44

I don't know if this is normal, but the thing is, let's say I have a Solaris user called gloaiza and its password is password2getin

I'm logging into the server with PuTTY, I just put 192.168.224.100 and it prompts a windows asking for an user, so I type gloaiza, then it asks for a password and let's say I type password2geti by mistake, and it worked! I'm IN the server!

Is that normal? It also works if I put something like password2getin2.

I'm not a native English speaker, so, in case there's something you can't understand please ask me

OS: Oracle Solaris 10 1/13

Improve this question
6
  • 4
    What happens under eight characters? Does passwork get you in? Commented Aug 9, 2016 at 22:35
  • @thrig Ok, my actual password is 9 character long, so let's say the password is pass2word, then it works with pass2wor, pass2word1, pass2worr1, and so on... I think it works with everything once you type pass2wor I don't think it is a big problem, but isn't good either. Commented Aug 9, 2016 at 22:43
  • 3
    As long as you get the first 8 characters right, it will let you in. Unfortunately, generating a password has using encrypt in older solaris releases, disregards character 9 and afterwards. Commented Aug 9, 2016 at 22:45
  • 15
    Gentle reminder for all the embedded devs here thinking, "this could never happen on my system:" busybox will silently fall back to DES if you don't have all the right crypto options enabled in its .config and your libc. Maybe take a minute today to double-check your passwd/shadow files? ;) Commented Aug 9, 2016 at 23:09
  • 11
    @drewbenn - who the hell thought that silently degrading security is a good idea? Jesus Christ. Commented Aug 10, 2016 at 4:58

4 Answers 4

Reset to default
65

The operating system stores a hash of the password in /etc/shadow (or, historically, /etc/passwd; or a different location on some other Unix variants). Historically, the first widespread password hash was a DES-based scheme which had the limitation that it only took into account the first 8 characters of the password. In addition, a password hashing algorithm needs to be slow; the DES-based scheme was somewhat slow when it was invented but is insufficient by today's standards.

Since then, better algorithms have been devised. But Solaris 10 defaults to the historical DES-based scheme. Solaris 11 defaults to an algorithm based on iterated SHA-256 which is up to modern standards.

Unless you need historical compatibility with ancient systems, switch to the iterated SHA-256 scheme. Edit the file /etc/security/policy.conf and change the CRYPT_DEFAULT setting to 5 which stands for crypt_sha256. You may also want to set CRYPT_ALGORITHMS_ALLOW and CRYPT_ALGORITHMS_DEPRECATE.

Once you've changed the configuration, run passwd to change your password. This will update the password hash with the currently configured scheme.

Improve this answer
3
  • 1
    Thank you for the answer. When you said "Unless you need historical compatibility with ancient systems" you really mean it, what I mean is... Is it possible to really need the DES-based scheme, and not being able to change to SHA-256, for some reason? Commented Aug 9, 2016 at 23:12
  • 11
    @gloaiza You might if your password hash file is shared with NIS or some other method with a machine running a truly ancient operating system (like Solaris 2.x). Otherwise, no. Commented Aug 9, 2016 at 23:17
  • 1
    Algorithm 2a (bcrypt) may be the best choice. Commented Aug 10, 2016 at 15:03
21

This is expected, at least on a default Solaris 10 and older configuration.

Your system is using the legacy Unix crypt_unix algorithm which indeed limit the number of characters used to eight.

This is documented in the passwd manual page:

 Passwords must be constructed to meet the following requirements: Each password must have PASSLENGTH characters, where PASSLENGTH is defined in /etc/default/passwd and is set to 6. Setting PASSLENGTH to more than eight characters requires configuring policy.conf(4) with an algorithm that supports greater than eight characters.

As this algorithm is essentially obsolete. You should switch to something better (available values listed in the crypt.conf manual page) by setting the CRYPT_ALGORITHMS_DEPRECATE and CRYPT_DEFAULT entries the /etc/security/policy.conf file.

See http://docs.oracle.com/cd/E19253-01/816-4557/concept-63/index.html

Improve this answer
2
  • 1
    It is not true that "the higher the better". Algorithm 2a (bcrypt) may be the best. Commented Aug 10, 2016 at 14:48
  • @OrangeDog Point taken, advice removed Commented Aug 10, 2016 at 15:02
7

See this thread on Oracle forums:

The behavior you describe is expected when using the default "crypt_unix" password encryption scheme. This scheme will only encrypt the first eight characters of a password, and thus only the first eight characters need to match when the password is typed in again. It is not a "bug", but a known limitation of the algorithm - it is largely kept around for backward compatibility, and unfortunately is set as the default on Solaris systems when installed.

To resolve this, set your OS to use MD5 or Blowfish algorithms instead of crypt_unix.

This can be changed in the /etc/security/policy.conf file. You can set crypt algorithms to allow, and there is also a setting to deprecate (forbid) the use of the "crypt_unix" algorithm and change the default to a more secure one.

See your "Solaris 10 System Administration Guide: Security Services" for more information.

See also Changing the Password Algorithm (Task Map) and especially How to Specify an Algorithm for Password Encryption:

Specify the identifier for your chosen encryption algorithm.

...

Type the identifier as the value for the CRYPT_DEFAULT variable in the /etc/security/policy.conf file.

...

For more information on configuring the algorithm choices, see the policy.conf(4) man page.

Improve this answer
2

Just FYI, this also happens on IBM AIX systems up until version 7.1.

It's funny, because this system I worked with has a "cannot reuse any of the last 10 passwords" policy that does take into account the whole password lenght, but then only checks the first 8 characters when logging in. So you could set your passwords like easypass_%$xZ!01, easypass_%&ssY!02, easypass_%$33zoi@@, ... for every mandatory password change, effectively keeping easypass as your password for years.

Improve this answer

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.