Operating System - OpenVMS
cancel
Showing results for 
Search instead for 
Did you mean: 

Creating system-generated passwords without using SET PASSWORD

 
SOLVED
Go to solution
Jeremy Begg
Trusted Contributor

Creating system-generated passwords without using SET PASSWORD

Hi,

I'm preparing to automate the creation of user accounts on my OpenVMS 8.3 systems and would like to auto-generate the passwords for the new accounts.

I'm comfortable with the passwords generated by

$ SET PASSWORD /GENERATE

but that command is not well suited to the task at hand.

Is there a callable interface to the password generator, or a standalone program? I haven't been able to find one.

Thanks,
Jeremy Begg
12 REPLIES 12
Joseph Huber_1
Honored Contributor

Re: Creating system-generated passwords without using SET PASSWORD

If nothing better can be found...
put the single line
$SET PASSWORD/generate=n
into a command-file (n: choose the wanted password length).
$Exit or EOF after the kine, so that set password does not get old/new password input and simply exits.

Execute the command-file with /output=tempfile or pipe it into a command-file, which reads the output (or sys$pipe), and takes the password(s).

An alternative could be another generate password program like gpw.c at

ftp://ftp.multicians.org/

You could modify it to put the generated password into a DCL symbol.
http://www.mpp.mpg.de/~huber
Joseph Huber_1
Honored Contributor

Re: Creating system-generated passwords without using SET PASSWORD

And in addition there are CPAN perl modules
String::MkPasswd
( http://search.cpan.org/~cgrau/String-MkPasswd-0.02/lib/String/MkPasswd.pm )

and
Crypt::RandPasswd

( http://search.cpan.org/~jdporter/Crypt-RandPasswd-0.02/lib/Crypt/RandPasswd.pm )
\
http://www.mpp.mpg.de/~huber
Hoff
Honored Contributor

Re: Creating system-generated passwords without using SET PASSWORD

One usual approach involves perusal of NETCONFIG.COM.

IIRC, some related underpinnings are available via the undocumented sys$forge_word system service.

I've posted full source code of the NEWUSER user creation tool (with an MIT-style license) at http://labs.hoffmanlabs.com/node/1260
Joseph Huber_1
Honored Contributor
Solution

Re: Creating system-generated passwords without using SET PASSWORD

.. and a DCL one-liner to get a generated password into a logical name:

pipe write sys$output "Invalid" | set password/generate=8 | (read sys$pipe l ; read sys$pipe l ; define/job password &l)

http://www.mpp.mpg.de/~huber
Craig A
Valued Contributor

Re: Creating system-generated passwords without using SET PASSWORD

If the LockPWD flag is set then the account issuing the SET PASS/GEN password will get:

%SET-F-PWDLOCKED, password is locked to prevent change

Craig A
Graham Burley
Frequent Advisor

Re: Creating system-generated passwords without using SET PASSWORD

I would've thought $mc authorize add/generate_password more suited to the task, but I've probably missed the point.
Jeremy Begg
Trusted Contributor

Re: Creating system-generated passwords without using SET PASSWORD

Hi,

Responding first to the last posts from Craig and Graham ...

The newly-created accounts won't have LOCKPWD set, so that's not going to be a problem. And in any case the password will be generated before the account is created.

Graham, thanks for pointing out the /GENERATE_PASSWORD qualifier, I didn't know about that one. I don't think it will work for me in this situation because it still requires me to select from a list -- which isn't as automated as I need. But I think it will be useful elsewhere!

I'll respond to the other suggestions and assign points when I've had a chance to look at them in more detail.

Thanks!
Jeremy Begg
John McL
Trusted Contributor

Re: Creating system-generated passwords without using SET PASSWORD

Is it too difficult to write some code that uses randon numbers between appropriate limits for ASCII a-z, A-Z and 0-9 and repeat this for however many characters? Use a seed such as I/O ops on a disk if you want to make it difficult for people to emulate what you've done and get the same password.

Once you have it then use $SETUAI to save it.

You've not said if the users will change their passwords when they first access the system but I'm guessing that's the case.


Jeremy Begg
Trusted Contributor

Re: Creating system-generated passwords without using SET PASSWORD

Hi John,

No, it's not too hard to write some code to spit out a string of characters -- but I'm trying to not reinvent the wheel, and I prefer that the generated password be pronouncable (more or less).

I should add that these accounts will be non-interactive, primarily for email services, and users won't be required to change them. (We will provide an option to allow users to change them if they wish.)

Thanks,
Jeremy Begg