Solaris password requirements not enforced
Darren J Moffat
Darren.Moffat at Sun.COM
Thu Aug 12 04:18:45 EST 2004
On Thu, 2004-07-29 at 04:28, Darren Tucker wrote:
> Srinivas Gopaladasu wrote:
> > The Solaris password requirements like
> > a. no empty password
> > b. minimum 6 chars
> > etc for a regular user are not enforced when a password expired user is
> > changing password at the SSH login prompt.
>
> It would appear that those restrictions are implemented in
> /usr/bin/passwd and not the PAM modules.
Not true; they are implemented in pam_unix or pam_authtok_check (which
you have depends on your Solaris 8 patch level).
> Since sshd just calls
> pam_chauthtok(), if PAM allows changing to a short or empty password,
> then that's what happens. This is probably a bug or design misfeature
> in the Solaris PAM module (others, eg LinuxPAM, enforce such restrictions).
Or a bug in how OpenSSH calls PAM on Solaris and a design difference
between the Solaris and LinuxPAM modules.
If OpenSSH is calling pam_chauthtok when its real uid is 0, then the
Solaris pam_unix and pam_authtok_check modules assume that this is root
changing a user's password and thus the restrictions need not apply, so
the checks are not run.
--
Darren J Moffat
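As an added illustration of the mechanism described in the mail (a model written for this page, not Solaris or OpenSSH code): the policy decision keyed on the caller's real uid, the enforce-regardless behaviour attributed to LinuxPAM, and a hypothetical variant that exempts a privileged caller only when it acts on another account. The uids, account names and passwords are constructed.

```python
from __future__ import annotations
from dataclasses import dataclass

MIN_LEN = 6  # minimum length from the original report

def policy_violations(new_password: str) -> list[str]:
    """Return the violations of the two rules the report lists."""
    problems = []
    if new_password == "":
        problems.append("empty password")
    elif len(new_password) < MIN_LEN:
        problems.append(f"shorter than {MIN_LEN} characters")
    return problems

@dataclass
class ChauthtokRequest:
    real_uid: int      # real uid of the process calling pam_chauthtok()
    auth_user: str     # user who authenticated in this session
    target_user: str   # account whose password is being changed
    new_password: str

def solaris_style(req: ChauthtokRequest) -> bool:
    """Model of the behaviour described in the mail: real uid 0 is read as
    'root changing someone's password', so the checks are skipped."""
    if req.real_uid == 0:
        return True
    return not policy_violations(req.new_password)

def linux_style(req: ChauthtokRequest) -> bool:
    """Model of a module that enforces the policy whatever the caller's uid."""
    return not policy_violations(req.new_password)

def self_service_aware(req: ChauthtokRequest) -> bool:
    """Hypothetical variant: exempt a privileged caller only when it acts on
    another account, so an expired user changing their own password through
    root-running sshd is still checked."""
    if req.real_uid == 0 and req.auth_user != req.target_user:
        return True
    return not policy_violations(req.new_password)

# Constructed scenarios (not real accounts).
SSHD_EXPIRED_USER = ChauthtokRequest(0, "alice", "alice", "abc")  # sshd, real uid 0
ROOT_ADMIN = ChauthtokRequest(0, "root", "bob", "abc")            # root runs passwd bob
PASSWD_SELF = ChauthtokRequest(1001, "alice", "alice", "abc")     # alice runs passwd

if __name__ == "__main__":
    for name, req in [("sshd/expired", SSHD_EXPIRED_USER), ("root on bob", ROOT_ADMIN), ("passwd self", PASSWD_SELF)]:
        print(f"{name:14} solaris={solaris_style(req)} linux={linux_style(req)} aware={self_service_aware(req)}")
```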