Re: password complexity enforcement for OpenVMS 7.3-1 and OpenVMS 7.3-2

Joseph Huber_1
Honored Contributor

To Jan's warning: No, it is not so catastrophic to have LOAD_PWD_POLICY set to 1 without installing the policy image: one can still log in, only SET PASSWORD will fail in this case. See my example session below.

Username: huber
Password:
Welcome ...

MPIW12_HUB>mcr sysgen
SYSGEN> SHOW LOAD_PWD_POLICY
Parameter Name     Current  Default  Min.     Max.     Unit     Dynamic
--------------     -------  -------  -------  -------  ----     -------
LOAD_PWD_POLICY    1        0        0        1        Boolean  D
SYSGEN> Exit
MPIW12_HUB>set password
%LIB-F-ACTIMAGE, error activating image SYS$LIBRARY:VMS$PASSWORD_POLICY.EXE
-SYSTEM-F-PRIVINSTALL, shareable images must be installed to run privileged image
http://www.mpp.mpg.de/~huber
Hoff
Honored Contributor

Ah, this explains the spike in traffic arriving on that article.

If you have questions, it's a whole lot easier (for me and then for any other folks that are subsequently looking at the article) if the questions are posted over at /node/643. Accounts are free, too. (I have enabled the registration process to keep the site from filling from spam.)

I've updated the comments in the article to more explicitly point to the need of some DCL commands in the system startup or in a filter-specific startup procedure.

The security auditors love this password character selection stuff. It doesn't work, though. It's akin to reorganizing the deck chairs on the Titanic. Password-based authentication is among the weakest options, and it's particularly bad when combined with telnet and ftp and such; cleartext authentication protocols.

Some related reading:

http://64.223.189.234/node/229

Then...

http://64.223.189.234/node/219
http://64.223.189.234/node/526
http://64.223.189.234/node/832

I've also added a passwords tag to the HL site, and sprinkled it around various of the password-related sites.
Thanassis Papadimitriou
Frequent Advisor

Thank you all,

I kept notes on what I have to do to enable password filtering. The only thing I have to do is to write a command procedure which will include the INSTALL and sysgen invocation. After that I have to update systartup_vms.com to call at the bottom the newly created procedure.

Since you mentioned clear text transmission of passwords over telnet & ftp, does this password filtering work over ssh?
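A sketch of the startup procedure described in this post, added here as an example and not taken from the thread or from the article it refers to. The procedure name PWD_POLICY_STARTUP.COM is hypothetical, and it assumes a site-built policy image has already been copied to SYS$LIBRARY. It installs the image before setting LOAD_PWD_POLICY, so the system never ends up in the state shown in the session above, where the parameter is 1 but SET PASSWORD cannot activate the image.

```dcl
$! PWD_POLICY_STARTUP.COM (hypothetical name), called near the end of
$! SYS$MANAGER:SYSTARTUP_VMS.COM:  $ @SYS$MANAGER:PWD_POLICY_STARTUP
$! Assumption: the policy image was built by the site and copied to SYS$LIBRARY.
$ SET NOON
$ image = "SYS$LIBRARY:VMS$PASSWORD_POLICY.EXE"
$!
$! No image on disk: leave the parameter alone so SET PASSWORD keeps working.
$ IF F$SEARCH(image) .EQS. ""
$ THEN
$   WRITE SYS$OUTPUT "Policy image not found, LOAD_PWD_POLICY left unchanged"
$   EXIT
$ ENDIF
$!
$! Install the shareable image as a known image unless that is already done.
$ IF F$FILE_ATTRIBUTES(image,"KNOWN") .EQS. "TRUE" THEN GOTO ENABLE
$ INSTALL ADD 'image' /OPEN /HEADER_RESIDENT /SHARED
$ IF F$FILE_ATTRIBUTES(image,"KNOWN") .EQS. "TRUE" THEN GOTO ENABLE
$ WRITE SYS$OUTPUT "INSTALL failed, LOAD_PWD_POLICY left unchanged"
$ EXIT
$!
$ENABLE:
$! LOAD_PWD_POLICY is a dynamic parameter, so it can be set in the
$! running system without a reboot.
$ RUN SYS$SYSTEM:SYSGEN
USE ACTIVE
SET LOAD_PWD_POLICY 1
WRITE ACTIVE
EXIT
$ EXIT
```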
Joseph Huber_1
Honored Contributor

Yes of course, if you log in via SSH, then everything flowing over this link is encrypted, thus the password in a SET PASSWORD command is encrypted.

This has in particular nothing to do with password policy, it is just the purpose and result of the SSH connection.
http://www.mpp.mpg.de/~huber
Thanassis Papadimitriou
Frequent Advisor

In OpenVMS 7.3-1 the /pwdmix flag does not exist. Does anybody know if there is an alternative solution for that without the need to upgrade to OpenVMS 7.3-2? The /pwdmix flag exists in OpenVMS 7.3-2.
Hoff
Honored Contributor

There is no supported means to back-port the mixed-case password mechanisms to V7.3-1.

Better to spend the effort here moving forward to V7.3-2 (which itself is ancient, albeit with Prior Version Support still available) or (better) upgrading to the current OpenVMS Alpha V8.3 release.

Moving from V7.3-1 to V8.3 is arguably not a major upgrade for OpenVMS Alpha; there were minor kernel changes all through the range, and the V7 to V8 upgrade did not (on OpenVMS Alpha) involve significant kernel changes. In retrospect, the TQE kernel change from V7.3-1 to V7.3-2 probably caused more ripples than V7 to V8.

OpenVMS Alpha V8.3 also adds external authentication into your local LDAP (Active Directory or Open Directory or otherwise) and various other password-related features.
Thanassis Papadimitriou
Frequent Advisor

When the user logs in to OpenVMS 7.3-2 with pwdmix set and VMS$PASSWORD_POLICY is in place, then the user is allowed to enter case sensitive passwords and the system interprets these passwords as case sensitive.

Is there a way that we can tell somehow OpenVMS 7.3-1 to accept and interpret case sensitive passwords?
Hoff
Honored Contributor

>Is there a way that we can tell somehow OpenVMS 7.3-1 to accept and interpret case sensitive passwords?

No.

A requirement for mixed-case passwords is not compatible with continued use of OpenVMS Alpha V7.3-1.

AFAIK, there is no back-port available. (This back-port would likely involve changes made to multiple OpenVMS modules and components, too. It's not a single and isolated change.)

Your choice here is between use of uppercase passwords and upgrading OpenVMS Alpha.
Thanassis Papadimitriou
Frequent Advisor

I have a last question.

Regarding UAF.ALPHA_EXE I observed that I cannot run a query at UAF records having /SELECT=flag=pwdmix.

Also, when I ask to print out the flags a user has, using /DISPLAY=(username,flags), although flag /pwdmix has been assigned and show user displays among other flags pwdmix as well, all other flags are displayed apart from pwdmix.

Do you know if there is an updated UAF.ALPHA_EXE which may run queries based on flag=pwdmix?
Joseph Huber_1
Honored Contributor

You have the complete source, why not update it?
(I myself have no VMS version new enough).

Extract module UAFDEF from sys$library:sys$lib_c.tlb.
Look for the flag bits inserted after DISPWDHIS,
add the new ones in the files uafcld.cld and uaf_cld.h, @compile.
I think that should do it.
http://www.mpp.mpg.de/~huber