Solaris Root Password Protection.

  1. #1
    Senior Member Info Tech Geek
    Join Date
    Jan 2003
    Vernon, CT

    Solaris Root Password Protection.

    Can you set the ROOT password on a Solaris system to expire after X amount of days? Also, what action does it take on expiration? Does it force the user to change the password on logon or does it lock the account?

    If you can.. How?

  2. #2
    Jaded Network Admin nebulus200
    Join Date
    Jun 2002
    It depends on which version of Solaris, but most should have /etc/default/passwd, here is a Solaris 9 version:

    #ident "@(#)passwd.dfl 1.3 92/07/14 SMI"
    Minweeks = minimum number of weeks that must pass before password can be changed
    Maxweeks = maximum number of weeks that must pass before password must be changed
    Warnweeks= number of weeks warning the user should receive to change password
    Passlength = minimum number of characters in password

    My understanding is that it applies to all users. That minweeks must pass before the password can change, and that maxweeks will force a password change. The user will get warnings about changing their password, but if they miss it, they will be prompted with a dialog asking for their old password and then a new one if they log in after maxweeks. Note that this works with telnet, but I have seen it lock people out of ssh...telnet being what it is, safest place to change is on the console or to have some automated process such that you don't need the settings...

    There is only one constant, one universal, it is the only real truth: causality. Action. Reaction. Cause and effect...There is no escape from it, we are forever slaves to it. Our only hope, our only peace is to understand it, to understand the 'why'. 'Why' is what separates us from them, you from me. 'Why' is the only real social power, without it you are powerless.

    (Merovingian - Matrix Reloaded)

  3. #3
    These programs will do that, npasswd and passwd+ but neither will do password
    aging on SunOS 4.1.x and NIS. Read up on this . and this. is a great Solaris site for security and other Solaris misc material.

  4. #4
    Senior Member
    Join Date
    Mar 2003
    See the man pages for 'passwd' 'shadow' 'useradd' 'userdel' 'usermod' and 'vipw' (if installed,
    typically in /usr/ucb) on your system.

    A shadow entry for a user will look like....

    spurious:<Encrypted String>:12351:1:120:21:7:14974:

    Field 1) Username
    Field 2) Password in encrypted form
    Field 3) Password last changed, represented as number of days since January 1 1970
    Field 4) Minimum change days, i.e. how long the user must keep the password before changing it.
    Field 5) Maximum change days, i.e. how long the user can keep the password before they _must_
    change it.
    Field 6) Number of warning days, i.e. when to start bugging the user that their password is going
    to expire.
    Field 7) Number of inactive days, i.e. number of days after the password expires before the account
    status is set to inactive.
    Field 8) Date the account will expire
    Field 9) Not used, reserved for a future purpose.

    The root account does become Locked (which you can check with 'passwd -s username'),
    however expired accounts can still be su'd to.

    Post if you need more help.

    -- spurious

    Note: BSD and many Linux systems include the 'chage' command, which allows the Admin to
    modify password aging only for an account.
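
Added example, not part of any post in the thread: a Python sketch that turns the nine shadow fields listed in post #4 into calendar dates, using the sample entry quoted there. Field 7 is interpreted as that post describes it; the function names and status labels are illustrative, and treating a last-changed value of 0 as a forced change at next login and empty fields as unset are assumptions of this example.

```python
from datetime import date, timedelta

EPOCH = date(1970, 1, 1)
FIELDS = ("user", "hash", "lastchg", "min", "max", "warn",
          "inactive", "expire", "reserved")
SAMPLE = "spurious:<Encrypted String>:12351:1:120:21:7:14974:"  # entry from post #4

def parse_shadow(line):
    """Split one shadow line into the nine fields listed in the post."""
    parts = line.rstrip("\n").split(":")
    if len(parts) != len(FIELDS):
        raise ValueError("expected 9 colon-separated fields, got %d" % len(parts))
    rec = dict(zip(FIELDS, parts))
    for key in FIELDS[2:8]:          # numeric fields; empty means "not set"
        rec[key] = int(rec[key]) if rec[key] else None
    return rec

def to_date(days):
    return None if days is None else EPOCH + timedelta(days=days)

def aging_dates(rec):
    """Convert the day counts to dates; None where aging is not configured."""
    last, mx, idle = rec["lastchg"], rec["max"], rec["inactive"]
    aged = last is not None and mx is not None and mx >= 0
    must = last + mx if aged else None
    return {
        "last_changed": to_date(last),
        "may_change_from": to_date(last + (rec["min"] or 0)) if last is not None else None,
        "must_change_by": to_date(must),
        "warn_from": to_date(must - (rec["warn"] or 0)) if aged else None,
        # Field 7 as described in the post: days after expiry until inactive.
        "inactive_on": to_date(must + idle) if aged and idle is not None else None,
        "account_expires": to_date(rec["expire"]),
    }

def status(rec, today):
    """Classify an entry on a given day, most severe condition first."""
    d = aging_dates(rec)
    if d["account_expires"] and today > d["account_expires"]:
        return "account expired"
    if rec["lastchg"] == 0:
        return "change forced at next login"
    if d["must_change_by"] is None:
        return "no aging"
    if d["inactive_on"] and today > d["inactive_on"]:
        return "inactive"
    if today > d["must_change_by"]:
        return "password expired"
    return "warning" if today >= d["warn_from"] else "ok"
```

Run over a copy of the shadow file, `status()` gives a quick audit of which accounts, root included, have no aging set or are already past their change date.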