
> Solaris PatchPro and MD5 passwords, trying to use md5 auth, kills patchpro
dinoklein
Posted: Jul 27 2003, 04:54 PM

Hi everyone,
I'm not sure if this is the right forum, but this is as close as I could tell.
I'm having the following issue on Solaris9:
I have Solaris9 4/03 with PatchPro 2.1 installed. I would like to use md5 crypted passwords for the root account as well, but when I change the password from the standard unix crypt, PatchPro can no longer authenticate the root password. I'm inclined to think that they hardcoded the use of unix crypt when checking the password, but I couldn't find anything on the net regarding this issue, or anyone else complaining about it.
My workaround for the moment is to use the old crypted root password, while other accounts' passwords get MD5-ed.

Any feedback is appreciated; thanks.
fishsponge
Posted: Jul 27 2003, 05:28 PM

i had a similar problem...... (well, a different problem that could be caused by the same thing)......

i assume you originally changed the password format by editing "/etc/security/policy.conf" and "/etc/security/crypt.conf":
CODE
bash-2.05# cat /etc/security/crypt.conf
#
# Copyright 2002 Sun Microsystems, Inc.  All rights reserved.
# Use is subject to license terms.
#
#ident  "@(#)crypt.conf 1.1     02/06/19 SMI"
#
# The algorithm name __unix__ is reserved.

1       crypt_bsdmd5.so.1
2a      crypt_bsdbf.so.1
md5     crypt_sunmd5.so.1
bash-2.05#

CODE
bash-2.05# cat /etc/security/policy.conf
#
# Copyright 1999-2002 Sun Microsystems, Inc.  All rights reserved.
# Use is subject to license terms.
#
# /etc/security/policy.conf
#
# security policy configuration for user attributes. see policy.conf(4)
#
#ident  "@(#)policy.conf        1.6     02/06/19 SMI"
#
AUTHS_GRANTED=solaris.device.cdrw
PROFS_GRANTED=Basic Solaris User

# crypt(3c) Algorithms Configuration
#
# CRYPT_ALGORITHMS_ALLOW specifies the algorithms that are allowed to
# be used for new passwords.  This is enforced only in crypt_gensalt(3c).
#
CRYPT_ALGORITHMS_ALLOW=1,2a,md5

# To deprecate use of the traditional unix algorithm, uncomment below
# and change CRYPT_DEFAULT= to another algorithm.  For example,
# CRYPT_DEFAULT=1 for BSD/Linux MD5.
#
#CRYPT_ALGORITHMS_DEPRECATE=__unix__

# The Solaris default is the traditional UNIX algorithm.  This is not
# listed in crypt.conf(4) since it is internal to libc.  The reserved
# name __unix__ is used to refer to it.
#
#CRYPT_DEFAULT=__unix__
CRYPT_DEFAULT=1
bash-2.05#
bash-2.05#


well if you take a look at a line from your "/etc/passwd" file (or "/etc/shadow" file) then it will probably look like this:
CODE
bash-2.05# cat /etc/shadow | grep test
test:$1$L6VKsYWY$9H65HQL6tSJY402Vm4WHu0:12132::::::
bash-2.05#

Note the "$1$" at the start of the password... this denotes which encryption method was used to encrypt that particular password.

Take a look at the root password... does it differ from the rest? do they all have "$md5$" in front of them, except the root password?

Chances are that the root password doesn't have any dollar symbols at the start at all - as far as i know, this denotes that the standard UNIX encryption method was used.

One way to maybe get around this would be to create a user, make his password using MD5, and then copy it into the root passwd file. This is definitely not advisable though.

The other issue could be that it's a security feature - can you "su - root" using the MD5-encrypted password? maybe the root account has to use __unix__ encryption...

Just for the record, my Solaris 9 12/02 machine uses MD5 for all users, except root.

Anyway, i know this is a bit of a random ramble, but hopefully some of it'll help!

let us know!! :D
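As an added example (not part of the post above and not Sun tooling), this script classifies shadow entries by the identifier between the first two "$" characters and resolves it against crypt.conf, which makes an account left on the traditional algorithm easy to spot. The function names are hypothetical, and every sample entry other than the crypt.conf lines and the "test" line quoted in the post is constructed.

```shell
# Added example. crypt.conf entries and the "test" line come from the post;
# all other sample entries are constructed placeholders.
sample_crypt_conf() { cat <<'EOF'
# The algorithm name __unix__ is reserved.
1       crypt_bsdmd5.so.1
2a      crypt_bsdbf.so.1
md5     crypt_sunmd5.so.1
EOF
}

sample_shadow() { cat <<'EOF'
root:aaBBccDDeeFFg:12132::::::
daemon:NP:6445::::::
test:$1$L6VKsYWY$9H65HQL6tSJY402Vm4WHu0:12132::::::
alice:$md5,rounds=904$CONSTRUCTED$$ConstructedHashValue000:12132::::::
bob:$9$CONSTRUCTED$ConstructedHashValue:12132::::::
EOF
}

# classify_shadow CRYPT_CONF < shadow lines; prints "user identifier module".
classify_shadow() {
    awk -v conf="$1" '
    BEGIN {
        # Load identifier -> module pairs, skipping comments and blank lines.
        while ((getline line < conf) > 0) {
            if (line ~ /^[ \t]*#/ || line ~ /^[ \t]*$/) continue
            split(line, f, " "); module[f[1]] = f[2]
        }
        FS = ":"
    }
    {
        user = $1; hash = $2
        # Nothing to classify: empty field, locked (*LK*) or no-password (NP).
        if (hash == "" || hash == "NP" || index(hash, "*LK*") == 1) {
            print user, "none", "-"; next
        }
        # No leading "$": traditional algorithm, internal to libc.
        if (substr(hash, 1, 1) != "$") { print user, "__unix__", "libc"; next }
        rest = substr(hash, 2)              # text after the first "$"
        e = index(rest, "$")
        id = (e ? substr(rest, 1, e - 1) : rest)
        sub(/,.*/, "", id)                  # drop parameters such as ",rounds=904"
        print user, id, ((id in module) ? module[id] : "UNLISTED")
    }'
}

# unix_crypt_accounts CRYPT_CONF < shadow lines; lists accounts still on __unix__.
unix_crypt_accounts() { classify_shadow "$1" | awk '$2 == "__unix__" { print $1 }'; }

conf=$(mktemp) && sample_crypt_conf > "$conf"
trap 'rm -f "$conf"' EXIT
sample_shadow | classify_shadow "$conf"
```

On a live system, feed the functions /etc/shadow and /etc/security/crypt.conf instead of the sample data; an identifier reported as UNLISTED has no module configured in crypt.conf.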
dinoklein
Posted: Jul 27 2003, 08:11 PM

QUOTE

Chances are that the root password doesn't have any dollar symbols at the start at all - as far as i know, this denotes that the standard UNIX encryption method was used.

One way to maybe get around this would be to create a user, make his password using MD5, and then copy it into the root passwd file. This is definitely not advisable though.

The other issue could be that it's a security feature - can you "su - root" using the MD5-encrypted password? maybe the root account has to use __unix__ encryption...


I have no problem logging in to the root account either when I use standard md5 or unix crypt. I do clear the password (passwd -d) before I change it with a different algorithm, so the new one will take effect (otherwise it just keeps the current format).
I'm going to try a more programmatic approach to this - there is a library /usr/sadm/lib/smc/lib/passauthen.so, which I'm pretty sure is the one being used by the server to authenticate the user. Perhaps I'll be able to figure out some more, although it will be a pain to start reading PAM documentation and the like.

I have a diff question - as a newbie admin :unsure: I don't know how one reports bugs to Sun. I've reported this issue several months ago as a patchpro issue (they give an email, on the dld page), but nothing came out of that. Any links would be appreciated.
fishsponge
Posted: Jul 28 2003, 09:15 AM

QUOTE (dinoklein @ Jul 27 2003, 09:11 PM)
I have a diff question - as a newbie admin :unsure: I don't know how one reports bugs to Sun. I've reported this issue several months ago as a patchpro issue (they give an email, on the dld page), but nothing came out of that. Any links would be appreciated.

hmm.... i don't know the official procedure, but as i currently work for them, gimme the details and i'll log it internally if u like. i'm not sure how i would keep you updated on its progress though, as i don't think we're allowed to add external email addresses to the interest list... i'll see what i can do though.

if you would like me to log the bug for ya, start a new topic under the appropriate category... let's keep it separate from this topic :D