topic Re: password complexity enforcement for OpenVMS 7.3-1 and OpenVMS 7.3-2 in Operating System - OpenVMS

password complexity enforcement for OpenVMS 7.3-1 and OpenVMS 7.3-2

Thanassis Papadimitriou — Thu, 22 Jan 2009 09:25:40 GMT

I would like to enforce all users to enter password strings containing at least 3 characters from 1 upper, 1 lower, 1 numeric and 1 special character.

I know that this is enabled per user by assigning /pwdmix flag to the account. But, it is limited to upper, lower characters.

It is time consuming to write down a new code using VMS$PASSWORD_POLICY.EXAMPLE, can we find any existing code to use.

I would like to be able to specify the number of upper, lower, numeric and special that a password must contain and also to define the total number of complexity characters that the password must at least contain.

Re: password complexity enforcement for OpenVMS 7.3-1 and OpenVMS 7.3-2

Joseph Huber_1 — Thu, 22 Jan 2009 09:42:46 GMT

Too complex? because the examples are written in ADA and Bliss ?

maybe start with this example, if You can handle C source:
http://wwwvms.mppmu.mpg.de/vmssig/src/c/VMS$PASSWORD_POLICY.C

Re: password complexity enforcement for OpenVMS 7.3-1 and OpenVMS 7.3-2

Thanassis Papadimitriou — Thu, 22 Jan 2009 10:23:07 GMT

Yes, it is complex.

But, the C example is to weak to use. It counts only digits.

What I need is the following:

http://64.223.189.234/node/643

it is written in Macro 32. Can you help me and guide how to install it in my platform?

Re: password complexity enforcement for OpenVMS 7.3-1 and OpenVMS 7.3-2

Joseph Huber_1 — Thu, 22 Jan 2009 10:42:06 GMT

> But, the C example is to weak to use. It counts only digits.

Yes, I meant start with this example, and extend it, or You are no C programmer and have none available ?

The Macro code on Hoffs site seems to be ready to be used: follow the "usage" comment: Macro,link,copy the .EXE to sys$common:[syslib], and set the system parameter LOAD_PWD_POLICY to 1.

Re: password complexity enforcement for OpenVMS 7.3-1 and OpenVMS 7.3-2

Joseph Huber_1 — Thu, 22 Jan 2009 11:03:26 GMT

forgot in the list the INSTALL command of course after copying the module to sys$common:[syslib].
And also note to do the INSTALL from systartup_vms.com !

Re: password complexity enforcement for OpenVMS 7.3-1 and OpenVMS 7.3-2

Robert Gezelter — Thu, 22 Jan 2009 11:18:25 GMT

Thanassis,

These examples were never meant as finished products. They are merely examples of the means and methods to interface a custom password policy module.

Since OpenVMS is language agnostic, it is possible to write such a module in any language that one (or one's colleagues) is familiar with, with the possible direct exceptions of non-compiled languages such as Java, PERL, and DCL).

Alternatively, outside expertise may be retained to implement what ever policy is eventually decided. (Disclosure: We do provide services in this area, as do other frequent contributors to this forum).

- Bob Gezelter, http://www.rlgsc.com

Re: password complexity enforcement for OpenVMS 7.3-1 and OpenVMS 7.3-2

Thanassis Papadimitriou — Thu, 22 Jan 2009 12:03:20 GMT

Robert,

Thank you for your input but the code in macro 32 works fine. I managed to make it function.

I have tested it in OpenVMS 7.3-2 & OpenVMS 7.2-1 and I got results in each OS version tested.

BR,

Re: password complexity enforcement for OpenVMS 7.3-1 and OpenVMS 7.3-2

Thanassis Papadimitriou — Thu, 22 Jan 2009 12:08:04 GMT

Joseph,

I did what is written in usage guides. But, I issued the INSTALL from command prompt. Should I add an INSTALL line in the startup file as well to enable VMS$PASSWORD_POLICY whenever the server is rebooted?

BR,

Re: password complexity enforcement for OpenVMS 7.3-1 and OpenVMS 7.3-2

Jan van den Ende — Thu, 22 Jan 2009 12:44:01 GMT

Thanassis,

>>>
Should I add an INSTALL line in the startup file as well to enable VMS$PASSWORD_POLICY whenever the server is rebooted?
<<<

Most definitely, YES!!!

If you set the LOAD_PWD_POLICY, and do NOT do the install,then there is NO way to log into the system at all!
(if that SHOULD happen, you must boot conversational, unset it, (so you can log in again) and put the INSTALL in the startup, set LOAD_PWD_POLICY again, and reboot again. No pretty prospect)

hth

Proost.

Have one on me.

jpe

Re: password complexity enforcement for OpenVMS 7.3-1 and OpenVMS 7.3-2

Joseph Huber_1 — Thu, 22 Jan 2009 13:13:00 GMT

As I have written, put the INSTALL into sysstartup_vms.com,
this means it is executed at reboot.

And at best follow the advice of Stephen Hoff. NOT to set the system parameter LOAD_PWD_POLICY permanent to 1, but do it at the ACTIVE sysgen parameter set at every boot;
this way the parameter stays at 0 when sysartup_vms is aborted for whatever reason.

At best, put the INSTALL together with the SYSGEN commands into a separate commandfile, executed towards the end of systartup-vms.

Re: password complexity enforcement for OpenVMS 7.3-1 and OpenVMS 7.3-2

Joseph Huber_1 — Thu, 22 Jan 2009 13:24:30 GMT

To Jans warning: No, it is not so catastrophic to have load_pw_policy set to 1 without installing the policy image: one still can login, only SET PASSWORD will fail in this case. See my example session below.

Username: huber
Password:
Welcome ...

MPIW12_HUB>mcr sysgen
SYSGEN> SHOW LOAD_PWD_POLICY
Parameter Name Current Default Min. Max. Unit Dynamic
-------------- ------- ------- ------- ------- ---- -------
LOAD_PWD_POLICY 1 0 0 1 Boolean D
SYSGEN> Exit
MPIW12_HUB>set password
%LIB-F-ACTIMAGE, error activating image SYS$LIBRARY:VMS$PASSWORD_POLICY.EXE
-SYSTEM-F-PRIVINSTALL, shareable images must be installed to run privileged imag
e

Re: password complexity enforcement for OpenVMS 7.3-1 and OpenVMS 7.3-2

Hoff — Thu, 22 Jan 2009 14:30:25 GMT

Ah, this explains the spike in traffic arriving on that article.

If you have questions, it's a whole lot easier (for me and then for any other folks that are subsequently looking at the article) if the questions are posted over at /node/643. Accounts are free, too. (I have enabled the registration process to keep the site from filling from spam.)

I've updated the comments in the article to more explicitly point to the need of some DCL commands in the system startup or in a filter-specific startup procedure.

The security auditors love this password character selection stuff. It doesn't work, though. It's akin to reorganizing the deck chairs on the Titanic. Password-based authentication is among the weakest options, and it's particularly bad when combined with telnet and ftp and such; cleartext authentication protocols.

Some related reading:

http://64.223.189.234/node/229

Then...

http://64.223.189.234/node/219
http://64.223.189.234/node/526
http://64.223.189.234/node/832

I've also added a passwords tag to the HL site, and sprinkled it around various of the password-related sites.

Re: password complexity enforcement for OpenVMS 7.3-1 and OpenVMS 7.3-2

Thanassis Papadimitriou — Thu, 22 Jan 2009 14:43:18 GMT

Thank you all,

I kept notes on what i have to do to enable password filtering. The only thing I have to do is to write a command procedure which will include the INSTALL and sysgen invocation. After that I have to update systartup_vms.com to call at the bottom the newly created procedure.

Since you mentioned clear text transmission of passwords over telnet & ftp, does this password filtering work over ssh?

Re: password complexity enforcement for OpenVMS 7.3-1 and OpenVMS 7.3-2

Joseph Huber_1 — Thu, 22 Jan 2009 15:22:46 GMT

Yes of course, if You login via SSH, then everything flowing over this link is encrypted,
thus the password in a SET PASSWORD command is encrypted.

This has in particular nothing to do with password policy, it is just the purpose and result of the SSH connection.

Re: password complexity enforcement for OpenVMS 7.3-1 and OpenVMS 7.3-2

Thanassis Papadimitriou — Thu, 22 Jan 2009 15:27:26 GMT

In OpenVMS 7.3-1 /pwdmix flag does not exist. Does anybody know if there is an alternative solution for that without the need to upgrade to OpenVMS 7.3-2. /pwdmix flag exists in OpenVMS 7.3-2.

Re: password complexity enforcement for OpenVMS 7.3-1 and OpenVMS 7.3-2

Hoff — Thu, 22 Jan 2009 15:51:38 GMT

There is no supported means to back-port the mixed-case password mechanisms to V7.3-1.

Better to spend the effort here moving forward to V7.3-2 (which itself is ancient, albeit with Prior Version Support still available) or (better) upgrading to the current OpenVMS Alpha V8.3 release.

Moving from V7.3-1 to V8.3 is arguably not a major upgrade for OpenVMS Alpha; there were minor kernel changes all through the range, and the V7 to V8 upgrade did not (on OpenVMS Alpha) involve significant kernel changes. In retrospect, the TQE kernel change from V7.3-1 to V7.3-2 probably caused more ripples than V7 to V8.

OpenVMS Alpha V8.3 also adds external authentication into your local LDAP (Active Directory or Open Directory or otherwise) and various other password-related features.

Re: password complexity enforcement for OpenVMS 7.3-1 and OpenVMS 7.3-2

Thanassis Papadimitriou — Fri, 23 Jan 2009 13:42:25 GMT

When the user logs in OpenVMS 7.3-2 with pwdmix set and VMS$PASSWORD_POLICY is in place then the user is allowed to enter case sensitive passwords and system interprets these passwords as case sensitive.

Is there a way that we can tell somehow OpenVMS 7.3-1 to accept and interpret case sensitive passwords?

Re: password complexity enforcement for OpenVMS 7.3-1 and OpenVMS 7.3-2

Hoff — Fri, 23 Jan 2009 17:17:54 GMT

>Is there a way that we can tell somehow OpenVMS 7.3-1 to accept and interpret case sensitive passwords?

No.

A requirement for mixed-case passwords is not compatible with continued use of OpenVMS Alpha V7.3-1.

AFAIK, there is no back-port available. (This back-port would likely involve changes made to multiple OpenVMS modules and components, too. It's not a single and isolated change.)

Your choice here is between use of uppercase passwords and upgrading OpenVMS Alpha.

Re: password complexity enforcement for OpenVMS 7.3-1 and OpenVMS 7.3-2

Thanassis Papadimitriou — Sat, 24 Jan 2009 08:59:27 GMT

I have a last question.

Regarding UAF.ALPHA_EXE I observed that I cannot run a query at UAF records having /SELECT=flag=pwdmix.

Also, when I ask to print out the flags a user has, using /DISPLAY=(username,flags), although flag /pwdmix has been assigned and show user displays among other flags pwdmix as well, all other flags are displayed apart from pwdmix.

Do you if there is an updated UAF.ALPHA_EXE which may run queries based on flag=pwdmix?

Re: password complexity enforcement for OpenVMS 7.3-1 and OpenVMS 7.3-2

Joseph Huber_1 — Mon, 26 Jan 2009 13:08:12 GMT

You have the complete source, why not update it ?
(I myself have no VMS version new enough).

Extract module UAFDEF from sys$library:sys$lib_c.tlb.
Look for the flag bits inserted after DISPWDHIS ,
add the new ones in the files uafcld.cld and uaf_cld.h, @compile.
I think that should do it.