topic Re: Detecting expired passwords in a C program in Operating System - OpenVMS

Detecting expired passwords in a C program

Scott Dawson_2 — Mon, 21 Feb 2005 12:30:55 GMT

I have a web interface to an openVMS applicatin. I have routines to add users, validate pswd, modify pswd. I am having a heck of a time checking if a pswd is expired. When using the sys$getuai utility, and checking the UAI_Flags, I get a successful status but a 0 for result. Even when the accnt is expired. What's the correct way to check for expired password from a C program?

Thanks

Re: Detecting expired passwords in a C program

Ian Miller. — Mon, 21 Feb 2005 12:49:33 GMT

can you post the code fragment as a txt attachment here?

Re: Detecting expired passwords in a C program

Hein van den Heuvel — Mon, 21 Feb 2005 13:26:52 GMT

pwd_expired is tricky, non-intuitive, as there is the flag bit at play, as well as a date stamp. A simple MODI/FLA=PWDEXPI will mark the date field, NOT the flag bit. Witness:

UAF> SHOW TEST
:
Flags:
:
Pwdchange: 18-FEB-2005 14:59
:
UAF> MODI TEST/FLAG=PWDEXPIRED
Flags:
:
Pwdchange: (pre-expired)

Or with a little tool that I wrote and will attach:

$ MCR AUTHORIZE MODI TEST /NOPWDEXPI
%UAF-I-MDFYMSG, user record(s) updated
$ GETUAI TEST USERNAME FLAGS PWD_DATE
USERNAME,FLAGS,PWD_DATE
TEST,00000000,21-FEB-2005 13:21:18.70
$ MCR AUTHORIZE MODI TEST /PWDEXPI
%UAF-I-MDFYMSG, user record(s) updated
$ GETUAI TEST USERNAME FLAGS PWD_DATE
USERNAME,FLAGS,PWD_DATE
TEST,00000000, 0 00:00:00.00

The PWD_EXPIRED flag will only be set if

1. The user logs in
2. The password has expired (see below)
3. The user is set not to be forced to change an expired password on login i.e. DISFORCE_PWD_CHANGE is set.

hth,
Hein.

HP Internal folks... This is discussed in:
VAXAXP::NOTES$ARCHIVE:VMSNOTES_V12 topic 1783

Re: Detecting expired passwords in a C program

Scott Dawson_2 — Mon, 21 Feb 2005 13:46:14 GMT

Here's a code snippet. After reviewing the replies to this, I'd also like to ask "what" is the preferred way to do this?

The value in uflags (from attachment) is 0 and return_status = 1.

Anyhow...thanks for the help

Re: Detecting expired passwords in a C program

Scott Dawson_2 — Mon, 21 Feb 2005 14:52:48 GMT

After reviewing the above posts and the limits of checking flags. Would a better approach be to check the date of pwdchange and add the pwdlifetime. If the result is < current datetime, I force them to reset the password. I was hoping for a simple check.

Let me know if I'm going in the wrong direction.

thanks

Re: Detecting expired passwords in a C program

Bojan Nemec — Mon, 21 Feb 2005 15:13:56 GMT

Scott,

The UAI$M_PWD_EXPIRED flag is set when the user tryes to login and his password is expired. Please read the Description section of the SYS$QETUAI system service:

http://h71000.www7.hp.com/doc/732FINAL/4527/4527pro_005.html#index_x_630

It gives you an explanation how the flag is set.

Bojan

Re: Detecting expired passwords in a C program

Kris Clippeleyr — Tue, 22 Feb 2005 02:23:01 GMT

Scott,

Would a better approach be to check the date of pwdchange and add the pwdlifetime. If the result is < current datetime, I force them to reset the password. I was hoping for a simple check.

That's exactly what LOGINOUT does. As per the manual:
"During a normal login when the UAI$V_DISFORCE_PWD_CHANGE bit is not set, the system compares UAI$_PWD_DATE against UAI$_PWD_LIFETIME and, if expired, forces the user to change the password. With this configuration, the UAI$V_PWD_EXPIRED bit is not set."

So, your on the right track.

Regards,
Kris (aka Qkcl)

Re: Detecting expired passwords in a C program

Ian Miller. — Tue, 22 Feb 2005 06:08:09 GMT

It appears you have to check that the password last modified date plus the password life time value are older then the current date & time.