login password length

irixpgmr
Posts: 54
Joined: Mon Jun 13, 2005 9:22 am

login password length

Unread postby irixpgmr » Sat Dec 10, 2005 3:30 pm

Does anyone have any ideas on how to get around the password length problem? I would like to increase my usable password length to more than 8 characters. Has anyone figured out how to do this?

foetz
Moderator
Posts: 6542
Joined: Mon Apr 14, 2003 4:34 am

Unread postby foetz » Sat Dec 10, 2005 8:54 pm

you could crypt on your own and paste it into shadow...

irixpgmr
Posts: 54
Joined: Mon Jun 13, 2005 9:22 am

login password length

Unread postby irixpgmr » Sat Dec 10, 2005 10:17 pm

foetz wrote:you could crypt on your own and paste it into shadow...


Actually, I talked to a person at SGI. The problem is not the password program, it is the login program. Login only looks at the first 8 characters regardless of how many are set by passwd. He suggested that pam might help with this, but he wasn't sure. I have next to no experience setting up pam.

Perhaps there is another way of which I am unaware.

foetz
Moderator
Posts: 6542
Joined: Mon Apr 14, 2003 4:34 am

Re: login password length

Unread postby foetz » Sun Dec 11, 2005 10:06 am

irixpgmr wrote:
foetz wrote:you could crypt on your own and paste it into shadow...


Actually, I talked to a person at SGI. The problem is not the password program, it is the login program. Login only looks at the first 8 characters regardless of how many are set by passwd. He suggested that pam might help with this, but he wasn't sure. I have next to no experience setting up pam.

Perhaps there is another way of which I am unaware.


well, depends on which auth. mechanism you rely on.
however i think a good 8 chars password should be sufficient. there're many other more critical things to do first and if you're that paranoid you have to use trusted irix anyway :D

jasper
Posts: 13
Joined: Tue Jan 03, 2006 10:45 am
Location: Gorinchem, The Netherlands

Re: login password length

Unread postby jasper » Tue Jan 03, 2006 1:13 pm

irixpgmr wrote:
foetz wrote:you could crypt on your own and paste it into shadow...


Actually, I talked to a person at SGI. The problem is not the password program, it is the login program. Login only looks at the first 8 characters regardless of how many are set by passwd.

If I remember correctly, old versions of Solaris have the same "problem"; I haven't verified it with a recent (>8.0) version.
Humppa is a serious thing!

Hakimoto
Moderator
Posts: 2580
Joined: Sun Mar 30, 2003 4:29 am
Location: Nijmegen, Netherlands, Europe

Unread postby Hakimoto » Tue Jan 03, 2006 2:38 pm

I'll be putting Sol 9 on my server soon, I can check it then if I don't forget...
The Bandito wrote:In a few years, no doubt, you'll be able to buy a computer,
software and operating system that will match the capabilities
of your current Amiga at about the price you paid for the
Amiga way back when. But you can smile to yourself, knowing
that you were touching the future years before the rest of
the world. And that other computers and operating systems
will do with brute force what the Amiga did years before with
grace, elegance and style.


Eroteme.ch - my end of the internet...

jasper
Posts: 13
Joined: Tue Jan 03, 2006 10:45 am
Location: Gorinchem, The Netherlands

Unread postby jasper » Tue Jan 03, 2006 3:04 pm

If you'd like to, yes please. I haven't got a Solaris box around.

unixmuseum
Posts: 2783
Joined: Mon Apr 19, 2004 4:25 pm
Location: Los Angeles, CA

Unread postby unixmuseum » Tue Jan 03, 2006 3:27 pm

From Solaris 10 passwd man:
Each password must have PASSLENGTH characters, where PASSLENGTH is defined in /etc/default/passwd and is set to 6.
Setting PASSLENGTH to more than eight characters requires configuring policy.conf(4) with an algorithm that supports greater than eight characters.

Hakimoto
Moderator
Posts: 2580
Joined: Sun Mar 30, 2003 4:29 am
Location: Nijmegen, Netherlands, Europe

Unread postby Hakimoto » Wed Jan 04, 2006 4:47 am

unixmuseum, great stuff. can you post the relevant policy.conf sections by any chance? Would be good to see if this stuff is commented or not...

josehill
Moderator
Posts: 3302
Joined: Mon Jun 06, 2005 9:53 pm
Location: New England, USA

Unread postby josehill » Wed Jan 04, 2006 11:35 am

Hakimoto wrote:unixmuseum, great stuff. can you post the relevant policy.conf sections by any chance? Would be good to see if this stuff is commented or not...

I'm not sure if this is what you are looking for, but the man pages for several Solaris versions (back to version 2.4!) are searchable at http://docs.sun.com, and you can browse to the man page for policy.conf in the Solaris 10 "Reference Manual" section.

stuart
Posts: 912
Joined: Mon Aug 23, 2004 5:37 pm
Location: Cambridge, UK

Re: login password length

Unread postby stuart » Wed Jan 04, 2006 7:04 pm

irixpgmr wrote:Does anyone have any ideas on how to get around the password length problem? I would like to increase my usable password length to more than 8 characters. Has anyone figured out how to do this?


IIRC, the GUI password/security tools limit you to 8 characters, but the good old UNIX "passwd" utility doesn't impose any arbitrary* length restrictions.

So, the best thing to do is probably to run "pwconv" (to set up/synchronise shadow passwords) and then use "passwd" to set the passwords for any accounts you need.

* although I think there is still a maximum of 255 characters

unixmuseum
Posts: 2783
Joined: Mon Apr 19, 2004 4:25 pm
Location: Los Angeles, CA

Unread postby unixmuseum » Wed Jan 04, 2006 7:18 pm

Hakimoto wrote:unixmuseum, great stuff. can you post the relevant policy.conf sections by any chance? Would be good to see if this stuff is commented or not...
Here ya go, straight from /etc/security/policy.conf:

#
# Copyright 2004 Sun Microsystems, Inc. All rights reserved.
# Use is subject to license terms.
#
# /etc/security/policy.conf
#
# security policy configuration for user attributes. see policy.conf(4)
#
#ident "@(#)policy.conf 1.11 04/09/27 SMI"
#
AUTHS_GRANTED=solaris.device.cdrw
PROFS_GRANTED=Basic Solaris User

# crypt(3c) Algorithms Configuration
#
# CRYPT_ALGORITHMS_ALLOW specifies the algorithms that are allowed to
# be used for new passwords. This is enforced only in crypt_gensalt(3c).
#
CRYPT_ALGORITHMS_ALLOW=1,2a,md5

# To deprecate use of the traditional unix algorithm, uncomment below
# and change CRYPT_DEFAULT= to another algorithm. For example,
# CRYPT_DEFAULT=1 for BSD/Linux MD5.
#
#CRYPT_ALGORITHMS_DEPRECATE=__unix__

# The Solaris default is the traditional UNIX algorithm. This is not
# listed in crypt.conf(4) since it is internal to libc. The reserved
# name __unix__ is used to refer to it.
#
CRYPT_DEFAULT=__unix__
#
# These settings determine the default privileges users have. If not set,
# the default privileges are taken from the inherited set.
# There are two different settings; PRIV_DEFAULT determines the default
# set on login; PRIV_LIMIT defines the Limit set on login.
# Individual users can have privileges assigned or taken away through
# user_attr. Privileges can also be assigned to profiles in which case
# the users with those profiles can use those privileges through pfexec(1m).
# For maximum future compatibility, the specifications should
# always include "basic" or "all"; privileges should then be removed using
# the negation. E.g., PRIV_LIMIT=all,!sys_linkdir takes away only the
# sys_linkdir privilege, regardless of future additional privileges.
# Similarly, PRIV_DEFAULT=basic,!file_link_any takes away only the
# file_link_any privilege from the basic privilege set; only that notation
# is immune from a future addition of currently unprivileged operations to
# the basic privilege set.
# NOTE: removing privileges from the the Limit set requires EXTREME care
# as any set-uid root program may suddenly fail because it lacks certain
# privilege(s).
#
#PRIV_DEFAULT=basic
#PRIV_LIMIT=all
#
# LOCK_AFTER_RETRIES specifies the default account locking policy for local
# user accounts (passwd(4)/shadow(4)). The default may be overridden by
# a user's user_attr(4) "lock_after_retries" value.
# YES enables local account locking, NO disables local account locking.
# The default value is NO.
#
#LOCK_AFTER_RETRIES=NO

irixpgmr
Posts: 54
Joined: Mon Jun 13, 2005 9:22 am

Re: login password length

Unread postby irixpgmr » Mon Jan 09, 2006 7:11 pm

stuart wrote:
irixpgmr wrote:Does anyone have any ideas on how to get around the password length problem? I would like to increase my usable password length to more than 8 characters. Has anyone figured out how to do this?


IIRC, the GUI password/security tools limit you to 8 characters, but the good old UNIX "passwd" utility doesn't impose any arbitrary* length restrictions.

So, the best thing to do is probably to run "pwconv" (to set up/synchronise shadow passwords) and then use "passwd" to set the passwords for any accounts you need.

* although I think there is still a maximum of 255 characters

Actually, the login program truncates at 8 characters. I set the password to a password longer than 8 characters. I then put in the password with junk characters after the first 8 and I was logged in.

foetz
Moderator
Posts: 6542
Joined: Mon Apr 14, 2003 4:34 am

Unread postby foetz » Mon Jan 09, 2006 8:29 pm

well i have to wonder a bit.
do you really think a password beyond 8 chars will significantly increase security?
i have to repeat "a good 8 chars password should be sufficient. there're many other more critical things to do first and if you're that paranoid you have to use trusted irix".

sunjnky
Posts: 1
Joined: Mon Dec 04, 2006 11:17 am

Re: Solaris 10 - enabling long passwords (PASSLENGTH)

Unread postby sunjnky » Mon Dec 04, 2006 11:21 am

For Solaris 10, to enable longer passwords, edit /etc/security/policy.conf
and change:
CRYPT_DEFAULT=__unix__
to:
CRYPT_DEFAULT=md5

Then update /etc/default/passwd by changing the PASSLENGTH= to a value higher than the standard "6".

This solves the problem wherein a password can be long but only the first 8 characters are used.

http://www.vmunix.com/mark/blog/archive ... n-solaris/
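
An added example, not code from any poster in this thread or from Sun or SGI: a small audit of the two Solaris 10 files discussed above, plus shadow(4) entries, that flags the mismatch the thread describes (a PASSLENGTH above 8 while hashes are still traditional crypt). The sample file contents and hashes are constructed, the function names are hypothetical, and it assumes a missing CRYPT_DEFAULT means `__unix__` and a missing PASSLENGTH means 6, as the file comment and man page text quoted above state.

```python
import re

# Traditional crypt(3C) output: 2-char salt + 11-char hash, no "$" prefix.
TRADITIONAL = re.compile(r"[./0-9A-Za-z]{13}")

# Constructed sample inputs (not copied from a real system).
SAMPLE_POLICY = ("CRYPT_ALGORITHMS_ALLOW=1,2a,md5\n"
                 "#CRYPT_ALGORITHMS_DEPRECATE=__unix__\n"
                 "CRYPT_DEFAULT=__unix__\n")
SAMPLE_PASSWD_DEFAULTS = "MAXWEEKS=\nMINWEEKS=\nPASSLENGTH=10\n"
SAMPLE_SHADOW = """\
root:$md5$CONSTRUCTED$$placeholderhashvalue00:13000::::::
daemon:NP:6445::::::
oracle:aB3dE5fG7hI9k:13000::::::
guest:*LK*:::::::
backup:Zz0./AbCdEfGh:13120::::::
"""

def parse_kv(text):
    """Return the uncommented KEY=VALUE settings of a Solaris-style defaults file."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            settings[key.strip()] = value.strip()
    return settings

def check_config(policy_text, passwd_defaults_text):
    """Flag PASSLENGTH > 8 combined with CRYPT_DEFAULT=__unix__."""
    algo = parse_kv(policy_text).get("CRYPT_DEFAULT", "__unix__")  # assumed default
    raw = parse_kv(passwd_defaults_text).get("PASSLENGTH", "")
    passlength = int(raw) if raw.isdigit() else 6                  # assumed default
    findings = []
    if algo == "__unix__":
        findings.append("CRYPT_DEFAULT=__unix__: only the first 8 characters are checked")
        if passlength > 8:
            findings.append(f"PASSLENGTH={passlength} exceeds what __unix__ can check")
    return findings

def truncated_accounts(shadow_text):
    """List accounts whose stored hash is still in the traditional 13-char format."""
    hits = []
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 2 and TRADITIONAL.fullmatch(fields[1]):
            hits.append(fields[0])
    return hits
```

Changing CRYPT_DEFAULT only affects hashes created afterwards, so accounts reported by `truncated_accounts` keep 8-character matching until their passwords are set again with passwd.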

