topic WEB change password utility in Operating System - OpenVMS

WEB change password utility

John Donovan_4 — Thu, 11 Nov 2004 12:39:58 GMT

I've been searching for a WEB based change password for OpneVMS alpha users to use. I found an old app called "change_password.exe", but I have believe there is something available either with the latest Apache or Java I've installed on my server. Does anyone know of a utility out there?

Re: WEB change password utility

John Gillings — Thu, 11 Nov 2004 15:24:01 GMT

John,

If you can't find an off-the-shelf solution, you can roll your own fairly easily. Apache has a cgi-bin, which supports DCL (see examples in APACHE$ROOT:[CGI-BIN]). The biggest issue would be getting the process into the context of your user. However, for your particular case, that's easier than usual, as you will have the username and password.

A quick and simple way might be to use a DECnet task to the local node:

$ OPEN/READ/WRITE task 0"''user' ''pass'"::"0=SETPASS"

where SETPASS.COM could execute your change_password image. This also gives you a very simple mechanism for testing the old password (ie: you can't get into the process to change the password unless the network login is successful, and you'll get full auditing and intrusion detection for free).

Beware though, your usernames and passwords will be traversing the network in clear text. Make sure this is consistent with your security policies.

Re: WEB change password utility

Martin Vorlaender — Sat, 13 Nov 2004 06:30:01 GMT

Hi,

based on the work of Richard Levitte and Tom Wade, I implemented a change_password.exe.

It does almost everything I could think of to make it reasonably safe, i.e.

- scan the intrusion database, and also update it in case of a breakin attempt,
- scan the password history and dictionary, if this is not disabled in the user's account,
- optionally, inhibit changing the password of a member of the system groups,
- optionally, only change password for accounts that hold a particular identifier,
- optionally, restrict password changes to accounts that only have network access enabled,
- generate the password if the account is set up to it.

The downside to all of this is that the program needs SYSPRV and SECURITY privilege, and (for use with a web server) probably needs to be installed with those, or suexec'd (which I haven't yet tried).

I haven't yet implemented interfacing to site-specific policies, and updating the password history.

It's not yet really polished for publication, but it is (quite unusually ;-) heavily commented C code.

If you want to give it a try, you can download it from http://www.pdv-systeme.de/users/martinv/cpw.zip

BTW: I know all of this could now be implemented easier, but this was meant to run under VMS 6.2...

cu,
Martin

Re: WEB change password utility

John Donovan_4 — Fri, 20 May 2005 15:00:02 GMT

Almost everything I run into is created for OSU HTTP server, but I'm using Apache/2.0.47 (OpenVMS) mod_ssl/2.0.47 OpenSSL/0.9.6g PHP/4.3.2. I have incorporated the use of auth_openvms_module and the AuthUserOpenVMS directive. This is great but it as certain short coming.

I'm interested in anything you can provide which will allow checking an OpenVMS user account upon their attachment to the secured WEB page.
I would like to be able to provide the following functionalities:
1.) If password expired then prompt for new password
2.) If account is disusered disallow access
3.) If account is expired disallow access

I take it SWS does NOT come with this capability?
Thanks,
jd

Re: WEB change password utility

David Jones_21 — Sat, 18 Jun 2005 12:23:32 GMT

Martin Vorlaender wrote:
based on the work of Richard Levitte and Tom Wade, I implemented a change_password.exe.

It does almost everything I could think of to make it reasonably safe, i.e.

The downside to all of this is that the program needs SYSPRV and SECURITY privilege, and (for use with a web server) probably needs to be installed with those, or suexec'd (which I haven't yet tried).

Check out the new SYS$ACM service, you can call it to change your password without any privileges. I've got an example of it in http://www.ecr6.ohio-state.edu/~jonesd/change_password.zip

Re: WEB change password utility

Willem Grooters — Mon, 20 Jun 2005 04:10:19 GMT

On access request, username and expected rights are checked agains UAF and Rightlist (depending on what has been defined) and that will just return "Acces allowed" (returning the page requested) or "access denied", returning error page 401 (Authentication required).
If that page could be adjusted to obtain this information AND allow the user to change their password (using methods described by others) yÃ³u're done ;-) Beware though, that such a change is server-wide.
(I haven't tried this myself, but know it must be possible.

Re: WEB change password utility

Martin Vorlaender — Tue, 21 Jun 2005 03:38:49 GMT

David Jones wrote:
>>>
Check out the new SYS$ACM service, you can call it to change your password without any privileges.
<<<

Given that the CGI program runs in the web server user's context (typically APACHE$WWW for CSWS), SYS$ACM would require IMPERSONATE privilege to change another user's password.

Besides, as I wrote, the program was designed to run under VMS 6.2, so it also doesn't take into account the PWDMIX flag.

But thanks for the example program, and for the acm_wrapper functions. Anyone have a "Guide to ACME"? I find the description of the SYS$ACM service rather intimidating...

cu,
Martin

Re: WEB change password utility

David Jones_21 — Tue, 21 Jun 2005 08:56:52 GMT

Martin Volaender:
>>>>
Given that the CGI program runs in the web server user's context (typically APACHE$WWW for CSWS), SYS$ACM would require IMPERSONATE privilege to change another user's password.
<<<<

I didn't provide a CGI script, just a part of one that demonstrates the SYS$ACM functions. I use a configuration that allows 'captive' scripts to run in the user's persona (i.e. the IMPERSONATE is upstream of the CGI script). Someone else mentioned using DECnet to get the right context.

I think it will certain amount of effort for anyone to get the 'rhythm' of the novel $ACM API, no matter how good the documentation.