I don’t know if this is normal, but the thing is, let’s say I have a Solaris user called gloaiza and its password is password2getin.
I’m logging into the server with PuTTY. I just put 192.168.224.100 and it prompts a window asking for a user, so I type gloaiza, then it asks for a password and let’s say I type password2geti by mistake, and it worked! I’m IN the server!
Is that normal? It also works if I put something like password2getin2.
I’m not a native English speaker, so in case there’s something you can’t understand, please ask me.
OS: Oracle Solaris 10 1/13
Answers:
Method 1
The operating system stores a hash of the password in /etc/shadow (or, historically, /etc/passwd; or a different location on some other Unix variants). Historically, the first widespread password hash was a DES-based scheme which had the limitation that it only took into account the first 8 characters of the password. In addition, a password hashing algorithm needs to be slow; the DES-based scheme was somewhat slow when it was invented but is insufficient by today’s standards.
Since then, better algorithms have been devised. But Solaris 10 defaults to the historical DES-based scheme. Solaris 11 defaults to an algorithm based on iterated SHA-256 which is up to modern standards.
Unless you need historical compatibility with ancient systems, switch to the iterated SHA-256 scheme. Edit the file /etc/security/policy.conf and change the CRYPT_DEFAULT setting to 5 which stands for crypt_sha256. You may also want to set CRYPT_ALGORITHMS_ALLOW and CRYPT_ALGORITHMS_DEPRECATE.
Once you’ve changed the configuration, run passwd to change your password. This will update the password hash with the currently configured scheme.
Method 2
This is expected, at least on a default Solaris 10 and older configuration.
Your system is using the legacy Unix crypt_unix algorithm, which indeed limits the number of characters used to eight.
This is documented in the passwd manual page:
Passwords must be constructed to meet the following requirements: Each password must have PASSLENGTH characters, where PASSLENGTH is defined in /etc/default/passwd and is set to 6. Setting PASSLENGTH to more than eight characters requires configuring policy.conf(4) with an algorithm that supports greater than eight characters.
As this algorithm is essentially obsolete, you should switch to something better (available values are listed in the crypt.conf manual page) by setting the CRYPT_ALGORITHMS_DEPRECATE and CRYPT_DEFAULT entries in the /etc/security/policy.conf file.
See http://docs.oracle.com/cd/E19253-01/816-4557/concept-63/index.html
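Methods 1 and 2 both boil down to two checks an administrator would want to automate: does policy.conf still default to crypt_unix (and is __unix__ deprecated), and which accounts still carry a legacy 13-character hash that will keep verifying only the first eight characters until the user runs passwd. The following audit script is an added example, not code from the original answers or from Oracle; the policy.conf excerpt and shadow lines in it are constructed samples, and the hash-identifier table follows the identifiers listed in Solaris crypt.conf(4).

```python
"""Audit a Solaris host's password-hashing configuration (added example).

Two checks:
  1. whether /etc/security/policy.conf still defaults to crypt_unix
     (CRYPT_DEFAULT=__unix__) and whether __unix__ is deprecated;
  2. which accounts in /etc/shadow still carry a legacy crypt_unix hash,
     i.e. a hash for which only the first 8 password characters count.
"""
import re

# Identifiers from Solaris crypt.conf(4) mapped to the module they select.
SCHEME_BY_ID = {
    "1": "crypt_bsdmd5",
    "2a": "crypt_bsdbf",
    "md5": "crypt_sunmd5",
    "5": "crypt_sha256",
    "6": "crypt_sha512",
}
LEGACY_ID = "__unix__"  # policy.conf identifier for crypt_unix
# Traditional crypt(3) output: 2-char salt + 11-char hash, no '$' prefix.
LEGACY_HASH_RE = re.compile(r"[./0-9A-Za-z]{13}")

# Constructed sample inputs (not taken from any real host).
SAMPLE_POLICY_CONF = """\
# /etc/security/policy.conf (constructed excerpt)
CRYPT_ALGORITHMS_ALLOW=1,2a,md5,5,6
#CRYPT_ALGORITHMS_DEPRECATE=__unix__
CRYPT_DEFAULT=__unix__
"""
SAMPLE_SHADOW = "\n".join([
    "root:$5$c0nstructd$" + "x" * 43 + ":19000::::::",  # already on crypt_sha256
    "gloaiza:abJnggxhB/yWI:19000::::::",                 # legacy crypt_unix hash
    "svc:*LK*:19000::::::",                              # locked account
    "guest:NP:19000::::::",                              # no password set
])


def parse_policy_conf(text):
    """Return KEY -> VALUE for the uncommented settings in policy.conf."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip()] = value.strip()
    return settings


def hash_scheme(field):
    """Classify one /etc/shadow password field by the scheme that produced it."""
    if field in ("", "NP"):
        return "none"
    if field.startswith(("*", "!")):
        return "locked"
    if field.startswith("$"):
        # "$5$salt$hash" or "$md5,rounds=N$salt$hash": the identifier is the
        # first '$'-delimited token, minus any ",rounds=" parameter.
        ident = field[1:].split("$", 1)[0].split(",", 1)[0]
        return SCHEME_BY_ID.get(ident, "unknown")
    if LEGACY_HASH_RE.fullmatch(field):
        return "crypt_unix"
    return "unknown"


def audit(policy_text, shadow_text):
    """Return a list of findings describing remaining crypt_unix exposure."""
    findings = []
    policy = parse_policy_conf(policy_text)
    # An absent CRYPT_DEFAULT is treated as the built-in default, crypt_unix.
    if policy.get("CRYPT_DEFAULT", LEGACY_ID) == LEGACY_ID:
        findings.append("CRYPT_DEFAULT is __unix__: new passwords are "
                        "truncated to 8 characters")
    deprecated = policy.get("CRYPT_ALGORITHMS_DEPRECATE", "").split(",")
    if LEGACY_ID not in deprecated:
        findings.append("crypt_unix is not deprecated: existing legacy "
                        "hashes remain accepted")
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if len(fields) < 2:
            continue
        user, scheme = fields[0], hash_scheme(fields[1])
        if scheme == "crypt_unix":
            findings.append(f"{user}: legacy crypt_unix hash, only the first "
                            "8 characters are verified; the user must run "
                            "passwd after CRYPT_DEFAULT is changed")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_POLICY_CONF, SAMPLE_SHADOW):
        print(finding)
```

On a real host the two sample strings would be replaced by the contents of /etc/security/policy.conf and /etc/shadow (the latter readable only by root). The per-user check matters because changing CRYPT_DEFAULT does not rewrite stored hashes: each account keeps its truncated crypt_unix hash, and its eight-character behaviour, until its password is changed.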
Method 3
See this thread on Oracle forums:
The behavior you describe is expected when using the default “crypt_unix” password encryption scheme. This scheme will only encrypt the first eight characters of a password, and thus only the first eight characters need to match when the password is typed in again. It is not a “bug”, but a known limitation of the algorithm – it is largely kept around for backward compatibility, and unfortunately is set as the default on Solaris systems when installed.
To resolve this, set your OS to use MD5 or Blowfish algorithms instead of crypt_unix.
This can be changed in the /etc/security/policy.conf file. You can set crypt algorithms to allow, and there is also a setting to deprecate (forbid) the use of the “crypt_unix” algorithm and change the default to a more secure one.
See your “Solaris 10 System Administration Guide: Security Services” for more information.
See also Changing the Password Algorithm (Task Map) and especially How to Specify an Algorithm for Password Encryption:
Specify the identifier for your chosen encryption algorithm.
…
Type the identifier as the value for the CRYPT_DEFAULT variable in the /etc/security/policy.conf file.
…
For more information on configuring the algorithm choices, see the policy.conf(4) man page.
Method 4
Just FYI, this also happens on IBM AIX systems up until version 7.1.
It’s funny, because this system I worked with has a “cannot reuse any of the last 10 passwords” policy that does take into account the whole password length, but then only checks the first 8 characters when logging in. So you could set your passwords like easypass_%$xZ!01, easypass_%&ssY!02, easypass_%[email protected]@, … for every mandatory password change, effectively keeping easypass as your password for years.
All methods were sourced from stackoverflow.com or stackexchange.com and are licensed under CC BY-SA 2.5, CC BY-SA 3.0 and CC BY-SA 4.0.