HPE Community
Operating System - OpenVMS
1752752 Members
5242 Online
108789 Solutions
New Discussion юеВ

Userid/Password verification within a BASIC application

 
SOLVED
Go to solution
Dan Herron
Advisor

тАО02-01-2005 01:41 AM

тАО02-01-2005 01:41 AM

Userid/Password verification within a BASIC application

I have a BASIC program that when the user has "done something wrong" it requires their manager to clear the "problem" while the user is still executing the application. I would like the manager to come over to the user's terminal and from an application prompt, enter their VMS userid and password (concealing the password, of course) thus identifying themselves to the application, have the application verify the combination is correct and then give the manager access to the functions that will clear the "problem".

Is there a system service I can call from a BASIC application to verify the userid/password combination? If so, does someone have an example in BASIC of how to do so. I'm not a very good at understanding the system service documentation and work best from examples.

Many thanks for any assistance you can provide,
Dan Herron
Kittles Furniture
Indpls, IN
0 Kudos
Reply
7 REPLIES 7
Ian Miller.
Honored Contributor

тАО02-01-2005 01:56 AM

тАО02-01-2005 01:56 AM

Re: Userid/Password verification within a BASIC application

the basic steps would be to read the username, use SYS$GETUAI to obtain the users record. Read the password, use SYS$HASH_PASSWORD to hash the password and compare the result with the value in the user record. You may also want to look at SYS$AUDIT_EVENTW

Example code for calling these system services can be found
http://www.eight-cubed.com/examples/framework.php?file=sys_getuai.c
http://www.eight-cubed.com/examples/framework.php?file=sys_audit_event.c
http://wwwvms.mppmu.mpg.de/vmssig/src/FOR/UAI_EXAMPLE.FOR
____________________
Purely Personal Opinion
Reply
Kris Clippeleyr
Honored Contributor

тАО02-01-2005 02:18 AM

тАО02-01-2005 02:18 AM

Re: Userid/Password verification within a BASIC application

Hi,

You might also have a look at the SYS$ACM system service
http://h71000.www7.hp.com/doc/732FINAL/4527/4527pro.html#acm_001
http://h71000.www7.hp.com/doc/731FINAL/5841/5841pro_contents_010.html#toc_chapter_33

Greetz,
Kris (aka Qkcl)
I'm gonna hit the highway like a battering ram on a silver-black phantom bike...
Reply
Robert Gezelter
Honored Contributor

тАО02-01-2005 03:25 AM

тАО02-01-2005 03:25 AM

Re: Userid/Password verification within a BASIC application

Dan,

You might also want to take a look at the "Guide to System Security".

In particular, you want to consider carefully what this implies. You need to be careful to ensure that this does not lead to a security hole. The most simple minded approach does create a security hazard by processing the Management account/password pair.

There are several possibilities. Which one is the right one depends upon the exact details of your application (one that I have used on several occasions is DECnet logical links).

If the above is unclear, or I can be of further assistance, please let me know.

- Bob Gezelter, http://www.rlgsc.com
Reply
Bojan Nemec
Honored Contributor

тАО02-01-2005 05:37 AM

тАО02-01-2005 05:37 AM

Re: Userid/Password verification within a BASIC application

Dan,

In this thread (which has a similar problem as you), I posted a litle MACRO program which gets
the password of the current user and verify it.
You can use it as an example.

http://forums1.itrc.hp.com/service/forums/questionanswer.do?threadId=743707

Bojan
Reply
John Gillings
Honored Contributor

тАО02-01-2005 07:08 AM

тАО02-01-2005 07:08 AM

Solution

Re: Userid/Password verification within a BASIC application

All the system service examples require privilege. For a simple, non-privileged test, use DECnet. Just OPEN a file using a network filespec:

0"username password"::PASSCHECK.TMP

if successful the password is correct.

See also my example using PIPE at

http://forums1.itrc.hp.com/service/forums/questionanswer.do?threadId=743707

Since it's in DCL, you would have to SPAWN it from BASIC.
A crucible of informative mistakes
Reply
Hein van den Heuvel
Honored Contributor

тАО02-01-2005 09:11 AM

тАО02-01-2005 09:11 AM

Re: Userid/Password verification within a BASIC application

John wrote:

>>> open 0"username password"::PASSCHECK.TMP
>>> if successful the password is correct.
>>> See also my example using PIPE at
:
>>> Since it's in DCL, you would have to
SPAWN it from BASIC.

Just ot be perfectly clear, you can just use a BASIC OPEN statetement and use the STANDARD error handling to determine whether it worked (now close it!), or failed.
And you can use NL: as the 'file' (or login.com).

Hein.
Reply
Robert Gezelter
Honored Contributor

тАО02-01-2005 09:36 PM

тАО02-01-2005 09:36 PM

Re: Userid/Password verification within a BASIC application

Dan,

A further note on the integrity of the "Managers Password" and the override process.

Care needs to be exercised. Particularly since this is supposed to be an auditable interface. I am working with no context, but if this is going to be audited at some point, the following comments apply:
- the application program should not get the manager's password.
- the application should pass control to a separate, limited program which does the actual override.
- I don't have an indication of scale, but consideration should be given to a "Dongle", challenge/response, or similar system. The simple "Manager's Password" approach is vulnerable to various attacks, including: playback, spoofing, and unauthorized code modifications.

As I mentioned on opening, the overide/authorize function can be done correctly, in a way which will stand up to audit scrutiny, but care must be exercised.

In these days of Sarbenes-Oxley, for example, auditing standards for production applications have increased substantially, with more concern being paid to separation of program development staff from production accounting data. Overrides are of particular concern to auditors.

I hope that the above is helpful. If I have been unclear, please let me know.

- Bob Gezelter, http://www.rlgsc.com
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.