
Heads up: PASSREQ is being enforced (snv_104)

Date: Sat, 15 Nov 2008 21:56:28 +0100
From: Joep Vesseur <Joep.Vesseur at sun dot com>
To: onnv-gate at onnv dot eng dot sun dot com, on-all at sun dot com,
Subject: Heads up: PASSREQ is being enforced (snv_104)

Nevada folks,

The integration of

   PSARC 2007/700 Enforcement of PASSREQ=YES
   4652487 pam_unix_account does not honor PAM_DISALLOW_NULL_AUTHTOK for
           root
   5070350 pam_unix account allows users with blank passwords if aging
           prevents change
   6494527 PASSREQ not always enforced

into snv_104 enforces the long standing intended, but never quite
implemented, behavior of PASSREQ as defined in /etc/default/login:

   "If PASSREQ is set to YES (or yes), accounts without a password[1]
    are *not* allowed to login to the system"

[1] No password means accounts listed as "NP" by "passwd -s"

By default, /etc/default/login contains "PASSREQ=YES". If PASSREQ is not
defined, "PASSREQ=NO" is implied. This has always been the case and is
not changed by this putback.

SERVICES IMPACTED

Services that read PASSREQ and enforce this rule are
   - login (and thus telnet and rlogin)
   - rexec
   - rsh
   - ssh
   - su

FIXING LOCKOUTS

Whenever a user is denied access because his account lacks a password,
a log message is generated. As always, the user himself is not informed
of the reason for denied access.

Users no longer able to login will have to have a password set by the
administrator. Administrators locked out by this change will have to
boot the system in single-user mode and set the root password before
proceeding to multi-user mode. (Single user login (sulogin) does not
read PASSREQ from /etc/default/login. It does have a similar variable in
/etc/default/sulogin which has a different meaning. See sulogin(1) for
more details).

HOW TO PREVENT BEING LOCKED OUT

On initial install, the installer asks for a root password. The text
based installer will warn about empty root passwords and will suggest
to either set a password or change PASSREQ before rebooting.

Using jumpstart, set a root password using the "root_password"
keyword in the sysidcfg file. See sysidcfg(4) for more information.
If you absolutely don't want a root password, use a finish-script to
edit /etc/default/login on the installed system.

On an upgrade, the system will warn about password-less accounts if
/etc/default/login contains PASSREQ=YES. As always, check the
upgrade_cleanup log to see if post-upgrade actions are required.

FORCING PASSWORD CHANGES

The side effect of the incomplete implementation of PASSREQ handling
up to this moment was that users were forced to set a password if they
had none. The only supported way to force users to change their password
is to use "passwd -f". This used to work and still works. It is now the
only way to force users to set a new password.

Joep
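An added example, not part of Joep's mail: a small POSIX sh audit that reads a saved copy of /etc/default/login and saved `passwd -sa` output and lists the accounts (status "NP") that the enforcement described above will deny, so an administrator can set passwords before moving to snv_104. The file names, the `write_samples` helper and its status lines are constructed for the demo; only "YES" and "yes" count as enforced, and a missing PASSREQ is treated as NO, as the mail states.

```shell
#!/bin/sh
# Added pre-upgrade audit helper; not part of the original mail.
# Works on saved files so it runs offline:
#   passwd -sa > passwd_status.txt   (2nd column "NP" = no password)
#   cp /etc/default/login login.txt

passreq_enabled() {
    # $1: copy of /etc/default/login. Succeeds only if PASSREQ is YES or yes.
    # Unset or commented-out PASSREQ means NO; the last assignment wins.
    v=$(awk -F= '$1 ~ /^[ \t]*PASSREQ[ \t]*$/ { val = $2 }
                 END { gsub(/[ \t"]/, "", val); print val }' "$1")
    [ "$v" = "YES" ] || [ "$v" = "yes" ]
}

locked_out_accounts() {
    # $1: saved "passwd -sa" output, $2: copy of /etc/default/login.
    # Prints each login name that enforcement would deny, one per line.
    passreq_enabled "$2" || return 0
    awk '$2 == "NP" { print $1 }' "$1"
}

write_samples() {
    # Constructed sample data for the demo; $1 is a writable directory.
    cat > "$1/passwd_status.txt" <<'EOF'
root      NP
daemon    LK
jdoe      PS   11/14/08  7  56  7
build     NP
svcuser   NL
EOF
    cat > "$1/login.txt" <<'EOF'
# PASSREQ determines if login requires a password.
#PASSREQ=NO
PASSREQ=YES
EOF
}

tmp=$(mktemp -d) && write_samples "$tmp"
echo "Accounts that PASSREQ enforcement will deny:"
locked_out_accounts "$tmp/passwd_status.txt" "$tmp/login.txt"
rm -rf "$tmp"
```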