Hi Rudolf,
Rudolf Kutina wrote:
> Hi Dave, Dan and Jan,
>
> I recently used both DC and AI 200906 versions and here are some of my
> security related concerns:
>
> 1. I saw in both AI and DC processes that old style UNIX crypt
> passwords are used:
>
> <propval name="username" type="astring" value="jack"/>
> <propval name="userpass" type="astring" value="9Nd/cwBcNWFZg"/>
> <propval name="description" type="astring" value="default_user"/>
>
> This is against the info in these bug ids:
>
> 4246 The user and root password are not encrypted in SC manifest
> http://defect.opensolaris.org/bz/show_bug.cgi?id=4246
>
> OpenSolaris should use SHA256 password Hashing
> http://defect.opensolaris.org/bz/show_bug.cgi?id=178
> In it is:
>
> Users provisioned by the distro-construction process (the 'root',
> and 'jack' users) will have SHA256 hashed passwords.

Looking at the AI default manifest, SHA256 is used only for the root password, not for jack's one - I assume it was likely an oversight when fixing 4246.

> 3174 Only 8 character of the password are checked
> http://defect.opensolaris.org/bz/show_bug.cgi?id=3173

From the crypt(3C) and shadow(4) man pages, AI should be able to use any algorithm defined in crypt.conf(4) - the shadow(4) man page states:

...
The encrypted password consists of at most CRYPT_MAXCIPHERTEXTLEN characters chosen from a 64-character alphabet (., /, 0-9, A-Z, a-z). Two additional special characters, "$" and ",", can also be used and are defined in crypt(3C). To update this file, use the passwd(1), useradd(1M), usermod(1M), or userdel(1M) commands.
...

And from the crypt(3C) man page:

...
If the first character of salt is "$", crypt() uses crypt.conf(4) to determine which shared module to load for the encryption algorithm. The algorithm name crypt() uses to search in crypt.conf is the string between the first and second "$", or between the first "$" and first "," if a "," comes before the second "$".

If the first character of salt is not "$", the algorithm described on crypt_unix(5) is used.
...

> 2. In the AI docs it is stated just to copy the encrypted password from shadow
>
> http://www.opensolaris.org/os/project/caiman/files/AIinstall2.pdf
>
> In these docs it is not stated to use OpenSolaris 200811 or later with
> sha256 password or to check by $N$ if you have the right strong password.
>
> Also, changing the password on next boot is not forced, so old style
> passwords will not be updated to the system default setting.
>
> "12. How do I Generate Encrypted Passwords?
>
> One method of generating encrypted passwords for the OpenSolaris OS is
> to create a user of the intended name and password on the OpenSolaris OS,
> copy the password from the /etc/shadow file between the 1st and 2nd
> colons of the user's record"
>
> PS: The section says "One method", which looks like an incomplete section when
> there are other methods scripted from the docs?

I agree with you that from the current wording it might be inferred that more than one method is available, even if there is currently only one captured in the doc (as far as I am aware of) - could you please file a bug against the documentation for this?

> 3. It would be ideal to port or make a tool like 'mkpasswd' in Linux, where
> you can choose what type of password to generate regardless of the actual system
> setting, see:
>
> mkpasswd - Overfeatured front end to crypt(3)
> http://itupstart.com/home/node/48

It would be nice to have such a tool in order to provide the user with a better user experience - I am not sure if an appropriate RFE exists - if not, I could file one.

Thank you,
Jan
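The two checks the thread circles around, "which algorithm does a given userpass hash select under the crypt(3C) salt rule" and "can I generate a $5$ hash without copying one out of /etc/shadow", can be scripted. The following is an added example written for this page; it is not code from the thread, from the Caiman project, or from OpenSolaris. It implements the crypt(3C) algorithm-name rule quoted above (text between the first and second "$", or before the first "," if that comes first; no leading "$" means crypt_unix(5)), scans an SC-manifest fragment for userpass propvals and flags the ones that are not SHA-256 or SHA-512, and generates "$5$" hashes using the public SHA-crypt specification that crypt_sha256(5) implements. Assumptions, marked in the code: the sample manifest fragment is constructed for the example and only reuses the jack propval quoted above, username and userpass are taken to be sibling propvals as in that quote, the crypt.conf(4) name-to-module table is the one the author recalls for OpenSolaris 2009.06, and the SHA-crypt reference vector used as the root hash is the one from the public specification.

```python
"""Check SC-manifest password hashes and generate $5$ (SHA-256 crypt) hashes.

Added example for the caiman-discuss thread; not part of OpenSolaris/Caiman.
"""
import hashlib
import secrets
import xml.etree.ElementTree as ET

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

# Assumed crypt.conf(4) entries for OpenSolaris 2009.06 (from memory, not from the page).
CRYPT_CONF = {"1": "crypt_bsdmd5", "2a": "crypt_bsdbf", "md5": "crypt_sunmd5",
              "5": "crypt_sha256", "6": "crypt_sha512"}


def crypt_algorithm(hashed):
    """Apply the crypt(3C) rule to a shadow(4)/manifest hash and return the algorithm name.

    No leading '$' -> 'crypt_unix' (traditional DES, only 8 password chars significant).
    Otherwise the name is everything after the first '$' up to the next '$' or ','.
    """
    if not hashed.startswith("$"):
        return "crypt_unix"
    return hashed[1:].split("$", 1)[0].split(",", 1)[0]


def check_manifest(xml_text, acceptable=("5", "6")):
    """Return {username: (algorithm_name, is_acceptable)} for every userpass propval.

    Assumption: username and userpass are sibling <propval>s, as in the quoted manifest.
    """
    findings = {}
    for parent in ET.fromstring(xml_text).iter():
        props = {c.get("name"): c.get("value") for c in parent if c.tag == "propval"}
        if "userpass" in props:
            alg = crypt_algorithm(props["userpass"])
            findings[props.get("username", "?")] = (alg, alg in acceptable)
    return findings


def sha256_crypt(password, salt, rounds=None):
    """SHA-crypt with SHA-256 ($5$), per the public specification (Drepper, 2007)."""
    key, salt_b = password.encode(), salt.encode()[:16]          # salt capped at 16 bytes
    n_rounds = 5000 if rounds is None else max(1000, min(rounds, 999_999_999))
    h = hashlib.sha256
    b = h(key + salt_b + key).digest()                           # digest B
    a_in = key + salt_b + b * (len(key) // 32) + b[: len(key) % 32]
    n = len(key)                                                 # one B or key per key-length bit
    while n:
        a_in += b if n & 1 else key
        n >>= 1
    a = h(a_in).digest()                                         # digest A
    p = (h(key * len(key)).digest() * (len(key) // 32 + 1))[: len(key)]      # P bytes
    s = (h(salt_b * (16 + a[0])).digest() * (len(salt_b) // 32 + 1))[: len(salt_b)]  # S bytes
    c = a
    for i in range(n_rounds):                                    # cost loop
        blk = (p if i & 1 else c) + (s if i % 3 else b"") + (p if i % 7 else b"") + (c if i & 1 else p)
        c = h(blk).digest()
    order = [(0, 10, 20), (21, 1, 11), (12, 22, 2), (3, 13, 23), (24, 4, 14),
             (15, 25, 5), (6, 16, 26), (27, 7, 17), (18, 28, 8), (9, 19, 29)]
    out = []
    for b2, b1, b0 in order:                                     # spec's byte-shuffled base64
        w = (c[b2] << 16) | (c[b1] << 8) | c[b0]
        for _ in range(4):
            out.append(ITOA64[w & 0x3F])
            w >>= 6
    w = (c[31] << 8) | c[30]
    for _ in range(3):
        out.append(ITOA64[w & 0x3F])
        w >>= 6
    prefix = "$5$" if rounds is None else f"$5$rounds={n_rounds}$"
    return prefix + salt_b.decode() + "$" + "".join(out)


def generate_userpass(password, salt_len=16):
    """mkpasswd-style helper: fresh random salt, $5$ hash, ready for a userpass propval."""
    salt = "".join(secrets.choice(ITOA64) for _ in range(salt_len))
    return sha256_crypt(password, salt)


# Constructed manifest fragment: jack's propval is the one quoted in the thread; the root
# hash is the SHA-crypt specification's reference vector for "Hello world!"/"saltstring".
SAMPLE_MANIFEST = """<service_bundle type="profile" name="constructed-example">
  <property_group name="jack" type="application">
    <propval name="username" type="astring" value="jack"/>
    <propval name="userpass" type="astring" value="9Nd/cwBcNWFZg"/>
  </property_group>
  <property_group name="root" type="application">
    <propval name="username" type="astring" value="root"/>
    <propval name="userpass" type="astring" value="$5$saltstring$5B8vYYiY.CVt1RlTTf8KbXBH3hsxY/GNooZaBBGWEc5"/>
  </property_group>
</service_bundle>
"""

if __name__ == "__main__":
    for user, (alg, ok) in check_manifest(SAMPLE_MANIFEST).items():
        print(f"{user}: {alg} ({CRYPT_CONF.get(alg, alg)}) {'ok' if ok else 'WEAK'}")
    print("new jack userpass:", generate_userpass("jack"))
```

Run as a script it reports jack's DES hash as crypt_unix (weak) and root's as crypt_sha256, then prints a fresh "$5$" hash that can be pasted into the userpass propval. The generated hash is only as good as the manifest's confidentiality; a salted SHA-256 hash in a world-readable manifest still faces an offline guessing attack, which is why the thread's point about forcing a password change on first boot stands regardless of the algorithm.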