11-21-2011 04:19 AM
Hi all,
I have a requirement to implement the following in the OpenVMS Alpha system user accounts:
1. Passwords must be set to 8 characters or more.
2. Password complexity must be enabled.
3. Passwords must include an alpha, a numeric, and a punctuation character.
4. Password reset must not allow one of the last 6 passwords used.
5. Lock out must be in place after 3 failed log in attempts.
Can you please guide me on the same.
11-21-2011 04:33 AM
Re: Hi all can you please guide me how to implement Password security
All of these questions can be answered by careful reading of chapter 7 of the Guide to Systems Security manual. With the exception of the requirement for a punctuation character (which I am not entirely sure is supported), all requirements are easily met. Please read the above referenced manual for a start. Post here the version of VMS that you are using and further details can be provided.
Dan
11-21-2011 04:52 AM
Based on that requirements list, your security auditors are probably unfamiliar with OpenVMS and are likely working off a generic cookbook of password recommendations, so your evaluation of their recommendations should include some appropriate degree of skepticism. Some of the recommendations I've received from security auditors would have disabled OpenVMS.
As for your list, points 4 and 5 are longstanding default behavior of OpenVMS. See the security manual in the OpenVMS documentation set for details. For the other points, see OpenVMS Tips: Password Policy Filters and OpenVMS Tips: Password Policy Filters, Example and Configuring LDAP External Authentication among other postings. One of those has full source code.
Given the ever-increasing speed of brute-force password matching and the default break-in evasion support within OpenVMS and given the general weakness of passwords, password complexity is arguably tussling with an old (and losing) security battle. But that's typical of various security audits I've encountered; some of these reviews are little more than a corporate backside-covering issue -- also known as a transfer of liability - than an effort looking for actual and forward-looking security. (The list you've posted is a common cookbook that these folks work from.)
I have also used the larger brute-force password attack dictionaries as site-specific additions into the forbidden-password list. These dictionaries tend to be five or ten thousand entries that are known and common password choices. Details on that approach are here.
As for another common brute-force, I haven't encountered a John The Ripper variant implemented in CUDA or OpenCL and running within a GPU (not that I've even looked for it), but I do expect it's entirely feasible to brute-force the password hashes. The speeds of these GPU-based password attacks are prodigious. And as for other alternatives to old-school password attacks - if your organization is worth targeting - there are other and easier and very effective ways to get access and get passwords using spearphishing and related techniques (eg: Stuxnet, Duqu, others), but - if you're worth it and your password hashes should get exposed to your attackers, then somebody will create the CUDA or OpenCL code necessary.
11-21-2011 06:18 AM
We are using VMS 8.3.
11-21-2011 12:46 PM
> 1. Passwords must be set to 8 characters or more.
This is set per user in the UAF with MODIFY/PWDMINIMUM=value
the default default is 6. Change with
UAF> MODIFY DEFAULT/PWDMINIMUM=8
>2. Password complexity must be enabled.
>3. Passwords must include an alpha, a numeric, and a punctuation character.
You'll need to enable mixed passwords for each account and/or the default:
UAF> MODIFY user/FLAGS=PWDMIX
UAF> MODIFY DEFAULT/FLAGS=PWDMIX
To enable complexity rules, you'll need a VMS$PASSWORD_POLICY module. A Google search for VMS$PASSWORD_POLICY should find example code, which includes instructions. I've also attached a MACRO32 version. You may need to modify the code to implement the policy you require.
> 4. Password reset must not allow one of the last 6 passwords used.
Set system wide with the system executive logical name SYS$PASSWORD_HISTORY_LIMIT. Default if not defined is 60. You can also define SYS$PASSWORD_HISTORY_LIFETIME, which is the minimum time to password reuse. Default is 365 days. I'd go with the stricter OpenVMS defaults.
> 5. Lock out must be in place after 3 failed log in attempts.
This is probably not a good idea. You can do it by setting SYSGEN parameters LGI_BRK_LIM to 3 and LGI_BRK_DISUSER to 1. However, this opens you up to DOS attacks - it's trivially easy to lock out one of your users, and 3 retries isn't sufficient for normal fumble fingers. Personally, I'd increase the limit from the default of 5 to about 20, and increase LGI_HID_TIM to a few hours. That will be more than sufficient to protect against brute force attacks, give you plenty of warning from audit logs, but still give folk plenty of room for mistyping.
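The length and character-class test that requirements 1 and 3 call for, written as portable C. This is an added example, not the attached MACRO32 module or any OpenVMS code; the name `pw_policy_check` and the result bits are hypothetical, and hooking the check into a VMS$PASSWORD_POLICY image (argument passing, returned status) is not shown.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define PW_MIN_LEN 8            /* requirement 1 in the thread */

/* Result bits (hypothetical names); 0 means every rule is satisfied. */
enum {
    PW_TOO_SHORT = 1 << 0,      /* shorter than PW_MIN_LEN */
    PW_NO_ALPHA  = 1 << 1,      /* no letter */
    PW_NO_DIGIT  = 1 << 2,      /* no numeric character */
    PW_NO_PUNCT  = 1 << 3,      /* no punctuation character */
    PW_BAD_CHAR  = 1 << 4       /* control or non-ASCII byte present */
};

/* Takes pointer + length, so the buffer need not be NUL-terminated.
 * Returns a mask of the rules the candidate password fails. */
unsigned pw_policy_check(const char *pw, size_t len)
{
    unsigned missing = PW_NO_ALPHA | PW_NO_DIGIT | PW_NO_PUNCT;
    unsigned result = 0;

    if (pw == NULL)
        return PW_TOO_SHORT | missing;
    if (len < PW_MIN_LEN)
        result |= PW_TOO_SHORT;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)pw[i];
        if (c < 0x20 || c > 0x7e) {     /* reject rather than classify */
            result |= PW_BAD_CHAR;
            continue;
        }
        if (isalpha(c))      missing &= ~(unsigned)PW_NO_ALPHA;
        else if (isdigit(c)) missing &= ~(unsigned)PW_NO_DIGIT;
        else if (ispunct(c)) missing &= ~(unsigned)PW_NO_PUNCT;
    }
    return result | missing;
}

int main(void)
{
    /* Constructed sample candidates, not real credentials. */
    const char *samples[] = { "short1!", "alllowercase", "Tr1cky-Pass" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-14s -> 0x%02x\n", samples[i],
               pw_policy_check(samples[i], strlen(samples[i])));
    return 0;
}
```

Returning a mask instead of a single pass/fail lets the caller tell the user which rule was missed, which keeps rejected password changes from turning into help-desk calls.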
11-23-2011 06:38 AM
Thanks much folks for the solution.
11-25-2011 07:45 PM
Please consider adding some "kudo's" and perhaps mark a specific reply as providing the solution.
Cheers, Hein.
11-30-2011 09:53 AM - edited 12-01-2011 12:44 AM
Hi All,
Could anybody please tell me how to implement vms$password_policy_mar.txt (9 KB), as attached by John Gillings?
I created a file using the create command
$ create VMS$PASSWORD_Policy.mar
then copied the contents of the above mentioned file by John....then below
$ MACRO VMS$PASSWORD_POLICY ---> it created VMS$PASSWORD_POLICY.OBJ; under my home directory.
But when I try to link it gives an error as below, please advise
then
$LINK/SHAREABLE/SYSEXE VMS$PASSWORD_POLICY+SYS$INPUT:/OPTION-
_$> SYMBOL_VECTOR=(POLICY_PLAINTEXT=PROCEDURE,POLICY_HASH=PROCEDURE)
%DCL-W-MAXPARM, too many parameters - reenter command with fewer parameters
\SYMBOL_VECTOR\
Could anybody guide me step by step, as I am a novice to MACRO programming but still want to test this password policy on a VMS system. Your response will help me a lot on this. I am using OpenVMS 8.3.
11-30-2011 04:17 PM - edited 11-30-2011 04:21 PM
You have apparently somehow added a spurious hyphen at the end of the LINK command; an errant continuation character after the /OPTION qualifier.
Remove that hyphen.
The command is intended to read its options data (the shareable image symbol declarations) from the command input SYS$INPUT device, but that hyphen caused DCL to see that data as additional parameters on the command.
12-01-2011 12:53 AM
Hi Hoff,
That hyphen is for continuation of a single on the next line... I don't think that's an error. Please advise.
Regards
Prakash