Solaris & MD5 Passwords?

Hi!
We've got a Linux NIS domain in-house, and would like to also integrate our Sun boxes into this domain. The problem is that RedHat Linux uses MD5 encryption for PAM passwords, and it seems that Solaris isn't able to encrypt passwords this way...
Does anyone know a solution, or perhaps a lib which supports MD5?
Thanks...
-- Mirko

One way of doing this:
You have a Solaris resource adapter configured and working properly.
Create a variable and map this variable to the password attribute on the Solaris adapter schema mapping.
Within the form that is used when a create or update is processed, add a field with the name 'global.YOURVARIABLE'. Within the expansion of this field, select expression and use the <script> tag to call the MD5 password JavaScript, for instance.
A better way of doing this is to put the <script> in a rule, test the rule, and call the rule from the expansion.
Good luck!
Elger.

Similar Messages

  • Solaris 10 openldap authentication with md5 passwords

    Hello to everyone,
    We are trying to enable ldap authentication with pam_ldap and md5 passwords on a Solaris 10 system to an openldap server. If passwords are stored using crypt, everything works correctly. But if the password in openldap is in md5, then authentication fails.
    We have installed openldap client along with pam_ldap and nss_ldap from padl (http://www.padl.com/pam_ldap.html)
    The error messages when trying to 'su -' to the ldap user are:
    Jun  1 18:35:23 servername su: [ID 896952 auth.debug] pam_unix_auth: entering pam_sm_authenticate()
    Jun  1 18:35:23 servername su: [ID 810491 auth.crit] 'su ldapuser' failed for mike on /dev/pts/4
    and for ssh:
    Jun  1 18:35:54 servername sshd[14197]: [ID 896952 auth.debug] pam_unix_auth: entering pam_sm_authenticate()
    Jun  1 18:35:54 servername sshd[14191]: [ID 800047 auth.error] error: PAM: Authentication failed for ldapuser from pc7395.sa.example.int
    Jun  1 18:36:00 servername sshd[14224]: [ID 896952 auth.debug] pam_unix_auth: entering pam_sm_authenticate()
    Jun  1 18:36:00 servername sshd[14191]: [ID 800047 auth.error] error: PAM: Authentication failed for ldapuser from pc7395.sa.example.int
    Jun  1 18:36:02 servername sshd[14278]: [ID 800047 auth.info] Accepted publickey for scponly from 10.24.4.52 port 35390 ssh2
    Jun  1 18:36:04 servername sshd[14270]: [ID 896952 auth.debug] pam_unix_auth: entering pam_sm_authenticate()
    Jun  1 18:36:04 servername sshd[14191]: [ID 800047 auth.error] error: PAM: Authentication failed for ldapuser from pc7395.sa.example.int
    Jun  1 18:36:04 servername sshd[14191]: [ID 800047 auth.info] Failed keyboard-interactive/pam for ldapuser from 192.168.1.25 port 41075 ssh2
    Jun  1 18:36:08 servername sshd[14191]: [ID 896952 auth.debug] pam_unix_auth: entering pam_sm_authenticate()
    Jun  1 18:36:08 servername sshd[14191]: [ID 800047 auth.info] Failed password for ldapuser from 192.168.1.25 port 41075 ssh2
    Jun  1 18:36:12 servername sshd[14191]: [ID 896952 auth.debug] pam_unix_auth: entering pam_sm_authenticate()
    Jun  1 18:36:12 servername sshd[14191]: [ID 800047 auth.info] Failed password for ldapuser from 192.168.1.25 port 41075 ssh2
    Jun  1 18:36:17 servername sshd[14191]: [ID 896952 auth.debug] pam_unix_auth: entering pam_sm_authenticate()
    Jun  1 18:36:17 servername sshd[14191]: [ID 800047 auth.info] Failed password for ldapuser from 192.168.1.25 port 41075 ssh2
    Below are the configuration files (pam.conf, nsswitch.conf, ldap.conf) and anything else that I imagine could help (comments in the files have been removed).
    Please feel free to ask for any other configuration file:
    */etc/pam.conf*
    login   auth requisite        pam_authtok_get.so.1
    login   auth required         pam_dhkeys.so.1
    login   auth required         pam_unix_cred.so.1
    login   auth required         pam_dial_auth.so.1
    login   auth sufficient       pam_unix_auth.so.1  server_policy debug
    login   auth required           /usr/lib/security/pam_ldap.so.1 debug
    rlogin auth sufficient       pam_rhosts_auth.so.1
    rlogin auth requisite        pam_authtok_get.so.1
    rlogin auth required         pam_dhkeys.so.1
    rlogin auth required         pam_unix_cred.so.1
    rlogin  auth required          pam_unix_auth.so.1 use_first_pass
    rsh    auth sufficient       pam_rhosts_auth.so.1
    rsh    auth required         pam_unix_cred.so.1
    rsh    auth required         pam_unix_auth.so.1
    ppp     auth requisite        pam_authtok_get.so.1
    ppp     auth required         pam_dhkeys.so.1
    ppp     auth required         pam_dial_auth.so.1
    ppp     auth sufficient       pam_unix_auth.so.1 server_policy
    other   auth sufficient         /usr/lib/security/pam_ldap.so.1 debug
    other   auth required           pam_unix_auth.so.1 use_first_pass debug
    passwd  auth sufficient          pam_passwd_auth.so.1 server_policy
    passwd  auth required           /usr/lib/security/pam_ldap.so.1 debug
    cron    account required      pam_unix_account.so.1
    other   account requisite     pam_roles.so.1
    other   account sufficient       pam_unix_account.so.1 server_policy
    other   account required        /usr/lib/security/pam_ldap.so.1 debug
    other   session required      pam_unix_session.so.1
    other   password required     pam_dhkeys.so.1
    other   password requisite    pam_authtok_get.so.1
    other   password requisite    pam_authtok_check.so.1
    other   password required     pam_authtok_store.so.1 server_policy
    */etc/ldap.conf*
    base ou=users,ou=Example,dc=staff,dc=example
    ldap_version 3
    scope sub
    pam_groupdn [email protected],ou=groups,ou=Example,dc=staff,dc=example
    pam_member_attribute memberUid
    nss_map_attribute uid displayName
    nss_map_attribute cn sn
    pam_password_prohibit_message Please visit https://changepass.exapmle.int/ to change your password.
    uri ldap://ldapserver01/
    ssl no
    bind_timelimit 1
    bind_policy soft
    timelimit 10
    nss_reconnect_tries 3
    host klnsds01
    nss_base_group         ou=system_groups,ou=Example,dc=staff,dc=example?sub
    pam_password md5
    */etc/nsswitch.conf*
    passwd:     files ldap
    group:      files ldap
    hosts:      files dns
    ipnodes:   files dns
    networks:   files
    protocols:  files
    rpc:        files
    ethers:     files
    netmasks:   files
    bootparams: files
    publickey:  files
    netgroup:   files
    automount:  files
    aliases:    files
    services:   files
    printers:       user files
    auth_attr:  files
    prof_attr:  files
    project:    files
    tnrhtp:     files
    tnrhdb:     files
    */etc/security/policy.conf*
    AUTHS_GRANTED=solaris.device.cdrw
    PROFS_GRANTED=Basic Solaris User
    CRYPT_ALGORITHMS_DEPRECATE=__unix__
    LOCK_AFTER_RETRIES=YES
    CRYPT_ALGORITHMS_ALLOW=1,2a,md5
    CRYPT_DEFAULT=1
    Thanks in advance for any response...!!

    Thank you for your reply.
    Our openldap version is openldap-2.3.39
    And all passwords are encrypted with: Base 64 encoded md5
    Below is a sample password:
    {md5}2FeO34RYzgb7xbt2pYxcpA==
    Thanks again for any help..

  • Sun Management Console doesn't support MD5 passwords?

    I recently converted all our Sun systems to use MD5 passwords, using the Linux-BSD algorithm. I chose the Linux-BSD algorithm for compatibility reasons. After giving root a new password, now stored in MD5 format, I can no longer log in to the Sun Management Console (smc). I had the same problem with DB2. Switching root's password back to CRYPT fixed the issue.
    Is this a known problem that Sun is working on? And how does this happen? Shouldn't the application leave authentication to the OS?
    Mark

    IIRC the Solaris 10 Basic admin guide talks about this issue.
    alan

  • LDAP authentication with MD5 passwords

    Hi,
    in one of our Linux servers we have MD5 passwords stored in /etc/shadow. We want to implement pam_ldap on that machine, and move passwords to an LDAP database.
    I know it is to be done with {crypt} storage scheme.
    This works with DS 5.2 running on a Linux box, but under Solaris 8 I couldn't get it working. I know that Solaris 8 doesn't support MD5 passwords in its crypt(3) function, and I suppose Directory Server uses that. Somewhere I read, however, that crypt() in Solaris 9 does support MD5.
    Can you confirm that after upgrading to Solaris 9, authentication with MD5-hashed passwords will be possible? Has anyone tried it?
    Thanks in advance,
    Kristof


  • IDS 5.0 SP2 + Solaris 8 password problem

    Iplanet version : iDS 5.0 SP2 + Solaris 8
    Password:
    user must change password after reset : yes
    user may change password : yes
    allow changes in 0 days
    keep password history : yes
    remember 6 password
    Password expires after 90 days
    send warning 7 days before password expires
    check password syntax : yes
    password min length : 6
    Account lockout:
    Account maybe lockout : yes
    Lockout account after 3 login failures
    reset failure count after 525600 minutes
    Lockout forever : yes
    We discovered that when the user password is expired because the field 'passwordexpirationtime' is in the past, there are two types of password expiration within iPlanet LDAP. One type of expiration will allow users to change the password by themselves; however, the other type does not.
    We discovered that when we put a 'Z' on the field passwordexpirationtime, it will show the first type of password expiration, where users can change their password. When we remove the 'Z' from the field passwordexpirationtime, it will not allow users to change the password by themselves. We provide a screen dump at the end.
    Moreover, the problem may be triggered by another event instead of adding a 'Z' on the passwordexpirationtime field.
    Here is the screen dump for you to investigate. You can see that the output with 'DSA is unwilling to perform' is the type where the user can change their password, while the output with 'Invalid credentials' is the type where the user CANNOT change their password.
    Case 1
    ======
    %ldapsearch -p 3389 -b o=orange,c=us uid=john passwordexpirationtime
    uid=john,o=jpmorgan,c=us
    passwordexpirationtime=19900101000000Z
    %ldapsearch -v -p 3389 -D uid=john,o=orange,c=us -w abc123 -b o=jpmorgan,c=us uid=john
    ldap_init(localhost, 3389)
    filter pattern: uid=john
    returning: ALL
    filter is: (uid=john)
    ldap_search: DSA is unwilling to perform
    0 matches
    Case 2
    ======
    %ldapsearch -p 3389 -b o=orange,c=us uid=john passwordexpirationtime
    uid=john,o=jpmorgan,c=us
    passwordexpirationtime=19900101000000
    %ldapsearch -v -p 3389 -D uid=john,o=orange,c=us -w abc123 -b o=jpmorgan,c=us uid=john
    ldap_init(localhost, 3389)
    ldap_simple_bind: Invalid credentials
    ldap_simple_bind: additional info: password expired!
    I know it has nothing to do with the 'zulu' suffix; the LDAP schema supports both
    attribute value formats. But this happens in my LDAP. Any hints?
    Questions:
    - Under what conditions will the LDAP complain "DSA is unwilling to perform" or
    "Invalid credentials"?
    - Any hints to resolve the problem?

    If something had changed recently, drill into that.
    Do a hardware RAM test to confirm HW level soundness.
    You may capture the core dump or similar information and send it to Microsoft for analysis.
    They may ask you to do the usual thing: apply W2KSP4 and/or OS and security patches.
    You also have the option of migrating IDS5.0/Windows to IDS5.2Patch3 (also as Sun Java System DirSvr 5.2) running on Solaris10 x86.
    Gary

  • How to recover sun solaris 10 password

    I installed a virtual machine some days back and set a password for the user name root. Today when I tried to log in on that machine, I had forgotten the password. What should I do in order to recover the password for root?

    Use Google:
    keywords "+solaris root password+"
    See more than 4000 search results.
    Alternative?
    Start all over again and reinstall the OS from the beginning.

  • MD5 Password Support in DS5.2

    I need to import accounts from an Oracle Directory (OID) to the Sun Directory 5.2p6. The passwords in the accounts use MD5. From what I read, MD5 is supported, but I am not finding how to configure it to work :).
    I do see a plugin called NS-MTA-MD5, but not just MD5. I tried using NS-MTA-MD5 but that does not work.
    An example MD5 password is: {MD5}SCyBHaXVtLxtSX/6mEkeOA==
    cleartext: password123
    Any help is appreciated.
    Thanks,
    Eric

    There is no default support for an MD5 hashing scheme.
    Provided the algorithm used by Oracle Directory is publicly documented, it should be pretty straightforward to implement a new Password Storage Scheme Plug-in to support both Authentication and hashing new passwords in MD5 format.
    Directory Server ships with a sample plug-in that can be used as a template.
    Regards,
    Ludovic.

  • Migrating Linux shadow-file MD5 passwords to Sun DSEE for Solaris/SunMail

    Hello all,
    We are about to undertake migration of an outdated mail server based on RedHat 7.2 and Sendmail/ipop3d to Sun Messaging Server (JCS6u2). While the filesystem/mail are not a problem, we're stuck at the question of how to best migrate old users' identities.
    The old Linux system used user names and password hashes stored in /etc/passwd and /etc/shadow files. Hashes are mostly MD5 and a few seem like crypt.
    Question is: are there known incompatibilities between password hashes (algorithms, expected format) in Linux and Sun products - Solaris/DSEE/SunMail?
    That is, if we just take strings like these:
    usemd5:$1$Wu7IqFT5$TeUht3OMdeSSBB3Vab4dB.:11262:0:::::134540116
    usecrypt:DD2kEwCD8nies:10220::::::
    Can we simply place the second column as the userPassword attribute in Sun DSEE and expect that users would be able to log in to LDAP-enabled Solaris and Sun Mail with their old passwords known only to them?
    If not, is there some simple modification/translation of such hashes to a format accepted by Sun products?
    Or are these formats/algorithms known to be incompatible somehow in a fatal manner, so our only option would be generation of new passwords for Sun DSEE and its clients?
    Thanks,
    //Jim


  • Migration Users with MD5 Passwords to Directory Server 6.1 on Solaris 10

    Hi,
    We currently have a requirement of migrating some users to an application database to inside LDAP. Currently the application maintains the passwords in MD5 hash form. Typical 32 digit hex value - 41da76f0fc3ec62a6939e634bfb6a342
    Is there a way we can migrate these users' passwords to Directory Server as-is so that they don't end up facing the prospect of resetting post migration?
    I have done some of the initial groundwork but seem to be missing other critical info, if it's possible at all.
    I believe it's possible to have the CRYPT password policy (which Directory Server uses from the underlying OS) as one of the plug-ins, configured in a way that the underlying CRYPT utility starts to process/provide/support MD5 hashes. I got it to work by using the below command on the DSEE instance:
    dsconf set-plugin-prop -p 389 CRYPT argument:'$md5$'
    But for some reason the MD5 hash that the Sun MD5 library provides does not match the original hash value. It's 22 chars long (as I have not specified any salt length) so I am assuming it's Base64 encoded. I have a Perl script which converts the original 32-digit hex values to a base64 encoded representation (which I have also verified with other open source tools).
    Is there a way I can tweak the CRYPT utility or something so that it understands typical standard MD5 hashes? (Confused between Sun MD5 and BSD (Linux) MD5 - neither of them seems to match the standard MD5 generated value.)
    Any leads on this would be really helpful.

    Just to reclarify or throw more information:
    a password - cleartext value - testuser1 has 32-digit HEX value as - 41da76f0fc3ec62a6939e634bfb6a342
    Same password when converted to Base64 pattern becomes - Qdp28Pw+xippOeY0v7ajQg==
    But when I use pwdhash utility in DSE after configuring CRYPT to use MD5 hashes it becomes -
    {crypt}$md5$$LiB/H70zXr3xfQPoXVuUQ1
    I used below command :
    pwdhash -D /opt/SUNWdsee/dsee6/ds6/slapd-oha-dev -s CRYPT testuser1
    Actual hash value of pwdhash is -LiB/H70zXr3xfQPoXVuUQ1 with rest of the prefix is to meet RFC standard and salt and algo name separator.
    I am wondering if Sun MD5 default uses any salt even when I haven't used or DS does it. Or if any other MD5 option is there which can be used.
    Thanks,
    Gaurav
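The hash formats quoted in the two Directory Server threads above (Eric's `{MD5}` value and Gaurav's hex, base64 and `{crypt}$md5$` values) can be told apart and checked with the following added example, which is not code from any poster or from Sun; the function names `classify`, `hex_to_ldap_md5` and `verify_ldap_md5` are chosen here for illustration. It assumes `{MD5}` means base64 of the raw, unsalted 16-byte digest, which is what the hex and base64 values in the posts correspond to.

```python
import base64
import binascii
import hashlib
import hmac
import re

# crypt(3) prefixes, labelled with the modules from the crypt.conf listing
# quoted further down this page.
CRYPT_PREFIXES = {
    "$1$": "BSD/Linux MD5 crypt (crypt_bsdmd5)",
    "$2a$": "Blowfish crypt (crypt_bsdbf)",
    "$md5": "Sun MD5 crypt (crypt_sunmd5)",  # "$md5$..." or "$md5,rounds=N$..."
    "$5$": "SHA-256 crypt (crypt_sha256)",
    "$6$": "SHA-512 crypt (crypt_sha512)",
}


def classify(value):
    """Name the storage format of a userPassword value or shadow hash field."""
    scheme = re.match(r"\{([A-Za-z0-9-]+)\}(.*)$", value)
    if scheme:
        name, rest = scheme.group(1).upper(), scheme.group(2)
        if name == "CRYPT":
            return "{crypt} wrapping " + classify(rest)
        if name == "MD5":
            return "LDAP {MD5}: base64 of raw unsalted MD5"
        return "LDAP scheme " + name
    for prefix, label in CRYPT_PREFIXES.items():
        if value.startswith(prefix):
            return label
    if re.fullmatch(r"[0-9a-fA-F]{32}", value):
        return "hex of raw unsalted MD5"
    if re.fullmatch(r"[./0-9A-Za-z]{13}", value):
        return "traditional DES crypt"
    return "unknown"


def hex_to_ldap_md5(hexdigest):
    """Re-encode a 32-digit hex MD5 as an LDAP {MD5} value (no rehashing)."""
    raw = binascii.unhexlify(hexdigest)
    if len(raw) != 16:
        raise ValueError("an MD5 digest is exactly 16 bytes")
    return "{MD5}" + base64.b64encode(raw).decode("ascii")


def verify_ldap_md5(stored, cleartext):
    """Check a cleartext against a {MD5} value; other formats are refused."""
    if stored[:5].upper() != "{MD5}":
        raise ValueError("not a {MD5} value: " + classify(stored))
    try:
        expected = base64.b64decode(stored[5:], validate=True)
    except binascii.Error:
        return False
    actual = hashlib.md5(cleartext.encode("utf-8")).digest()
    return hmac.compare_digest(expected, actual)  # constant-time comparison


if __name__ == "__main__":
    # Sample values copied from the posts on this page.
    for sample in ("{md5}2FeO34RYzgb7xbt2pYxcpA==",
                   "$1$Wu7IqFT5$TeUht3OMdeSSBB3Vab4dB.",
                   "DD2kEwCD8nies",
                   "{crypt}$md5$$LiB/H70zXr3xfQPoXVuUQ1",
                   "41da76f0fc3ec62a6939e634bfb6a342"):
        print(sample, "->", classify(sample))
    print(hex_to_ldap_md5("41da76f0fc3ec62a6939e634bfb6a342"))
```

A raw MD5 digest can be re-encoded between hex and `{MD5}` without knowing the cleartext, but it cannot be converted into a `$1$` or `$md5$` string, because those are salted, iterated crypt(3) constructions computed from the cleartext.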

  • Solaris root password is working with extra char/chars appended with it

    Dear forum,
    In our production server, I can log in as root with extra chars appended to the end of the actual password.
    Example:
    Suppose my password is `hello123`
    But during login all the below combinations work and allow login:
    hello123*456*
    hello123*4*
    hello123*hello*
    That is, login is not checking further chars after the exact match with the actual password.
    1) But why?
    2) How to prevent this.... does any file under /etc/default need to change?
    NB:
    Dear Nik if you are reading this post... please reply
    Edited by: Myth on Jan 29, 2012 10:28 PM

    It might be worth noting that you will get the crypto algorithm which is defined in /etc/security/crypto.conf
    The default of the crypto.conf is:
    1 crypt_bsdmd5.so.1
    2a crypt_bsdbf.so.1
    md5 crypt_sunmd5.so.1
    5 crypt_sha256.so.1
    6 crypt_sha512.so.1
    .. if you set CRYPT_DEFAULT in policy.conf to "md5", you will use the crypto algorithm crypto_sunmd5.so.1; if you set CRYPT_DEFAULT to "1" you will get crypt_bsdmd5.so.1.
    It's also worth noting that the default in Solaris 11 is
    CRYPT_DEFAULT=5
    i.e "crypt_sha256.so.1".
    .7/M.

  • Logging in with md5 passwords.

    Hi,
    How is it possible to allow users to log in when their passwords have been encrypted into md5?
    Thank you.

    You encrypt the submitted value and compare it to the stored value.
    The way I do this with the Dreamweaver Log In User server behavior is to add this at the top of the login page:
    // Hash the submitted password so it can be compared with the stored MD5 value
    if (isset($_POST['password'])) {
      $_POST['password'] = md5($_POST['password']);
    }

  • MD5 passwords in PostgreSQL Database

    Hi!
    I have to store some MD5 hashed passwords in a table in my PostgreSQL Database. The problem is that when I try to store those "hashed" Strings with an INSERT Statement I get the error: java.sql.SQLException: ERROR: parser: parse error at or near "��������h".
    This does not always happen when I hash and store a clear text String with the MD5 algorithm. Some Strings work fine, others do not! I think it has something to do with the character encoding in my JDBC Driver. I use the ISO-8859-15 encoding.
    Please give me some hints to solve this problem!
    Thx

    I'm not an MD5 expert, but as far as I know the MD5 code is "binary", meaning it can contain values below 32, which are non-printable characters (and even negative values, as they are bytes). I think you have to encode the MD5 checksum as e.g. Base64
    Thomas

  • NDS 4.16 Auth Solaris 8, password aging support or not?

    I have set up a Netscape Directory Server from version 4.13 to 4.16 for auth on Solaris 8. I find the password policy does not affect the Solaris users. Also, the LDAP group is shown as a number.
    -rw-r--r-- 1 test2 11 0 Nov 21 16:26 test2
    The number 11 should be the group name referring to LDAP, but the user test2 is an LDAP user and group policy is working.
    Please help!!
    Lucas

    The Solaris 8 authentication through LDAP does not support the Password Policy yet.
    Ludovic.

  • Solaris 8 Password Expiration

    We've just encountered a problem with servers expiring the root password without us previously being notified that the password is about to expire.
    When you use su to get to root, (we use SSH to connect to remote servers and deny root access by default - you have to login with normal username and then su as root) are you supposed to get the warnings that the password is going to expire? If you are, then we didn't and now we are stuck until someone can get to the server and boot off CD. Bit of a blow as the server is a few hundred miles down the road! Are there any patches that fix this 'bug'?
    Cheers,
    Mark.

    I'm still struggling to get password expiration and inactivation to work with DS 6.3.1 and Solaris 10 5/08. When accounts are expired or inactivated (nsAccountLock) users can still login via ssh. But when accounts are temporarily locked (pwdAccountLockedTime) ssh does the right thing and won't let them log in.
    Things work properly when I have
    passwd: files ldap
    in nsswitch.conf, but when I go to compatibility mode:
    passwd: compat
    passwd_compat: ldap
    ssh 'ignores' expiration and inactivation status of accounts.
    Following the advice of your last comment here (4.5 years ago!) I took away all access to the 'userPassword' attribute for the proxy account, but nothing changed (I did an 'ldapsearch' as the proxy account to ensure that the aci was working as expected and denying all access to the attribute).
    Would you, akillenb, or anyone, be so kind as to give any information that will let a Solaris 10 client work properly with the enhanced account management facilities of the Sun DSEE 6.3.1 LDAP server? Copies of pam.conf and nsswitch.conf and details on LDAP aci's would be most gratefully received!!!

  • Solaris root password & installer

    I have installed Oracle Solaris 11 Express, but:
    I have difficulties finding the root password. I have tried solaris & my user password but it's not working.
    During the installation I used the solaris password for the partition manager and it worked, but not later.
    I would also like to ERASE ALL PASSWORDS of the system, ... give password, give password, give password, it gives you a headache,
    and by the way, do I have to buy an application installer or do I have one with the package?
    Thanks in advance,
    max.

    root is a role by default in Solaris 11, so I don't think it actually has a password, or am I wrong here? You can set a password by running pfexec passwd root from the user who you created as an administrative user..
    .7/M.
