7.10 Ensure Password Encryption Uses SHA algorithms 'CRYPT_ALGORITHMS_ALLOW'

Information

Solaris supports several different algorithms for password storage, including unix crypt, SHA256 and SHA512. The CRYPT_DEFAULT determines the default encryption algorithm used, while CRYPT_ALGORITHMS_ALLOW determines algorithms allowed by the system for new passwords.

By default Solaris uses the old unix crypt algorithm for password storage. Unix crypt is easy to crack with readily available tools. Using a more advanced algorithm decreases the capability of cracking passwords on the system.

Solution

Edit the /etc/security/policy.conf file and set the CRYPT_ALGORITHMS_ALLOW setting as follows: CRYPT_ALGORITHMS_ALLOW=5,6

See Also

https://workbench.cisecurity.org/files/614

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-13

Plugin: Unix

Control ID: 1ed08d6ba2243c8caae8036067083d880810711f9a7888f3d6b9070a798400e4