Changing default password encryption in Solaris

Quick answer: You can use MD5 passwords in Solaris 10 just like FreeBSD/Linux do by changing this in /etc/security/policy.conf

#CRYPT_DEFAULT=__unix__
CRYPT_DEFAULT=1

Now when you run passwd(1), crypt will create MD5 passwords for you. Personally, I leave CRYPT_ALGORITHMS_ALLOW=1,2a,md5 as it is so you can still use DES crypts where you want to (importing a shadow line from an old Solaris system, etc.). Also note that you can copy MD5 entries right into a Solaris shadow file from FreeBSD/Linux and they’ll just work without making the above change.

Background: For presumably historical reasons Solaris continues to store passwords in DES format in /etc/shadow. DES is pretty weak by today’s standards, and the traditional UNIX crypt is even worse since it can only take passwords up to 8 characters in length (go ahead and try it - you can enter a longer password but only the first 8 chars are used). If you’re installing Solaris fresh, you can and should change the default password mechanism.

The various free UNIX implementations like FreeBSD and Linux have, for about a decade, used MD5 (or Blowfish in OpenBSD’s case) instead of DES for password crypts. Solaris supports MD5 passwords using the same mechanism the BSDs pioneered: MD5 passwords start with $1$ and have a longer hash than the old DES entries:

# tail -2 /etc/shadow
foobar:HsECSeplz9eyU:13088::::::
spaz:$1$h1u21LfX$xocfFEbqZ2FO0HrSJxYRt0:13088::::::
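Since existing hashes only change when each user next runs passwd, it helps to know which accounts are still on DES after the policy.conf change. The following audit script is an added example, not part of the original post: it classifies shadow hash fields by the prefixes and lengths shown above ($1$, $2a$, $md5$, bare 13-character DES) and reads CRYPT_DEFAULT out of a policy.conf-style file. The sample shadow lines reuse the two entries from the tail output above plus constructed locked/no-password entries.

```sh
#!/bin/sh
# Classify one shadow hash field by its prefix or length.
classify_hash() {
    case "$1" in
        '')                      echo none ;;      # empty field: no password
        '*LK*'*|'NP'|'*'|'!'*)   echo locked ;;    # lock/no-login markers (*LK*, NP on Solaris)
        '$1$'*)                  echo md5 ;;       # BSD/Linux-style MD5 crypt
        '$2a$'*)                 echo blowfish ;;  # Blowfish ("2a" in CRYPT_ALGORITHMS_ALLOW)
        '$md5$'*)                echo sunmd5 ;;    # Sun MD5 ("md5" in that list)
        *) [ "${#1}" -eq 13 ] && echo des || echo unknown ;;  # bare 13 chars: DES crypt
    esac
}

# Print "user:type" for each entry in a shadow-format file named by $1.
audit_shadow() {
    while IFS=: read -r user hash rest; do
        [ -n "$user" ] && echo "$user:$(classify_hash "$hash")"
    done < "$1"
}

# Number of accounts in $1 still carrying a DES hash.
count_des() {
    audit_shadow "$1" | grep -c ':des$'
}

# Effective CRYPT_DEFAULT from a policy.conf-format file $1. Commented lines are
# ignored; a missing setting is reported as the shipped default, __unix__.
crypt_default() {
    d=$(sed -n 's/^[[:space:]]*CRYPT_DEFAULT=//p' "$1" | tail -1)
    echo "${d:-__unix__}"
}

# Constructed sample data (the first two lines are from the post, the rest invented).
SAMPLE_SHADOW=$(mktemp); SAMPLE_POLICY=$(mktemp)
cat > "$SAMPLE_SHADOW" <<'EOF'
foobar:HsECSeplz9eyU:13088::::::
spaz:$1$h1u21LfX$xocfFEbqZ2FO0HrSJxYRt0:13088::::::
daemon:NP:6445::::::
olduser:*LK*HsECSeplz9eyU:13088::::::
EOF
printf '#CRYPT_DEFAULT=__unix__\nCRYPT_DEFAULT=1\nCRYPT_ALGORITHMS_ALLOW=1,2a,md5\n' > "$SAMPLE_POLICY"

audit_shadow "$SAMPLE_SHADOW"
echo "DES accounts: $(count_des "$SAMPLE_SHADOW"); CRYPT_DEFAULT=$(crypt_default "$SAMPLE_POLICY")"
```

Run it against the real files with `audit_shadow /etc/shadow` and `crypt_default /etc/security/policy.conf` (root needed to read shadow).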

One of the first things I do on a fresh Solaris 10 install is update /etc/security/policy.conf then change root’s password. Storing a root password as an 8 character DES is just lame. Of course, I also change root’s home directory to /root and, gasp, switch the shell to bash… So maybe I’m just CRAZY.


About this entry