From: Hobbs, Richard
Date: Thu Feb 27 2003 - 07:11:50 EST

Following a lengthy, but productive conversation with Casper about enabling MD5
passwd/shadow files on Solaris 9, we have decided that it would be beneficial to
the members of SunManagers if I summarised our entire conversation for those who
are interested to keep for the future. This conversation has also been
summarised here:

Richard Hobbs:

I have a NIS server set up and working perfectly on my network, but my Solaris
machine is using old-style passwords (maximum 8 chars). My NIS server (being
Debian Linux) is using MD5 passwds (out of choice), so I'd like to enable this
on Solaris 9, so it can successfully use NIS for authentication on my LAN.

I originally had Solaris 8 on this machine, and I was told that MD5 passwords
didn't exist, so I put Solaris 9 on instead. I think Solaris 10 uses MD5 by
default, but in Solaris 9 it needs enabling, whereas in Solaris 8 it wasn't even
an option.

Does anyone know how I can enable it?

Casper Dik:
required: Solaris 9 update 2 (or Solaris 9 + current patches).

use: automatic (Solaris 9u2 understands *BSD and Linux password hashes)

use as default: edit /etc/security/policy.conf

Richard Hobbs:
Thanks for the info... but which patches specifically? I have Solaris 9 09/02
with no extra patches installed at the moment... but how do I find out which
patches I need to install exactly??

Can I just download a "service pack" from somewhere??

Casper Dik:
----------- "Recommended & Security" patch bundle has everything,

NOTE 2: To get the complete Flexible Crypt feature, please install the
following patches:

113475-01      (or newer)      libsecurity crypt
113476-01      (or newer)
113480-01      (or newer)      pam_unix Patch
113481-01      (or newer)      nispasswdd
113482-01      (or newer)      rpc.ypasswd
113483-01      (or newer)      sbin/sulogin
112874-06      (or newer)      libc patch

You can also register and download the maintenance update patch bundle from

Richard Hobbs:
I have another small problem... not only am I unable to download the specific
patches you mentioned previously, I'm unable to install the main Recommended &
Security Patch Cluster. For each and every package I receive:

Patch 112834-02 failed to install due to a failure produced by pkgadd.

and when I check the logfile to see what failed exactly, I see this:

This appears to be an attempt to install the same architecture and version of a
package which is already installed.  This installation will attempt to overwrite
this package.

cannot open pkgadd: ERROR: checkinstall script did not complete successfully
Dryrun complete.
No changes were made to the system.

so it seems that the entire contents of the update package are already
installed... surely this can't be right... I think I'm doing something stupid,
but I can't work out what! lol

Casper Dik:
Might be the standard checkinstall problem:

The Solaris FAQ says:

5.59) Patch installation often fails with "checkinstall" errors.

When installing a patch, the Solaris 2.5+ patch installation procedure will
execute the script "checkinstall" with uid nobody.

If any of the patch files or if any part of the path leading up to the patch
directory cannot be read by nobody, an error similar to the following will appear:

patchadd .                                # or ./installpatch .
Generating list of files to be patched...
Verifying sufficient filesystem capacity (exhaustive method) ...
Installing patch packages...
pkgadd: ERROR: checkinstall script did not complete successfully....

You can work around this in two ways, one is to make sure that the user "nobody"
can read all patch files and execute a "pwd" in the patch directory or add an
account "install" to /etc/passwd:

  install:x:0:1:installpatch braindamage:/:/bin/true

Installpatch and patchadd use "nobody" as a fallback if they cannot find the
"install" user.

--- end of excerpt from the FAQ

The most recently posted version of the FAQ is available from:

Casper Dik:
>> You can also register and download the maintenance update patch
>> bundle from
>Do I need this to enable MD5, or is it merely recommended?

It includes the above patches for those w/o support contract.

(So you can download the maintenance update and just install the necessary
patches from it)

(the solregis command should take care of registering)

Richard Hobbs:
> NOTE 2: To get the complete Flexible Crypt feature, please install the
>        following patches:

Does this mean flexible in the way that I can choose whether I want to use MD5 or

> (the solregis command should take care of registering)

Why do I need to do this though?

Casper Dik:
>> NOTE 2: To get the complete Flexible Crypt feature, please install the
>>        following patches:
>Does this mean flexible in the way that I can choose whether I want to
>use MD5 or not?

The implementation allows you to select a default hash algorithm (default still
standard crypt).  In all cases the implementation will look at the hash to see
what algorithm to use; the supported algorithms are __unix__ and:


I believe that "1" is the md5 algorithm used by Linux; "2a" is the BSD blowfish
based algorithm and "md5" is a Sun md5 variant.

You can also write your own crypt module and "plug it in" if you want to.

Encrypted passwords using all algorithms can coexist as the used algorithm is
encoded in the crypt output string.

>> (the solregis command should take care of registering)
>Why do I need to do this though?

To get login access to which has the maintenance

Richard Hobbs:
Ah..... so when I install the patches from, I will be able to
change to md5... cool!

I tried to run the solregis command, but I'm currently unable to export my
DISPLAY from home to work (cos I SSH into my gateway, and then SSH into my
Solaris box, so the X-tunnelling gets broken). I'll run this command when I get home.

What file contains the following stuff though? Should I just search /etc/ for
files containing "crypt_"??


Casper Dik:
Patch 113475-02 has the crypt modules.
Patch 112874-09 (libc) has /etc/security/crypt.conf

Those two combined, I think, give the necessary client side support for using
but not changing the passwords.
(And you can't use them for root because of statically linked /sbin/sulogin)

113480-01 might be needed, but I think not.

Richard Hobbs:

In that case, I shall register and then install patches 113475-02 and 112874-09.
Just to finally confirm... if I install these patches and configure, my Solaris
box will recognise the MD5-encrypted passwords served by my NIS server, but the
users won't be able to change their passwords from this machine... they will
have to log into a different machine to do that... that's fine for what I need.

>Correct; but you can just as well install all of the needed patches (all
>are part of MU2)

One other point is that I don't need to enhance the encryption on the root
password, as it already allows passwords above 8 chars for the root password.
Whether this uses advanced encryption, I'm not sure (although I doubt it), but
the only reason for needing better encryption was to make the user accounts
compatible with my NIS server, and as the root account isn't taken from NIS,
this isn't a problem.

Thanks a lot for your help.


The end of the story is that I think I'm gonna try to get hold of Solaris 9
12/02 first, but if not, this will all come in very useful, so a *BIG* thank you
to Casper for all his help with this.
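
Added example (not part of the original thread, and not Sun's code): the thread notes that the algorithm is encoded in the crypt output string, so a passwd-format map such as the output of "ypcat passwd" can be checked for entries that a client limited to __unix__ crypt could not verify. The "$id$salt$hash" layout is an assumption about the string format, and the sample entries are constructed, not real hashes.

```python
# Classify the password field of passwd-format entries by the crypt
# algorithm identifier encoded at the start of the hash string.

# Identifiers as named in the thread; "__unix__" is traditional crypt.
ALGORITHMS = {"1": "Linux/BSD MD5", "2a": "BSD Blowfish", "md5": "Sun MD5"}

CRYPT_CHARS = set("./0123456789"
                  "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz")


def classify_hash(field):
    """Return the algorithm label for one encrypted-password field."""
    if field.startswith("$"):
        # Assumed layout: $<id>[,params]$<salt>$<hash>
        ident = field[1:].split("$", 1)[0].split(",", 1)[0]
        return ALGORITHMS.get(ident, "unknown:" + ident)
    if len(field) == 13 and set(field) <= CRYPT_CHARS:
        return "__unix__"
    return "no-hash"  # empty, "x", "*LK*", "NP" and similar markers


def audit(lines):
    """Map each user name to the algorithm of its password field."""
    result = {}
    for line in lines:
        parts = line.strip().split(":")
        if len(parts) >= 2 and not parts[0].startswith("#"):
            result[parts[0]] = classify_hash(parts[1])
    return result


def needs_flexible_crypt(lines):
    """Users whose hash a __unix__-only client cannot verify."""
    return sorted(user for user, alg in audit(lines).items()
                  if alg not in ("__unix__", "no-hash"))


# Constructed sample entries (placeholder salts and hashes).
SAMPLE = [
    "alice:$1$abcdefgh$0123456789ABCDEFGHIJKL:1001:100::/home/alice:/bin/sh",
    "bob:abCDEFGHIJKLM:1002:100::/home/bob:/bin/sh",
    "carol:$md5,rounds=5000$saltsalt$$0123456789ABCDEFGHIJKL:1003:100::/:/bin/sh",
    "dave:$2a$04$abcdefghijklmnopqrstuuABCDEFGHIJKLMNOPQRSTUVWXYZ01234:1004:100::/:/bin/sh",
    "eve:*LK*:1005:100::/:/bin/sh",
    "frank:$zz$saltsalt$0123456789:1006:100::/:/bin/sh",
]

if __name__ == "__main__":
    for user, alg in audit(SAMPLE).items():
        print(f"{user:8} {alg}")
    print("need flexible crypt:", ", ".join(needs_flexible_crypt(SAMPLE)))
```
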

