| Skip Navigation Links | |
| Exit Print View | |
|
Oracle Solaris 11.1 Administration: Security Services Oracle Solaris 11.1 Information Library |
| Skip Navigation Links | |
| Exit Print View | |
|
|
Oracle Solaris 11.1 Administration: Security Services Oracle Solaris 11.1 Information Library |
1. Security Services (Overview)
Part II System, File, and Device Security
2. Managing Machine Security (Overview)
3. Controlling Access to Systems (Tasks)
Securing Logins and Passwords (Tasks)
Securing Logins and Passwords (Task Map)
How to Change the root Password
How to Display a User's Login Status
How to Display Users Without Passwords
How to Temporarily Disable User Logins
Changing the Default Algorithm for Password Encryption (Tasks)
How to Specify an Algorithm for Password Encryption
Monitoring and Restricting root Access (Tasks)
How to Monitor Who Is Using the su Command
How to Restrict and Monitor root Logins
Controlling Access to System Hardware (Tasks)
How to Require a Password for SPARC Hardware Access
How to Disable a System's Abort Sequence
4. Virus Scanning Service (Tasks)
5. Controlling Access to Devices (Tasks)
6. Verifying File Integrity by Using BART (Tasks)
7. Controlling Access to Files (Tasks)
Part III Roles, Rights Profiles, and Privileges
8. Using Roles and Privileges (Overview)
9. Using Role-Based Access Control (Tasks)
10. Security Attributes in Oracle Solaris (Reference)
Part IV Cryptographic Services
11. Cryptographic Framework (Overview)
12. Cryptographic Framework (Tasks)
Part V Authentication Services and Secure Communication
14. Using Pluggable Authentication Modules
17. Using Simple Authentication and Security Layer
18. Network Services Authentication (Tasks)
19. Introduction to the Kerberos Service
20. Planning for the Kerberos Service
21. Configuring the Kerberos Service (Tasks)
22. Kerberos Error Messages and Troubleshooting
23. Administering Kerberos Principals and Policies (Tasks)
24. Using Kerberos Applications (Tasks)
25. The Kerberos Service (Reference)
By default, user passwords are encrypted with the crypt_sha256 algorithm. You might want to change the default algorithm to interoperate in a heterogeneous networked environment, such as to log in to frequently used older systems on the network.
In this procedure, the BSD-Linux version of the MD5 algorithm is the default encryption algorithm that is used when users change their passwords. This algorithm is suitable for a mixed network of systems that run the Oracle Solaris, BSD, and Linux versions of UNIX. For a list of password encryption algorithms and algorithm identifiers, see Table 2-1.
Before You Begin
You must assume the root role. For more information, see How to Use Your Assigned Administrative Rights.
Type the identifier as the value for the CRYPT_DEFAULT variable in the /etc/security/policy.conf file.
You might want to comment the file to explain your choice.
# cat /etc/security/policy.conf … CRYPT_ALGORITHMS_ALLOW=1,2a,md5,5,6 # # Use the version of MD5 (5) that works with Linux and BSD systems. # Passwords previously encrypted with SHA256 (1) will be encrypted # with MD5 when users change their passwords. # # #CRYPT_DEFAULT=5 CRYPT_DEFAULT=1
In this example, the algorithms configuration ensures that the sha256 algorithm is not used to encrypt a password. Users whose passwords were encrypted with the sha256 module get a crypt_bsdmd5-encrypted password when they change their passwords.
For more information about configuring the algorithm choices, see the policy.conf(4) man page.
Example 3-4 Constraining Password Encryption Algorithms in a Heterogeneous Environment
In this example, the administrator on a network that includes BSD and Linux systems configures passwords to be usable on all systems. Because some network applications cannot handle SHA512 encryption, the administrator does not include its identifier in the list of allowed algorithms. The administrator retains the SHA256 algorithm, 5, as the value for the CRYPT_DEFAULT variable. The CRYPT_ALGORITHMS_ALLOW variable contains the MD5 identifier, which is compatible with BSD and Linux systems, and the Blowfish identifier, which is compatible with BSD systems. Because 5 is the CRYPT_DEFAULT algorithm, it does not need to be listed in the CRYPT_ALGORITHMS_ALLOW list. However, for maintenance purposes, the administrator places 5 in the CRYPT_ALGORITHMS_ALLOW list and the unused identifiers in the CRYPT_ALGORITHMS_DEPRECATE list.
CRYPT_ALGORITHMS_ALLOW=1,2a,5 #CRYPT_ALGORITHMS_DEPRECATE=__unix__,md5,6 CRYPT_DEFAULT=5
When users in an NIS domain change their passwords, the NIS client consults its local algorithms configuration in the /etc/security/policy.conf file. The NIS client system encrypts the password.
Before You Begin
You must assume the root role. For more information, see How to Use Your Assigned Administrative Rights.
When the LDAP client is properly configured, the LDAP client can use the new password algorithms. The LDAP client behaves just as an NIS client behaves.
Before You Begin
You must assume the root role. For more information, see How to Use Your Assigned Administrative Rights.
Ensure that a comment sign (#) precedes entries that include pam_ldap.so.1. Also, do not use the server_policy option with the pam_authtok_store.so.1 module.
The PAM entries in the client's pam.conf file enable the password to be encrypted according to the local algorithms configuration. The PAM entries also enable the password to be authenticated.
When users in the LDAP domain change their passwords, the LDAP client consults its local algorithms configuration in the /etc/security/policy.conf file. The LDAP client system encrypts the password. Then, the client sends the encrypted password, with a {crypt} tag, to the server. The tag tells the server that the password is already encrypted. The password is then stored, as is, on the server. For authentication, the client retrieves the stored password from the server. The client then compares the stored password with the encrypted version that the client has just generated from the user's typed password.
Note - To take advantage of password policy controls on the LDAP server, use the server_policy option with the pam_authtok_store entries in the pam.conf file. Passwords are then encrypted on the LDAP server. For the procedure, see Chapter 11, Setting Up Oracle Directory Server Enterprise Edition With LDAP Clients (Tasks), in Working With Naming and Directory Services in Oracle Solaris 11.1.
|