> MD5-encrypted passwd file in Solaris 9, How??
fishsponge
  Posted: Feb 24 2003, 05:19 PM

As i'm now running Solaris 9, i'd like to enable passwords that are longer than 8 chars... so i can use NIS properly (my NIS server is debian linux, u see, and it's serving MD5-encrypted passwords, which Solaris doesn't use by default).

how do i enable it? i had a problem in Solaris 8, because the MD5 module didn't even exist, but i'm told it exists in Solaris 9, i just have to enable it...

any ideas how??
fishsponge
Posted: Feb 24 2003, 05:22 PM

ahha... i've found something:

http://docs.sun.com/db/doc/816-7173/6md6rl...is+9+md5&a=view

QUOTE ("What's New in the Solaris 9 12/02 Operating Environment")
Enhanced crypt() Function

Password encryption protects passwords from being read by intruders. Three strong password encryption modules are now available in the software: 

- A version of Blowfish that is compatible with BSD systems

- A version of MD5 that is compatible with BSD and Linux systems

- A stronger version of MD5 that is compatible with other Solaris 9 12/02 systems


therefore... this feature is available in the 12/02 release of Solaris 9... but i have the 9/02 release... looks like i need an upgrade!

Does anyone know if it's possible to install the necessary packages instead of upgrading my entire OS??
sleazyrob
Posted: Feb 24 2003, 09:56 PM

Aye it is, just look on the CDROM in the "Product" directory, and you'll see the pkgs that can be added with pkgadd.
Because of dependencies you'll probably end up installing the lot anyway so the simplest way is just to let the installer do its upgrade business.

If you can't get the real CDROM, you can grab the CDROM images as ISOs internally, and (probably - can't be arsed to check the version) from the sun.com/download website... you can mount them as follows so you don't actually have to burn a copy

CODE
> lofiadm -a /var/tmp/myisofile.iso
/dev/lofi/1
> mount -F hsfs -o ro /dev/lofi/1 /mnt/point
fishsponge
Posted: Feb 24 2003, 11:18 PM

look on what CD-ROM? The Solaris 9 12/02 release i presume...... right?
fishsponge
Posted: Feb 25 2003, 03:25 PM

i'm gonna try something else.... a good person on the sunmanagers list has advised me to install patch 113475-02 (for the crypt modules) and 112874-09 (libc) for '/etc/security/crypt.conf'.

However... this only gives client-side support for the passwords... it doesn't give support for changing passwords, so i'm investigating this further now...
sleazyrob
Posted: Feb 25 2003, 04:23 PM

The internal patchdesc says you'll need the following too if you want to change passwords etc:
(note that the part after the - is the version)

112874-06 (or newer) libc
113476-01 (or newer) passwdutil.so.1
113480-01 (or newer) pam_unix Patch
113481-01 (or newer) nispasswdd
113482-01 (or newer) sbin/sulogin
113483-01 (or newer) rpc.yppasswdd
fishsponge
Posted: Feb 25 2003, 05:12 PM

ah, ok... so i now know i need to install:
113475-02
112874-09
112874-06
113476-01
113480-01
113481-01
113482-01
113483-01

this list is getting bigger.... lol. i already knew about the <patchno>-<version> format, but thanks nevertheless :D

I assume the 'nispasswdd' patch allows me to change my password, even if it's being served by my NIS server and not held locally, right? cool! B)
fishsponge
Posted: Feb 27 2003, 11:53 AM

ok, i've decided to work around this by installing Solaris 9 12/02 instead - this has support by default, so i won't need to mess around with packages and patches.

however, FYI - here's a conversation i had with Casper from the SunManagers mailing list:

QUOTE ("fishsponge")
Hello,

I have a NIS server set up and working perfectly on my network, but my solaris machine is using old-style passwords (maximum 8 chars). My NIS server (being debian linux) is using MD5 passwds (out of choice), so i'd like to enable this on Solaris 9, so it can successfully use NIS for authentication on my LAN.

I originally had Solaris 8 on this machine, and i was told that MD5 passwords didn't exist, so i put Solaris 9 on instead. I think Solaris 10 uses MD5 by default, but in Solaris 9 it needs enabling, whereas in Solaris 8 it wasn't even an option.

Does anyone know how i can enable it?

QUOTE ("Casper")
required: Solaris 9 update 2 (or Solaris 9 + current patches).

use: automatic (Solaris 9u2 understands *BSD and Linux password hashes)

use as default: edit /etc/security/policy.conf

QUOTE ("fishsponge")
Thanks for the info... but which patches specifically? I have Solaris 9 09/02 with no extra patches installed at the moment... but how do i find out which patches i need to install exactly??

Can i just download a "service pack" from somewhere?? (sorry to use Micro$not terminology).

QUOTE ("Casper")
sunsolve.sun.com "Recommended & Security" patch bundle has everything,

NOTE 2: To get the complete Flexible Crypt feature, please install the
        following patches:

        113475-01      (or newer)      libsecurity crypt
        113476-01      (or newer)      passwdutil.so.1
        113480-01      (or newer)      pam_unix Patch
        113481-01      (or newer)      nispasswdd
        113482-01      (or newer)      rpc.ypasswd
        113483-01      (or newer)      sbin/sulogin
        112874-06      (or newer)      libc patch


You can also register and download the maintenance update patch bundle from access1.sun.com

QUOTE ("fishsponge")
I have another small problem... not only am i unable to download the specific patches you mentioned previously, i'm unable to install the main Recommended & Security Patch Cluster. For each and every package i receive:
CODE
Patch 112834-02 failed to install due to a failure produced by pkgadd.

and when i check the logfile to see what failed exactly, i see this:
CODE
This appears to be an attempt to install the same architecture and version of a package which is already installed.  This installation will attempt to overwrite this package.

/root/9_Recommended/113068-01/SUNWcarx.u/install/checkinstall: /root/9_Recommended/113068-01/SUNWcarx.u/install/checkinstall: cannot open
pkgadd: ERROR: checkinstall script did not complete successfully
Dryrun complete.
No changes were made to the system.

so it seems that the entire contents of the update package are already installed... surely this can't be right... i think i'm doing something stupid, but i can't work out what! lol

QUOTE ("Casper")
Might be the standard checkinstall problem:

The solaris FAQ says:

5.59) Patch installation often fails with "checkinstall" errors.

    When installing a patch, the Solaris 2.5+ patch installation procedure will execute the script "checkinstall" with uid nobody.

    If any of the patch files or if any part of the path leading up to the patch directory cannot be read by nobody, an error similar to the following will appear:

    patchadd .                                # or ./installpatch .
    Generating list of files to be patched...
    Verifying sufficient filesystem capacity (exhaustive method) ...
    Installing patch packages...
    pkgadd: ERROR: checkinstall script did not complete successfully....

    You can workaround this in two ways, one is to make sure that the user "nobody" can read all patch files and execute a "pwd" in the patch directory or add an account "install" to /etc/passwd:

        install:x:0:1:installpatch braindamage:/:/bin/true

    Installpatch and patchadd use "nobody" as a fallback if it cannot find the "install" user.

    --- end of excerpt from the FAQ

The most recently posted version of the FAQ is available from http://www.science.uva.nl/pub/solaris/solaris2/

QUOTE ("Casper")
>> You can also register and download the maintenance update patch
>> bundle from access1.sun.com
>
>Do i need this to enable MD5, or is it merely recommended?

It includes the above patches for those w/o support contract.

(So you can download the maintenance update and just install the necessary patches from it)

(the solregis command should take care of registering)

QUOTE ("fishsponge")
> NOTE 2: To get the complete Flexible Crypt feature, please install the
>        following patches:

Does this mean flexible in the way that i can choose whether i want to use MD5 or not?

> (the solregis command should take care of registering)

why do i need to do this though?

QUOTE ("Casper")
>> NOTE 2: To get the complete Flexible Crypt feature, please install the
>>        following patches:
>
>Does this mean flexible in the way that i can choose whether i want to use MD5 or
>not?

The implementation allows you to select a default hash algorithm (default still standard crypt).  In all cases the implementation will look at the hash to see what algorithm to use; the supported algorithms are __unix__ and:

1        crypt_bsdmd5.so.1
2a        crypt_bsdbf.so.1
md5        crypt_sunmd5.so.1

I believe that "1" is the md5 algorithm used by Linux; "2a" is the BSD blowfish based algorithm and "md5" is a Sun md5 variant.

You can also write your own crypt module and "plug it in" if you want to.

Encrypted passwords using all algorithms can coexist as the used algorithm is encoded in the crypt output string.

>> (the solregis command should take care of registering)
>
>why do i need to do this though?

To get login access to access1.sun.com/solarissolve which has the maintenance updates.

QUOTE ("fishsponge")
Ah..... so when i install the patches from access1.sun.com, i will be able to change to md5... cool!

I tried to run the solregis command, but i'm currently unable to export my DISPLAY from home to work (cos i SSH into my gateway, and then SSH into my Solaris box, so the X-Tunnelling gets broken). I'll run this command when i get home.

What file contains the following stuff though? Should i just search /etc/ for files containing "crypt_"??

  1        crypt_bsdmd5.so.1
  2a        crypt_bsdbf.so.1
  md5        crypt_sunmd5.so.1

QUOTE ("Casper")
Patch 113475-02 has the crypt modules.
Patch 112874-09 (libc) has /etc/security/crypt.conf

Those two combined, I think, give the necessary client side support for using but not changing the passwords.
(And you can't use them for root because of statically linked /sbin/sulogin)

113480-01 might be needed, but I think not.

QUOTE ("fishsponge")
In that case, i shall register and then install patches 113475-02 and 112874-09. Just to finally confirm... if i install these patches and configure, my Solaris box will recognise the MD5-encrypted passwords served by my NIS server, but the users won't be able to change their passwords from this machine... they will have to log into a different machine to do that... that's fine for what i need.

QUOTE ("Casper")
Correct; but you can just as well install all of the needed patches (all are part of MU2)

QUOTE ("fishsponge")
One other point is that i don't need to enhance the encryption on the root password, as it already allows passwords above 8 chars for the root password. Whether this uses advanced encryption, i'm not sure (although i doubt it), but the only reason for needing better encryption was to make the user accounts compatible with my NIS server, and as the root account isn't taken from NIS, this isn't a problem.

Thanks a lot for your help.


i hope this helps for the future!!
fishsponge
Posted: Mar 6 2003, 02:00 PM

ok, i now have Solaris 9 12/02 installed... and while it might be using MD5 passwords, it's still only allowing 8 chars. This suggests that it's still stuck to the old passwords by default, so who knows how i can enable MD5?

I have the 12/02 release, and according to Sun's web site, MD5 is available in this release... i just don't know how to enable it...

Any ideas??
sleazyrob
Posted: Mar 6 2003, 02:16 PM

The man pages for crypt.conf and policy.conf explain it pretty well...
fishsponge
Posted: Mar 6 2003, 02:43 PM

ok... thanks for that... i took a look at the man page, but i'm slightly confused. i have an idea, but not necessarily a correct one. My current '/etc/security/crypt.conf' contains the following:
CODE
# The algorithm name __unix__ is reserved.

1        crypt_bsdmd5.so.1
2a        crypt_bsdbf.so.1
md5        crypt_sunmd5.so.1

and as i understand it, it's currently using __unix__ as its encryption method... or is it using "crypt_bsdmd5.so.1"?? i can't work it out.

The man page gives the following example:
CODE
Example 1: Provide compatibility for md5crypt-generated
passwords.

The default configuration preserves previous Solaris
behaviour while adding compatibility for md5crypt-generated
passwords as provided on some BSD and Linux systems.

#
# crypt.conf
#
1 /usr/lib/security/$ISA/crypt_bsdmd5.so

Example 2: Use md5crypt to demonstrate compatibility with
BSD- and Linux-based systems.

The following example lists 4 algorithms and demonstrates
how compatibility with BSD- and Linux-based systems using
md5crypt is made available, using the algorithm names 1 and
2.

#
# crypt.conf
#
md5 /usr/lib/security/$ISA/crypt_md5.so
rot13 /usr/lib/security/$ISA/crypt_rot13.so

# For *BSD/Linux compatibility
# 1 is md5, 2 is Blowfish
1 /usr/lib/security/$ISA/crypt_bsdmd5.so
2 /usr/lib/security/$ISA/crypt_bsdbf.so

...but i can't work out exactly what changes i need to make in order to get it working... any suggestions?
fishsponge
Posted: Mar 6 2003, 03:08 PM

i forgot to look in policy.conf... Casper replied again and said:
CODE
/etc/security/policy.conf

CRYPT_DEFAULT=md5

so i changed it, and i'm now testing it....................................

it appears to work at the moment, but i'm not sure if it'll work when i hook it up to my linux NIS server... i'll check that when i get home.
fishsponge
Posted: Mar 6 2003, 04:09 PM

well... it won't work when i get it home... i found a problem. On Solaris, a line from '/etc/shadow' looks like:
CODE
hobbs:$md5$abcdefghijklmnop1234567890/:11111::::::

and on Linux, the equivalent line looks like this:
CODE
hobbs:$1$0987654321ponmlkjihgfedcba/:12222:0:99999:7:::

so, as you can see... the specified encryption methods are different... $md5$ vs $1$.

I therefore need to change '/etc/security/policy.conf' to say the following instead:
CODE
CRYPT_DEFAULT=1

This makes the password encryption compatible with linux according to Casper... the most helpful guy i know!
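An added example, not code from any poster in this thread: a short Python audit that reads the algorithm identifier out of each hash field, as described in the posts above, and checks it against crypt.conf and CRYPT_DEFAULT. The shadow entries other than the two hobbs placeholders, the `$6$` identifier and the `peer_algos` set (what the Linux NIS server is taken to verify) are assumptions made for the demonstration.

```python
import re
# Constructed inputs; crypt.conf and the hobbs hashes are the thread's placeholders.
CRYPT_CONF = """\
# The algorithm name __unix__ is reserved.
1        crypt_bsdmd5.so.1
2a       crypt_bsdbf.so.1
md5      crypt_sunmd5.so.1
"""
SHADOW = """\
hobbs:$md5$abcdefghijklmnop1234567890/:11111::::::
hobbs2:$1$0987654321ponmlkjihgfedcba/:12222:0:99999:7:::
olduser:abJnggxhB/yJg:11111::::::
other:$6$saltsalt$notarealhash:12222:0:99999:7:::
locked:*LK*:11111::::::
"""

def parse_crypt_conf(text):
    """Map algorithm identifier -> module name, ignoring comments and blanks."""
    entries = (line.split("#", 1)[0].split() for line in text.splitlines())
    return {e[0]: e[1] for e in entries if len(e) >= 2}

def crypt_default(policy_text):
    """CRYPT_DEFAULT from policy.conf text; __unix__ when the key is absent."""
    m = re.search(r"^CRYPT_DEFAULT=(\S+)", policy_text, re.M)
    return m.group(1) if m else "__unix__"

def hash_algorithm(field):
    """Identifier in the hash; 13-char traditional crypt is __unix__; else None."""
    m = re.match(r"\$([^$,]+)[$,]", field)
    if m:
        return m.group(1)
    return "__unix__" if re.fullmatch(r"[./0-9A-Za-z]{13}", field) else None

def audit(shadow_text, conf_text, policy_text):
    """Return (user, algorithm, status) for each shadow-style line."""
    algos, default = parse_crypt_conf(conf_text), crypt_default(policy_text)
    rows = []
    for line in shadow_text.splitlines():
        user, field = line.split(":")[:2]
        algo = hash_algorithm(field)
        if algo is None:
            status = "no-hash"
        elif algo == "__unix__":
            status = "legacy-8-char"  # only the first 8 password characters count
        elif algo not in algos:
            status = "unsupported"  # no module for this identifier on the host
        else:
            status = "default" if algo == default else "supported"
        rows.append((user, algo, status))
    return rows

def default_interoperable(policy_text, peer_algos=("__unix__", "1")):
    # peer_algos is an assumption: what the Linux NIS server can verify.
    return crypt_default(policy_text) in peer_algos
```

Calling `audit(SHADOW, CRYPT_CONF, "CRYPT_DEFAULT=1\n")` lists each account with the algorithm its stored hash uses, and `default_interoperable("CRYPT_DEFAULT=md5\n")` returns False, which is the `$md5$` versus `$1$` mismatch found in the post above.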
bsdaemon
Posted: Mar 6 2003, 06:09 PM

Fishsponge--

Just an aside. I was reading through this thread, and came across this:

i'm currently unable to export my DISPLAY from home to work (cos i SSH into my gateway, and then SSH into my Solaris box, so the X-Tunnelling gets broken)

I do this to access my boxes via SSH:

running ipfw + natd on the gateway box, so I have natd forward high-numbered (unprivileged) ports to port 22 on the LAN boxes, ie

redirect_port tcp 10.0.0.2:22 22002
redirect_port tcp 10.0.0.3:22 22003
...

That way, I can ssh directly into the gateway (port 22 still listening normally) or directly into the LAN boxes.
This type of setup would enable you to utilize X/ssh tunneling [I think].

HTH
bsdaemon
Posted: Mar 7 2003, 06:26 AM

Doh! I'll figure this out eventually...Sorry, wrong board!