

disuser if password unused

Is there a mechanism to disuser an account if the account is not logged in within 24 hours of a password reset?
Hoff
Honored Contributor
Solution

Re: disuser if password unused

Assuming standard authentication mechanisms and tools, AFAIK no; not without some coordination with, and processing performed within, some sort of daily processing job.

You can set the password as pre-expired and set the account expiration date for 24 hours, and have an hourly or daily job detect a login and reset the expiration.

Various sites I know well use a batch job that runs some number of times a day or a week, that watches the last login, and uses that to advance the account expiration. This requirement would be a slight variant on that basic approach.

I'd also expect that most any external authentication scheme around -- token-card-based logins or other such -- could either provide this, or be extended to provide this.

The batch job can simply run an image that calls $getuai and other such accouterments. (It's ever so slightly undocumented territory here, as you'll be using a direct RMS access into SYSUAF on the username key to get the usernames to feed into $getuai.)

There are other approaches.
Hein van den Heuvel
Honored Contributor

Re: disuser if password unused

No supported mechanism, but a quick scan of SYSUAF will readily get you there.

See brute force sample code below.

Mind you, I believe it would be better / nicer / cleaner if the procedure which changes the password adds a record with username and date to a 'todo' list.
Next, a simple program with $GETUAI or a DCL script with MCR AUTHORIZE SHOW can check daily / weekly whether specific users need action. Much more targeted, less brute force.

Hope this helps some,
Hein van den Heuvel (at gmail dot com)
HvdH Performance Consulting



$! uaf_pwd_reset_age.com [] Hein van den Heuvel, August 2007.
$! List records from SYSUAF for which the Last Interactive Login is more
$! than a day before the last Password Change, and print the AUTHORIZE
$! MODIFY commands that would disuser them.
$! P1 (optional): a single username to check instead of scanning the whole file.
$
$! Field offsets, taken from the UAFDEF macro definitions:
$!   libr/extr=$uafdef/out=uafdef.tmp sys$library:lib.mlb
$!   sea uafdef.tmp flag...
$!   EQU UAF$Q_PWD_DATE    380
$!   EQU UAF$Q_LASTLOGIN_I 396
$!   EQU UAF$L_FLAGS       468
$!   EQU UAF$V_DISACNT       4
$
$! define sysuaf sys$disk:[]sysuaf.dat   ! uncomment to test against a local copy
$ p1 = f$edit(p1,"UPCASE,TRIM")
$ close/nolog uaf
$ open/read/share=write uaf 'f$parse("SYSUAF","SYS$SYSTEM:.DAT",,,"SYNTAX_ONLY")
$ found = 0
$ records = 0
$loop:
$ IF p1 .NES. ""
$ THEN read/end_of_file=done/key=&p1 uaf rec     ! one user, by the username key
$ ELSE read/end_of_file=done uaf rec             ! sequential scan of the file
$ ENDIF
$ records = records + 1
$
$! Just pick up the top 32 bits of each quadword date (offset + 4).
$! One tick of that longword is 2^32 * 100 ns = 00:07:09.49, about 201 ticks/day.
$! A pre-expired password is stored as -1, so such a record never qualifies here.
$ pwd_date  = f$cvsi(384*8,32,rec)
$ lastlogin = f$cvsi(400*8,32,rec)
$ disuser   = f$cvsi(468*8+4,1,rec)              ! UAF$V_DISACNT bit of UAF$L_FLAGS
$ approximate_age = (pwd_date - lastlogin) / 201
$ username = f$edit(f$extract(4,32,rec),"TRIM")  ! UAF$T_USERNAME: 32 bytes at offset 4
$
$ IF approximate_age .GE. 1 .AND. disuser .EQ. 0
$ THEN
$   found = found + 1
$   WRITE sys$output "MODIFY ''username' /FLAGS=DISUSER ! ~''approximate_age' days."
$ ENDIF
$ if p1 .eqs. "" then goto loop
$done:
$ WRITE sys$output found, " targets found. Total records: ", records
$ close uaf

Re: disuser if password unused

That .com looks like the correct direction, though I am having trouble getting it to work. I'm on V7.1 of VMS.
Hein van den Heuvel
Honored Contributor

Re: disuser if password unused

Various versions of VMS have had various maximum symbol sizes.
Your SYSUAF might have records longer than DCL on V7.1 can handle.

We can try replacing the direct open of SYSUAF by a temporary copy with truncated records, long enough to hold the interesting fields. For example, by replacing the OPEN/READ/SHARE=WRITE above with:

$ sysuaf_tmp = "sys$login:sysuaf.tmp"
$ sysuaf = f$parse("SYSUAF","SYS$SYSTEM:.DAT",,,"SYNTAX_ONLY")
$! Keep only the first 480 bytes of each record (enough to reach UAF$L_FLAGS
$! at offset 468) and the username as the primary key. The copy is still a
$! (truncated) SYSUAF, so protect it like the original and delete it when done.
$ convert/share/fdl=sys$input/truncate/pad 'sysuaf' 'sysuaf_tmp'
FILE; ORGANIZATION indexed;
RECORD; FORMAT fixed; SIZE 480;
AREA 0; BUCKET_SIZE 63;
KEY 0; SEG0_LENGTH 32; SEG0_POSITION 4;
$
$ open/read uaf 'sysuaf_tmp'

hth,
Hein.

Re: disuser if password unused

Exactly what I needed Thanks!

Re: disuser if password unused

I just noticed something. I went into authorize and reset my password:

Before -

Expiration: (none) Pwdminimum: 6 Login Fails: 0
Pwdlifetime: 60 00:00 Pwdchange: 23-JUL-2007 11:50
Last Login: 23-AUG-2007 09:35 (interactive), 23-AUG-2007 00:05 (non-interactive)

UAF> modify mccarthyk /password=********
%UAF-I-MDFYMSG, user record(s) updated
UAF> exit
%UAF-I-DONEMSG, system authorization file modified
%UAF-I-NAFNOMODS, no modifications made to network proxy database
%UAF-I-RDBNOMODS, no modifications made to rights database

Then -

LOTTOA: mcr authorize
UAF> show mccarthyk
Expiration: (none) Pwdminimum: 6 Login Fails: 0
Pwdlifetime: 60 00:00 Pwdchange: (pre-expired)
Last Login: 22-AUG-2007 13:13 (interactive), 21-AUG-2007 18:00 (non-interactive)

log out and in -

No access restrictions
Expiration: (none) Pwdminimum: 6 Login Fails: 0
Pwdlifetime: 60 00:00 Pwdchange: 23-AUG-2007 09:45
Last Login: 23-AUG-2007 09:44 (interactive), 23-AUG-2007 00:05 (non-interactive)


What this is telling me is that if a system manager modifies a password, a password date is not set? (It gets set to expired.) And when the user logs in, the password change time is later than the last login time. Correct?
Jan van den Ende
Honored Contributor

Re: disuser if password unused

Kendall,

Correct!

The pre-expired flag is set to indicate that the user did not do the change him/herself; and the user MUST change it.

Timing?
Well, the password was changed... BY YOU (forced by LOGINOUT) and AFTER you logged in.
( The difference is at most LGI_PWD_TMO, plus LGI_RETRY_LIM * LGI_RETRY_TMO )

Proost.

Have one on me.

jpe
Don't rust yours pelled jacker to fine doll missed aches.
Hein van den Heuvel
Honored Contributor

Re: disuser if password unused

In my testing I got confused between my test version of SYSUAF and the real one.

As Jan hints, Authorize has this notion of pre-expired. This is implemented by setting the pwd_date field to -1.

So, best I can tell, there is NO field in the SYSUAF record which records the time when a password change was initiated, and therefore the original problem cannot be solved using standard SYSUAF alone. Sorry.

The procedure which does the password reset will have to do something extra. Creating its own 'todo' list with username + date would appear to be the easiest. Conceivably it could also exploit another SYSUAF field like USRDAT or the EXPIRATION date, but that gets hokey quickly. I suppose that the audit records could also be reviewed to find the actual reset time.

Alternatively the procedure doing the checking can do something extra.
It could 'see' a pre-expired password one day, and record that. Then on the next day, if that record is still pre-expired, then it could assume the reset password for the account was not used in a timely fashion.

Regards,
Hein.
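The 'todo' list approach Hein describes, both above and in his first reply, written out as a DCL procedure. This is an added example, not code from the thread or from any of its authors. It relies on the behaviour Kendall's AUTHORIZE output shows: MODIFY /PASSWORD marks the password "(pre-expired)", and that marker is replaced by a real Pwdchange date once the user has logged in and been forced through the change. So "still pre-expired after the deadline" means the reset password was never used. The file name SYS$MANAGER:PWD_RESET_TODO.DAT, the procedure name, and the RESET/CHECK entry points are my assumptions; the caller needs SYSPRV for AUTHORIZE. Two caveats: the new password passed as P3 is visible in the process command line and in any batch log, so run RESET interactively, and the heuristic breaks if the reset is done with /NOPWDEXPIRED, which suppresses the marker.

```dcl
$! pwd_reset_watch.com -- added example, not code from the thread.
$!
$!   @PWD_RESET_WATCH RESET username newpassword
$!       Resets the password through AUTHORIZE (which marks it pre-expired)
$!       and appends "username deadline" to a to-do list, deadline = now + 24h.
$!   @PWD_RESET_WATCH CHECK
$!       Run from a daily (or hourly) batch job. For each entry past its
$!       deadline, ask AUTHORIZE whether Pwdchange still shows (pre-expired);
$!       if it does, the user never logged in with the new password, so the
$!       account is set /FLAGS=DISUSER. Entries past their deadline are dropped,
$!       entries not yet due are carried over to the next run.
$!
$! Assumed (not from the thread): the to-do list lives in
$! SYS$MANAGER:PWD_RESET_TODO.DAT and the caller holds SYSPRV.
$
$ todo = "SYS$MANAGER:PWD_RESET_TODO.DAT"
$ tmp  = "SYS$SCRATCH:PWD_RESET_WATCH_" + f$getjpi("","PID") + ".TMP"
$ mode = f$edit(p1,"UPCASE,TRIM")
$ IF mode .EQS. "RESET" THEN GOTO reset
$ IF mode .EQS. "CHECK" THEN GOTO check
$ WRITE SYS$OUTPUT "Usage: @PWD_RESET_WATCH RESET username newpassword  |  CHECK"
$ EXIT 44                                   ! SS$_ABORT
$
$reset:
$ user = f$edit(p2,"UPCASE,TRIM")
$ IF user .EQS. "" .OR. p3 .EQS. "" THEN EXIT 44
$ MCR AUTHORIZE MODIFY 'user' /PASSWORD='p3'
$ IF .NOT. $STATUS THEN EXIT $STATUS        ! e.g. %UAF-W-BADUSR
$ deadline = f$cvtime("+1-00:00:00.00","ABSOLUTE")   ! delta input: now + 1 day
$ IF f$search(todo) .EQS. ""
$ THEN OPEN/WRITE  tdo 'todo'
$ ELSE OPEN/APPEND tdo 'todo'
$ ENDIF
$ WRITE tdo "''user' ''deadline'"
$ CLOSE tdo
$ EXIT
$
$check:
$ IF f$search(todo) .EQS. "" THEN EXIT      ! nothing pending
$ now = f$cvtime(,"COMPARISON")
$ OPEN/READ  tdo 'todo'                     ! current list
$ OPEN/WRITE nxt 'todo'                     ! new version: entries to keep
$next:
$ READ/END_OF_FILE=finish tdo line
$ user     = f$element(0," ",line)
$ deadline = f$extract(f$length(user)+1,255,line)
$ IF f$cvtime(deadline,"COMPARISON") .GTS. now
$ THEN
$   WRITE nxt line                          ! not due yet: carry over
$   GOTO next
$ ENDIF
$
$! Past the deadline. Capture SHOW output and look for the pre-expired marker
$! on the Pwdchange line; a completed first login replaces it with a date.
$ DEFINE/USER_MODE SYS$OUTPUT 'tmp'
$ MCR AUTHORIZE SHOW 'user'
$ IF .NOT. $STATUS
$ THEN
$   WRITE SYS$OUTPUT "''user': account not found, entry dropped"
$   GOTO cleanup
$ ENDIF
$ SEARCH/NOOUTPUT 'tmp' "Pwdchange:","(pre-expired)"/MATCH=AND
$ IF $SEVERITY .EQ. 1                       ! SEARCH found the line
$ THEN
$   WRITE SYS$OUTPUT "''user': reset password unused by ''deadline', disusering"
$   MCR AUTHORIZE MODIFY 'user' /FLAGS=DISUSER
$ ELSE
$   WRITE SYS$OUTPUT "''user': password was changed in time"
$ ENDIF
$cleanup:
$ IF f$search(tmp) .NES. "" THEN DELETE/NOLOG 'tmp';*
$ GOTO next
$finish:
$ CLOSE tdo
$ CLOSE nxt
$ PURGE/NOLOG 'todo'                        ! keep only the rewritten list
$ EXIT
```

Submit CHECK as a self-resubmitting batch job under an account with SYSPRV. Because the decision is made from AUTHORIZE's own display rather than from the raw SYSUAF record, it needs no knowledge of field offsets and is not affected by the DCL symbol-length problem hit on V7.1 above; the price is one AUTHORIZE invocation per overdue entry, which is fine for a list that only holds recently reset accounts.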


Anton van Ruitenbeek
Trusted Contributor

Re: disuser if password unused

Kendall,

There is also a program (I think it's on the freeware CD), GETUAI.EXE. Using this you can get information out of the AUTHORIZE file without privilege (for your own account). If you want info on another user you need (of course) privilege.
You run the procedure with /=.


MC GETUAI.EXE -
/PWDATE= -
/LAST_LOGIN= -
/DISUSER=

Almost all options are available. If you install this (freeware) you get the whole help with it.

The rest of the calculations are up to you how to implement this in a com procedure.

AvR
NL: Meten is weten, maar je moet weten hoe te meten! - UK: Measurement is knowledge, but you need to know how to measure!