May 27, 2009, 7:23 PM — On older Solaris systems, you would only see a few tunable parameters for controlling passwords. MINWEEKS determined the number of weeks that a user was required to keep his password. MAXWEEKS determined how many weeks could go by before he was forced to change it. And PASSLENGTH, of course, determined the minimum number of characters a password had to have to be accepted by the system. These settings limited the time that a user could keep a password and potentially kept him from changing his password on expiration and immediately changing it back to its original setting.
These settings are stored in several fields of the /etc/shadow file. The record below, for example, shows a password which just recently expired. It was last changed a little over a month ago (date), but was set to expire after 28 days (max). The user was prevented from changing his password within two weeks of setting it (min).
shs:K6be11OCyAwAY:14355:14:28:::: ^ ^ ^ | | | date min max
These settings might look like this in the /etc/default/passwd file:
MAXWEEKS=4 MINWEEKS=2 PASSLENGTH=6
Beyond this, the passwd command required that users include at least two letters and at least one number of special character. If a user trying to change his password didn't follow these rules, he would see a message such as this one:
passwd: The first 6 characters of the password must contain at least two alphabetic characters and at least one numeric or special character.
Solaris 10 offers a suite of settings that provide a lot more control over users' password choices. These settings, stored in the /etc/default/passwd file, allow you to your own rules.
On installation, the /etc/default/passwd file on a Solaris 10 system will have this group of settings all commented out.
These settings give you a lot of control over how passwords are set. The fields are used like this:
MINDIFF - Defines the minimum number of differences required between old and new passwords. If not set, it defaults to 3.
MINALPHA - Defines the minimum number of alphabetic characters. If not set, it defaults to 2.
MINNONALPHA - Defines the minimum number of non-alphabetic characters. In other words, digits and special characters. The default is one.
MINUPPER and MINLOWER - Define the minimum number of uppercase and lowercase characters required. Both default to 0. In other words, we might still require letters, but their case is not evaluated unless one of these settings is used.
MAXREPEATS - Determines the number of times you can consecutively use the same character (e.g., 111 or xxx). This is not checked by default.
MINDIGIT - Determines how many digits are required. If not set, no digits are required. However, we still likely have a MINNONALPHA setting, so one digit or one special character is likely required.
MINSPECIAL - In similar manner to MINDIGIT, MINSPECIAL determines how many special characters are needed and defaults to none.
WHITESPACE - Determines whether whitespace characters (blanks and tabs) are allowed.
We still have the MAXWEEKS and MINWEEKS settings and also the PASSLENGTH that earlier versions of Solaris include.
The Solaris 10 /etc/default/passwd file also contains a setting for NAMECHECK. This is the setting that allows or disallows passwords which are the same as or a circular shift of the username. This is not new, you say? Ah, yes, you're right. What is new is that this allows you to turn this checking off. Not that you'd want to, but you can if you are so inclined.
There's also a WARNWEEKS setting that can be used to determine when a user will be warned about when his password will expire. You might, for example, want to warn him a week or two ahead of time.
The other new and interesting setting is one called HISTORY. This setting allows you to prevent the user from repeating passwords. You set a depth, say 8, which would mean that the system would "remember" the user's last eight passwords and would not allow a new password to be a repeat of any in this set. The passwords themselves are kept in hash form in a file called /etc/security/passhistory. It might look something like this:
Now, how clever is that? Maybe we'll finally outsmart our more stubborn users.