> The pam_authtok_check module has the ability to enforce much stronger
> rules than the current default OpenSolaris configuration.

        How do these changes align with what SST (née JASS) does?

> This case proposes to update the default password checking rules to
> enforce stronger rules by default.  Specifically the following changes:
> 
> 1) Password history will now be on by default and set with a low number
>     of saved passwords by default - we don't want to be too annoying.
>          /etc/default/passwd:HISTORY=2

        I presume there will be no updates to the implementation by
        this case.  It should be noted that history only applies
        to the files repository.  It would be good to apply to all
        repositories.  That would be a much larger project than
        just changing one line in /etc/default/passwd.  Duckwater
        should make it less of a project, but still more than a
        configuration change.

> 4) The default crypt algorithm changes from __unix__ to sha256
>          /etc/security/policy.conf:CRYPT_DEFAULT=5

        How about also changing CRYPT_ALGORITHMS_DEPRECATE to read:
        CRYPT_ALGORITHMS_DEPRECATE=__unix__

        Will the CRYPT_DEFAULT=5 also apply to root during install?
        I hope the installer is now using crypt(3C) and getpassphrase().
        There was a time that it had its own builtin unix crypt %^{

Darrenm says:
> Sharon Veach wrote:
> > I'm thinking of the Solaris Management Console, the required 
> > administrative tool for a network
> > of Solaris Trusted Extensions systems.  -- Sharon
> 
> That is a known bug that it doesn't call crypt(3C) directly and attempts 
> to do it on its own.  I believe a fix is in development - if not then it 
> will be a requirement of this case to fix it.

        P2/S2 4760846 smc and the enhanced crypt(3c) seem to be incompatible

        If you wait for it to be fixed, this case will never integrate
        until SMC is removed from all distributions of Solaris.
        Is this project team stepping up to fix it?  If so -- yaaaaaa,
        otherwise, NO ONE cares if this is fixed.  9 escalations and 25
        call records can't get management's attention.
        I, for one, am willing to force the situation.

Gary..

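The three settings argued over above (HISTORY in /etc/default/passwd, CRYPT_DEFAULT and CRYPT_ALGORITHMS_DEPRECATE in /etc/security/policy.conf) and the point about tools that bypass crypt(3C) can be checked mechanically. The script below is an added example and is not part of the ARC case, the thread, or any Solaris deliverable. The "before" and "after" config fragments, the shadow-style lines and the hash strings in it are constructed samples (the hashes are placeholders, not real credentials); it assumes only the key names and algorithm identifiers that the thread itself names (__unix__, 5 for crypt_sha256) and the format conventions of crypt(3C) output (a "$id$" prefix for modular algorithms, a bare 13-character string for traditional unix crypt).

```python
"""Audit the password-policy settings discussed in the thread.

Added example, not code from the ARC case or the mailing-list post.
Config fragments and shadow lines below are constructed samples; on a
real system the inputs are /etc/default/passwd, /etc/security/policy.conf
and /etc/shadow.
"""
import re

# Constructed "before" fragments: the pre-case defaults as the thread
# describes them (no history, __unix__ as the default crypt algorithm).
WEAK_PASSWD_DEFAULTS = """\
# /etc/default/passwd (constructed sample)
PASSLENGTH=6
#HISTORY=0
"""
WEAK_POLICY_CONF = """\
# /etc/security/policy.conf (constructed sample)
CRYPT_ALGORITHMS_ALLOW=1,2a,md5,5,6
CRYPT_DEFAULT=__unix__
"""

# Constructed "after" fragments: the case's proposed values plus the
# suggestion from the thread to deprecate __unix__ so old hashes migrate.
STRONG_PASSWD_DEFAULTS = """\
# /etc/default/passwd (constructed sample)
PASSLENGTH=6
HISTORY=2
"""
STRONG_POLICY_CONF = """\
# /etc/security/policy.conf (constructed sample)
CRYPT_ALGORITHMS_ALLOW=1,2a,md5,5,6
CRYPT_ALGORITHMS_DEPRECATE=__unix__
CRYPT_DEFAULT=5
"""


def parse_kv(text):
    """Parse KEY=VALUE lines; '#' comments and blank lines are ignored,
    so a commented-out 'HISTORY=0' yields no HISTORY key at all."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            settings[key.strip()] = value.strip()
    return settings


def audit_policy(passwd_defaults, policy_conf):
    """Return findings for the three checks from the thread; an empty
    list means history is on, the default algorithm is not __unix__,
    and __unix__ is deprecated so existing hashes get re-encoded."""
    pw = parse_kv(passwd_defaults)
    pol = parse_kv(policy_conf)
    findings = []
    history = pw.get("HISTORY", "0")
    if not history.isdigit() or int(history) < 1:
        findings.append("HISTORY unset or 0: password reuse is not prevented")
    if pol.get("CRYPT_DEFAULT", "__unix__") == "__unix__":
        findings.append("CRYPT_DEFAULT=__unix__: new passwords use traditional crypt")
    deprecated = [a for a in pol.get("CRYPT_ALGORITHMS_DEPRECATE", "").split(",") if a]
    if "__unix__" not in deprecated:
        findings.append("__unix__ not in CRYPT_ALGORITHMS_DEPRECATE: old hashes never upgrade")
    return findings


# Traditional unix crypt output: 13 characters from the crypt alphabet.
_UNIX_CRYPT = re.compile(r"^[./0-9A-Za-z]{13}$")


def hash_algorithm(hashed):
    """Identify the crypt(3C) algorithm from the hash format. A tool that
    rolls its own unix crypt instead of calling crypt(3C) (the SMC bug in
    the thread) keeps producing 13-character hashes whatever CRYPT_DEFAULT
    says, so this is the check that catches such accounts."""
    if hashed.startswith("$"):
        return hashed.split("$")[1]          # modular format: $5$salt$hash
    if _UNIX_CRYPT.match(hashed):
        return "__unix__"
    return "unknown"                         # locked (*LK*), NP, empty, ...


# Constructed shadow(4)-style lines with placeholder hashes.
SAMPLE_SHADOW = [
    "root:9ESfLaP0ZOcSo:12345::::::",                  # 13-char unix crypt
    "alice:$5$ZxYwVu1.$placeholder.sha256.hash:12345::::::",
    "bob:$md5$rounds=4096$placeholder$md5hash:12345::::::",
    "daemon:NP:12345::::::",
    "nobody:*LK*:12345::::::",
]


def accounts_still_on_unix_crypt(shadow_lines):
    """Names of accounts whose stored hash is still traditional crypt."""
    return [line.split(":")[0] for line in shadow_lines
            if hash_algorithm(line.split(":")[1]) == "__unix__"]


if __name__ == "__main__":
    print("weak config:", audit_policy(WEAK_PASSWD_DEFAULTS, WEAK_POLICY_CONF))
    print("strong config:", audit_policy(STRONG_PASSWD_DEFAULTS, STRONG_POLICY_CONF))
    print("still on __unix__:", accounts_still_on_unix_crypt(SAMPLE_SHADOW))
```

Running it against the constructed "before" fragments reports all three findings and an empty list for the "after" fragments; the shadow scan lists only root, which is the case Gary raises about the installer: a root password set by a tool that does its own crypt stays on 13-character unix crypt until it is changed through crypt(3C) with __unix__ deprecated.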