SUMMARY (2) : Password Composition/Complexity and Auto-lockout

From: Faulconer, Steven M. <>
Date: Mon Mar 31 2003 - 20:02:21 EST
I have received a few more messages, so I wanted to send out that
information in case anyone needs it. Thank you to everyone who responded.
>From the looks of things, I'm leaning towards npasswd, but need to look into
things a bit more.



Try PowerPassword. It does lots of things, including password checks and
locking out accounts.

David Foster []

Look at npasswd, a 3rd party utility that allows you this
kind of flexibility. Not sure if it plays well with NIS/NIS+.

Boothby Don []

I have been struggling with this. I am using ssh, so this might not apply to
you. However, I'm using npasswd which supports everything including the
option of locking out a user after 3 (configurable) attempts. The web site
for this is: <>
If you want to use the LDAP solution, I'm afraid I can't help. I inquired
about it and there is an internal Sun web site that shows how to do it, but
they won't release the info to the public until next month. I got an
internal web site address, but I don't have access to their internal site.
P.S. I had gotten npasswd to work without ssh. I'm in the middle of getting
it to work with ssh which is my latest project. If you need it to work with
ssh, there are some added complexities.
Zaigui Wang []

There seems to be two possible solutions:
1. use LDAP. Sun's recently LDAP enhancement to
Solaris 8 has make the Password policy management
fully functional.

2. apply, again, the latest LDAP enhancement (only to
Solaris 8 and 9) and tweak the new pam.conf file and
insert your own password variation checking module.
While it seems complex, there are examples you can
follow. Refer to Sun blueprint 10/02 on PAM. It has
sample code "comparison.c". If you have problem find
the source code, let me know. I do have a copy. You
can just compile that and install as instructed.

Neither solution will help you though on solair
systems below 8.

Original Questions:

Has anyone found any methods to enforce password composition/complexity in a
Solaris environment? We are using versions 2.6 through 9, though will be
moving to 8 and 9 only in the near future (software requirements force us to
maintain a maximum of Solaris 8). By composition / complexity, I mean things
like forcing upper and lower case, use of numeric/symbol characters, and
possibly a method to do a dictionary check on the password. The dictionary
check would be nice to ensure that the password, or any part of the
password, is not a common English word, and is optional to my needs, but
would be a bonus.

My other query is about auto-lockouts after a number of invalid login
attempts. I know about the /etc/default/login, but that doesn't really suite
my needs. I'd like it so that if there are three bad password attempts on a
given account within a given, arbitrary, amount of time, the account is
locked from further use until administrator intervention. This can be done
in Windows NT/2000 (sorry for mentioning the 'W' word), so I hope there is a
method to do this in Solaris as well. We are currently using static
passwd/shadow files on each system, though we are working on migrating to
LDAP for authentication across Windows and Solaris to get a single
username/password-type setup.
sunmanagers mailing list
Received on Mon Mar 31 20:06:34 2003

This archive was generated by hypermail 2.1.8 : Thu Mar 03 2016 - 06:43:07 EST