SA-200-S10
System Administration for the Oracle Solaris 10 OS Part 1

Performing User Administration

Encryption Algorithms

The maximum number of characters allowed for passwords is only useful in the context of password encryption algorithms that support passwords longer than eight characters.
Changing password algorithms is described in Password Encryption.

Four algorithms are included with Solaris:

  • Standard crypt(3C)
  • Blowfish
  • BSD/Linux md5
  • Solaris md5

    Dictionary Checks

    Solaris 10 includes a dictionary check for new passwords. A dictionary database is configured and all newly selected passwords are checked against the dictionary. The database location is defined by setting one of two variables in the /etc/default/passwd file.

  • The DICTIONLIST variable is a comma-separated list of dictionary files. Each dictionary file contains multiple lines, and each line consists of a word followed by a newline character (similar to /usr/share/lib/dict/words). You must specify full pathnames. The words from these files are merged into a database that is used to determine whether a password is based on a dictionary word.
  • The dictionary files are in the same form as Crack dictionary files. Crack dictionaries can be found in many places on the net.
  • The DICTIONDBDIR variable is the directory where the generated dictionary databases reside. It defaults to /var/passwd but is commented out in the /etc/default/passwd file.
  • The passwd command performs dictionary lookups if DICTIONLIST or DICTIONDBDIR is defined. If the password database does not yet exist, it is created by passwd. A dictionary can be generated using the mkpwdict(1) command. (Note: the /etc/default/passwd file refers to the mkdict(1) command. That is a typo; mkdict does not exist.)


    Complexity Constraints

    In addition, Solaris 10 passwords must meet the complexity constraints configured in /etc/default/passwd. They are:

  • MINDIFF - Minimum number of differences required between an old and a new password. Default is 3.
  • MINNONALPHA - Minimum number of non-alphabetic characters (including digits and special characters) required. Default is 1.
  • MINALPHA - Minimum number of alphabetic characters required. Default is 2.
  • MINUPPER - Minimum number of upper-case letters required. Default is no check.
  • MINLOWER - Minimum number of lower-case letters required. Default is no check.
  • MAXREPEATS - Maximum number of allowable consecutive repeating characters. Default is no check.
  • MINSPECIAL - Minimum number of special (non-alpha and non-digit) characters required. Default is no check.
  • MINDIGIT - Minimum number of digits required. Default is no check.
  • WHITESPACE - Determines whether whitespace characters are allowed in passwords. Valid values are YES and NO. Default is that whitespace characters are allowed.
  • The password must contain at least the minimum number of characters described by the parameters MINALPHA, MINNONALPHA, MINDIGIT, and MINSPECIAL. Note that MINNONALPHA describes the same character classes as MINDIGIT and MINSPECIAL combined; therefore the user cannot specify both MINNONALPHA and MINSPECIAL (or MINDIGIT). The user must choose which of the two options to use.
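As an added example (not code from this course page or from Solaris itself), the following Python models the passwd(1) checks described in the Dictionary Checks and Complexity Constraints sections above: it reads a constructed /etc/default/passwd fragment, applies the page's defaults for MINDIFF, MINNONALPHA and MINALPHA when a variable is commented out, refuses the MINNONALPHA plus MINDIGIT/MINSPECIAL combination, and reports every constraint a candidate password violates. The MINDIFF and MAXREPEATS interpretations are assumptions, and a plain case-insensitive lookup stands in for the "based on a dictionary word" test.

```python
import re
# Constructed /etc/default/passwd fragment for this example (not a real system file).
PASSWD_DEFAULTS = """
#MINDIFF=3
MINALPHA=2
MINNONALPHA=1
MINUPPER=1
MAXREPEATS=2
WHITESPACE=NO
"""
# Defaults the page documents for absent/commented variables; others mean "no check".
BUILTIN_DEFAULTS = {"MINDIFF": 3, "MINNONALPHA": 1, "MINALPHA": 2}
DICTIONARY = {"password", "solaris", "oracle"}  # constructed stand-in for the DICTIONLIST database

def parse_defaults(text):
    """Return {VAR: value} for uncommented NAME=value lines; empty values are skipped."""
    conf = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([A-Z_]+)=(\S*)\s*$", line)
        if m and m.group(2):
            conf[m.group(1)] = m.group(2)
    return conf

def check_password(new, old, conf, dictionary=DICTIONARY):
    """Return the names of the constraints a new password violates ([] = accepted)."""
    # MINNONALPHA covers the same classes as MINDIGIT + MINSPECIAL, so setting both is an error.
    if "MINNONALPHA" in conf and any(k in conf for k in ("MINDIGIT", "MINSPECIAL")):
        raise ValueError("MINNONALPHA conflicts with MINDIGIT/MINSPECIAL")
    want = lambda k: int(conf.get(k, BUILTIN_DEFAULTS.get(k, 0)))  # 0 means no check
    counts = {
        "MINALPHA": sum(c.isalpha() for c in new),
        "MINNONALPHA": sum(not c.isalpha() for c in new),
        "MINDIGIT": sum(c.isdigit() for c in new),
        "MINSPECIAL": sum(not c.isalnum() for c in new),
        "MINUPPER": sum(c.isupper() for c in new),
        "MINLOWER": sum(c.islower() for c in new),
        # simplified MINDIFF (assumption): changed positions plus any length change
        "MINDIFF": sum(a != b for a, b in zip(old, new)) + abs(len(old) - len(new)),
    }
    problems = [k for k, n in counts.items() if n < want(k)]
    # MAXREPEATS read here as: no character may repeat more than N times in a row
    longest = max((len(m.group()) for m in re.finditer(r"(.)\1*", new)), default=0)
    if "MAXREPEATS" in conf and longest - 1 > want("MAXREPEATS"):
        problems.append("MAXREPEATS")
    if conf.get("WHITESPACE") == "NO" and any(c.isspace() for c in new):
        problems.append("WHITESPACE")
    if new.lower() in dictionary:  # stands in for the "based on a dictionary word" test
        problems.append("DICTIONLIST")
    return problems
```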


    Solaris 10 Account Lockout

    The number of login attempts allowed before lockout is set in the /etc/default/login file using the RETRIES variable:

    # RETRIES determines the number of failed logins that will be
    # allowed before login exits. Default is 5 and maximum is 15.
    # If account locking is configured (user_attr(4)/policy.conf(4))
    # for a local user's account (passwd(4)/shadow(4)), that account
    # will be locked if failed logins equals or exceeds RETRIES.
    #
    #RETRIES=5
    

    To enable the lockout feature the LOCK_AFTER_RETRIES variable is un-commented and set to YES. The variable is found in the /etc/security/policy.conf file.

    # LOCK_AFTER_RETRIES specifies the default account locking policy for local
    # user accounts (passwd(4)/shadow(4)).  The default may be overridden by
    # a user's user_attr(4) "lock_after_retries" value.
    # YES enables local account locking, NO disables local account locking.
    # The default value is NO.
    #
    #LOCK_AFTER_RETRIES=NO
    

    After the user fails to log in RETRIES times, the account is locked in the /etc/shadow file:

    tim:*LK*aMgcYs.Gg0xLo:13026::::::5
    
    essful login. Last login: Thu Sep 25 13:22:12 from localhost

    This warning message is available for interactive login services (not FTP) and is very helpful in warning users who may not have been responsible for the failed authentication attempts. It is important that you educate your users not to simply ignore these messages, as they could be a symptom of an ongoing attack on their account.
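As an added example (not part of the course page), this Python reads constructed copies of the /etc/default/login, /etc/security/policy.conf and /etc/shadow fragments shown above and reports the effective RETRIES value (default 5, capped at the maximum of 15 the comment states), whether LOCK_AFTER_RETRIES is in force, which accounts carry the *LK* lock, and each account's failed-login count taken from the last shadow field (its low four bits, per shadow(4)). User names and hashes in the sample are made up.

```python
import re

# Constructed /etc/default/login and /etc/security/policy.conf fragments (not from a live host).
LOGIN_DEFAULTS = """
# RETRIES determines the number of failed logins that will be allowed before login exits.
#RETRIES=5
"""
POLICY_CONF = """
LOCK_AFTER_RETRIES=YES
"""
# Constructed /etc/shadow lines; user names and hashes are made up.
SHADOW = """\
root:xyHashRoot:13026::::::
tim:*LK*aMgcYs.Gg0xLo:13026::::::5
ann:xyHashAnn:13026::::::3
"""

def setting(text, name, default):
    """Value of an uncommented NAME=value line, or default when commented out or absent."""
    m = re.search(rf"^\s*{name}=(\S+)", text, re.M)
    return m.group(1) if m else default

def lockout_report(login_text, policy_text, shadow_text):
    """Summarise the lockout policy and each local account's lock/failure state."""
    retries = min(int(setting(login_text, "RETRIES", "5")), 15)  # default 5, maximum 15
    locking = setting(policy_text, "LOCK_AFTER_RETRIES", "NO") == "YES"
    report = {"retries": retries, "locking_enabled": locking, "locked": [], "failed": {}}
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if len(fields) != 9:  # shadow(4) entries have nine colon-separated fields
            continue
        user, pw, flag = fields[0], fields[1], fields[8]
        if pw.startswith("*LK*"):  # prefix written into the hash field when locked
            report["locked"].append(user)
        failed = int(flag) & 0xF if flag.isdigit() else 0  # low four bits: failed-login count
        if failed:
            report["failed"][user] = failed
    return report
```

Accounts that appear in "failed" but not in "locked" while locking_enabled is False show where RETRIES is counting failures that will never lock anyone.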