- OpenVMS 8.3, Password Strength Enforcement
08-27-2009 12:30 PM
Thanks,
John
john dot farmer at genworth dot com
08-27-2009 01:28 PM
Solution
You can use the VMS$PASSWORD_POLICY callout to impose any rules you like. I wrote a fairly general example, which Hoff has posted on his web site. It counts cases, numerics and special characters and can accept or reject a password depending on results of your constraints.
Search this forum for VMS$PASSWORD_POLICY to find a link.
08-27-2009 07:40 PM
Re: OpenVMS 8.3, Password Strength Enforcement
08-27-2009 11:22 PM
Re: OpenVMS 8.3, Password Strength Enforcement
PARSEC Group OpenVMS - Password Policy
http://www.parsec.com/openvms/password.php
08-31-2009 08:21 AM
Re: OpenVMS 8.3, Password Strength Enforcement
Basically, you define two entry points as functions that return a status code. There is a policy_hash entry point that you probably don't care about, so you just return ss$_normal for that call. For the other entry, policy_plaintext, you get two strings as input: the plaintext password and the username. The password has NOT been upcased or anything else. Just raw as it was typed.
In that context, you can do a call to system service routine SYS$GETUAI to determine some things. Here's what mine does, just for an example of what is possible.
First, sanity check the inputs just to be a belt-and-suspenders type of person. Then do the GETUAI call to determine the user's login flags and a couple of other settings. In my case, some users are SSH/PKI-based and the complex password rules don't apply. So if I don't have their PWDMIX flag set, I skip out and return SS$_NORMAL. Otherwise, scan the password one character at a time and count the number of letters in each of the categories: uppercase alpha, lowercase alpha, digits, and punctuation. I also screen out certain characters that I don't allow in passwords, i.e. spaces and tabs. When I reach the end of the scan, I check the counts for our rules, which happen to be TWO each as a minimum for each category.
It is NOT necessary to check password length because the standard password tests are still in effect. Your entry point is just an added result.
We have a second rule based on Dept. of Defense regulations regarding password churning. I check the date of last password change. We disallow anyone from changing a password more often than once per day. So I compare the current system time ($GETTIM) high-order longword to the high-order longword of the password change. If they differ by more than 201 (decimal), I allow the change. If not, I disallow the change.
Before you ask: If you go through the math, 201 in the high-order longword of a quadword date/time variable equates to 23:58:48.84 elapsed time. My security guys said that was close enough. If you went to 202, that would equate to 24:05:58.33 elapsed.
This is just to give you an idea of what you can do to customize your password policy. I viewed it with much trepidation until I actually tried it. Piece of cake.
The only other "gotcha" in the pile is that there are some instructions about SYSGEN parameters and logical names to tell the password code to use your module. It is good enough to just customize your startup (perhaps using the site-specific startup implied in SYSTARTUP.COM or a file that you reference from there) rather than trying to save the system in this particular state. That's really all you need to do.
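The two checks described in the post above, as an added sketch in portable C. This is not the poster's code and not a VMS$PASSWORD_POLICY image: the function names, the constructed status values, the length-counted input and the handling of uncounted characters and of a clock that runs backwards are assumptions.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdint.h>

/* Constructed status values for this sketch; a real callout would return
   SS$_NORMAL to accept and SS$_PWDWEAK to reject. */
enum { POLICY_OK = 1, POLICY_WEAK = 0 };
#define MIN_PER_CLASS 2      /* the post's rule: two of each category */
#define MIN_HI_DELTA  201u   /* the post's churn threshold */

/* Count character classes in a length-counted password (no NUL assumed). */
int check_mix(const char *pw, size_t len)
{
    unsigned upper = 0, lower = 0, digit = 0, punct = 0;
    if (pw == NULL || len == 0)
        return POLICY_WEAK;              /* sanity check on the inputs */
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)pw[i];
        if (c == ' ' || c == '\t')
            return POLICY_WEAK;          /* characters the policy disallows */
        if (isupper(c))      upper++;
        else if (islower(c)) lower++;
        else if (isdigit(c)) digit++;
        else if (ispunct(c)) punct++;
        /* anything else is accepted but not counted (assumption) */
    }
    return (upper >= MIN_PER_CLASS && lower >= MIN_PER_CLASS &&
            digit >= MIN_PER_CLASS && punct >= MIN_PER_CLASS)
           ? POLICY_OK : POLICY_WEAK;
}

/* Seconds represented by n units of the high-order longword of a quadword
   time: one unit is 2^32 ticks of 100 ns, about 429.5 seconds. */
double hi_units_to_seconds(uint32_t n)
{
    return (double)n * 4294967296.0 * 100e-9;
}

/* Allow a change only if the high-order longwords differ by more than 201. */
int change_allowed(uint64_t now, uint64_t last_change)
{
    uint32_t hi_now  = (uint32_t)(now >> 32);
    uint32_t hi_last = (uint32_t)(last_change >> 32);
    if (hi_now < hi_last) return POLICY_WEAK;   /* clock went backwards */
    return (hi_now - hi_last) > MIN_HI_DELTA ? POLICY_OK : POLICY_WEAK;
}
```

Because only the high-order longwords are compared, a difference of 202 units can correspond to a true elapsed time of just over 201 units, which is where the 23:58:48.84 floor comes from.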
09-09-2009 05:44 AM
Re: OpenVMS 8.3, Password Strength Enforcement
Note: The program returns the correct results when linked and run from a stub caller program from the command line. The caller checks return-status for failure. The SS$_NORMAL & SS$_PWDWEAK return success and failure respectively.
I used the Link, Install and SYSMAN commands provided in the Hoffman Labs article.
See attached listing from my COBOL compile. The source file contains two programs, one for POLICY_PLAINTEXT and one for POLICY_HASH. This is how I set up the program to be called from a main program. Does this equate to an "entry-point" as described in the macro example?
Am I almost there, or am I way off base? Thanks for additional direction and/or pointers.
Thanks,
John
09-09-2009 07:27 AM
Re: OpenVMS 8.3, Password Strength Enforcement
But you could be... in a few minutes, for a few minutes. No big deal... with a good example.
>> . But after install and setting system parameters, the next login does not show any effects of running VMS$PASSWORD_POLICY.EXE
That would be because the procedure is called during the SET PASSWORD command, not LOGINOUT.
:^)
I grabbed your listing, turned it into Cobol using:
perl -ne "s/\d\s(.* BY )/0 *$1/; print $1.qq(\n) if /\t\s+\d+\s(.*)/" a.txt > a.cob
On a "personal Alpha session", compiled, linked, copied, sysgen, and then tried it:
----------------------
$ set pass
Old password:
New password:
Verification:
ROUTINE: POLICY_PLAINTEXT
%SYSTEM-F-ACCVIO, access violation
----------------------
So it works, sort of.
Just a little debugging to do.
Send time or money and I'll take care of it!
Be sure to also check out Jim Duff's example:
http://www.eight-cubed.com/blog/archives/000241.html
or my example:
http://forums11.itrc.hp.com/service/forums/questionanswer.do?threadId=866372
Good luck,
Hein van den Heuvel ( at gmail dot com )
09-09-2009 07:40 AM
Re: OpenVMS 8.3, Password Strength Enforcement
Thanks,
John
09-09-2009 02:13 PM
Re: OpenVMS 8.3, Password Strength Enforcement
Programming languages are mere detail. I chose MACRO32 for this code so it's not dependent on a particular (licensed) compiler, and also because it's not dependent on an RTL.
No code other than what you see in the source is executed. Important when you're dealing with clear text passwords, to make sure there are no opportunities for back doors or trojans to skim passwords.
It's not complicated. I'm sure you can figure out how it works.
The filter is only used when changing passwords. To force a user to run through the filter when they log in, set the user's password to be expired:
UAF> MODIFY user/PWDEXPIRED
09-10-2009 05:56 AM
Re: OpenVMS 8.3, Password Strength Enforcement
I will post the code when it is cleaned up a little more.
Thanks,
John