topic Re: Userid/Password verification within a BASIC application in Operating System - OpenVMS

Userid/Password verification within a BASIC application

Dan Herron — Tue, 01 Feb 2005 09:41:04 GMT

I have a BASIC program that when the user has "done something wrong" it requires their manager to clear the "problem" while the user is still executing the application. I would like the manager to come over to the user's terminal and from an application prompt, enter their VMS userid and password (concealing the password, of course) thus identifying themselves to the application, have the application verify the combination is correct and then give the manager access to the functions that will clear the "problem".

Is there a system service I can call from a BASIC application to verify the userid/password combination? If so, does someone have an example in BASIC of how to do so. I'm not a very good at understanding the system service documentation and work best from examples.

Many thanks for any assistance you can provide,
Dan Herron
Kittles Furniture
Indpls, IN

Re: Userid/Password verification within a BASIC application

Ian Miller. — Tue, 01 Feb 2005 09:56:40 GMT

the basic steps would be to read the username, use SYS$GETUAI to obtain the users record. Read the password, use SYS$HASH_PASSWORD to hash the password and compare the result with the value in the user record. You may also want to look at SYS$AUDIT_EVENTW

Example code for calling these system services can be found
http://www.eight-cubed.com/examples/framework.php?file=sys_getuai.c
http://www.eight-cubed.com/examples/framework.php?file=sys_audit_event.c
http://wwwvms.mppmu.mpg.de/vmssig/src/FOR/UAI_EXAMPLE.FOR

Re: Userid/Password verification within a BASIC application

Kris Clippeleyr — Tue, 01 Feb 2005 10:18:44 GMT

Hi,

You might also have a look at the SYS$ACM system service
http://h71000.www7.hp.com/doc/732FINAL/4527/4527pro.html#acm_001
http://h71000.www7.hp.com/doc/731FINAL/5841/5841pro_contents_010.html#toc_chapter_33

Greetz,
Kris (aka Qkcl)

Re: Userid/Password verification within a BASIC application

Robert Gezelter — Tue, 01 Feb 2005 11:25:54 GMT

Dan,

You might also want to take a look at the "Guide to System Security".

In particular, you want to consider carefully what this implies. You need to be careful to ensure that this does not lead to a security hole. The most simple minded approach does create a security hazard by processing the Management account/password pair.

There are several possibilities. Which one is the right one depends upon the exact details of your application (one that I have used on several occasions is DECnet logical links).

If the above is unclear, or I can be of further assistance, please let me know.

- Bob Gezelter, http://www.rlgsc.com

Re: Userid/Password verification within a BASIC application

Bojan Nemec — Tue, 01 Feb 2005 13:37:15 GMT

Dan,

In this thread (which has a similar problem as you), I posted a litle MACRO program which gets
the password of the current user and verify it.
You can use it as an example.

http://forums1.itrc.hp.com/service/forums/questionanswer.do?threadId=743707

Bojan

Re: Userid/Password verification within a BASIC application

John Gillings — Tue, 01 Feb 2005 15:08:57 GMT

All the system service examples require privilege. For a simple, non-privileged test, use DECnet. Just OPEN a file using a network filespec:

0"username password"::PASSCHECK.TMP

if successful the password is correct.

See also my example using PIPE at

http://forums1.itrc.hp.com/service/forums/questionanswer.do?threadId=743707

Since it's in DCL, you would have to SPAWN it from BASIC.

Re: Userid/Password verification within a BASIC application

Hein van den Heuvel — Tue, 01 Feb 2005 17:11:52 GMT

John wrote:

>>> open 0"username password"::PASSCHECK.TMP
>>> if successful the password is correct.
>>> See also my example using PIPE at
:
>>> Since it's in DCL, you would have to
SPAWN it from BASIC.

Just ot be perfectly clear, you can just use a BASIC OPEN statetement and use the STANDARD error handling to determine whether it worked (now close it!), or failed.
And you can use NL: as the 'file' (or login.com).

Hein.

Re: Userid/Password verification within a BASIC application

Robert Gezelter — Wed, 02 Feb 2005 05:36:15 GMT

Dan,

A further note on the integrity of the "Managers Password" and the override process.

Care needs to be exercised. Particularly since this is supposed to be an auditable interface. I am working with no context, but if this is going to be audited at some point, the following comments apply:
- the application program should not get the manager's password.
- the application should pass control to a separate, limited program which does the actual override.
- I don't have an indication of scale, but consideration should be given to a "Dongle", challenge/response, or similar system. The simple "Manager's Password" approach is vulnerable to various attacks, including: playback, spoofing, and unauthorized code modifications.

As I mentioned on opening, the overide/authorize function can be done correctly, in a way which will stand up to audit scrutiny, but care must be exercised.

In these days of Sarbenes-Oxley, for example, auditing standards for production applications have increased substantially, with more concern being paid to separation of program development staff from production accounting data. Overrides are of particular concern to auditors.

I hope that the above is helpful. If I have been unclear, please let me know.

- Bob Gezelter, http://www.rlgsc.com