Solaris let me in with a different password with the same first 8 characters
The operating system stores a hash of the password in /etc/shadow (or, historically, /etc/passwd; or a different location on some other Unix variants). Historically, the first widespread password hash was a DES-based scheme which had the limitation that it only took into account the first 8 characters of the password. In addition, a password hashing algorithm needs to be slow; the DES-based scheme was somewhat slow when it was invented but is insufficient by today's standards.
Since then, better algorithms have been devised. But Solaris 10 defaults to the historical DES-based scheme. Solaris 11 defaults to an algorithm based on iterated SHA-256 which is up to modern standards.
Unless you need historical compatibility with ancient systems, switch to the iterated SHA-256 scheme. Edit the file /etc/security/policy.conf and change the CRYPT_DEFAULT setting to 5 which stands for crypt_sha256. You may also want to set CRYPT_ALGORITHMS_ALLOW and CRYPT_ALGORITHMS_DEPRECATE.
Once you've changed the configuration, run passwd to change your password. This will update the password hash with the currently configured scheme.
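The policy.conf and passwd steps above, as an added audit script that is not part of the original answer: it checks whether a policy.conf still defaults to crypt_unix and which shadow entries still carry the 13-character DES hash. It runs on constructed sample files and assumes the Solaris identifiers 5 (crypt_sha256), 6 (crypt_sha512) and __unix__ (crypt_unix).

```shell
#!/bin/sh
# Added example, not from the original answers. Audits a Solaris-style
# policy.conf (KEY=value lines, '#' comments) and a shadow-format file.
set -u
WORK=$(mktemp -d)

# Constructed sample files standing in for the real /etc files.
cat > "$WORK/weak.conf" <<'EOF'
# Solaris 10 default: DES-based crypt_unix, first 8 characters only
CRYPT_DEFAULT=__unix__
EOF
cat > "$WORK/fixed.conf" <<'EOF'
CRYPT_ALGORITHMS_ALLOW=1,2a,md5,5,6
CRYPT_ALGORITHMS_DEPRECATE=__unix__
CRYPT_DEFAULT=5
EOF
cat > "$WORK/shadow" <<'EOF'
root:$5$saltsalt$CONSTRUCTEDSHA256HASHVALUE0000000000000000000:15000::::::
legacy:abJnggxhB/yWI:15000::::::
nologin:NP:15000::::::
EOF

# Print the last value assigned to KEY ($2) in policy.conf file $1.
policy_value() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1
}

# 0 if CRYPT_DEFAULT is an iterated-SHA scheme and crypt_unix is deprecated.
policy_ok() {
    case "$(policy_value "$1" CRYPT_DEFAULT)" in
        5|6) ;;
        *) return 1 ;;
    esac
    case ",$(policy_value "$1" CRYPT_ALGORITHMS_DEPRECATE)," in
        *,__unix__,*) return 0 ;;
        *) return 1 ;;
    esac
}

# List users whose hash field is the 13-character crypt_unix form (no $id$
# prefix); these users must run passwd(1) again after the policy change.
legacy_hash_users() {
    awk -F: 'length($2) == 13 && index($2, "$") == 0 && $2 ~ /^[A-Za-z0-9.\/]+$/ { print $1 }' "$1"
}

policy_ok "$WORK/weak.conf"  || echo "weak.conf: still defaults to crypt_unix"
policy_ok "$WORK/fixed.conf" && echo "fixed.conf: iterated SHA default, crypt_unix deprecated"
echo "users with legacy 8-character hashes:"; legacy_hash_users "$WORK/shadow"
```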
This is expected, at least on a default Solaris 10 and older configuration.
Your system is using the legacy Unix crypt_unix algorithm, which indeed limits the number of characters used to eight. This is documented in the passwd manual page:
Passwords must be constructed to meet the following requirements: Each password must have PASSLENGTH characters, where PASSLENGTH is defined in /etc/default/passwd and is set to 6. Setting PASSLENGTH to more than eight characters requires configuring policy.conf(4) with an algorithm that supports greater than eight characters.
As this algorithm is essentially obsolete, you should switch to something better (available values are listed in the crypt.conf manual page) by setting the CRYPT_ALGORITHMS_DEPRECATE and CRYPT_DEFAULT entries in the /etc/security/policy.conf file.
See http://docs.oracle.com/cd/E19253-01/816-4557/concept-63/index.html
See this thread on Oracle forums:
The behavior you describe is expected when using the default "crypt_unix" password encryption scheme. This scheme will only encrypt the first eight characters of a password, and thus only the first eight characters need to match when the password is typed in again. It is not a "bug", but a known limitation of the algorithm - it is largely kept around for backward compatibility, and unfortunately is set as the default on Solaris systems when installed.
To resolve this, set your OS to use MD5 or Blowfish algorithms instead of crypt_unix.
This can be changed in the /etc/security/policy.conf file. You can set crypt algorithms to allow, and there is also a setting to deprecate (forbid) the use of the "crypt_unix" algorithm and change the default to a more secure one.
See your "Solaris 10 System Administration Guide: Security Services" for more information.
See also Changing the Password Algorithm (Task Map) and especially How to Specify an Algorithm for Password Encryption:
Specify the identifier for your chosen encryption algorithm.
...
Type the identifier as the value for the CRYPT_DEFAULT variable in the /etc/security/policy.conf file.
...
For more information on configuring the algorithm choices, see the policy.conf(4) man page.