SUMMARY: Password Composition/Complexity and Auto-lockout

From: Faulconer, Steven M. <STEVEN.M.FAULCONER_at_saic.com>
Date: Thu Mar 27 2003 - 08:00:59 EST
+++++++++++++++++++++++++++++++++++++++++
Solution:
+++++++++++++++++++++++++++++++++++++++++

Several options to investigate that I had not found previously. No solid
solution as yet.

+++++++++++++++++++++++++++++++++++++++++
Responses:
+++++++++++++++++++++++++++++++++++++++++

----------------------------------------------------------------------------
Dirk the Daring (dirk@psicorps.org)
----------------------------------------------------------------------------
Have you considered implementing something like Novell Directory
Services (NDS)? It runs natively on Solaris, uses the PAM interface, and
would offer you the degree of control RE: lockouts that you're looking
for. It also runs on Windows in conjunction with Novell Account Manager.

Anyway, NDS runs quite nicely on Solaris - v2.6 thru v2.9, as I recall.
You can place an NDS replica on the Solaris box, and a NetWare box is
*not* required to administrate the environment. The administration tool,
ConsoleOne, is written in Java. NDS also runs natively on W2K - I hope you
don't expect Micro$oft to ever put ActiveDirectory on Solaris.

----------------------------------------------------------------------------
Debbie Tropiano (debbiet@arlut.utexas.edu)
----------------------------------------------------------------------------
You might want to look at SEAM (Sun's implementation of MIT Kerberos).
It does quite a bit more than what you're looking for.  It's standard
with Solaris 9 and can be added to Solaris 8 (altho' I've forgotten now
where I got the packages -- possibly on one of the installation CDs).

----------------------------------------------------------------------------
Glenn Harrison (glennharrison@amcorp.com.au)
----------------------------------------------------------------------------
Well, part 1 I can answer I think. pam_passwdqc should plug into the
existing PAM setup on Solaris 8/9 to give you configurable password
complexity.
<http://www.openwall.com/passwdqc/> 
As for the timed password lockout stuff, sorry, I haven't seen anything
about that around the place. 

----------------------------------------------------------------------------
Martin Hepworth (martinh@solid-state-logic.com)
----------------------------------------------------------------------------
There's a free version of passwd that has rules with it. Also the Sun
version of passwd can do a lot of this - see the Solaris FAQ.

If you want a commercial variant see Keon Unix Security from tfstech.com

+++++++++++++++++++++++++++++++++++++++++
Original Questions:
+++++++++++++++++++++++++++++++++++++++++

Has anyone found any methods to enforce password composition/complexity in a
Solaris environment? We are using versions 2.6 through 9, though will be
moving to 8 and 9 only in the near future (software requirements force us to
maintain a maximum of Solaris 8). By composition / complexity, I mean things
like forcing upper and lower case, use of numeric/symbol characters, and
possibly a method to do a dictionary check on the password. The dictionary
check would be nice to ensure that the password, or any part of the
password, is not a common English word, and is optional to my needs, but
would be a bonus.

My other query is about auto-lockouts after a number of invalid login
attempts. I know about the /etc/default/login, but that doesn't really suit
my needs. I'd like it so that if there are three bad password attempts on a
given account within a given, arbitrary, amount of time, the account is
locked from further use until administrator intervention. This can be done
in Windows NT/2000 (sorry for mentioning the 'W' word), so I hope there is a
method to do this in Solaris as well. We are currently using static
passwd/shadow files on each system, though we are working on migrating to
LDAP for authentication across Windows and Solaris to get a single
username/password-type setup.
Received on Thu Mar 27 08:05:19 2003
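
The lockout rule described in the original question (three bad password
attempts on one account within a set time, then locked until an administrator
intervenes), as an added example in Python that is not part of the original
post or of any Solaris tool. The class and function names, the 15-minute
window and the event format are assumptions, and the login events are
constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events, in time order: (timestamp, account, outcome).
SAMPLE_EVENTS = [
    ("2003-03-27 08:00:00", "alice", "fail"),
    ("2003-03-27 08:00:30", "bob", "fail"),
    ("2003-03-27 08:05:00", "alice", "fail"),
    ("2003-03-27 08:10:00", "alice", "fail"),   # third failure inside 15 minutes
    ("2003-03-27 08:11:00", "alice", "ok"),     # correct password, already locked
    ("2003-03-27 08:20:30", "bob", "fail"),
    ("2003-03-27 08:40:30", "bob", "fail"),     # three failures, but spread out
]

class LockoutTracker:
    """Lock an account after max_failures bad attempts inside a sliding window."""

    def __init__(self, max_failures=3, window=timedelta(minutes=15)):
        self.max_failures = max_failures
        self.window = window
        self.failures = defaultdict(deque)   # account -> recent failure times
        self.locked = {}                     # account -> time the lock was set

    def record(self, when, account, outcome):
        """Process one attempt; return True only if the login is accepted."""
        if account in self.locked:
            return False                     # stays locked until admin_unlock()
        if outcome == "ok":
            return True                      # assumption: success keeps the history
        recent = self.failures[account]
        recent.append(when)
        while when - recent[0] > self.window:
            recent.popleft()                 # forget failures older than the window
        if len(recent) >= self.max_failures:
            self.locked[account] = when
        return False

    def admin_unlock(self, account):
        """Administrator intervention: clear the lock and the failure history."""
        self.locked.pop(account, None)
        self.failures.pop(account, None)

def replay(events, **policy):
    """Feed (timestamp, account, outcome) tuples through a fresh tracker."""
    tracker = LockoutTracker(**policy)
    for stamp, account, outcome in events:
        when = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")
        tracker.record(when, account, outcome)
    return tracker
```

With the default policy only alice ends up locked; widening the window to one
hour also locks bob.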