
Re: SSH login w/expired password allows new password change containing invalid characters

 
Cindy Railey_1
Advisor

SSH login w/expired password allows new password change containing invalid characters

I just reported this to HP, but thought I would post it in case anyone else encounters an issue like this -

We had a user who generally uses SSH to connect to the VMS servers - in mid-March her password was expired and she set a new password which included "@" (which of course is an invalid character for a password). SSH/VMS allowed the password change - and she continued to log in with that password since.

Yesterday - she needed to transfer a file from her desktop to VMS, and she could not connect with FTP (SFTP would have worked). Audit Server was reporting "%LOGIN-F-INVPWD, invalid password"

Not knowing about the 'invalid character' in the password - we thought she was a bad typist, had a bad keyboard... but were persistent in troubleshooting for about 45 minutes. Finally someone asked for her password, otherwise we may have never known what happened.

I tested and the problem occurs on both AlphaVMS v7.3-2/TCPIP v5.4 ECO 4 and IA64 VMS v8.3/TCPIP v5.6 ECO 2.

You can log in with invalid characters in your password via SSH or SFTP, but not FTP, DECnet (set host), or Telnet - that's as far as I went with it.
Gregg Parmentier
Frequent Advisor

Re: SSH login w/expired password allows new password change containing invalid characters




I wonder if the ssh/sftp interface drops the @. So, would the password with the @ removed have been valid via telnet?

That might make it a problem with the client software you're using, and not with VMS.
Cindy Railey_1
Advisor

Re: SSH login w/expired password allows new password change containing invalid characters

To rule out the terminal emulation software we use - I connected to a VMS server via SSH (using the password with illegal characters) then connected directly to another VMS server in the same Cluster using TELNET, FTP, DECnet (Set Host), SSH, & SFTP. Only SSH and SFTP would allow login with the password. All other protocols failed login.
Cindy Railey_1
Advisor

Re: SSH login w/expired password allows new password change containing invalid characters

HP responded - if the UAF records have the PWDMIX flag set - then the issue described does not occur.

If you do NOT have the PWDMIX flag set - SSH ignores that fact and allows 'extended' characters in the password. The user cannot log in by any other method afterwards.

This little bug is being reported to engineering.
Cindy Railey_1
Advisor

Re: SSH login w/expired password allows new password change containing invalid characters

Closing this thread as the problem will be resolved eventually. Main reason for posting was to help others who may come across this issue.