Using SHA1 for passwords in Solaris 10

Similar Messages

• Pam.conf does not use ldap for password length check when changing passwd

  I have already posted this in the directory server forum but since it is to do with pam not using ldap I thought there might be some pam experts who check this forum.
  I have dsee 6.0 installed on a solaris 10 server (client).
  I have a solaris 9 server (server) set up to use ldap authentication.
  bash-2.05# cat /var/ldap/ldap_client_file
  # Do not edit this file manually; your changes will be lost.Please use ldapclient (1M) instead.
  NS_LDAP_FILE_VERSION= 2.0
  NS_LDAP_SERVERS= X, Y
  NS_LDAP_SEARCH_BASEDN= dc=A,dc= B,dc= C
  NS_LDAP_AUTH= tls:simple
  NS_LDAP_SEARCH_REF= FALSE
  NS_LDAP_SEARCH_SCOPE= one
  NS_LDAP_SEARCH_TIME= 30
  NS_LDAP_SERVER_PREF= X.A.B.C, Y.A.B.C
  NS_LDAP_CACHETTL= 43200
  NS_LDAP_PROFILE= tls_profile
  NS_LDAP_CREDENTIAL_LEVEL= proxy
  NS_LDAP_SERVICE_SEARCH_DESC= passwd:ou=People,dc=A,dc=B,dc=com?one
  NS_LDAP_SERVICE_SEARCH_DESC= group:ou=People,dc=A,dc=B,dc=C?one
  NS_LDAP_SERVICE_SEARCH_DESC= shadow:ou=People,dc=A,dc=B,dc=C?one
  NS_LDAP_BIND_TIME= 10
  bash-2.05# cat /var/ldap/ldap_client_cred
  # Do not edit this file manually; your changes will be lost.Please use ldapclient (1M) instead.
  NS_LDAP_BINDDN= cn=proxyagent,ou=profile,dc=A,dc=B,dc=C
  NS_LDAP_BINDPASSWD= {NS1}6ff7353e346f87a7
  bash-2.05# cat /etc/nsswitch.conf
  # /etc/nsswitch.ldap:
  # An example file that could be copied over to /etc/nsswitch.conf; it
  # uses LDAP in conjunction with files.
  # "hosts:" and "services:" in this file are used only if the
  # /etc/netconfig file has a "-" for nametoaddr_libs of "inet" transports.
  # the following two lines obviate the "+" entry in /etc/passwd and /etc/group.
  passwd: files ldap
  group: files ldap
  # consult /etc "files" only if ldap is down.
  hosts: files dns
  ipnodes: files
  # Uncomment the following line and comment out the above to resolve
  # both IPv4 and IPv6 addresses from the ipnodes databases. Note that
  # IPv4 addresses are searched in all of the ipnodes databases before
  # searching the hosts databases. Before turning this option on, consult
  # the Network Administration Guide for more details on using IPv6.
  #ipnodes: ldap [NOTFOUND=return] files
  networks: files
  protocols: files
  rpc: files
  ethers: files
  netmasks: files
  bootparams: files
  publickey: files
  netgroup: ldap
  automount: files ldap
  aliases: files ldap
  # for efficient getservbyname() avoid ldap
  services: files ldap
  sendmailvars: files
  printers: user files ldap
  auth_attr: files ldap
  prof_attr: files ldap
  project: files ldap
  bash-2.05# cat /etc/pam.conf
  #ident "@(#)pam.conf 1.20 02/01/23 SMI"
  # Copyright 1996-2002 Sun Microsystems, Inc. All rights reserved.
  # Use is subject to license terms.
  # PAM configuration
  # Unless explicitly defined, all services use the modules
  # defined in the "other" section.
  # Modules are defined with relative pathnames, i.e., they are
  # relative to /usr/lib/security/$ISA. Absolute path names, as
  # present in this file in previous releases are still acceptable.
  # Authentication management
  # login service (explicit because of pam_dial_auth)
  login auth requisite pam_authtok_get.so.1 debug
  login auth required pam_dhkeys.so.1 debug
  login auth required pam_dial_auth.so.1 debug
  login auth binding pam_unix_auth.so.1 server_policy debug
  login auth required pam_ldap.so.1 use_first_pass debug
  # rlogin service (explicit because of pam_rhost_auth)
  rlogin auth sufficient pam_rhosts_auth.so.1
  rlogin auth requisite pam_authtok_get.so.1
  rlogin auth required pam_dhkeys.so.1
  rlogin auth binding pam_unix_auth.so.1 server_policy
  rlogin auth required pam_ldap.so.1 use_first_pass
  # rsh service (explicit because of pam_rhost_auth,
  # and pam_unix_auth for meaningful pam_setcred)
  rsh auth sufficient pam_rhosts_auth.so.1
  rsh auth required pam_unix_auth.so.1
  # PPP service (explicit because of pam_dial_auth)
  ppp auth requisite pam_authtok_get.so.1
  ppp auth required pam_dhkeys.so.1
  ppp auth required pam_dial_auth.so.1
  ppp auth binding pam_unix_auth.so.1 server_policy
  ppp auth required pam_ldap.so.1 use_first_pass
  # Default definitions for Authentication management
  # Used when service name is not explicitly mentioned for authenctication
  other auth requisite pam_authtok_get.so.1 debug
  other auth required pam_dhkeys.so.1 debug
  other auth binding pam_unix_auth.so.1 server_policy debug
  other auth required pam_ldap.so.1 use_first_pass debug
  # passwd command (explicit because of a different authentication module)
  passwd auth binding pam_passwd_auth.so.1 server_policy debug
  passwd auth required pam_ldap.so.1 use_first_pass debug
  # cron service (explicit because of non-usage of pam_roles.so.1)
  cron account required pam_projects.so.1
  cron account required pam_unix_account.so.1
  # Default definition for Account management
  # Used when service name is not explicitly mentioned for account management
  other account requisite pam_roles.so.1 debug
  other account required pam_projects.so.1 debug
  other account binding pam_unix_account.so.1 server_policy debug
  other account required pam_ldap.so.1 no_pass debug
  # Default definition for Session management
  # Used when service name is not explicitly mentioned for session management
  other session required pam_unix_session.so.1
  # Default definition for Password management
  # Used when service name is not explicitly mentioned for password management
  other password required pam_dhkeys.so.1 debug
  other password requisite pam_authtok_get.so.1 debug
  other password requisite pam_authtok_check.so.1 debug
  other password required pam_authtok_store.so.1 server_policy debug
  # Support for Kerberos V5 authentication (uncomment to use Kerberos)
  #rlogin auth optional pam_krb5.so.1 try_first_pass
  #login auth optional pam_krb5.so.1 try_first_pass
  #other auth optional pam_krb5.so.1 try_first_pass
  #cron account optional pam_krb5.so.1
  #other account optional pam_krb5.so.1
  #other session optional pam_krb5.so.1
  #other password optional pam_krb5.so.1 try_first_pass
  I can ssh into client with user VV which does not exist locally but exists in the directory server. This is from /var/adm/messages on the ldap client):
  May 17 15:25:07 client sshd[26956]: [ID 634615 auth.debug] pam_authtok_get:pam_sm_authenticate: flags = 0
  May 17 15:25:11 client sshd[26956]: [ID 896952 auth.debug] pam_unix_auth: entering pam_sm_authenticate()
  May 17 15:25:11 client sshd[26956]: [ID 285619 auth.debug] ldap pam_sm_authenticate(sshd VV), flags = 0
  May 17 15:25:11 client sshd[26956]: [ID 509786 auth.debug] roles pam_sm_authenticate, service = sshd user = VV ruser = not set rhost = h.A.B.C
  May 17 15:25:11 client sshd[26956]: [ID 579461 auth.debug] pam_unix_account: entering pam_sm_acct_mgmt()
  May 17 15:25:11 client sshd[26956]: [ID 724664 auth.debug] pam_ldap pam_sm_acct_mgmt: illegal option no_pass
  May 17 15:25:11 client sshd[26956]: [ID 100510 auth.debug] ldap pam_sm_acct_mgmt(VV), flags = 0
  May 17 15:25:11 client sshd[26953]: [ID 800047 auth.info] Accepted keyboard-interactive/pam for VV from 10.115.1.251 port 2703 ssh2
  May 17 15:25:11 client sshd[26953]: [ID 914923 auth.debug] pam_dhkeys: no valid mechs found. Trying AUTH_DES.
  May 17 15:25:11 client sshd[26953]: [ID 499478 auth.debug] pam_dhkeys: get_and_set_seckey: could not get secret key for keytype 192-0
  May 17 15:25:11 client sshd[26953]: [ID 507889 auth.debug] pam_dhkeys: mech key totals:
  May 17 15:25:11 client sshd[26953]: [ID 991756 auth.debug] pam_dhkeys: 0 valid mechanism(s)
  May 17 15:25:11 client sshd[26953]: [ID 898160 auth.debug] pam_dhkeys: 0 secret key(s) retrieved
  May 17 15:25:11 client sshd[26953]: [ID 403608 auth.debug] pam_dhkeys: 0 passwd decrypt successes
  May 17 15:25:11 client sshd[26953]: [ID 327308 auth.debug] pam_dhkeys: 0 secret key(s) set
  May 17 15:25:11 client sshd[26958]: [ID 965073 auth.debug] pam_dhkeys: cred reinit/refresh ignored
  If I try to then change the password with the `passwd` command it does not use the password policy on the directory server but the default defined in /etc/default/passwd
  bash-2.05$ passwd
  passwd: Changing password for VV
  Enter existing login password:
  New Password:
  passwd: Password too short - must be at least 8 characters.
  Please try again
  May 17 15:26:17 client passwd[27014]: [ID 285619 user.debug] ldap pam_sm_authenticate(passwd VV), flags = 0
  May 17 15:26:17 client passwd[27014]: [ID 509786 user.debug] roles pam_sm_authenticate, service = passwd user = VV ruser = not set rhost = not set
  May 17 15:26:17 client passwd[27014]: [ID 579461 user.debug] pam_unix_account: entering pam_sm_acct_mgmt()
  May 17 15:26:17 client passwd[27014]: [ID 724664 user.debug] pam_ldap pam_sm_acct_mgmt: illegal option no_pass
  May 17 15:26:17 client passwd[27014]: [ID 100510 user.debug] ldap pam_sm_acct_mgmt(VV), flags = 80000000
  May 17 15:26:17 client passwd[27014]: [ID 985558 user.debug] pam_dhkeys: entered pam_sm_chauthtok()
  May 17 15:26:17 client passwd[27014]: [ID 988707 user.debug] read_authtok: Copied AUTHTOK to OLDAUTHTOK
  May 17 15:26:20 client passwd[27014]: [ID 558286 user.debug] pam_authtok_check: pam_sm_chauthok called
  May 17 15:26:20 client passwd[27014]: [ID 271931 user.debug] pam_authtok_check: minimum length from /etc/default/passwd: 8
  May 17 15:26:20 client passwd[27014]: [ID 985558 user.debug] pam_dhkeys: entered pam_sm_chauthtok()
  May 17 15:26:20 client passwd[27014]: [ID 417489 user.debug] pam_dhkeys: OLDRPCPASS already set
  I am using the default policy on the directory server which states a minimum password length of 6 characters.
  server:root:LDAP_Master:/var/opt/SUNWdsee/dscc6/dcc/ads/ldif#dsconf get-server-prop -h server -p 389|grep ^pwd-
  pwd-accept-hashed-pwd-enabled : N/A
  pwd-check-enabled : off
  pwd-compat-mode : DS6-mode
  pwd-expire-no-warning-enabled : on
  pwd-expire-warning-delay : 1d
  pwd-failure-count-interval : 10m
  pwd-grace-login-limit : disabled
  pwd-keep-last-auth-time-enabled : off
  pwd-lockout-duration : disabled
  pwd-lockout-enabled : off
  pwd-lockout-repl-priority-enabled : on
  pwd-max-age : disabled
  pwd-max-failure-count : 3
  pwd-max-history-count : disabled
  pwd-min-age : disabled
  pwd-min-length : 6
  pwd-mod-gen-length : 6
  pwd-must-change-enabled : off
  pwd-root-dn-bypass-enabled : off
  pwd-safe-modify-enabled : off
  pwd-storage-scheme : CRYPT
  pwd-strong-check-dictionary-path : /opt/SUNWdsee/ds6/plugins/words-english-big.txt
  pwd-strong-check-enabled : off
  pwd-strong-check-require-charset : lower
  pwd-strong-check-require-charset : upper
  pwd-strong-check-require-charset : digit
  pwd-strong-check-require-charset : special
  pwd-supported-storage-scheme : CRYPT
  pwd-supported-storage-scheme : SHA
  pwd-supported-storage-scheme : SSHA
  pwd-supported-storage-scheme : NS-MTA-MD5
  pwd-supported-storage-scheme : CLEAR
  pwd-user-change-enabled : off
  Whereas /etc/default/passwd on the ldap client says passwords must be 8 characters. This is seen with the pam_authtok_check: minimum length from /etc/default/passwd: 8
  . It is clearly not using the policy from the directory server but checking locally. So I can login ok using the ldap server for authentication but when I try to change the password it does not use the policy from the server which says I only need a minimum lenght of 6 characters.
  I have read that pam_ldap is only supported for directory server 5.2. Because I am running ds6 and with password compatability in ds6 mode maybe this is my problem. Does anyone know of any updated pam_ldap modules for solaris 9?
  Edited by: ericduggan on Sep 8, 2008 5:30 AM

  you can try passwd -r ldap for changing the ldap passwds...

• SAP IDM : Using regex for password

  Hi experts,
  I need your help about regex.
  We are trying to use this to be sure that password set in Web inteface by users are correct according to the company policies :
  - The first character cannot be a number
  - The three first characters cannot be the same
  We finally found the following expression to test what we want (reponse is "true" when one of the policies is ok) :
  (.)(1)|(d)
  But IDM never accept any password with that expression.
  So my questions are :
  1) Does IDM need a special regex language or is it the same than PERL language for example?
  2) Does anybody know how to use regex in our policies case?
  Thanks a lot for your response.
  Regards.
  Jérémy.

  Thanks a lot for your answers.
  Actually, i am already doing my test on another attribut which is not encrypted. but yeah its a good point to know about the encryption.
  I also tried to use evaluators on internet and my expression looks good if i want to catch cases that i dont want in my password...
  as a reminder : (.)(\1)|(\d)
  So if i write :
  "1password"   >> result : true
  "password"     >> result : false
  "pppassword" >> result : true
  "password01" >> result : false
  "passwooord" >> result : false
  but finally if i put that expression in the field "regex" of my attribut, IDM never let me save my new password because it's not a "correct value".
  So im disapointed because i don't how to solve it in IDM but i feel like i found the good expression...
  Any another idea?
  Regards
  Jeremy

• Use OIM 11g UI directly for password resets

  1. What is the best practice in using OIM for password resets? Two options that i have usually heard of are writing a custom app or UI and use OIM APIs for password resets. The other is use OIM UI directly.
  Are there any other options.
  2. Of the two options mentioned above, are there any concerns if we want to expose the OIM UI password reset link to internet- example, post the OIM UI link across the company's website which is available to everybody?
  Regards,
  Anand

  People,
  Any help will be really appreciated. I am looking for some suggestions in this regards. Thanks
  Anand

• I want to use wifi for Apple TV, but it doesn't prompt for a password, so never connects.  What am I missing?  Can I only use it via a non-password-protected wifi connection?

  I want to use wifi for Apple TV, but it doesn't prompt for a password, so never connects.  What am I missing?  Can I only use it via a non-password-protected wifi connection?

  Hi - you might want to post this question on the Apple TV area - you would probably get a quicker response - if you have a specific question relating to Apple routers then post back here

• I used the wrong password for my belkin wifi. Now that I know the correct password I can not get pass the unable to connect or join message. I have turned off all the options such as wifi and join and also put my touch to sleep.. but nothing seems to work

  I used the wrong password to join my new belkin wifi. Now that I have the correct password, I can not get the to the join screen with the space to type in the password. I continue to get the unable to join message.  I have put the touch to sleep and I have turned on and off the wifi and join options on the Network screen page.  Does anyone know how to get pass this block of the wrong password to a new page that will allow me to type in the correct password.  I see there is a option that asks if I want to reset the network settings.. is that what I should do? and what does it erase when I do that?  Thanks for any input anyone has.

  Yes.  Reset network settings. Head to Settings -> General -> Reset and tap Reset Network Settings.
  B-rock

• HT201415 I want to purchase a month of cellular service for my IPAD2.  When I use my ITunes password,  it states that I have the wrong password but does not offer a way to reset my password.  Please advise.

  I want to purchase a month of cellular service for my IPAD2.  When I use my ITunes password,  it states that I have the wrong password but does not offer a way to reset my password.  Please advise.

  Read through this link and maybe you'll see something that will help you:
  http://www.tech-recipes.com/rx/5827/ipad-3g-activating-purchasing-att-cellular-d ata-for-the-ipad-3gwifi/

• Not able to open mail from my mac, gmail repeatedly asking for password. but using same password able to open gmail on safari

  not able to open mail from my mac, gmail repeatedly asking for password. but using same password able to open gmail on safari

  okay well they got me to take out some .plist files to see if that would help it didn't. I'm not sure what ones that they deleted for my self maybe someone here would be abel to tell you what ones to take out but didn't work the one that came close to working was this going into keychain and deleting the account(s) then reading them again.
  if you are to do this please back up first with Time Machine. You can do this with a usb drive.
  Okay so go back to where you had internet accounts and make sure mail is shut. click the - on the account your having problems with then quit system preferences.
  Okay so then press cmd and space bar at the same time then type 'keychain access' into the search then click on 'keychain access'
  once it is open go to the top of the window and put your email address that you are having problems with.
  once you have put in your full email, have a look at what comes up i deleted things in the kind colome with 'internet password' and anything with under name that had smtp.gmail.com or imap.gmail.com so it would look like this, map.gmail.com - internet password.
  right click and delete them. make sure not to touch any other files that dont say them things on them.
  Once you have done this quit keychain access and then restart the computer, once the computer is restarted go back to system preferences and internet accounts and re-add the account.
  Hope this helps. if something is not clear just ask.

• Passing a login and password while using JNDI  for RT jobs

  Why can we not pass a user name and password when using JNDI for Real Time jobs?  Can it be passed in the URL line or somewhere else that I'm missing?  This is frustrating as we actually have to connect using Anonymous with no password which opens up so many security holes that we simply can't go to production with this.  Please advise.

  you can set the login using the JNDI properties file and create the file in the classpath, but again the password will be in plain text
  please file a case with Support I think this can be added to JMS adapter operation (user credentials)

• Do I use the same password for apple ID and for iCloud?

  I am not getting mail on my iphone or my ipad air!
  When I put the password for my apple ID into icloud- it keeps reverting to another password. i.e. doesn't hold the apple ID password.
  Is this a problem keeping the mail from getting to my phone and ipad?
  DO I USE THE SAME PASSWORD FOR APPLE ID AND ICLOUD?
  Help. and MERRY CHRISTMAS

  What are you trying to do when you say "When I put the password for my apple ID into icloud- it keeps reverting to another password"?
  Where are you doing when you try to enter your password?

• I have a TBI. Password security is hard for me. How do I find someonne to let me use my own passwords w/o writing them down or storing them on a computer??

  I have always used the same 3 passwords for everything. 3 are too many for me. I forget them and need to reset. Now, I can no longer use passwords I know and can remember. The new requirements for length, types of characters and stuff is really hard. I came up with a good one, but because it was new, I forgot. Then they say you can't reuse your passwords! Everytime I forget, I have to make-up something new to forget.
  I have a request for reasonable accomodation under the ADA.  I need an exception on my account that will let me use a recent password. I do not mind going through security questions.  I can remember the answers to those!  I am disabled.  I need this assistance for account accessibility.  I do not believe accomodating my problems from traumatic brain injury would be unreasonable.
  Apple can't pay for enough peoople to actually do customer assistance, I guess. They just think we all have the same issues, they've heard it all before, and you can hunt and find your answer.  This forum was all I saw that could lead to human interaction about this.
  I'd also love advice for other popular sites, if you have any.
  I put this under physical and motor skills because my brain has been physically damaged.  Notice they don't even have a category for mental and learning disabilities.
  Sorry for the "rant," but I have cried over my keyboard too many times now. Added to all the other stress of a TBI, now my ability to use the Internet is going down the toilet. It is my only interaction with the world beyond my walls and family.

  This is designed to be a user discussion area. To provide feedback directly to Apple you can go to http://www.apple.com/feedback/
  There are a few applications out now that may be able to help you out. 1Password and LastPass are both password vault or lockers. They allow you to save passwords for applications and websites. That way you have a single password you use to keep the vault/locker secure and then all of your other passwords are stored for you so you don't have to write them down or try to remember them all.
  https://agilebits.com/onepassword
  https://lastpass.com/index.php

• I cannot access my old email address anymore, however I have used it for my apple ID and now I want to delete it because the account has never been verified in the first place so my password for it doesn't work. What do I do?

  I cannot access my old email address anymore, however I have used it for my apple ID and now I want to delete it because the account has never been verified in the first place so my password for it doesn't work. So when I want to download apps I have to sign in with apple id but I can't so I made a new one, However I can't seem to be able to delete the old one. What do I do?

  You can't merge Apple IDs.  You also can't cancel (delete) and existing ID, you can only choose to stop using it.
  If your old ID was compromised and you can no longer access it, you'll have to contact Apple for assistance.  Go to https://expresslane.apple.com ; click 'See all products and services' at the bottom of the page. In the next page click 'More Products and Services, then 'Apple ID'. In the next page select 'Other Apple ID Topics' then then 'Apple ID account Security’.

• HT204053 I had to create an Apple ID to open a cloud account. For some time prior to this, I had an account for my iPod. Today I was unable to update apps using the old password. My Apple ID will not do it either. ???

  I had to create an Apple ID to open a cloud account some time ago. For some time prior to this, I had an account for my iPod. Today I did a sync and was notified of two app updates, but was unable to use my old password and was notified to use my Apple ID. However, when I log in with my Apple ID, the store tells me that I do not own the apps.
  How can I get this system to update my iPod apps.
  Thanks for any help you can provide.
  Certainly not happy with this situation, as Apple expects me to pay for help on this.
  Geo32

  1. Don't confuse "Apple ID" with iTunes Account ID.  You can have many Apple IDs but only one iTunes account active at a time.
  2. If you "changed" your iTunes account ID, you actually have 2 accounts - one under the old name plus the new name.
  3. You can't merge the accounts - they remain separate.  Apps purcahsed under the old account name will update ONLY WHEN THE PHONE IS SIGNED IN TO THE OLD ACCOUNT NAME  and visa versa.
  4. Likewise, you can sync only the apps, music, media purchased under the account the phone AND iTunes are signed in to.

• I have bought an iPhone4 and to be able to use it for the first time I connected into a friends itunes. Now when I want to buy itunes stuff on the phone it asks me her password. How can I set up again my itunes account?

  I have bought an iPhone4 and to be able to use it for the first time I connected into a friends' itunes. Now when I want to buy itunes stuff on the phone it asks me her password. How can I set up again my itunes account?
  Now I also have a macbook where I can sync my iphone but it doesn't allow me

  first of all only sync it with 1 computers itune account
  second settings->general->store click the appleID box with her appleID in it and log out

• "itunes could not restore the iphone because the password was incorrect" I know for a fact im using the correct password. and it has previously worked. is anyone else having this issue.

  "itunes could not restore the iphone because the password was incorrect" I know for a fact im using the correct password. and it has previously worked. is anyone else having this issue.

  Hi, I also get the message "itunes could not restore the iphone because the password was incorrect" though I am never prompted to enter a password anywhere! Nor was the backup password encrypted to begin with! Really strange, any pointers will be greatly appriciated!