Operating System - OpenVMS

Check/Change password w/ Apache

SOLVED
John Donovan_4
Frequent Advisor

Almost everything I run into is created for OSU HTTP server, but I'm using Apache/2.0.47 (OpenVMS) mod_ssl/2.0.47 OpenSSL/0.9.6g PHP/4.3.2. I have incorporated the use of auth_openvms_module and the AuthUserOpenVMS directive. This is great but it has certain shortcomings.

I'm interested in anything you can provide which will allow checking an OpenVMS user account upon their attachment to the secured WEB page.
I would like to be able to provide the following functionalities:
1.) If password expired then prompt for new password
2.) If account is disusered disallow access
3.) If account is expired disallow access

I take it SWS does NOT come with this capability?
Thanks,
jd
"Difficult to see, always in motion is the future..."
12 REPLIES
John Gillings
Honored Contributor

Re: Check/Change password w/ Apache

John,

I'm not familiar with auth_openvms_module, but I'm assuming from your query that it prompts for username and password and validates them. I'm further assuming that it's working, except that it doesn't support expired passwords?

Disusered and expired accounts should not be passing authentication. If they are, you should raise a formal elevation, as they represent a potentially serious security hole.

That leaves expired passwords... typically these are not checked or enforced during network connections, as there isn't necessarily a mechanism for prompting and changing the password. You could write a simple program to test for an expired password. It would need to be installed with privilege, pass it a username and return status "SUCCESS" if the password is OK, and "FAIL" if it's expired, disusered, does not exist etc...

To update an expired password, your best bet is to get OpenVMS to do it for you. Is there an SWS module to pop up a terminal session of any type? If so, you can present the user with a terminal prompt which, assuming the default NODISFORCE_PWD_CHANGE, will force the password to be updated. You then need a way to detect that it's happened and log the session off. On return, you can recheck the password.
A crucible of informative mistakes
Willem Grooters
Honored Contributor

Re: Check/Change password w/ Apache

What you want to achieve is not possible via the OpenVMS authentication module.
First, if a user's password is expired, he won't be allowed access when user-authentication is enabled in Apache. Nor is access allowed when the user's account is captive or has the flag DISUSER set.
Second: Apache - and all CGI-scripts that are invoked - run under the (non-privileged) user APACHE$WWW, and therefore, changing password (for another user!) is not allowed.

It might be that the SUEXEC module allows you to do this, I have no experience with it. I just know that there is some extra security built-in that allows just users mentioned in a separate Apache file to run scripts under their name. That would require an extra synchronisation between SYSUAF and this file - to be executed by system management.
Furthermore, it won't work if that page is protected by the authentication module, for the aforementioned reasons.

Another, and IMHO a better approach, is warning that the password is about to expire, like VMS does by standard, allowing the user to take action in advance. But that would require a privileged image to be used, in order to allow APACHE$WWW to retrieve this data (based on REMOTE_USER symbol) and set this user's new password (based on this user's input).

Willem
Willem Grooters
OpenVMS Developer & System Manager
John Donovan_4
Frequent Advisor

Re: Check/Change password w/ Apache

I appreciate the input, but I CAN'T be the only site in the "Free World" who wants to provide a password change/check frontend using Apache! There are all kinds set up for OSU HTTP server. Maybe my question should be how do you get the OSU utilities to run under Apache?

I don't have a problem coding an executable to do this, but a prototype or example would be helpful.
jd
"Difficult to see, always in motion is the future..."
Martin Vorlaender
Honored Contributor

Re: Check/Change password w/ Apache

Hi John,

What is it that you don't like about the tool I created? - see http://forums1.itrc.hp.com/service/forums/questionanswer.do?threadId=739349 . As this is pure CGI, it should run with any webserver.

cu,
Martin
John Donovan_4
Frequent Advisor

Re: Check/Change password w/ Apache

Sorry Martin, I missed that somehow. Yes, this is what I'm looking for, thanks. Is there any special handling of the WWW_IN, WWW_OUT & WWW_ environment variables?
"Difficult to see, always in motion is the future..."
Martin Vorlaender
Honored Contributor
Solution

Re: Check/Change password w/ Apache

John,

>>>
Is there any special handling of the WWW_IN, WWW_OUT & WWW_ environment variables?
<<<

As I only know these environment variables from Purveyor (a commercial webserver from Process Software, only sold on an as-is basis today), I'm a bit surprised by seeing them in an Apache context.

Yes, my program is written to respect WWW_IN/WWW_OUT, in that if they are defined, they're used. If they're not defined, it uses plain stdin/stdout. With respect to the various other WWW_ variables, it tries a translation first without, then with the "WWW_" prefix.

cu,
Martin
John Donovan_4
Frequent Advisor

Re: Check/Change password w/ Apache

Thanks again, Martin, you have been extremely helpful to us.
"Difficult to see, always in motion is the future..."
Willem Grooters
Honored Contributor

Re: Check/Change password w/ Apache

All true, as I said: Needs to be installed or run by SUEXEC - requiring double administration.
However, given the way that the OpenVMS authentication module works, the page that starts this script cannot be secured by the authentication module when someone's password has expired, the account is captive or the DISUSER flag is set: access to that page is denied BEFORE the script can run. You'll need a second (general, or SUEXEC page) to provide the functionality.

Just to be complete.
Willem Grooters
OpenVMS Developer & System Manager
John Donovan_4
Frequent Advisor

Re: Check/Change password w/ Apache

This brings up another point. Does anyone know what (if anything) will be returned by auth_openvms_module that can be captured by a script and used to determine which path to take? In other words, does auth_openvms_module send a status when account is ok, disusered, password expired, account locked out, etc.?
"Difficult to see, always in motion is the future..."
Martin Vorlaender
Honored Contributor

Re: Check/Change password w/ Apache

John,

>>>
Does anyone know what (if anything) will be returned by auth_openvms_module that can be captured by a script and used to determine which path to take? In other words, does auth_openvms_module send a status when account is ok, disusered, password expired, account locked out, etc.?
<<<

AFAIK, all mod_auth modules work the same way; for a CGI script to be executed, the authentication must have been successful beforehand.

All the script can request are the normal environment variables, e.g. REMOTE_USER and AUTH_TYPE (probably set to something like "Basic").

Or so I interpret the Installation Guide, see http://h71000.www7.hp.com/openvms/products/ips/apache/csws_iguide.html , section 4.5:

"When a user seeks to open a file in that directory, the user will be prompted for a username and password. That username and password must match entries in the SYSUAF.DAT file. Furthermore, the SYSUAF.DAT entry must allow a network login for that username at the time of the request."

cu,
Martin
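
Added example (not Martin's program and not code from the Apache kit): a minimal C CGI sketch of the two behaviours described in the replies above, namely looking a variable up first without and then with the "WWW_" prefix while honouring WWW_OUT, and treating REMOTE_USER as the only thing the authentication module hands to the script. The function names are hypothetical, and the user-name rule (1 to 12 letters, digits, `$` or `_`) is an assumption used to reject anything unexpected before the value goes near a privileged routine.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Look a CGI variable up without, then with, the "WWW_" prefix. */
const char *cgi_var(const char *name)
{
    char prefixed[128];
    const char *v = getenv(name);
    if (v != NULL && *v != '\0') return v;
    if (snprintf(prefixed, sizeof prefixed, "WWW_%s", name) >= (int)sizeof prefixed)
        return NULL;                     /* over-long name: treat as undefined */
    v = getenv(prefixed);
    return (v != NULL && *v != '\0') ? v : NULL;
}

/* Use the file named by `var` (WWW_IN / WWW_OUT) if defined, else `fallback`. */
FILE *cgi_stream(const char *var, const char *mode, FILE *fallback)
{
    const char *path = getenv(var);
    return (path != NULL && *path != '\0') ? fopen(path, mode) : fallback;
}

/* Copy REMOTE_USER to `out` only if it is set and looks like an OpenVMS user
 * name (assumed: 1-12 letters, digits, '$' or '_'). Returns 1 on success. */
int authenticated_user(char *out, size_t outlen)
{
    const char *u = cgi_var("REMOTE_USER");
    size_t n = (u != NULL) ? strlen(u) : 0;
    if (n == 0 || n > 12 || n >= outlen) return 0;
    for (size_t i = 0; i < n; i++)
        if (!isalnum((unsigned char)u[i]) && u[i] != '$' && u[i] != '_') return 0;
    memcpy(out, u, n + 1);
    return 1;
}

int main(void)
{
    char user[13];
    FILE *out = cgi_stream("WWW_OUT", "w", stdout);
    if (out == NULL) return EXIT_FAILURE;
    fputs("Content-Type: text/plain\r\n\r\n", out);
    if (authenticated_user(user, sizeof user))
        fprintf(out, "Authenticated as %s\n", user);
    else
        fputs("No usable REMOTE_USER; refusing to continue\n", out);
    return (out != stdout && fclose(out) != 0) ? EXIT_FAILURE : EXIT_SUCCESS;
}
```

If the script is reached without REMOTE_USER, the page is not behind the authentication module, so the script should not act on any user name supplied in the request itself.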
John Donovan_4
Frequent Advisor

Re: Check/Change password w/ Apache

But is there some sort of indicator of pass or fail?
"Difficult to see, always in motion is the future..."
Martin Vorlaender
Honored Contributor

Re: Check/Change password w/ Apache

>>>
But is there some sort of indicator of pass or fail?
<<<

Easy: If authentication failed, the script won't be started at all.

cu,
Martin