> MD5-encrypted password in Solaris
fishsponge
Posted: Mar 7 2003, 09:37 AM
After trying to get MD5 passwords working in Solaris, i finally discovered it thanks to Casper from the sunmanagers mailing list!

FYI - here's a conversation i had with Casper from the SunManagers mailing list:

QUOTE ("fishsponge")
Hello,

I have a NIS server set up and working perfectly on my network, but my solaris machine is using old-style passwords (maximum 8 chars). My NIS server (being debian linux) is using MD5 passwds (out of choice), so i'd like to enable this on Solaris 9, so it can successfully use NIS for authentication on my LAN.

I originally had Solaris 8 on this machine, and i was told that MD5 passwords didn't exist, so i put Solaris 9 on instead. I think Solaris 10 uses MD5 by default, but in Solaris 9 it needs enabling, whereas in Solaris 8 it wasn't even an option.

Does anyone know how i can enable it?

QUOTE ("Casper")
required: Solaris 9 update 2 (or Solaris 9 + current patches).

use: automatic (Solaris 9u2 understands *BSD and Linux password hashes)

use as default: edit /etc/security/policy.conf

QUOTE ("fishsponge")
Thanks for the info... but which patches specifically? I have Solaris 9 09/02 with no extra patches installed at the moment... but how do i find out which patches i need to install exactly??

Can i just download a "service pack" from somewhere?? (sorry to use Micro$not terminology).

QUOTE ("Casper")
sunsolve.sun.com "Recommended & Security" patch bundle has everything,

NOTE 2: To get the complete Flexible Crypt feature, please install the
        following patches:

        113475-01      (or newer)      libsecurity crypt
        113476-01      (or newer)      passwdutil.so.1
        113480-01      (or newer)      pam_unix Patch
        113481-01      (or newer)      nispasswdd
        113482-01      (or newer)      rpc.ypasswd
        113483-01      (or newer)      sbin/sulogin
        112874-06      (or newer)      libc patch


You can also register and download the maintenance update patch bundle from access1.sun.com

QUOTE ("fishsponge")
I have another small problem... not only am i unable to download the specific patches you mentioned previously, i'm unable to install the main Recommended & Security Patch Cluster. For each and every package i receive:
CODE
Patch 112834-02 failed to install due to a failure produced by pkgadd.

and when i check the logfile to see what failed exactly, i see this:
CODE
This appears to be an attempt to install the same architecture and version of a package which is already installed.  This installation will attempt to overwrite this package.

/root/9_Recommended/113068-01/SUNWcarx.u/install/checkinstall: /root/9_Recommended/113068-01/SUNWcarx.u/install/checkinstall: cannot open
pkgadd: ERROR: checkinstall script did not complete successfully
Dryrun complete.
No changes were made to the system.

so it seems that the entire contents of the update package are already installed... surely this can't be right... i think i'm doing something stupid, but i can't work out what! lol

QUOTE ("Casper")
Might be the standard checkinstall problem:

The solaris FAQ says:

5.59) Patch installation often fails with "checkinstall" errors.

    When installing a patch, the Solaris 2.5+ patch installation procedure will execute the script "checkinstall" with uid nobody.

    If any of the patch files or if any part of the path leading up to the patch directory cannot be read by nobody, an error similar to the following will appear:

    patchadd .                                # or ./installpatch .
    Generating list of files to be patched...
    Verifying sufficient filesystem capacity (exhaustive method) ...
    Installing patch packages...
    pkgadd: ERROR: checkinstall script did not complete successfully....

    You can workaround this in two ways, one is to make sure that the user "nobody" can read all patch files and execute a "pwd" in the patch directory or add an account "install" to /etc/passwd:

        install:x:0:1:installpatch braindamage:/:/bin/true

    Installpatch and patchadd use "nobody" as a fallback if it cannot find the "install" user.

    --- end of excerpt from the FAQ

The most recently posted version of the FAQ is available from http://www.science.uva.nl/pub/solaris/solaris2/

QUOTE ("Casper")
>> You can also register and download the maintenance update patch
>> bundle from access1.sun.com
>
>Do i need this to enable MD5, or is it merely recommended?

It includes the above patches for those w/o support contract.

(So you can download the maintenance update and just install the necessary patches from it)

(the solregis command should take care of registering)

QUOTE ("fishsponge")
> NOTE 2: To get the complete Flexible Crypt feature, please install the
>        following patches:

Does this mean flexible in the way that i can choose whether i want to use MD5 or not?

> (the solregis command should take care of registering)

why do i need to do this though?

QUOTE ("Casper")
>> NOTE 2: To get the complete Flexible Crypt feature, please install the
>>        following patches:
>
>Does this mean flexible in the way that i can choose whether i want to use MD5 or
>not?

The implementation allows you to select a default hash algorithm (default still standard crypt).  In all cases the implementation will look at the hash to see what algorithm to use; the supported algorithms are __unix__ and:

1        crypt_bsdmd5.so.1
2a        crypt_bsdbf.so.1
md5        crypt_sunmd5.so.1

I believe that "1" is the md5 algorithm used by Linux; "2a" is the BSD blowfish based algorithm and "md5" is a Sun md5 variant.

You can also write your own crypt module and "plug it in" if you want to.

Encrypted passwords using all algorithms can coexist as the used algorithm is encoded in the crypt output string.

>> (the solregis command should take care of registering)
>
>why do i need to do this though?

To get login access to access1.sun.com/solarissolve which has the maintenance updates.

QUOTE ("fishsponge")
Ah..... so when i install the patches from access1.sun.com, i will be able to change to md5... cool!

I tried to run the solregis command, but i'm currently unable to export my DISPLAY from home to work (cos i SSH into my gateway, and then SSH into my Solaris box, so the X-tunnelling gets broken). I'll run this command when i get home.

What file contains the following stuff though? Should i just search /etc/ for files containing "crypt_"??

  1        crypt_bsdmd5.so.1
  2a        crypt_bsdbf.so.1
  md5        crypt_sunmd5.so.1

QUOTE ("Casper")
Patch 113475-02 has the crypt modules.
Patch 112874-09 (libc) has /etc/security/crypt.conf

Those two combined, I think, give the necessary client side support for using but not changing the passwords.
(And you can't use them for root because of statically linked /sbin/sulogin)

113480-01 might be needed, but I think not.

QUOTE ("fishsponge")
In that case, i shall register and then install patches 113475-02 and 112874-09. Just to finally confirm... if i install these patches and configure, my Solaris box will recognise the MD5-encrypted passwords served by my NIS server, but the users won't be able to change their passwords from this machine... they will have to log into a different machine to do that... that's fine for what i need.

QUOTE ("Casper")
Correct; but you can just as well install all of the needed patches (all are part of MU2)

One other point is that i don't need to enhance the encryption on the root password, as it already allows passwords above 8 chars for the root password. Whether this uses advanced encryption, i'm not sure (although i doubt it), but the only reason for needing better encryption was to make the user accounts compatible with my NIS server, and as the root account isn't taken from NIS, this isn't a problem.

Thanks a lot for your help.


i hope this helps for the future!!
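
Because the algorithm is encoded in the crypt output string, a passwd-format map can be audited to see which module each account's hash would need on a client. The script below is an added example, not part of the original post or of Solaris: it uses the identifier-to-module table quoted in the thread; the sample map, the `zz` identifier and the function names are constructed, and it assumes any parameters after a comma in the identifier field (as in `$md5,rounds=...$`) can be ignored for module selection.

```shell
#!/bin/sh
# Identifier -> module table as quoted in the thread (crypt.conf layout).
CRYPT_TABLE='1 crypt_bsdmd5.so.1
2a crypt_bsdbf.so.1
md5 crypt_sunmd5.so.1'

# Constructed passwd-format sample (placeholder hashes, not real ones).
SAMPLE_MAP='alice:$1$CONSTRUCT$0000000000000000000000:1001:10::/home/alice:/bin/sh
bob:abCONSTRUCTED:1002:10::/home/bob:/bin/sh
carol:$md5,rounds=904$CONSTRUCT$$0000000000000000000000:1003:10::/home/carol:/bin/sh
dave:$zz$CONSTRUCT$0000:1004:10::/home/dave:/bin/sh
eve:*LK*:1005:10::/home/eve:/bin/sh'

# hash_id HASH: print the algorithm identifier encoded in a crypt string.
# "$id$..." yields id; a field with no "$" prefix is traditional crypt
# (__unix__ in the thread); empty, shadowed or locked fields carry no hash.
hash_id() {
    case "$1" in
        ''|x|NP|'*'*|'!'*) echo "nohash" ;;
        '$'*'$'*) id=${1#\$}; id=${id%%\$*}; echo "${id%%,*}" ;;
        *) echo "__unix__" ;;
    esac
}

# module_for ID: look the identifier up in CRYPT_TABLE.
module_for() {
    if [ "$1" = "__unix__" ]; then echo "builtin"; return 0; fi
    printf '%s\n' "$CRYPT_TABLE" | awk -v id="$1" '
        ($1 "") == (id "") { print $2; found = 1 }
        END { if (!found) print "UNSUPPORTED" }'
}

# audit_map: read passwd-format lines on stdin, print "user id module".
audit_map() {
    while IFS=: read -r user hash rest; do
        [ -n "$user" ] || continue
        id=$(hash_id "$hash")
        if [ "$id" = "nohash" ]; then
            echo "$user nohash -"
        else
            echo "$user $id $(module_for "$id")"
        fi
    done
}

printf '%s\n' "$SAMPLE_MAP" | audit_map
```

On a NIS client the same function can be fed from `ypcat passwd | audit_map`; any line reporting `UNSUPPORTED` is an account whose hash has no matching entry in the table.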