Unix, Xenix and ODT General FAQ

This article is from a FAQ concerning SCO operating systems. While some of the information may be applicable to any OS, or any Unix or Linux OS, it may be specific to SCO Xenix, Open

How can I increase the number of characters that are significant in passwords (Old SCO Unix)?

This is an ancient post with no relevance to modern systems.

(This applies to 3.2v4.x and up)

Two factors control passwords: the maximum length that a generated password can be, and how much of a password is significant.

Both parameters are in /etc/auth/system/default.


 default:\
        :d_name=default:\
        :u_pwd=*:\
        :u_priority#0:u_cmdpriv=audittrail,su,queryspace,printqueue,mem,terminal:\
        :u_syspriv=execsuid,nopromain,chmodsugid,chown:\
        :u_minchg#0:u_maxlen#80:u_exp#0:u_life#0:\
        :u_pickpw:u_genpwd:u_restrict@:u_nullpw:\
        :u_suclog#0:u_unsuclog#0:u_maxtries#99:u_lock:\
        :u_singleuserpswd:u_secclass=c2:u_integrity@:u_tcbpw@:\
        :u_pwseg#2:\
        :t_logdelay#1:t_maxtries#99:t_login_timeout#60:\
        :chkent:
 

In the above example, u_maxlen#80 means that generated passwords can be up to 80 characters long. That affects the password generator program only. The u_pwseg#2 limits the significance to 2 segments or 16 bytes (2 * 8). If you wanted 24 characters to be significant, you'd change it to u_pwseg#3.

Note that u_maxlen doesn't stop you from giving the password program a longer password; you can enter whatever you like. Also, if you aren't using the generator, u_pwseg is the only setting you need to change to make more characters significant.

Thanks to Roger Cornelius for pointing out inaccuracies in the original article. I had thought that u_maxlen had to be equal to or greater than u_pwseg * 8; they are completely unrelated.
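As an added example (not part of the original article or of any SCO tool), this Python sketch reads an entry in the format shown above and reports the two independent settings. It assumes the termcap-style conventions visible in the listing (name#number, name=string, a bare name for true, name@ for false) and a default of one segment when u_pwseg is absent; parse_entry and password_policy are hypothetical names.

```python
import re

# Constructed sample: the listing above, shortened to the password fields.
SAMPLE = r"""default:\
        :d_name=default:\
        :u_pwd=*:\
        :u_minchg#0:u_maxlen#80:u_exp#0:u_life#0:\
        :u_pickpw:u_genpwd:u_restrict@:u_nullpw:\
        :u_pwseg#2:\
        :chkent:
"""

SEGMENT_CHARS = 8  # one segment is 8 characters, per the article


def parse_entry(text):
    """Parse one entry into (name, {field: value})."""
    # Join backslash-continued lines, then split on the ':' separators.
    joined = re.sub(r"\\\n\s*", "", text.strip())
    fields = [f.strip() for f in joined.split(":") if f.strip()]
    caps = {}
    for field in fields[1:]:
        m = re.fullmatch(r"(\w+)(?:#(\d+)|=(.*)|(@))?", field)
        if m is None:
            raise ValueError(f"unrecognised field: {field!r}")
        key, number, string, negated = m.groups()
        if number is not None:
            caps[key] = int(number)      # numeric, e.g. u_pwseg#2
        elif string is not None:
            caps[key] = string           # string, e.g. d_name=default
        else:
            caps[key] = negated is None  # bare name is true, name@ is false
    return fields[0], caps


def password_policy(caps):
    """Report significance and generator length; the two are unrelated."""
    segments = caps.get("u_pwseg", 1)  # assumption: one segment if absent
    return {
        "significant_chars": segments * SEGMENT_CHARS,
        "generator_max_len": caps.get("u_maxlen"),
    }


if __name__ == "__main__":
    print(password_policy(parse_entry(SAMPLE)[1]))
```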

You are supposed to be able to use useradd or usermod to change the significant segments for a specific user. According to the man page for useradd, this should work:

usermod -x "{ passwdSignificantSegments 2 }"  username
 

But I've found it just complains that there is no attribute "passwdSignificantSegments".

Recently Gerald Monds explained why I had that problem:

From the man pages... changing "passwdSignificantSegments"
is a system default change and not user specific. The
man pages say it cannot be used without "-D". So the
correct syntax should be

usermod -D -x "{passwdSignificantSegments 2}"

You wouldn't think that increasing password security would necessarily cause a confusing login problem, but it did.

What happened was this: users were, in fact, using longer passwords, but the system was set to only pay attention to the first eight characters. When this was changed, users who were using the longer passwords now suddenly could not log in.

From: spcecdt@deeptht.armory.com. (John DuBois)
Newsgroups: comp.unix.sco.misc
Subject: Re: password bug!
Date: Tue, 13 Apr 1999 01:05:36 GMT
References: <j0pQ2.22087$LX.8581155@WReNphoon3> 

In article <j0pQ2.22087$LX.8581155@WReNphoon3>,
clive keough <clivekeough@yahoo.com> wrote:
>Although I've never seen it posted. Is it well known that only the
>first 8 characters of the password count on SCO openserver. It doesn't
>just occur on one machine or one version here either. I wasn't aware
>that this was a problem/bug and I've not seen it written elsewhere.

Only the first 8 characters count *by default*.  It's easy to change.  The part
of a password that is significant is set in "segments" of 8 characters.  To
e.g. increase the significant length to 32 characters, do (on a 5.0 system):

usermod -D -x '{passwdSignificantSegments 4}'

MAJOR caveat:
Only the significant part of a password is stored, AND
only the significant part is compared.  So, if you have
the significant segments set to 1, you may have users
using >8-character passwords; the password routines
just ignore the extra characters.  But when you increase
the significant segments beyond 1, suddenly all those
users will not be able to log in... because now more than
8 characters of the password they enter are being compared
against the 8 characters stored in the password database.
I learned this the hard way when I bumped segments up
from 1 to 4 shortly after moving from XENIX to UNIX.
The solution was to put a notice in /etc/issue.  These days
you'd do better to put it in BANNER in /etc/default/issue.

        John
-- 
John DuBois    spcecdt@armory.com.    KC6QKZ   http://www.armory.com./~spcecdt/
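A toy model of the caveat in the post above, added here as an illustration and not taken from the post or from SCO's code. SHA-256 per 8-character segment stands in for the system's real password routine, salts are omitted, and the AuthDb class, user names and passwords are constructed.

```python
import hashlib

SEGMENT_CHARS = 8  # one segment is 8 characters, per the post


def segment_hashes(password, segments):
    """Hash only the significant part, one digest per 8-character segment.

    SHA-256 is a stand-in for the real password routine (assumption).
    """
    significant = password[: segments * SEGMENT_CHARS]
    chunks = [significant[i:i + SEGMENT_CHARS]
              for i in range(0, len(significant), SEGMENT_CHARS)] or [""]
    return [hashlib.sha256(c.encode()).hexdigest() for c in chunks]


class AuthDb:
    """Minimal password database with a system-wide segment setting."""

    def __init__(self, segments=1):
        self.segments = segments  # models passwdSignificantSegments
        self.stored = {}

    def set_password(self, user, password):
        # Only the significant part is stored.
        self.stored[user] = segment_hashes(password, self.segments)

    def login(self, user, password):
        # Only the significant part of what is typed is compared.
        return segment_hashes(password, self.segments) == self.stored[user]


def demo():
    db = AuthDb(segments=1)
    db.set_password("alice", "correcthorsebattery")  # 19 characters
    db.set_password("bob", "tr0ub4d")                # 7 characters
    before = (db.login("alice", "correcthorsebattery"),
              db.login("bob", "tr0ub4d"))
    db.segments = 4  # the effect of raising the system default to 4
    after = (db.login("alice", "correcthorsebattery"),
             db.login("bob", "tr0ub4d"))
    db.set_password("alice", "correcthorsebattery")  # reset under new setting
    fixed = db.login("alice", "correcthorsebattery")
    return before, after, fixed


if __name__ == "__main__":
    print(demo())
```

The stored value for a password longer than 8 characters looks the same as for one of exactly 8, so the database alone cannot tell the administrator which accounts will be affected; a notice to users, as the post suggests, is the practical remedy.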



