Operating System - OpenVMS
cancel
Showing results for 
Search instead for 
Did you mean: 

OpenVMS 8.3, Password Strength Enforcement

 
SOLVED
Go to solution
Highlighted
John T. Farmer
Regular Advisor

OpenVMS 8.3, Password Strength Enforcement

Wondering how to inforce specific password requirements for my company on OpenVMS 8.3. Specifics like "require one numeric rest alphabetic", mixed cased, etc. We have always relied on SYSUAF for password length & life. Need to take the next step.

Thanks,

John
john dot farmer at genworth dot com
11 REPLIES 11
John Gillings
Honored Contributor
Solution

Re: OpenVMS 8.3, Password Strength Enforcement

John,

You can use the VMS$PASSWORD_POLICY callout to impose any rules you like. I wrote a fairly general example, which Hoff has posted on his web site. It counts cases, numerics and special characters and can accept or reject a password depending on results of your constraints.

Search this forum for VMS$PASSWORD_POLICY to find a link.
A crucible of informative mistakes
Hoff
Honored Contributor

Re: OpenVMS 8.3, Password Strength Enforcement

Graham Burley
Frequent Advisor

Re: OpenVMS 8.3, Password Strength Enforcement

There's at least one commercial solution available:

PARSEC Group OpenVMS - Password Policy
http://www.parsec.com/openvms/password.php

Richard W Hunt
Valued Contributor

Re: OpenVMS 8.3, Password Strength Enforcement

If you have a languange compiler available that conforms to the OpenVMS Calling standards (BASIC or FORTRAN at least; C variants if you use the external call methods for those languages), you can build your own customized VMS$PASSWORD_POLICY fairly easily. Look in the SYS$EXAMPLES directory tree for the sample code.

Basically, you define two entry points as functions that return a status code. There is a policy_hash entry point that you probably don't care about so you just return ss$_normal for that call. For the other entry, policy_plaintext, you get two strings as input; the plaintext password and the username. The password has NOT been upcased or anything else. Just raw as it was typed.

In that context, you can do a call to system service routine SYS$GETUAI to determine some things. Here's what mine does, just for an example of what is possible.

First, sanity check the inputs just to be a belt-and-suspenders type of person. Then do the GETUAI call to determine the user's login flags and a couple of other settings. In my case, some users are SSH/PKI-based and the complex password rules don't apply. So if I don't have their PWDMIX flag set, I skip out and return SS$_NORMAL. Otherwise, scan the password one character at a time and count the number of letters in each of the categories Uppercase alpha, lowercase alpha, digits, and punctuation. I also screen out certain characters that I don't allow in passwords i.e. spaces and tabs. When I reach the end of the scan, I check the counts for our rules which happen to be TWO each as a minimum for each category.

It is NOT necessary to check password length because the standard password tests are still in effect. Your entry point is just an added result.

We have a second rule based on Dept. of Defense regulations regarding password churning. I check the date of last password change. We disallow anyone from changing a password more often than once per day. So I compare the current system time ($GETTIM) high-order longword to the high-order longword of the password change. If they differ by more than 201 (decimal), I allow the change. If not, I disallow the change.

Before you ask: If you go through the math, 201 in the high-order longword of a quadword date/time variable equates to 23:58:48.84 elapsed time. My security guys said that was close enough. If you went to 202, that would equate to 24:05:58.33 elapsed.

This is just to give you an idea of what you can do to customize your password policy. I viewed it with much trepidation until I actually tried it. Piece of cake.

The only other "gotcha" in the pile is that there are some instructions about SYSGEN parameters and logical names to tell the password code to use your module. It is good enough to just customize your startup (perhaps using the site-specific startup implied in SYSTARTUP.COM or a file that you reference from there) rather than trying to save the system in this particular state. That's really all you need to do.

Sr. Systems Janitor
John T. Farmer
Regular Advisor

Re: OpenVMS 8.3, Password Strength Enforcement

I believe I understand the approach and example you have outlined. Can this be done using COBOL since I'm not a Macro guy? My attempt to translate this to COBOL is attached. But after install and setting system parameters, the next login does not show any affects of running VMS$PASSWORD_POLICY.EXE (the displays are for debugging only and possibly are not visible at login). I coded a simple password check that I know would fail, attempting to force a failed login. Login was successful.

Note: The program returns the correct results when linked and run from a stub caller program from the command line. The caller checks return-status for failure. The SS$_NORMAL & SS$_PWDWEAK return success and failure respectively.

I used the Link, Install and SYSMAN commands provided in the Hoffman Labs article.

See attached listing from my COBOL compile. The source file contains two programs, one for POLICY_PLAINTEXT and one for POLICY_HASH. This is how I setup the program to be called from a main program. Does this equate to an "entry-point" as described in the macro example?

Am I almost there, or am I way off base? Thanks for additional direction and/or pointers.

Thanks,

John
Hein van den Heuvel
Honored Contributor

Re: OpenVMS 8.3, Password Strength Enforcement

>> Can this be done using COBOL since I'm not a Macro guy?

But you could be... in a few minutes, for a few minutes. No big deal... with a good example.


>> . But after install and setting system parameters, the next login does not show any affects of running VMS$PASSWORD_POLICY.EXE


That would be because the procedure is called during the SET PASSWORD command, not LOGINOUT

:^)

I grabbed your listing, turned it into Cobol using:

perl -ne "s/\d\s(.* BY )/0 *$1/; print $1.qq(\n) if /\t\s+\d+\s(.*)/" a.txt > a.cob

On a "personal Alpha session", compiled, linked, copied, sysgen, and then tried it:
----------------------
$ set pass
Old password:
New password:
Verification:
ROUTINE: POLICY_PLAINTEXT
%SYSTEM-F-ACCVIO, access violation
----------------------

So it works, sort of.
Just a little debugging to do.

Send time or money and I'll take care of it!

Be sure to also check out Jim Duff's example:

http://www.eight-cubed.com/blog/archives/000241.html

or my example:

http://forums11.itrc.hp.com/service/forums/questionanswer.do?threadId=866372

Good luck,
Hein van den Heuvel ( at gmail dot com )
John T. Farmer
Regular Advisor

Re: OpenVMS 8.3, Password Strength Enforcement

Hmmm, apparently was too late to think clearly... Thanks for catching that. Will work on that tonight, report my success tomorrow...

Thanks,

John
John Gillings
Honored Contributor

Re: OpenVMS 8.3, Password Strength Enforcement

John,

Programming languages are mere detail. I chose MACRO32 for this code so it's not dependent on a particular (licensed) compiler, and also because it's not dependent on an RTL.

No code other than what you see in the source is executed. Important when you're dealing with clear text passwords, to make sure there are no opportunities for back doors or trojans to skim passwords.

It's not complicated. I'm sure you can figure out how it works.

The filter is only used when changing passwords. To force a user to run through the filter when they login, set the users password to be expired:

UAF> MODIFY user/PWDEXPIRED

A crucible of informative mistakes
John T. Farmer
Regular Advisor

Re: OpenVMS 8.3, Password Strength Enforcement

I have a working proto-type using COBOL. I had a duh moment about when the code was executed. I properly executes the code at password change time. I appreciate all the help from this group.

I will post the code when it is cleaned up a little more.

Thanks,

John