> Message: 1
> Date: Tue, 06 Nov 2007 10:22:30 +0000
> From: Darren J Moffat <Darren.Moffat at Sun.COM>
> Subject: [security-discuss] Proposal for stronger default password
> checks (pre-ARC review)
>
> I'm submitting the following for community review before I start an ARC
> case on this. Time out for community review is Wednesday 14th November
> 2007.
>
> --- BEGIN PROPOSAL ---
> The pam_authtok_check module has the ability to enforce much stronger
> rules than the current default OpenSolaris configuration.
>
> This case proposes to update the default password checking rules to
> enforce stronger rules by default. Specifically the following changes:
>
> 1) Password history will now be on by default and set with a low number
> of saved passwords by default - we don't want to be too annoying.
> /etc/default/passwd:HISTORY=2
>
> 2) The minimum length will be changed from 6 to 8
> /etc/default/passwd:PASSLENGTH=8
>
> 3) Dictionary checking with crack will be enabled by default
> /etc/default/passwd:DICTIONDBDIR=/var/passwd
>
> 4) The default crypt algorithm changes from __unix__ to sha256
> /etc/security/policy.conf:CRYPT_DEFAULT=5

What about applications that cannot handle cryptography stronger than __unix__?
- Is there an error message that points to the stronger cryptography as the issue?
- Is the workaround to change the default algorithm back to __unix__?

-- Sharon

> This specific change depends on PSARC/2007/XXX and may not ship
> before it.
>
> This case does not enable password aging or account locking on failed
> attempts by default and leaves all the other rules as they currently are - see
> pam_authtok_check(5).
>
> This case only changes the defaults for a new install and does not
> make any changes to the rules on upgrade - since we cannot safely
> know what the admin's intention was.
>
> Minor release binding is requested.
> The taxonomy of the knobs being twiddled is defined in their original cases.
>
>
> --- END PROPOSAL --
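As an added example (not part of this thread or of the OpenSolaris code), the following Python audit reads the four knobs the proposal names from /etc/default/passwd and /etc/security/policy.conf, reports which are still weaker than the proposed defaults, and classifies /etc/shadow entries by hash algorithm so an admin can see which accounts still carry __unix__ hashes before or after CRYPT_DEFAULT is changed. The file contents are constructed samples; the "$5$" prefix for crypt_sha256 output and the 13-character form of __unix__ hashes are assumptions of this example.

```python
import re

# Constructed sample file contents (not taken from any real system).
SAMPLE_PASSWD_DEFAULTS = "# /etc/default/passwd\nMAXWEEKS=\nMINWEEKS=\nPASSLENGTH=6\n"
SAMPLE_POLICY_CONF = "# /etc/security/policy.conf\nCRYPT_DEFAULT=__unix__\n"
SAMPLE_SHADOW = (
    "root:$5$saltsalt$constructedhashvalue:13700::::::\n"
    "legacy:ab8bXYZpqrs12:13700::::::\n"   # 13-char traditional __unix__ hash
    "svc:*LK*:13700::::::\n"               # locked account
)

def parse_defaults(text):
    """Parse a Solaris KEY=VALUE defaults file, skipping comments and blanks."""
    values = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            key, sep, value = line.partition("=")
            if sep:
                values[key.strip()] = value.strip()
    return values

def check_defaults(passwd_text, policy_text):
    """Return the knobs from the proposal that are weaker than proposed."""
    pw, pol = parse_defaults(passwd_text), parse_defaults(policy_text)
    findings = []
    if not pw.get("HISTORY", "").isdigit() or int(pw["HISTORY"]) < 2:
        findings.append("HISTORY: proposal sets HISTORY=2")
    if not pw.get("PASSLENGTH", "").isdigit() or int(pw["PASSLENGTH"]) < 8:
        findings.append("PASSLENGTH: proposal sets PASSLENGTH=8")
    if not pw.get("DICTIONDBDIR"):
        findings.append("DICTIONDBDIR: proposal sets DICTIONDBDIR=/var/passwd")
    if pol.get("CRYPT_DEFAULT", "__unix__") == "__unix__":
        findings.append("CRYPT_DEFAULT: proposal sets CRYPT_DEFAULT=5 (sha256)")
    return findings

def classify_hash(field):
    """Classify a shadow password field by the crypt algorithm that produced it."""
    if field.startswith("*LK*"):
        return "locked"
    if field in ("", "NP"):
        return "no-password"
    if field.startswith("$5$"):          # assumed crypt_sha256 prefix (crypt.conf id 5)
        return "sha256"
    if re.fullmatch(r"[./0-9A-Za-z]{13}", field):
        return "unix"                    # traditional __unix__ (DES-based) hash
    return "other"

def audit_shadow(text):
    """Map each user in /etc/shadow to the algorithm of its stored hash."""
    return {line.split(":")[0]: classify_hash(line.split(":")[1])
            for line in text.splitlines() if line.strip()}
```

Running it against the samples flags all four knobs and shows that the "legacy" account would keep its __unix__ hash until its password is next changed, which is the situation behind the compatibility question above.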
