+++++++++++++++++++++++++++++++++++++++++
Solution:
+++++++++++++++++++++++++++++++++++++++++

Several options to investigate that I had not found previously. No solid solution as yet.

+++++++++++++++++++++++++++++++++++++++++
Responses:
+++++++++++++++++++++++++++++++++++++++++

-------------------------------------------------------------------------------------------
Dirk the Daring (dirk@psicorps.org)
-------------------------------------------------------------------------------------------

Have you considered implementing something like Novell Directory Services (NDS)? It runs natively on Solaris, uses the PAM interface, and would offer you the degree of control RE: lockouts that you're looking for. It also runs on Windows in conjunction with Novell Account Manager.

Anyway, NDS runs quite nicely on Solaris - v2.6 thru v2.9, as I recall. You can place an NDS replica on the Solaris box, and a NetWare box is *not* required to administrate the environment. The administration tool, ConsoleOne, is written in Java.

NDS also runs natively on W2K - I hope you don't expect Micro$oft to ever put ActiveDirectory on Solaris.

-------------------------------------------------------------------------------------------
Debbie Tropiano (debbiet@arlut.utexas.edu)
-------------------------------------------------------------------------------------------

You might want to look at SEAM (Sun's implementation of MIT kerberos). It does quite a bit more than what you're looking for. It's standard with Solaris 9 and can be added to Solaris 8 (altho' I've forgotten now where I got the packages -- possibly on one of the installation CDs).

-------------------------------------------------------------------------------------------
Glenn Harrison (glennharrison@amcorp.com.au)
-------------------------------------------------------------------------------------------

Well, part 1 I can answer I think.

pam_passwdqc should plug into the existing PAM setup on Solaris 8/9 to give you configurable password complexity. <http://www.openwall.com/passwdqc/>

As for the timed password lockout stuff, sorry, I haven't seen anything about that around the place.

-------------------------------------------------------------------------------------------
Martin Hepworth (martinh@solid-state-logic.com)
-------------------------------------------------------------------------------------------

There's a free version of passwd that has rules with it. Also the Sun version of passwd can do a lot of this - see the Solaris FAQ.

If you want a commercial variant see Keon Unix Security from tfstech.com

+++++++++++++++++++++++++++++++++++++++++
Original Questions:
+++++++++++++++++++++++++++++++++++++++++

Has anyone found any methods to enforce password composition/complexity in a Solaris environment? We are using versions 2.6 through 9, though will be moving to 8 and 9 only in the near future (software requirements force us to maintain a maximum of Solaris 8).

By composition / complexity, I mean things like forcing upper and lower case, use of numeric/symbol characters, and possibly a method to do a dictionary check on the password. The dictionary check would be nice to ensure that the password, or any part of the password, is not a common English word, and is optional to my needs, but would be a bonus.

My other query is about auto-lockouts after a number of invalid login attempts. I know about the /etc/default/login, but that doesn't really suit my needs. I'd like it so that if there are three bad password attempts on a given account within a given, arbitrary, amount of time, the account is locked from further use until administrator intervention. This can be done in Windows NT/2000 (sorry for mentioning the 'W' word), so I hope there is a method to do this in Solaris as well.

We are currently using static passwd/shadow files on each system, though we are working on migrating to LDAP for authentication across Windows and Solaris to get a single username/password-type setup.

_______________________________________________
sunmanagers mailing list
sunmanagers@sunmanagers.org
http://www.sunmanagers.org/mailman/listinfo/sunmanagers

Received on Thu Mar 27 08:05:19 2003
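
The lockout rule asked for in the original question (three bad password attempts on one account within an arbitrary time window, then locked until an administrator intervenes), as an added example that is not part of the original thread or of any tool named in it. The event tuples, the function name `locked_accounts` and the choice that a good login resets the count are assumptions made for illustration; the sample events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events in time order: (timestamp, account, outcome).
SAMPLE_EVENTS = [
    ("2003-03-27 08:00:00", "carol", "FAIL"),
    ("2003-03-27 08:00:05", "alice", "FAIL"),
    ("2003-03-27 08:00:40", "alice", "FAIL"),
    ("2003-03-27 08:01:10", "bob", "FAIL"),
    ("2003-03-27 08:02:00", "bob", "FAIL"),
    ("2003-03-27 08:03:00", "alice", "OK"),
    ("2003-03-27 08:04:00", "alice", "FAIL"),
    ("2003-03-27 08:05:00", "alice", "FAIL"),
    ("2003-03-27 08:06:00", "carol", "FAIL"),
    ("2003-03-27 08:09:30", "bob", "FAIL"),
    ("2003-03-27 08:10:00", "bob", "OK"),
    ("2003-03-27 08:11:00", "carol", "FAIL"),
    ("2003-03-27 08:15:00", "carol", "FAIL"),
    ("2003-03-27 08:20:00", "alice", "FAIL"),
]


def locked_accounts(events, max_failures=3, window=timedelta(minutes=10)):
    """Return {account: time of lock} for accounts that hit max_failures
    bad attempts inside one sliding window. Events must be in time order."""
    recent = defaultdict(deque)  # account -> timestamps of recent failures
    locked = {}
    for stamp, account, outcome in events:
        when = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")
        if account in locked:
            continue  # stays locked until an administrator clears it
        if outcome == "OK":
            recent[account].clear()  # assumption: a good login resets the count
            continue
        failures = recent[account]
        failures.append(when)
        while when - failures[0] > window:  # drop failures older than the window
            failures.popleft()
        if len(failures) >= max_failures:
            locked[account] = when
    return locked


if __name__ == "__main__":
    for account, when in sorted(locked_accounts(SAMPLE_EVENTS).items()):
        print(f"{account} locked at {when}")
```

In the sample, carol's first three failures span eleven minutes and do not trigger a lock; only the fourth, which puts three failures inside ten minutes, does.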