How do you enforce specific password syntax rules?

Hi Guys,

I'm setting up iPlanet Directory Server 5.1.3 and I need to configure it to enforce a password rule which says that you must have at least one letter and one number in your password. I've searched the documentation and googled the heck out of it, but I can't seem to find any reference as to how to do that. Does anybody have any info on if this is possible and where I might look for some info on how to do it?

Thanks,

Mike

[517 byte] By [] at [2007-11-25 22:41:21]
# 1

I was hoping someone else would answer this one, with some help for this guy.

But I guess the answer's therefore the same as I thought: you can't, out of the box.

Password rules are limited to setting the minimum number of characters under Solaris out of the box (/etc/default/*).

The only way to improve on this is to write a custom PAM module to insist on a better password.

There may even be some out there in the public domain; however, I've never come across one.

What you can do, however, is write a script to compare all the people's password encryption strings in /etc/shadow, and if any of them are the same, enforce a password change at next logon. At least then, if everyone is sticking to the obvious stupid ones, like password or me, it will help to eradicate them.

Otherwise, use Crack 5.0 periodically and only run it for a maximum of 24 hours; for any that are discovered, force a password change at login.

Running Crack longer than 24 hours is pointless, as on modern hardware all Unix passwords will be discovered eventually.

It does not matter what password storage system you are using, LDAP, NIS, or any other, as the password change is done at the client machine, and it's this machine's rules that dictate how the user will be forced to enter a sensible password.

Regards, Peter

at 2007-7-5 14:18:01 > top of Java-index,General,Sun Networking Services and Protocols...
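The shadow-file comparison Peter describes above, written out as an added example (this is not code from the thread or from any Solaris tool). It parses shadow(4)-format lines, lists accounts with an empty password field, groups accounts whose encrypted strings are identical, and prints the `passwd -f user` commands that expire those passwords on Solaris. One caveat the comments spell out: two identical crypt(3) strings mean identical password and identical salt, so accounts with different salts cannot be compared this way at all, which is exactly why Peter's second suggestion, running Crack, exists. The shadow lines below are constructed for the example and the hash strings are placeholders, not real hashes of any password.

```python
"""Audit /etc/shadow-format entries for shared or missing password hashes.

Added example, not part of the original thread.  The sample lines and hash
strings below are constructed placeholders.
"""
from collections import defaultdict

# Constructed sample in shadow(4) format:
# name:password:lastchg:min:max:warn:inactive:expire:flag
SAMPLE_SHADOW = """\
root:ab1dEfGh2JkLm:13700::::::
mike:ab1dEfGh2JkLm:13700::::::
peter:xyQ9pLm3Nv1Tz:13700::::::
gary:abZZZZZZZZZZZ:13700::::::
bill::13700::::::
nobody:NP:6445::::::
daemon:*LK*:6445::::::
"""


def parse_shadow(text):
    """Yield (user, hash) pairs from shadow-format text, skipping malformed lines."""
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue
        yield fields[0], fields[1]


def is_locked(pw_hash):
    """Solaris markers that are not hashes: *LK* (locked), NP (no password
    login), and the common '*' / '!' lockout prefixes."""
    return pw_hash == "NP" or pw_hash.startswith(("*", "!"))


def salt_of(pw_hash):
    """Return the salt part of a crypt(3) string.

    Traditional DES crypt: the first two characters.  Modular format
    ($id$...$hash, e.g. $1$, $5$, $6$): everything before the last '$'.
    """
    if pw_hash.startswith("$"):
        return pw_hash.rsplit("$", 1)[0]
    return pw_hash[:2]


def audit(text):
    """Return (no_password, shared, comparable_distinct) for shadow-format text.

    no_password: users whose hash field is empty (login with no password).
    shared: {hash: [users]} for strings used by more than one account;
            an identical string means identical salt AND identical password.
    comparable_distinct: {salt: [hashes]} where several accounts share a
            salt but not a hash: those accounts provably differ.  Accounts
            with different salts cannot be compared without re-encrypting
            candidate passwords under each salt, which is what Crack does.
    """
    no_password = []
    by_hash = defaultdict(list)
    by_salt = defaultdict(set)
    for user, pw_hash in parse_shadow(text):
        if pw_hash == "":
            no_password.append(user)
            continue
        if is_locked(pw_hash):
            continue
        by_hash[pw_hash].append(user)
        by_salt[salt_of(pw_hash)].add(pw_hash)
    shared = {h: users for h, users in by_hash.items() if len(users) > 1}
    comparable_distinct = {
        s: sorted(hashes) for s, hashes in by_salt.items() if len(hashes) > 1
    }
    return no_password, shared, comparable_distinct


def users_to_expire(text):
    """Accounts that should be forced to change their password at next login."""
    no_password, shared, _ = audit(text)
    flagged = set(no_password)
    for users in shared.values():
        flagged.update(users)
    return sorted(flagged)


if __name__ == "__main__":
    # Solaris: passwd -f expires the password so the user must change it at login.
    for user in users_to_expire(SAMPLE_SHADOW):
        print(f"passwd -f {user}")
```

Run it against a copy of the real file with `audit(open("/etc/shadow").read())` as root; the printed commands are the ones to run, not ones the script runs for you.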
# 2

Sun ONE DS 5.2 (not sure if DS 5.1 has password policy) has password policy (account management) support, on a global or per-user basis.

Everything you can do with this so-called "password policy" is viewable at "dn: cn=Password Policy,cn=config" (the global one; the format is the same as the per-user one). There is no complicated password character combination/variation check.

To further your security efforts, I think you could use "pam_cracklib" for Solaris; stack it somewhere in /etc/pam.conf. "pam_cracklib" is a standard feature in Linux-PAM.

http://unix.freshmeat.net/projects/pam_cracklib/

Would anyone who has used pam_cracklib for Solaris care to say something?

Gary

# 3
This URL gives some info about pam_cracklib: http://www.deer-run.com/~hal/sysadmin/pam_cracklib.html

Gary
# 4

Thanks Gary, excellent find; I've just installed it on Solaris 10.

Here's what happened when I tried to use the passwords test, then tester, then tester1:

$ passwd
passwd: Changing password for admin
Enter existing login password:
New Password:
passwd: Password too short - must be at least 6 characters.
Please try again
New Password:
passwd: The password must contain at least 1 numeric or special character(s).
Please try again
New Password:
Re-enter new Password:
Your new password was rejected for the following reason:
it is based on a dictionary word
Permission denied

To build, get hold of pam_cracklib.tar.gz from SourceForge, and cracklib,2.7.tar.gz.

First cracklib: change the DICTPATH in the Makefile to /usr/dict/pw_dict

Do:

CC=/opt/sfw/bin/gcc; export CC

and in the utils directory change the Makefile so all the cc's are gcc,

then

make all

Now cd cracklib and cp libcrack.a to /usr/lib and packer.h to /usr/include:

cd to the utils directory and copy all the binaries to /usr/bin:

cp mkdict testlib testnum teststr unpacker /usr/bin

Now move on to the PAM part.

Unpack and cd to pam_cracklib.

Edit the GNUmakefile as follows, or use this GNUmakefile (recipe lines must be indented with a tab):

# !!! Hello !!!
# Make sure you are using GNU Make, and not some cheap imitation.
# !!! Thank you !!!

OS=$(shell uname)
ARCH=$(shell uname -p)

CRACKLIB_TARGET=pam_cracklib.so
DESTDIR=/usr/lib/security
PERMS=0700

PASSWORD_SRCS=pam_password.c
COMMON_SRCS=pam_module.c logging.c util.c
CRACKLIB_SRCS=cracklib.c $(COMMON_SRCS) $(PASSWORD_SRCS)
CRACKLIB_OBJS=$(CRACKLIB_SRCS:.c=.o)

DICTPATH="/usr/dict/pw_dict"

INCL=
LIBS=-lpam
CRACK_LIBS=-lcrack

CC=gcc
CFLAGS=-g -Wall -fPIC -D$(OS) -D$(ARCH)
LD=ld
ifeq ($(OS),SunOS)
LDFLAGS=-G -z redlocsym -L/usr/lib -R/usr/lib
else
LDFLAGS=-x --shared -L/usr/lib -R/usr/lib
endif
RM=rm

FORCE_REBUILD=

password: $(CRACKLIB_TARGET)

# We will use this when cproto(1) stops sucking
# %.h : %.c $(FORCE_REBUILD) # A ".h" file depends on the corresponding ".c" file
#	cproto -E 0 $<

%.o : %.c $(FORCE_REBUILD) # A ".o" file depends on the corresponding ".c" file
	$(CC) $(INCL) $(CFLAGS) -c $< -o $@

% : %.o # override default linking rule just in case
	@echo
	@echo $@ is not a valid target
	@echo

$(CRACKLIB_TARGET) : CFLAGS += -DMODULE_NAME=\"$(CRACKLIB_TARGET)\" -DCRACKLIB_DICTPATH=\"$(DICTPATH)\"
$(CRACKLIB_TARGET) : $(FORCE_REBUILD) $(CRACKLIB_OBJS)
	$(LD) $(LDFLAGS) -o $@ $(CRACKLIB_OBJS) $(LIBS) $(CRACK_LIBS)
	@echo
	@echo $@ built successfully!
	@echo

# Need -O so the inline "stat()" gets compiled, grr
$(DESTDIR)/$(CRACKLIB_TARGET) : $(CRACKLIB_TARGET)
	@echo installing...
	test -d $(DESTDIR) || mkdir -p $(DESTDIR)
	cp $(CRACKLIB_TARGET) $(DESTDIR)
	chown root $(DESTDIR)/$(CRACKLIB_TARGET)
	chgrp root $(DESTDIR)/$(CRACKLIB_TARGET)
	chmod $(PERMS) $(DESTDIR)/$(CRACKLIB_TARGET)

$(FORCE_REBUILD):
	@echo rebuilding...

install: $(DESTDIR)/$(CRACKLIB_TARGET)

rebuild:
	$(MAKE) $(MOREMAKEFLAGS) "FORCE_REBUILD=REBUILD"

clean:
	$(RM) -f $(CRACKLIB_TARGET)
	$(RM) -f $(CRACKLIB_OBJS)
	$(RM) -f '#'*	# editor autosave files; quoted so the shell does not treat # as a comment
	$(RM) -f *~

Now run gmake

and gmake install.

Edit /etc/pam.conf as follows:

95  #
96  other   password required       pam_dhkeys.so.1
97  other   password requisite      pam_authtok_get.so.1
98  other   password requisite      pam_cracklib.so
99  other   password requisite      pam_authtok_check.so.1
100 other   password required       pam_authtok_store.so.1
101 #
102 # Support for Kerberos V5 authentication and example configurations can
103 # be found in the pam_krb5(5) man page under the "EXAMPLES" section.
104 #

This is adding line 98; then save the file.

That's it.

Regards, Peter

# 5

Is there any way to specify another password policy? I accidentally stumbled across the 'cn=Password Policy,cn=config' object today.

Previously I've created a password policy object just below my root branch, and specified to USE this policy in the root branch ('Set Password Policy' on/in my root branch). But I never got it working.

The reason why I want a (number of) specific policies is that below my root branch I have four organizations, and I want the possibility to have different policies for each of them...

# 6

This was very helpful and most appreciated.

It seems to work fine with the default options built into the module; 8 characters, one numeric digit, etc. My problem is that it won't recognize any of the published options: dcredit, ucredit, lcredit, ocredit.

Any ideas on making it accept options?

Or does any one else have other ideas on enforcing password rules.

Thanks!

Bill

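An added example, written for this thread and not the module Peter built, Hal Pomeranz's code, or anything shipped with Solaris: a simplified re-implementation of the kind of checks behind the three rejections in Peter's transcript (#4), which also shows what the dcredit/ucredit/lcredit/ocredit options Bill asks about (#6) mean in Linux-PAM's pam_cracklib. In that module minlen is compared against the password length plus credits: a credit of zero or more is the maximum bonus one character class can earn (one per character of that class), and a negative credit is a hard minimum for that class, which earns no bonus. The rule in the original question, at least one letter and one digit, is `dcredit=-1, lcredit=-1` under this scheme. The word list is constructed for the example; the real module consults the packed cracklib dictionary (/usr/dict/pw_dict in Peter's build), and its mangling rules are broader than the stem function here.

```python
"""Password syntax checks in the style of cracklib / pam_cracklib.

Added example; not the thread's module and not Linux-PAM's code.  The
dictionary below is a constructed stand-in for cracklib's packed word list.
"""
import string

WORDS = {"test", "tester", "password", "admin", "secret", "letmein", "solaris"}

# pam_cracklib option name -> (character class, label used in messages)
CLASSES = {
    "dcredit": (set(string.digits), "numeric"),
    "ucredit": (set(string.ascii_uppercase), "uppercase"),
    "lcredit": (set(string.ascii_lowercase), "lowercase"),
    "ocredit": (set(string.punctuation), "special"),
}


def dictionary_stem(password):
    """Normalise a candidate before lookup, roughly as cracklib's mangling
    rules do: lower-case, then strip leading and trailing digits and
    punctuation, so that 'tester1' or 'Tester!' still hit 'tester'."""
    return password.lower().strip(string.digits + string.punctuation)


def class_count(password, opt):
    chars, _ = CLASSES[opt]
    return sum(1 for c in password if c in chars)


def credited_length(password, credits):
    """len(password) plus per-class credits, as pam_cracklib computes it.
    Each option defaults to 1; a negative credit contributes nothing."""
    total = len(password)
    for opt in CLASSES:
        credit = credits.get(opt, 1)
        if credit >= 0:
            total += min(credit, class_count(password, opt))
    return total


def check(password, old_password="", minlen=6, words=WORDS, **credits):
    """Return None if the password passes, else the rejection message.

    credits: dcredit/ucredit/lcredit/ocredit, each defaulting to 1.
    """
    if old_password and password == old_password:
        return "is the same as the old one"
    if password == password[::-1]:
        return "is a palindrome"
    if credited_length(password, credits) < minlen:
        return f"too short - must be at least {minlen} characters"
    # Negative credits are hard minimums for the class.
    for opt, (_, label) in CLASSES.items():
        credit = credits.get(opt, 1)
        if credit < 0 and class_count(password, opt) < -credit:
            return f"must contain at least {-credit} {label} character(s)"
    if dictionary_stem(password) in words:
        return "it is based on a dictionary word"
    return None


if __name__ == "__main__":
    # The three attempts from the transcript, plus one that passes, under
    # the original question's rule: at least one letter and one digit.
    for attempt in ("test", "tester", "tester1", "Ts3!xkq9"):
        print(attempt, "->", check(attempt, dcredit=-1, lcredit=-1) or "accepted")
```

The order of the checks is the reason the transcript shows three different messages for three increasingly long attempts: length is judged first, then class minimums, then the dictionary, so a candidate has to clear all three. Note that `minlen=8` with the default credits of 1 accepts a five-character password that contains one of each class (5 + 4 credits = 9), which is why sites that want a true minimum length set the credits to zero or negative.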