OBSOLETE Patch-ID# 148050-04


Copyright (c) 2012, Oracle and/or its affiliates. All rights reserved.

Keywords: pam_authtok_check
Synopsis: Obsoleted by: 148050-05 SunOS 5.10_x86: pam_authtok_check patch
Date: Apr/14/2014


Install Requirements: NA

Solaris Release: 10_x86

SunOS Release: 5.10_x86

Unbundled Product:

Unbundled Release:

Xref: This patch available for SPARC as patch 148049

Topic: SunOS 5.10_x86: pam_authtok_check patch

Relevant Architectures: i386

Bugs fixed with this patch:

Sun CR #    Bug #
7206732     15825378
            15882895
            17278866
            17947505
6974277     15660391
7044075     15715022
7044078     15715025


Changes incorporated in this version: 17278866 17947505

Patches accumulated and obsoleted by this patch: 145791-01

Patches which conflict with this patch:

Patches required with this patch: 120012-14 127128-11 137138-09 (or greater)

Obsoleted by:

Files included with this patch:

/etc/default/passwd
/usr/bin/mkpwdict
/usr/lib/security/amd64/pam_authtok_check.so.1
/usr/lib/security/pam_authtok_check.so.1

Problem Description:

17278866 passwords are rejected after installing 148049-03 and using spellchecking dict
17947505 memory leak in authtok_check/packer.c#merge_files
 
(from 148050-03)
 
15825378 passwords are not always rejected when based on dictionary word
 
(from 148050-02)
 
15882895 passwd dumps core when dictionary is less than 512 bytes
 
(from 148050-01)
 
7044075 incorrect syslog format string in authtok_check.c:get_passwd_defaults()
7044078 potential memory leak in check_circular()
 
(from 145791-01)
 
6974277 gdm2-login cannot obey password security rules without a password force_check option


Patch Installation Instructions:
--------------------------------
 
Please refer to the man pages for instructions on using 'patchadd'
and 'patchrm' commands provided with Solaris.
 
The following example installs a patch to a standalone machine:
 
       example# patchadd /var/spool/patch/123456-07
 
The following example removes a patch from a standalone system:
 
       example# patchrm 123456-07
 
For additional examples please see the appropriate man pages. Any
other special or non-generic installation instructions should be
described below as special instructions.


Special Install Instructions:
-----------------------------
 
NOTE 1:  The fix for bug 17278866 (passwords are rejected after installing
         148049-03 and using spellchecking dict) resolves the following
         problem from Sun Alert 1576493.1:
 
         It was not possible to update system passwords on Solaris 10
         with patches 148049-03 (sparc) or 148050-03 (x86) installed
         on systems with password checking functionality enabled with
         a dictionary containing short words, such as 'a' or 'to'.
         All proposed new passwords were rejected.  This issue made it
         impossible for users to log in when their passwords had
         expired.  This also affected the root password.
 
         The fix for bug 17278866 introduces a new configuration option
         'DICTIONMINWORDLENGTH' for /etc/default/passwd and a new command
         line option '-l' for mkpwdict(1).  These are used when a password
         dictionary database is constructed, to omit dictionary words
         shorter than the specified word length.
 
         Description of new configuration option 'DICTIONMINWORDLENGTH':
 
         DICTIONMINWORDLENGTH can contain a number specifying the
         minimum word length for the source files in DICTIONLIST.  Words
         shorter than the specified length will be omitted from the
         password dictionary.  The minimum value allowed is 2 [letters];
         default value is 3 [letters].
 
         After this patch is installed on a system, it is necessary to
         rebuild the password dictionary database.  This can be done in
         two ways:
 
         1. Edit the file /etc/default/passwd and add the new
            configuration option 'DICTIONMINWORDLENGTH=3' at the end of
            the file.  The password dictionary database will be rebuilt
            during the subsequent invocation of 'passwd'.
 
         2. Rebuild the password dictionary database using mkpwdict(1).
            Either add the new configuration option
            'DICTIONMINWORDLENGTH=3' to /etc/default/passwd, or supply
            the command line option '-l 3' to mkpwdict(1).
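
The following check is an added example, not part of the Oracle README or the patch: before rebuilding the dictionary, it reads DICTIONMINWORDLENGTH and DICTIONLIST from a passwd defaults file and counts how many source words fall below the minimum length and will therefore be omitted. The function names are this example's own; it assumes DICTIONLIST is a comma-separated list of paths and that each source file holds one word per line.

```sh
#!/bin/sh
# Constructed helper names; not shipped with the patch.

# Print the value of KEY from a /etc/default/passwd-style file.
# This example takes the first uncommented KEY=value line.
get_default() {
    awk -F= -v key="$1" '
        /^[ \t]*#/ || NF < 2 { next }
        { k = $1; gsub(/[ \t]/, "", k) }
        k == key { v = $0; sub(/^[^=]*=/, "", v); gsub(/[ \t]/, "", v); print v; exit }
    ' "$2"
}

# Minimum word length in effect: the configured value, or the README's
# default of 3 when unset. The README gives 2 as the lowest allowed value,
# so this example reports anything lower (or non-numeric) as an error.
effective_min_len() {
    len=$(get_default DICTIONMINWORDLENGTH "$1")
    if [ -z "$len" ]; then len=3; fi
    case "$len" in
        *[!0-9]*) echo "invalid DICTIONMINWORDLENGTH: $len" >&2; return 1 ;;
    esac
    if [ "$len" -lt 2 ]; then
        echo "DICTIONMINWORDLENGTH=$len is below the minimum of 2" >&2
        return 1
    fi
    echo "$len"
}

# Count the words in the DICTIONLIST sources that are shorter than the
# minimum length, i.e. those left out of the rebuilt dictionary.
# Assumes one word per line and comma-separated paths without spaces.
count_omitted_words() {
    conf=$1
    min=$(effective_min_len "$conf") || return 1
    list=$(get_default DICTIONLIST "$conf")
    if [ -z "$list" ]; then echo 0; return 0; fi
    old_ifs=$IFS; IFS=,
    set -- $list
    IFS=$old_ifs
    awk -v min="$min" 'length($0) > 0 && length($0) < min { n++ }
                       END { print n + 0 }' "$@"
}

# Usage on a patched system: count_omitted_words /etc/default/passwd
```

A non-zero count with the default setting means the source lists contain short words of the kind ('a', 'to') that the README ties to the rejected-password problem.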


README -- Last modified date: Wednesday, March 8, 2017