Enforcing password policy on Solaris 8/9

BoraBaysal

Nov 12, 2005, 7:31:29 AM
Hi,

We're looking at the possibilities to implement our "Authentication and
Password Policy" on Solaris systems. We have mainly Solaris 8 systems
much more than Solaris 9 systems.

My question is if it is possible to implement such policy stated below:

--
Passwords that validate a candidate username's access to <ourCompany>
systems shall be at a minimum six characters in length for functional
users, 8 characters for administrators. Passwords shall include at
least two alphabetic, one numeric or special character (e.g., an
asterisk or a dash), and may contain at least one upper case and one
lower case character. Systems shall prohibit the use of simpler
passwords.
--

I wonder if anyone has experience with this kind of implementation on
Solaris 8/9 systems. If yes, would you recommend a local solution (via
PAM modules) or Identity Management (i.e. LDAP authentication) usage?

Thanks in advance,

-Bora
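
The policy quoted in the post above, written out as the kind of check function a local password-change hook would call. This is an added example, not code from the thread or from any tool named in it; the function name, result codes and `is_admin` flag are assumptions, and the optional mixed-case clause is not enforced.

```c
#include <ctype.h>
#include <stddef.h>

/* Result codes (names are assumptions made for this example). */
enum pw_result {
    PW_OK = 0,
    PW_TOO_SHORT,      /* under 6 chars (user) or 8 chars (administrator) */
    PW_FEW_ALPHA,      /* fewer than two alphabetic characters */
    PW_NO_NUM_SPECIAL  /* no digit and no special character */
};

/*
 * Check a candidate password against the policy quoted in the thread.
 * is_admin selects the 8-character minimum instead of 6.
 * The "may contain upper and lower case" clause is optional in the
 * policy text, so it is not enforced here.
 */
enum pw_result check_policy(const char *pw, int is_admin)
{
    size_t len = 0, alpha = 0, num_special = 0;
    size_t min_len = is_admin ? 8 : 6;
    const unsigned char *p;

    if (pw == NULL)
        return PW_TOO_SHORT;

    /* Cast to unsigned char: passing a negative char to the ctype
     * functions is undefined behaviour. */
    for (p = (const unsigned char *)pw; *p != '\0'; p++) {
        len++;
        if (isalpha(*p))
            alpha++;
        else if (isdigit(*p) || ispunct(*p))
            num_special++;
    }

    if (len < min_len)
        return PW_TOO_SHORT;
    if (alpha < 2)
        return PW_FEW_ALPHA;
    if (num_special < 1)
        return PW_NO_NUM_SPECIAL;
    return PW_OK;
}
```

Returning a distinct code per failed rule lets the caller tell the user which part of the policy the candidate password missed.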

gmb...@gmail.com

Nov 13, 2005, 3:49:23 AM
Message has been deleted

BoraBaysal

Nov 13, 2005, 2:04:36 PM
Yes, I've heard of npasswd but couldn't see SSH in the docs. I believe it's
not supported.

-Bora

Jonathan Abbey

Nov 15, 2005, 6:29:57 PM
In article <1131908675....@g14g2000cwa.googlegroups.com>,

All npasswd does is check the quality of passwords for you when your
users change their passwords. This checking can certainly work in the
context of SSH use.

The real question is, 'where are your passwords stored'? npasswd
comes with support for /etc/passwd, /etc/shadow, and NIS use, as I
understand it. It does not support NIS+, and it won't support LDAP
out-of-the-box.

On the other hand, npasswd does come with the support necessary to use
it as a library. We have incorporated npasswd password checking into
our network information management system here
(http://www.arlut.utexas.edu/gash2/), and it does very well for us in
checking password quality, tracking attempts at password re-use, etc.

We depend on our Ganymede software to get the passwords where we need
them to go (NIS, Active Directory, RADIUS, tacacs+, etc.),
however. npasswd doesn't do any of that.

Jon

--
-------------------------------------------------------------------------------
Jonathan Abbey jona...@arlut.utexas.edu
Applied Research Laboratories The University of Texas at Austin
GPG Key: 71767586 at keyserver pgp.mit.edu, http://www.ganymeta.org/workkey.gpg

BoraBaysal

Nov 16, 2005, 6:40:59 AM
Thanks for the reply.

All we need to check is password quality checking on UNIX systems
(mainly Solaris 8/9 boxes and some Tru64 & HP-UX boxes) for now.

We also have a Novell IDM (Identity Mgmt) project in progress in
order to manage all identities enterprise-wide. It's a long process and
before integrating UNIX identities into IDM, we're trying to find a
quick way to implement just password quality checking on UNIX boxes
which would conform to the policy the IS department wants from us.

I believe npasswd would do the job.

-Bora

Jonathan Abbey

Nov 16, 2005, 6:36:10 PM
In article <1132141259....@g14g2000cwa.googlegroups.com>,

npasswd works quite well, but be warned that it is actually pretty
ruthless about password quality checking. Lots of our users have
complained about how anal it is.

Jon

| -Bora
