topic Re: priviledge to reset password in Operating System - OpenVMS

priviledge to reset password

TMcB — Mon, 21 Feb 2011 11:49:22 GMT

Hi all

What VMS privileges does a user need to be able to reset other users passwords.
i would like to allow our helpdesk to reset the users passwords - and give them an account to do so with the minimum required priviledges.
Thanks so much

Re: priviledge to reset password

Richard Brodie_1 — Mon, 21 Feb 2011 12:19:07 GMT

The AUTHORIZE utility is installed with SYSLCK and AUDIT. Beyond that, access to the SYSUAF (sys$system:sysuaf.dat by default)should be all that is needed.

Creating an ACL on the SYSUAF would do it. Since that would allow you to create extra accounts and change privileges etc also, it would be good practice to not to give a helpdesk account free access to this. The simplest would be making the password changing account a captive account.

Re: priviledge to reset password

TMcB — Mon, 21 Feb 2011 12:37:37 GMT

Thanks Richard - indeed would use a captive account

Re: priviledge to reset password

Robert Gezelter — Mon, 21 Feb 2011 13:21:09 GMT

TMcB,

When using a captive account, be careful to note that the command procedures need to CHECK THE USER-SUPPLIED INPUTS WITH EXTREME CARE.

The same cautionary notes that apply to back-end web scripts (e.g., CGI using DCL and other languages with string substitution), apply as well to captive account command procedures. One needs to beware unchecked string substitution, it can create an unintended attack vector.

For example, can the user supply a string "JJDUFFH/PRIV=CMKRML" as a password. This COULD lead to an unwitting symbol substitution, to wit:
$ AUTHORIZE MODIFY /PASSWORD='NEWPASSWORD' becoming
$ AUTHORIZE MODIFY /PASSWORD=JJDUFMH/PRIV=CMKRNL

Extreme caution is recommended.

- Bob Gezelter, http://www.rlgsc.com

Re: priviledge to reset password

Jan van den Ende — Mon, 21 Feb 2011 13:41:34 GMT

TMcB,

Like others noted, all kinds of misuse potential (intentional or not) are easily introduced.

We have made that at least a lot more difficult by making a little utility (only accessible by holders of HELPDESK identifier)
which just takes a username as parameter.
Then it generates a password by concatenating current year - month - day - hour - minute.
This is set as the new password and displayed to the helpdesk person to tell the calling user.
... and of course, usernames are checked, and privileged usernames are NOT accepted!

hth

Proost.

Have one on me.

jpe

Re: priviledge to reset password

Hoff — Mon, 21 Feb 2011 15:26:07 GMT

There is a complete username registration and associated password-reset system available for download here:

http://labs.hoffmanlabs.com/node/1260

Re: priviledge to reset password

John Gillings — Mon, 21 Feb 2011 22:06:42 GMT

TMcB,

In this case "minimum required" is an oxymoron. Any of the ALL category privileges should do. According to the System Services Reference Manual, $SETUAI "You must have SYSPRV privilege to set passwords for any user account (including your own)."

Implementing such a mechanism, while protecting against unauthorised privilege amplification requires care, as it would be easy to leave loopholes open.

The simplest, and most obvious case - preventing your helpdesk operators from modifying the password of SYSTEM and thereby taking control of the system is but the tip of the iceberg.

Robert's example of DCL qualifier syntax hacking shows that knocking up a DCL script to feed AUTHORIZE has some unexpected pitfalls.

My recommendation would be a program to be installed with SYSPRV which uses $SETUAI and UAI$_PASSWORD. I'd protect the image with an ACL, filter the input username with both an INCLUDE list AND an EXCLUDE list (remember he program has SYSPRV, so the lists can be hidden), and audit every action, again to a protected file.

With appropriate table driven logic, you could define it so that a given user had a set of usernames they're allowed to modify.

Re: priviledge to reset password

John Gillings — Mon, 21 Feb 2011 23:02:45 GMT

TMcB,

Also please note... there is no "d" in the word "Privilege"

Re: priviledge to reset password

TMcB — Tue, 22 Feb 2011 10:55:06 GMT

Thanks John for pointing out my poor typing skills.

Does anyone know if its possible to allow a user to change the password of a restricted group of users. I'm thinking that I wouldnt want the user to change the system account, but would want him to be able to change our standard users.

Thanks

Re: priviledge to reset password

Robert Gezelter — Tue, 22 Feb 2011 11:26:38 GMT

TMcB,

Yes. Check the process' rightslist and/or UIC. For example, Group leader (typically Member 1 of the group is permitted to reset members of their group). Alternatively, holders of an identifier (e.g., GROUPADMIN_nn) can reset passwords of users in UIC group [nn,*].

- Bob Gezelter, http://www.rlgsc.com

Re: priviledge to reset password

TMcB — Tue, 22 Feb 2011 11:44:48 GMT

thanks Bob for being a big help

Re: priviledge to reset password

Hoff — Tue, 22 Feb 2011 14:43:00 GMT

>Does anyone know if its possible to allow a user to change the password of a restricted group of users. I'm thinking that I wouldnt want the user to change the system account, but would want him to be able to change our standard users.

SMOP. Simple Matter of Programming.

Without doing a little work within your tool? No. But it's a database. So it's trivial to do this. Your reset mechanism can be (and should be) coded to do this.

The NEWUSER tool I linked to does exactly this, exempting specific users (and also dealing with random folks that might try to reset the passwords of others), so you'll see code and processing in there to avoid having out-of-range users reset, or rogue user password reset requests. (The reset implemented in that tool is self-service. No help desk required.)

If you're using external authentication via LDAP (via Open Directory or Active Directory LDAP servers or otherwise), you can likely perform an LDAP password reset on some other platform as there are tools for these tasks available, and avoid this whole matter. (I use a Mac for this web-based password change, as the security APIs and available tools are vastly more capable than those of VMS.)

I was unable to locate a registration and reset tool for that cluster, and ended up writing that NEWUSER code specifically because of the limits and omissions in VMS.