying to find a
quick way to implement just password quality checking on UNIX boxes
which would conform to the policy the IS department wants from us.

I believe npasswd would do the job.

-Bora






    Re: Enforcing password policy on Solaris 8/9  
Jonathan Abbey


11-16-05 11:03 PM

In article <1132141259.163273.61260@g14g2000cwa.googlegroups.com>,
BoraBaysal <bora_baysal@hotmail.com> wrote:
| Thanks for the reply.
|
| All we need to check is password quality checking on UNIX systems
| (mainly Solaris 8/9 boxes and some Tru64 & HP-UX boxes) for now.
|
| We also have a Novell IDM (Identity Mgmt) project in progress in
| order to manage all identities enterprise-wide. It's a long process and
| before integrating UNIX identities into IDM, we're trying to find a
| quick way to implement just password quality checking on UNIX boxes
| which would conform to the policy the IS department wants from us.
|
| I believe npasswd would do the job.

npasswd works quite well, but be warned that it is actually pretty
ruthless about password quality checking.  Lots of our users have
complained about how anal it is.

Jon

| -Bora

--
-------------------------------------------------------------------------------
Jonathan Abbey                                jonabbey@arlut.utexas.edu
Applied Research Laboratories                 The University of Texas at Austin
GPG Key: 71767586 at keyserver pgp.mit.edu, http://www.ganymeta.org/workkey.gpg





All times are GMT.