User's Manual
 Solaris 9 Security CX-310-301    51   
Another aspect of password aging is to be able to control how frequently a user may change their own password. One popular scenario is to make a user change the password, only for the user to immediately change it back. For this reason, an option to specify the minimum number of days before a password can be changed is implemented with Solaris 9, as is the number of days’ warning a user receives before a password change is required.
The example below shows the command to implement password aging for the user account temptest, so that the password must be changed every 90 days, the user can’t change it again for 30 days and will receive a warning each day for 10 days prior to the password needing to be changed:
# passwd -x 90 -n 30 -w 10 temptest
The password aging information is stored in the /etc/shadow file with the details for each user account. 
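The aging values set with passwd -n, -x and -w end up as the min, max and warn fields of each /etc/shadow entry, so a script can check them against a site policy. The following audit script is an added example, not part of this manual; it uses the shadow(4) field order (name:passwd:lastchg:min:max:warn:inactive:expire:flag, with lastchg counted in days since 1 January 1970), the 90/30/10 policy from the passwd example above, and a few constructed shadow lines in place of a real file.

```python
"""Audit Solaris /etc/shadow password-aging fields against a site policy.
shadow(4) layout: name:passwd:lastchg:min:max:warn:inactive:expire:flag
lastchg = day the password was last changed (days since 1970-01-01);
min/max/warn are the values set with passwd -n / -x / -w."""

# Site policy taken from the passwd -x 90 -n 30 -w 10 example in the text
POLICY_MAX_DAYS, POLICY_MIN_DAYS, POLICY_WARN_DAYS = 90, 30, 10

# Constructed sample lines, not a real shadow file; hashes are placeholders.
SAMPLE_SHADOW = """\
root:HASH_REDACTED:11990::::::
temptest:HASH_REDACTED:11950:30:90:10:::
stale:HASH_REDACTED:11800:30:90:10:::
noage:HASH_REDACTED:11900::::::
weird:HASH_REDACTED:11990:90:30:10:::
lockedout:*LK*:11900:30:90:10:::
"""


def _days(field):
    """Empty aging fields mean 'not set'; return None for those."""
    return int(field) if field.strip() else None


def audit_shadow(text, today):
    """Return (user, issue) pairs for aging-policy violations; today = days since 1970-01-01."""
    findings = []
    for raw in text.splitlines():
        if not raw or raw.startswith("#"):
            continue
        f = raw.split(":")
        if len(f) < 9:
            findings.append((f[0], "malformed line"))
            continue
        user, pw = f[0], f[1]
        lastchg, min_d, max_d, warn_d = (_days(x) for x in f[2:6])
        if pw.startswith("*LK*"):
            continue  # locked account: password login already impossible
        if max_d is None:
            findings.append((user, "no maximum age set, password never expires"))
            continue  # the remaining checks all depend on a maximum
        if max_d > POLICY_MAX_DAYS:
            findings.append((user, f"max age {max_d} exceeds policy {POLICY_MAX_DAYS}"))
        if min_d is None or min_d < POLICY_MIN_DAYS:
            findings.append((user, "min age below policy, password can be changed straight back"))
        if warn_d is None or warn_d < POLICY_WARN_DAYS:
            findings.append((user, "warning period below policy"))
        if min_d is not None and min_d > max_d:
            findings.append((user, "min age exceeds max age, only root can change this password"))
        if lastchg is not None and today - lastchg > max_d:
            findings.append((user, f"password expired {today - lastchg - max_d} days ago"))
    return findings
```

On a live system, pass the contents of /etc/shadow (readable only by root) and int(time.time() // 86400) as today.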
Password Cracking Tools 
There are many password cracking tools available that can easily be downloaded and installed. The system administrator should make use of these tools periodically, with the knowledge of management and users, to test the integrity of passwords. If the system administrator can break the passwords with these tools, then an attacker certainly can too – but the administrator can address weak passwords by locking the affected account until a new password is chosen by the user.
It should be noted that these tools are of limited use to the attacker as it is necessary to have access to the /etc/shadow file where the encrypted passwords are stored for each user.
TIP: If you are running NIS, then the passwd map contains the details from both the /etc/passwd file and the /etc/shadow file, a well known vulnerability with NIS.
The two most popular password cracking utilities are John The Ripper and Crack. You can obtain these from:
• John The Ripper – http://www.sunfreeware.com
• Crack – ftp://ftp.cerias.purdue.edu/pub/tools/unix/pwdutils/crack/
For this example, use John The Ripper and follow these steps:
• Download the package from www.sunfreeware.com
• Unpack the package using gzip
• Install the package using pkgadd
• John is installed by default into /usr/local/run, so go to this directory and prepare the password file by running
# ./unshadow /etc/passwd /etc/shadow > passwd.guess