Solaris & MD5 Passwords ?
Hi!
We've got a Linux NIS domain in-house, and would like to also integrate our Sun boxes into this domain. The problem is that RedHat Linux uses MD5 encryption for PAM passwords, and it seems that Solaris isn't able to encrypt passwords this way...
Does anyone know a solution, or perhaps a lib which supports MD5?
Thanks...
-- Mirko
One way of doing this:
You have a Solaris resource adapter configured and working properly.
Create a variable and map this variable to the password attribute in the Solaris adapter schema mapping.
Within the form that is used when a create or update is processed, add a field with the name of the 'global.YOURVARIABLE'. Within the expansion of this field select expression and use the <script> tag to use the MD5 password javascript for instance.
A better way of doing, is putting the <script> in a rule, test the rule, and call the rule from the expansion.
Good luck!
Elger.
Similar Messages
-
Solaris 10 openldap authentication with md5 passwords
Hello to everyone,
We are trying to enable ldap authentication with pam_ldap and md5 passwords on a Solaris 10 system to an openldap server. If passwords are stored using crypt, everything works correctly. But if the password in openldap is in md5, then authentication fails.
We have installed openldap client along with pam_ldap and nss_ldap from padl (http://www.padl.com/pam_ldap.html)
The error messages when trying to 'su -' to the ldap user are:
Jun 1 18:35:23 servername su: [ID 896952 auth.debug] pam_unix_auth: entering pam_sm_authenticate()
Jun 1 18:35:23 servername su: [ID 810491 auth.crit] 'su ldapuser' failed for mike on /dev/pts/4
and for ssh:
Jun 1 18:35:54 servername sshd[14197]: [ID 896952 auth.debug] pam_unix_auth: entering pam_sm_authenticate()
Jun 1 18:35:54 servername sshd[14191]: [ID 800047 auth.error] error: PAM: Authentication failed for ldapuser from pc7395.sa.example.int
Jun 1 18:36:00 servername sshd[14224]: [ID 896952 auth.debug] pam_unix_auth: entering pam_sm_authenticate()
Jun 1 18:36:00 servername sshd[14191]: [ID 800047 auth.error] error: PAM: Authentication failed for ldapuser from pc7395.sa.example.int
Jun 1 18:36:02 servername sshd[14278]: [ID 800047 auth.info] Accepted publickey for scponly from 10.24.4.52 port 35390 ssh2
Jun 1 18:36:04 servername sshd[14270]: [ID 896952 auth.debug] pam_unix_auth: entering pam_sm_authenticate()
Jun 1 18:36:04 servername sshd[14191]: [ID 800047 auth.error] error: PAM: Authentication failed for ldapuser from pc7395.sa.example.int
Jun 1 18:36:04 servername sshd[14191]: [ID 800047 auth.info] Failed keyboard-interactive/pam for ldapuser from 192.168.1.25 port 41075 ssh2
Jun 1 18:36:08 servername sshd[14191]: [ID 896952 auth.debug] pam_unix_auth: entering pam_sm_authenticate()
Jun 1 18:36:08 servername sshd[14191]: [ID 800047 auth.info] Failed password for ldapuser from 192.168.1.25 port 41075 ssh2
Jun 1 18:36:12 servername sshd[14191]: [ID 896952 auth.debug] pam_unix_auth: entering pam_sm_authenticate()
Jun 1 18:36:12 servername sshd[14191]: [ID 800047 auth.info] Failed password for ldapuser from 192.168.1.25 port 41075 ssh2
Jun 1 18:36:17 servername sshd[14191]: [ID 896952 auth.debug] pam_unix_auth: entering pam_sm_authenticate()
Jun 1 18:36:17 servername sshd[14191]: [ID 800047 auth.info] Failed password for ldapuser from 192.168.1.25 port 41075 ssh2
Below are the configuration files (pam.conf, nsswitch.conf, ldap.conf) and anything else that I imagine could help (comments in the files have been removed).
Please feel free to ask for any other configuration file:
*/etc/pam.conf*
login auth requisite pam_authtok_get.so.1
login auth required pam_dhkeys.so.1
login auth required pam_unix_cred.so.1
login auth required pam_dial_auth.so.1
login auth sufficient pam_unix_auth.so.1 server_policy debug
login auth required /usr/lib/security/pam_ldap.so.1 debug
rlogin auth sufficient pam_rhosts_auth.so.1
rlogin auth requisite pam_authtok_get.so.1
rlogin auth required pam_dhkeys.so.1
rlogin auth required pam_unix_cred.so.1
rlogin auth required pam_unix_auth.so.1 use_first_pass
rsh auth sufficient pam_rhosts_auth.so.1
rsh auth required pam_unix_cred.so.1
rsh auth required pam_unix_auth.so.1
ppp auth requisite pam_authtok_get.so.1
ppp auth required pam_dhkeys.so.1
ppp auth required pam_dial_auth.so.1
ppp auth sufficient pam_unix_auth.so.1 server_policy
other auth sufficient /usr/lib/security/pam_ldap.so.1 debug
other auth required pam_unix_auth.so.1 use_first_pass debug
passwd auth sufficient pam_passwd_auth.so.1 server_policy
passwd auth required /usr/lib/security/pam_ldap.so.1 debug
cron account required pam_unix_account.so.1
other account requisite pam_roles.so.1
other account sufficient pam_unix_account.so.1 server_policy
other account required /usr/lib/security/pam_ldap.so.1 debug
other session required pam_unix_session.so.1
other password required pam_dhkeys.so.1
other password requisite pam_authtok_get.so.1
other password requisite pam_authtok_check.so.1
other password required pam_authtok_store.so.1 server_policy
*/etc/ldap.conf*
base ou=users,ou=Example,dc=staff,dc=example
ldap_version 3
scope sub
pam_groupdn [email protected],ou=groups,ou=Example,dc=staff,dc=example
pam_member_attribute memberUid
nss_map_attribute uid displayName
nss_map_attribute cn sn
pam_password_prohibit_message Please visit https://changepass.exapmle.int/ to change your password.
uri ldap://ldapserver01/
ssl no
bind_timelimit 1
bind_policy soft
timelimit 10
nss_reconnect_tries 3
host klnsds01
nss_base_group ou=system_groups,ou=Example,dc=staff,dc=example?sub
pam_password md5
*/etc/nsswitch.conf*
passwd: files ldap
group: files ldap
hosts: files dns
ipnodes: files dns
networks: files
protocols: files
rpc: files
ethers: files
netmasks: files
bootparams: files
publickey: files
netgroup: files
automount: files
aliases: files
services: files
printers: user files
auth_attr: files
prof_attr: files
project: files
tnrhtp: files
tnrhdb: files
*/etc/security/policy.conf*
AUTHS_GRANTED=solaris.device.cdrw
PROFS_GRANTED=Basic Solaris User
CRYPT_ALGORITHMS_DEPRECATE=__unix__
LOCK_AFTER_RETRIES=YES
CRYPT_ALGORITHMS_ALLOW=1,2a,md5
CRYPT_DEFAULT=1
Thanks in advance for any response...!!
Thank you for your reply.
Our openldap version is openldap-2.3.39
And all passwords are encrypted with : Base 64 encoded md5
Below is a sample password:
{md5}2FeO34RYzgb7xbt2pYxcpA==
Thanks again for any help..
-
Sun Management Console doesn't support MD5 passwords?
I recently converted all our Sun systems to use MD5 passwords, using the Linux-BSD algorithm. I chose the Linux-BSD algorithm for compatibility reasons. After giving root a new password, now stored in MD5 format, I can no longer log in to the Sun Management Console (smc). I had the same problem with DB2. Switching root's password back to CRYPT fixed the issue.
Is this a known problem that Sun is working on? And how does this happen? Shouldn't the application leave authentication to the OS?
Mark
IIRC the Solaris 10 Basic admin guide talks about this issue.
alan -
LDAP authentication with MD5 passwords
Hi,
in one of our Linux servers we have MD5 passwords stored in /etc/shadow. We want to implement pam_ldap on that machine, and move passwords to an LDAP database.
I know it is to be done with {crypt} storage scheme.
This works with DS 5.2 running on a Linux box, but under Solaris 8 I couldn't get it working. I know that Solaris 8 doesn't support MD5 passwords in its crypt(3) function, and I suppose Directory Server uses that. Somewhere I read that, however crypt() in Solaris 9 does support MD5.
Can you confirm that after upgrading to Solaris 9, authentication with MD5-hashed passwords will be possible? Has anyone tried it?
Thanks in advance,
Kristof
-
IDS 5.0 SP2 + Solaris 8 password problem
Iplanet version : iDS 5.0 SP2 + Solaris 8
Password:
user must change password after reset : yes
user may change password : yes
allow changes in 0 days
keep password history : yes
remember 6 passwords
Password expires after 90 days
send warning 7 days before password expires
check password syntax : yes
password min length : 6
Account lockout:
Account maybe lockout : yes
Lockout account after 3 login failures
reset failure count after 525600 minutes
Lockout forever : yes
We discovered that when the user password has expired because the field 'passwordexpirationtime' is in the past, there are two types of password expiration within iPlanet LDAP. One type of expiration allows users to change the password themselves; the other does not.
We discovered that when we put a 'Z' on the field passwordexpirationtime, it shows the first type of password expiration, where the user can change their password. When we remove the 'Z' from the field passwordexpirationtime, it does not allow the user to change the password themselves; we provide a screen dump at the end.
Moreover, the problem may be triggered by other events instead of adding a 'Z' to the passwordexpirationtime field.
Here is the screen dump for you to investigate, you can see that the output with 'DSA is unwilling to perform' is the type where user can change their password, while the output with 'Invalid credentials' is the type where user CANNOT change their password.
Case 1
======
%ldapsearch -p 3389 -b o=orange,c=us uid=john passwordexpirationtime
uid=john,o=jpmorgan,c=us
passwordexpirationtime=19900101000000Z
%ldapsearch -v -p 3389 -D uid=john,o=orange,c=us -w abc123 -b o=jpmorgan,c=us uid=john
ldap_init(localhost, 3389)
filter pattern: uid=john
returning: ALL
filter is: (uid=john)
ldap_search: DSA is unwilling to perform
0 matches
Case 2
======
%ldapsearch -p 3389 -b o=orange,c=us uid=john passwordexpirationtime
uid=john,o=jpmorgan,c=us
passwordexpirationtime=19900101000000
%ldapsearch -v -p 3389 -D uid=john,o=orange,c=us -w abc123 -b o=jpmorgan,c=us uid=john
ldap_init(localhost, 3389)
ldap_simple_bind: Invalid credentials
ldap_simple_bind: additional info: password expired!
I know this has nothing to do with the 'Zulu' suffix; the LDAP schema supports both attribute value formats. But this happens in my LDAP. Any hints?
Question:
- Under what conditions will the LDAP server complain "DSA is unwilling to perform" or
"Invalid credentials"?
- Any hints to resolve the problem?
If something had changed recently, drill into that.
Do a hardware RAM test to confirm HW level soundness.
You may capture the core dump or similar information and send it to Microsoft for analysis.
They may ask you to do the usual thing: apply W2KSP4 and/or OS and security patches.
You also have the option of migrating IDS5.0/Windows to IDS5.2Patch3 (also as Sun Java System DirSvr 5.2) running on Solaris10 x86.
Gary -
How to recover sun solaris 10 password
I installed a virtual machine some days back and set a password for the user root. Today when I tried to log in to that machine I had forgotten the password. What should I do in order to recover the root password?
Use Google:
keywords "+solaris root password+"
See more than 4000 search results.
Alternative?
Start all over again and reinstall the OS from the beginning. -
MD5 Password Support in DS5.2
I need to import accounts from an Oracle Directory (OID) to the Sun Directory 5.2p6. The passwords in the accounts use MD5. From what I read, MD5 is supported, but I am not finding how to configure it to work :).
I do see a plugin called:NS-MTA-MD5, but not just MD5. I tried using NS-MTA-MD5 but that does not work.
An example MD5 password is: {MD5}SCyBHaXVtLxtSX/6mEkeOA==
cleartext: password123
Any help is appreciated.
Thanks,
Eric
There is no default support for an MD5 hashing scheme.
Provided the algorithm used by Oracle Directory is publicly documented, it should be pretty straightforward to implement a new Password Storage Scheme Plug-in to support both Authentication and hashing new passwords in MD5 format.
Directory Server ships with a sample plug-in that can be used as a template.
Regards,
Ludovic. -
Migrating Linux shadow-file MD5 passwords to Sun DSEE for Solaris/SunMail
Hello all,
We are about to undertake migration of an outdated mail server based on RedHat 7.2 and Sendmail/ipop3d to Sun Messaging Server (JCS6u2). While the filesystem/mail are not a problem, we're stuck at the question of how to best migrate old users' identities.
The old Linux system used user names and password hashes stored in /etc/passwd and /etc/shadow files. Hashes are mostly MD5 and a few seem like crypt.
Question is: are there known incompatibilities between password hashes (algorithms, expected format) in Linux and Sun products - Solaris/DSEE/SunMail?
That is, if we just take strings like these:
usemd5:$1$Wu7IqFT5$TeUht3OMdeSSBB3Vab4dB.:11262:0:::::134540116
usecrypt:DD2kEwCD8nies:10220::::::
Can we simply place the second column as the userPassword attribute in Sun DSEE and expect that users would be able to log in to LDAP-enabled Solaris and Sun Mail with their old passwords, known only to them?
If not, is there some simple modification/translation of such hashes to a format accepted by Sun products?
Or are these formats/algorithms known to be incompatible somehow in a fatal manner, so our only option would be generation of new passwords for Sun DSEE and its clients?
Thanks,
//Jim
-
Migration Users with MD5 Passwords to Directory Server 6.1 on Solaris 10
Hi,
We currently have a requirement to migrate some users from an application database into LDAP. Currently the application maintains the passwords in MD5 hash form, a typical 32-digit hex value: 41da76f0fc3ec62a6939e634bfb6a342
Is there a way we can migrate these users' passwords to Directory Server as-is, so that they don't end up facing the prospect of resetting them post-migration?
I have done some of the initial ground work but seem to be missing other critical info, if at all it's possible.
I believe it's possible to have the CRYPT password policy (which Directory Server uses from the underlying OS) as one of the plug-ins, configured in a way that the underlying CRYPT utility starts to process/provide/support MD5 hashes. I got it to work by using the command below on the DSEE instance:
dsconf set-plugin-prop -p 389 CRYPT argument:'$md5$'
But for some reason the MD5 hash the Sun MD5 library provides does not match the original hash value. It's 22 chars long (as I have not specified any salt length), so I am assuming it's Base64 encoded. I have a Perl script which converts the original 32-digit hex values to a Base64 encoded representation (which I have also verified with other open source tools).
Is there a way I can tweak the CRYPT utility or something so that it understands typical standard MD5 hashes? (Confused between Sun MD5 and BSD (Linux) MD5 - none of them seems to match the standard MD5 generated value.)
Any leads on this would be really helpful?
Just to reclarify or throw in more information:
a password - cleartext value - testuser1 has 32-digit HEX value as - 41da76f0fc3ec62a6939e634bfb6a342
Same password when converted to Base64 pattern becomes - Qdp28Pw+xippOeY0v7ajQg==
But when I use pwdhash utility in DSE after configuring CRYPT to use MD5 hashes it becomes -
{crypt}$md5$$LiB/H70zXr3xfQPoXVuUQ1
I used the command below:
pwdhash -D /opt/SUNWdsee/dsee6/ds6/slapd-oha-dev -s CRYPT testuser1
The actual hash value from pwdhash is LiB/H70zXr3xfQPoXVuUQ1; the rest is the prefix needed to meet the RFC standard, plus the salt and algorithm name separators.
I am wondering if Sun MD5 uses a salt by default even when I haven't specified one, or if DS does. Or is there any other MD5 option which can be used?
Thanks,
Gaurav -
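Added example, not posted by anyone in these threads: a small Python verifier for the three MD5-based formats that the openldap {md5} thread, Eric's {MD5}SCyB... sample, Jim's $1$ shadow line and Gaurav's 32-hex-vs-Base64 question are all comparing. It shows that {MD5} is just the Base64 of the raw 16-byte digest (the hex and Base64 forms are the same hash), that $1$ MD5-crypt is a salted, 1000-round construction that cannot be produced from a raw digest, and, by implication, why a crypt(3)-style checker cannot compare a {md5} value; Sun's $md5$ algorithm is deliberately not implemented.

```python
# Added example, not from any post above: a verifier for the MD5-based
# userPassword formats these threads mix up, for checking an LDIF export
# before/after a migration (defender's side). It handles:
#   {MD5} / {SMD5}   RFC 2307 raw-digest schemes: base64 of md5(pw), or of
#                    md5(pw || salt) || salt. No iteration; {MD5} has no salt.
#   {crypt}$1$salt$  Linux /etc/shadow MD5-crypt ($1$): salted, 1000 rounds.
# Sun's $md5$ (crypt_sunmd5) is a different algorithm and is not implemented.
import base64
import hashlib
import hmac

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def md5crypt(password: bytes, salt: bytes) -> str:
    """Linux/FreeBSD $1$ MD5-crypt; returns the full '$1$salt$hash' string."""
    salt = salt[:8]
    ctx = hashlib.md5(password + b"$1$" + salt)
    alt = hashlib.md5(password + salt + password).digest()
    for n in range(len(password), 0, -16):
        ctx.update(alt[:min(16, n)])
    n = len(password)
    while n:  # one byte per bit of len(password): NUL for 1-bits, pw[0] for 0-bits
        ctx.update(b"\0" if n & 1 else password[:1])
        n >>= 1
    final = ctx.digest()
    for i in range(1000):  # fixed 1000-round stretching loop
        c = hashlib.md5(password if i & 1 else final)
        if i % 3:
            c.update(salt)
        if i % 7:
            c.update(password)
        c.update(final if i & 1 else password)
        final = c.digest()

    def to64(v: int, n: int) -> str:  # crypt's own base64 alphabet, LSB first
        return "".join(ITOA64[(v >> (6 * k)) & 0x3F] for k in range(n))

    groups = ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5))
    out = "".join(to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
                  for a, b, c in groups)
    return "$1$" + salt.decode() + "$" + out + to64(final[11], 2)


def hex_to_rfc2307(hexdigest: str) -> str:
    """Re-encode a 32-hex MD5 digest as the equivalent {MD5} attribute value."""
    return "{MD5}" + base64.b64encode(bytes.fromhex(hexdigest)).decode()


def verify(stored: str, candidate: str) -> bool:
    """True if `candidate` matches an RFC 2307 userPassword value."""
    pw = candidate.encode()
    scheme, _, data = stored.partition("}")
    scheme = scheme.lstrip("{").lower()
    if scheme == "md5":
        return hmac.compare_digest(base64.b64decode(data), hashlib.md5(pw).digest())
    if scheme == "smd5":
        raw = base64.b64decode(data)
        return hmac.compare_digest(raw[:16], hashlib.md5(pw + raw[16:]).digest())
    if scheme == "crypt" and data.startswith("$1$"):
        salt = data.split("$")[2].encode()
        return hmac.compare_digest(md5crypt(pw, salt), data)
    raise ValueError("unsupported userPassword scheme: " + repr(scheme))
```

verify("{MD5}SCyBHaXVtLxtSX/6mEkeOA==", "password123") returns True for Eric's sample, and hex_to_rfc2307("41da76f0fc3ec62a6939e634bfb6a342") yields exactly the {MD5}Qdp28Pw+xippOeY0v7ajQg== value Gaurav computed.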
Solaris root password is working with extra char/chars appended with it
Dear forum,
In our production server, I can log in as root with extra characters appended to the end of the actual password.
Example:
Suppose my password is `hello123`
But during login all below combinations are working and allowing to login
hello123*456*
hello123*4*
hello123*hello*
That is, login is not checking further characters after the exact match with the actual password.
1) But why?
2) How to prevent this.... does any file need to change in /etc/default?
NB:
Dear Nik if you are reading this post... please reply
Edited by: Myth on Jan 29, 2012 10:28 PM
It might be worth noting that you will get the crypto algorithm which is defined in /etc/security/crypto.conf
The default of the crypto.conf is:
1 crypt_bsdmd5.so.1
2a crypt_bsdbf.so.1
md5 crypt_sunmd5.so.1
5 crypt_sha256.so.1
6 crypt_sha512.so.1
.. if you set CRYPT_DEFAULT in policy.conf to "md5", you will use the crypto algorithm crypto_sunmd5.so.1; if you set CRYPT_DEFAULT to "1" you will get crypt_bsdmd5.so.1.
It's also worth noticing that the default in Solaris 11 is
CRYPT_DEFAULT=5
i.e. "crypt_sha256.so.1".
.7/M. -
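Added example for the reply above, not from the thread: a short audit script that reads shadow-format lines and reports which /etc/security/crypt.conf module (using the identifiers listed in the reply) produced each stored hash, flagging accounts still on the legacy __unix__ traditional crypt scheme, which only checks the first eight characters of a password and is worth ruling out before touching CRYPT_DEFAULT. The sample lines are constructed for the example.

```python
# Added example, not from the thread above: audit shadow-style lines and
# report which crypt.conf(4) module produced each stored hash, using the
# identifiers from the reply above. Accounts still on the legacy __unix__
# (traditional DES crypt) scheme are flagged because that algorithm only
# looks at the first eight characters of the password.
# The sample lines are constructed for this example, not real accounts.
ALGORITHMS = {  # $ident$ prefix -> /etc/security/crypt.conf module
    "1": "crypt_bsdmd5.so.1",
    "2a": "crypt_bsdbf.so.1",
    "md5": "crypt_sunmd5.so.1",
    "5": "crypt_sha256.so.1",
    "6": "crypt_sha512.so.1",
}


def classify(field):
    """Return (algorithm label, truncates_at_8_chars) for one hash field."""
    if field in ("", "*", "NP") or field.startswith("*LK*"):
        return ("no password / locked", False)
    if field.startswith("$"):
        ident = field.split("$")[1]
        return (ALGORITHMS.get(ident, "unknown $" + ident + "$"), False)
    # Anything else is a 13-character __unix__ (traditional crypt) hash.
    return ("__unix__ (traditional crypt, 8-char limit)", True)


def audit(shadow_lines):
    """Return [(user, label, truncates), ...]; blank and comment lines are skipped."""
    report = []
    for line in shadow_lines:
        if not line.strip() or line.startswith("#"):
            continue
        user, _, rest = line.partition(":")
        report.append((user,) + classify(rest.split(":")[0]))
    return report


def truncating_accounts(shadow_lines):
    """Names of accounts whose stored hash ignores password characters past the eighth."""
    return [user for user, _, truncates in audit(shadow_lines) if truncates]


# Constructed sample: one account per scheme. The __unix__ and $1$ values are
# the ones quoted in Jim's thread, the $md5$ value is Gaurav's pwdhash output,
# and the $5$ value is an obvious placeholder.
SAMPLE = [
    "root:DD2kEwCD8nies:15000::::::",
    "alice:$1$Wu7IqFT5$TeUht3OMdeSSBB3Vab4dB.:15000::::::",
    "bob:$md5$$LiB/H70zXr3xfQPoXVuUQ1:15000::::::",
    "carol:$5$saltsalt$PLACEHOLDERPLACEHOLDERPLACEHOLDERPLACEHOLDERX:15000::::::",
    "svc:*LK*:15000::::::",
]
```

Running audit(SAMPLE) lists root as the only account on the truncating __unix__ scheme; the others resolve to their crypt.conf module names or to "no password / locked".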
Logging in with md5 passwords.
Hi,
How is it possible to allow users to login when their passwords, have been encrypted into md5?
Thank you.
You encrypt the submitted value and compare it to the stored value.
The way I do this with the Dreamweaver Log In User server behavior is to add this at the top of the login page:
<?php
// Replace the submitted cleartext with its MD5 hash so the server behavior
// compares like with like against the stored hash.
if (isset($_POST['password'])) {
    $_POST['password'] = md5($_POST['password']);
}
?>
-
MD5 passwords in PostgreSQL Database
Hi!
I have to store some MD5 hashed passwords in a table in a my PostgreSQL Database. The problem is that when I try to store those "hashed" Strings with an INSERT Statement I get the error: java.sql.SQLException: ERROR: parser: parse error at or near "��������h".
This happens not always when I hash and store a clear text String with the MD5 algorithm. Some Strings work fine others not! I think it has something to do with the character encoding in my JDBC Driver. I use the ISO-8859-15 encoding.
Please give me some hints to solve this problem!
Thx
I'm not an MD5 expert, but as far as I know the MD5 code is "binary", meaning it can contain values below 32 which are non-printable characters (and even negative values, as they are bytes). I think you have to encode the MD5 checksum as e.g. Base64
Thomas -
NDS 4.16 Auth Solaris 8, password aging support or not?
I have set up a Netscape Directory Server, from version 4.13 to 4.16, for authenticating Solaris 8. I find the password policy does not affect the Solaris users. Also, the group of the LDAP user shows as a number.
-rw-r--r-- 1 test2 11 0 Nov 21 16:26 test2
The number 11 should be the group name referring to LDAP, but the user test2 is an LDAP user and the group policy is working.
Please help!!
Lucas
The Solaris 8 authentication through LDAP does not support the Password Policy yet.
Ludovic. -
We've just encountered a problem with servers expiring the root password without us previously being notified that the password is about to expire.
When you use su to get to root, (we use SSH to connect to remote servers and deny root access by default - you have to login with normal username and then su as root) are you supposed to get the warnings that the password is going to expire? If you are, then we didn't and now we are stuck until someone can get to the server and boot off CD. Bit of a blow as the server is a few hundred miles down the road! Are there any patches that fix this 'bug'?
Cheers,
Mark.
I'm still struggling to get password expiration and inactivation to work with DS 6.3.1 and Solaris 10 5/08. When accounts are expired or inactivated (nsAccountLock) users can still login via ssh. But when accounts are temporarily locked (pwdAccountLockedTime) ssh does the right thing and won't let them log in.
Things work properly when I have
passwd: files ldap
in nsswitch.conf, but when I go to compatibility mode:
passwd: compat
passwd_compat: ldap
ssh 'ignores' expiration and inactivation status of accounts.
Following the advice of your last comment here (4.5 years ago!) I took away all access to the 'userPassword' attribute for the proxy account, but nothing changed (I did an 'ldapsearch' as the proxy account to ensure that the aci was working as expected and denying all access to the attribute).
Would you, akillenb, or anyone, be so kind as to give any information that will let a Solaris 10 client work properly with the enhanced account management facilities of the Sun DSEE 6.3.1 LDAP server? Copies of pam.conf and nsswitch.conf and details on LDAP aci's would be most gratefully received!!! -
Solaris root password & installer
I have installed oracle solaris 11 exp, but :
I have difficulties finding the root password; I have tried solaris & my user password but it's not working.
During the installation I used the solaris password for the partition manager and it worked, but not later.
I also would like to ERASE ALL PASSWORDS of the system, ... give password, give password, give password, it gives you a headache,
and by the way, do I have to buy an application installer or I have with the package?
Thanks in advance,
max.
root is a role by default in Solaris 11, so I don't think it actually has a password, or am I wrong here? You can set a password by running pfexec passwd root from the user you created as an administrative user..
.7/M.