Less known Solaris features: On passwords - Part 2: Using stronger password hashing

Quicksearch

Disclaimer

The individual owning this blog works for Oracle in Germany. The opinions expressed here are his own, are not necessarily reviewed in advance by anyone but the individual author, and neither Oracle nor any other party necessarily agrees with them.

Navigation

< Less known Solaris features: On passwords - Part 1: Introduction | Less known Solaris features: On passwords - Part 3: Using a password policy >

Less known Solaris features: On passwords - Part 2: Using stronger password hashing

Thursday, May 29. 2008

Many people are unaware of the fact, that only the first eight characters of a password are used in the default configuration of Solaris. Don´t believe it? Let´s try it.

Testing the relevant password length for standard crypt

Okay, i´ve logged into my test machine and change my password:

bash-3.2$ passwd jmoekamp Enter existing login password: oldpassword New Password: aa3456789 Re-enter new Password: aa3456789 passwd: password successfully changed for jmoekamp bash-3.2$

Now let´s try a password that´s different at the ninth character by logging into the Solaris system from remote:

mymac:~ joergmoellenkamp$ ssh jmoekamp@10.211.55.200 Password: aa3456780 Last login: Wed May 28 11:24:05 2008 from 10.211.55.2 Sun Microsystems Inc. SunOS 5.11 snv_84 January 2008

I´ve told you ... only the first eight characters are relevant.

Stronger hash algorithms

But it´s not that way, that Solaris can´t do better than that. It´s just the binary compatibility guarantee again. You can´t simply change the mechanism encrypting the password. There may be scripts that still need the old unix crypt variant. But in case you are sure, that you haven´t such an application you can change it, and it´s really simple to do.

When you look into the file /etc/security/crypt.conf you will find the additional modules for password encryption.

# The algorithm name _unix_ is reserved. 1 crypt_bsdmd5.so.1 2a crypt_bsdbf.so.1 md5 crypt_sunmd5.so.1

The hashing mechanisms are loaded as libraries in the so-called Solaris Pluggable Crypt Framework. It´s even possible to develop your own crypting mechanism in the case you don´t trust the implementations delivered by Sun.

Short	Algorithm	Description
unix	standard unix crypt	The standard unix crypt mechanism. It´s not loaded as a module, as it´s part of the `libc`
1	BSD alike,md5 based	The `crypt_bsdmd5` module is a one-way password hashing module for use with `crypt(3C)` that uses the MD5 message hash algorithm. The output is compatible with `md5crypt` on BSD and Linux systems.
2a	BSD alike, blowfish based	The `crypt_bsdbf` module is a one-way password hashing module for use with `crypt(3C)` that uses the Blowfish cryptographic algorithm.
md5	Sun, md5 based	The \verb=crypt_sunmd5= module is a one-way password hashing module for use with \verb=crypt(3C)= that uses the MD5 message hash algorithm. This module is designed to make it difficult to crack passwords that use brute force attacks based on high speed MD5 implementations that use code inlining, unrolled loops, and table lookup

Each of the last three mechanisms support passwords with up to 255 characters. It´s important to know, that the different hashing algorithm can coexist in your password databases. The password hashing for a password will be changed when user change his or her password.

Changing the default hash mechanism

Let´s use the md5 algorithm in our example. But before that, we should look into the actual \verb=/etc/shadow=

# grep "jmoekamp" /etc/shadow jmoekamp:nM2/fPrCTe3F6:14027::::::

It´s simple to enable a different encryption algorithm for password. You have just to change a single line in /etc/security/policy.conf. To edit this file you have to login as root:

CRYPT_DEFAULT=md5

Okay, now let´s change the password.

# passwd jmoekamp New Password: aa1234567890 Re-enter new Password: aa1234567890 passwd: password successfully changed for jmoekamp

When you look in the /etc/shadow for the user, you will see a slighly modified password field. It´s much longer and between the first and the second $ you seee the used encryption mechanism:

# grep "jmoekamp" /etc/shadow jmoekamp:$md5$vyy8.OVF$$FY4TWzuauRl4.VQNobqMY.:14027::::::

Now let´s try the login:mymac:~ joergmoellenkamp$ ssh jmoekamp@10.211.55.200

Password: aa1234567890

Last login: Wed May 28 11:38:24 2008 from 10.211.55.2

Sun Microsystems Inc.   SunOS 5.11      snv_84  January 2008

$ exit

Connection to 10.211.55.200 closed.

mymac:~ joergmoellenkamp$ ssh jmoekamp@10.211.55.200

Password: aa1234567891

Password: aa1234567892

Password: aa1234567893

Permission denied (gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive).

mymac:~ joergmoellenkamp$
You see, the correctness of the complete password is tested, not just the first 8 characters.


            
            
            
                Posted by Joerg Moellenkamp
                                   in English, Solaris                
                                    at
                 06:52

                                                            | Comments (0)
                                    
                                                            | Trackback (1)
                                    
                
                Defined tags for this entry: lksf, password, security, solaris
Related entries by tags: Less known Solaris Features: CPU resource Pools
 At the GUUG Spring symposium  
 Less known Solaris features - logadm
 Less known Solaris features - IP Multipathing (Appendix A): if_mpadm
 Less known Solaris features - Persistant routes 

View as PDF: This entry | This month | Full blog


        
        

















 





                    
            
            
            
            
            
                

                
                Trackbacks
                    
                        Trackback specific URI for this entry
                    
                    

                            
        
        
            Less known Solaris features: On passwords

            The JET tutorial isn´t complete, but shorten the time a little bit for you, i wrote a tutorial about a small but nevertheless important topic - Passwords: Part 1: Introduction Part 2: Using strong password hashing Part 3: Using a password policy 
        
        
            Weblog: c0t0d0s0.org

            Tracked: May 29, 10:06
                
    

            
        
                    
                

                
                Comments
                Display comments as
                                    (Linear | Threaded)
                                
                

                        No comments


                                

                
                
                

                
	                Add Comment
	                
    
    
    
    
    
        
            Name
            
        

        
            Email
            
        

        
            Homepage
            
        

        
            In reply to
            
        

        
            Comment
            
                

                
E-Mail addresses will not be displayed and will only be used for E-Mail notifications.

To prevent automated Bots from commentspamming, please enter the string you see in the image below in the appropriate input box. Your comment will only be submitted if the strings match. Please ensure that your browser supports and accepts cookies, or your comment cannot be verified correctly.

Enter the string from the spam-prevention image above: 
Standard emoticons like :-) and ;-) are converted to images.
Enclosing asterisks marks text as bold (*word*), underscore are made via _word_.
            
        

        
             
            
                Remember Information? 
                    

                Subscribe to this entry


    
    
    
    
    
    
View as PDF: This entry | This month | Full blog
    
    Competition entry by David Cummins
     powered by Serendipity v1.0