disuser if password unused
08-22-2007 02:50 AM
08-22-2007 03:06 AM
You can set the password as pre-expired and set the account expiration date for 24 hours, and have an hourly or daily job detect a login and reset the expiration.
Various sites I know well use a batch job that runs some number of times a day or a week, watches the last login, and uses that to advance the account expiration. This requirement would be a slight variant on that basic approach.
I'd also expect that most any external authentication scheme around -- token-card-based logins or other such -- could either provide this, or be extended to provide this.
The batch job can simply run an image that calls $getuai and other such accouterments. (It's ever so slightly undocumented territory here, as you'll be using a direct RMS access into SYSUAF on the username key to get the usernames to feed into $getuai.)
There are other approaches.
08-22-2007 04:24 AM
Re: disuser if password unused
See brute-force sample code below.
Mind you, I believe it would be better / nicer / cleaner if the procedure which changes the password adds a record with username and date to a 'todo' list.
Next, a simple program with $GETUAI or a DCL script with MCR AUTHORIZE SHOW.
Hope this helps some,
Hein van den Heuvel (at gmail dot com)
HvdH Performance Consulting
$! uaf_pwd_reset_age.com
$! List records from SYSUAF for which the Last Interactive Login is more
$! than a day before the last Password Change.
$
$! Field offsets, taken from the UAF definitions in SYS$LIBRARY:LIB.MLB:
$!   libr/extr=$uafdef/out=uafdef.tmp sys$library:lib.mlb
$!   sea uafdef.tmp flag...
$!EQU UAF$Q_PWD_DATE 380
$!EQU UAF$Q_LASTLOGIN_I 396
$!EQU UAF$L_FLAGS 468
$!EQU UAF$V_DISACNT 4
$
$define sysuaf sys$disk:[]sysuaf.dat ! Local copy for testing
$close /nolog uaf
$! Read-only access is enough; /SHARE=WRITE lets LOGINOUT and AUTHORIZE keep the file open.
$open /read/share=write uaf 'f$parse("SYSUAF","SYS$SYSTEM:.DAT",,,"SYNTAX_ONLY")
$ found = 0
$ records = 0
$loop:
$ records = records + 1
$ read/end=done uaf rec
$ if p1.nes."" then read/end=done/key=&p1 uaf rec ! P1 = one username to check
$
$! Just pick up the top 32 bits from the date fields.
$! This gives 1 click per 00:07:09.49, or about 202 clicks/day.
$ pwd_date = f$cvsi(384*8,32,rec)
$ lastlogin = f$cvsi(400*8,32,rec)
$ disuser = f$cvui(468*8+4,1,rec) ! UAF$V_DISACNT bit of UAF$L_FLAGS
$ approximate_age = ( pwd_date - lastlogin) / 202
$ username = f$edit(f$extr(4,32,rec),"TRIM") ! UAF$T_USERNAME, 32 bytes at offset 4
$
$ IF approximate_age .GE. 1 .AND. .NOT. disuser
$ THEN
$ found = found + 1
$ WRITE sys$output "MODIFY ''username' /FLAG=DISUSER ! ~''approximate_age' days."
$ ENDIF
$ if p1.eqs."" then goto loop
$done:
$WRITE sys$output found, " targets found. Total records: ", records
$close uaf
08-22-2007 04:57 AM
Re: disuser if password unused
08-22-2007 08:25 AM
Re: disuser if password unused
Your SYSUAF might have records longer than DCL V7.1 can handle.
We can try replacing the direct open of SYSUAF by a temporary copy with truncated records, long enough to hold the interesting fields. For example, by replacing the OPEN/READ/SHARE=WRITE above with:
$sysuaf_tmp = "sys$login:sysuaf.tmp"
$sysuaf = f$parse("SYSUAF","SYS$SYSTEM:.DAT",,,"SYNTAX_ONLY")
$! /SHARE reads the live file; /TRUNCATE cuts records to 480 bytes, /PAD fills short ones.
$convert/share/fdl=sys$input/truncate/pad 'sysuaf' 'sysuaf_tmp'
file; organization indexed;
record; format fixed; size 480;
area 0; bucket 63;
key 0; seg0_length 32; seg0_position 4;
$
$open /read uaf 'sysuaf_tmp'
hth,
Hein.
08-23-2007 12:48 AM
Re: disuser if password unused
08-23-2007 01:48 AM
Re: disuser if password unused
Before -
Expiration: (none) Pwdminimum: 6 Login Fails: 0
Pwdlifetime: 60 00:00 Pwdchange: 23-JUL-2007 11:50
Last Login: 23-AUG-2007 09:35 (interactive), 23-AUG-2007 00:05 (non-interactive)
UAF> modify mccarthyk /password=********
%UAF-I-MDFYMSG, user record(s) updated
UAF> exit
%UAF-I-DONEMSG, system authorization file modified
%UAF-I-NAFNOMODS, no modifications made to network proxy database
%UAF-I-RDBNOMODS, no modifications made to rights database
Then -
LOTTOA: mcr authorize
UAF> show mccarthyk
Expiration: (none) Pwdminimum: 6 Login Fails: 0
Pwdlifetime: 60 00:00 Pwdchange: (pre-expired)
Last Login: 22-AUG-2007 13:13 (interactive), 21-AUG-2007 18:00 (non-interactive)
log out and in -
No access restrictions
Expiration: (none) Pwdminimum: 6 Login Fails: 0
Pwdlifetime: 60 00:00 Pwdchange: 23-AUG-2007 09:45
Last Login: 23-AUG-2007 09:44 (interactive), 23-AUG-2007 00:05 (non-interactive)
What this is telling me is that if a system manager modifies a password, a password date is not set? (It gets set to expired.) And when the user logs in, the password change time is later than the last login time. Correct?
08-23-2007 02:07 AM
Re: disuser if password unused
Correct!
The pre-expired flag is set to indicate that the user did not do the change him/herself; and the user MUST change it.
Timing?
Well, the password was changed... BY YOU (forced by LOGINOUT), and AFTER you logged in.
( The difference is at most LGI_PWD_TMO, plus LGI_RETRY_LIM * LGI_RETRY_TMO )
Proost.
Have one on me.
jpe
08-23-2007 04:29 AM
Re: disuser if password unused
As Jan hints, AUTHORIZE has this notion of pre-expired. This is implemented by setting the pwd_date field to -1.
So, best I can tell, there is NO field in the SYSUAF record which records the time when a password change was initiated, and therefore the original problem cannot be solved using standard SYSUAF alone. Sorry.
The procedure which does the password reset will have to do something extra. Creating its own 'todo' list with username + date would appear to be the easiest. Conceivably it could also exploit another SYSUAF field like USRDAT or the EXPIRATION date, but that gets hokey quickly. I suppose that the audit records could also be reviewed to find the actual reset time.
Alternatively, the procedure doing the checking can do something extra.
It could 'see' a pre-expired password one day, and record that. Then on the next day, if that record is still pre-expired, it could assume the reset password for the account was not used in a timely fashion.
Regards,
Hein.
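The same check in Python, as an added example that is not code from the thread: it applies the DCL script's "last interactive login more than a day before the password change" rule on the full 64-bit VMS dates (the script approximates with the top 32 bits), and adds Hein's two-run rule for records that are pre-expired (pwd_date of -1). The field offsets are the UAF$ values quoted above; the records are constructed in the test, and reading the real indexed SYSUAF.DAT (or the truncated CONVERT copy) is assumed to happen elsewhere.

```python
import struct
from datetime import datetime, timedelta

# Offsets as quoted in the thread: UAF$T_USERNAME at 4 (32 bytes), UAF$Q_PWD_DATE 380,
# UAF$Q_LASTLOGIN_I 396, UAF$L_FLAGS 468 (UAF$V_DISACNT = bit 4); 480-byte records.
REC_SIZE = 480
VMS_EPOCH = datetime(1858, 11, 17)
TICKS_PER_DAY = 86_400 * 10_000_000      # VMS absolute time counts 100-ns ticks
PRE_EXPIRED = (1 << 64) - 1              # pwd_date of -1 (all ones) means pre-expired

def vms_time(year, month, day, hour=0, minute=0):
    """Absolute VMS time for a calendar date: 100-ns ticks since 17-NOV-1858."""
    delta = datetime(year, month, day, hour, minute) - VMS_EPOCH
    return (delta // timedelta(microseconds=1)) * 10

def make_record(username, pwd_date, last_login, disuser=False):
    """Constructed SYSUAF-style record for testing; not read from a real SYSUAF.DAT."""
    rec = bytearray(REC_SIZE)
    rec[4:36] = username.ljust(32).encode("ascii")
    struct.pack_into("<Q", rec, 380, pwd_date)
    struct.pack_into("<Q", rec, 396, last_login)
    struct.pack_into("<L", rec, 468, (1 << 4) if disuser else 0)
    return bytes(rec)

def parse_record(rec):
    """Pull the four fields the check needs out of one fixed-length record."""
    username = rec[4:36].decode("ascii").rstrip()
    pwd_date, = struct.unpack_from("<Q", rec, 380)
    last_login, = struct.unpack_from("<Q", rec, 396)
    flags, = struct.unpack_from("<L", rec, 468)
    return username, pwd_date, last_login, bool(flags & (1 << 4))

def find_unused_resets(records, pre_expired_last_run):
    """Return (targets, pre_expired_now).  targets: (username, age_days) for enabled
    accounts whose last interactive login is >= 1 day older than the password change
    (the script's rule on full 64-bit dates), or still pre-expired since last run (age None)."""
    targets, pre_expired_now = [], set()
    for rec in records:
        username, pwd_date, last_login, disuser = parse_record(rec)
        if disuser:
            continue                         # already disabled, nothing to do
        if pwd_date == PRE_EXPIRED:          # no usable change date: apply the two-run rule
            pre_expired_now.add(username)
            if username in pre_expired_last_run:
                targets.append((username, None))
            continue
        age_days = (pwd_date - last_login) // TICKS_PER_DAY
        if age_days >= 1:
            targets.append((username, age_days))
    return targets, pre_expired_now
```

Both SYSUAF.DAT and any truncated copy made with CONVERT contain the password hashes, so such a copy should be protected and deleted once the run is over.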
08-23-2007 07:59 PM
Re: disuser if password unused
There is also a program (I think it's on the freeware CD), GETUAI.EXE. Using this you can get information out of the AUTHORIZE file without having privilege (for your own account). If you want info on another user you need (of course) privilege.
You run the procedure with:
MC GETUAI.EXE
/PWDATE=
/LAST_LOGIN=
/DISUSER=
Almost all options are available. If you install this (freeware) you get the whole help with it.
The rest of the calculations, and how to implement this in a COM procedure, are up to you.
AvR