07-24-2008 07:23 PM
password reset issue.
When a user logs into the system on the 31st day ... the system asks the user to type the password again and again... without any error, and the user is not able to log in to the system.
My query is here:
The user should get the prompt "Your password has been expired now changed your password"
We have been facing this problem since upgrading the system from OVMS 7.3-2 to V8.3.
solution:
1. When users log in via telnet they are able to see the prompt "Your password expired please change your password". Once the password has been changed via the telnet session, the user is able to log in through secure shell. Again after one month the user will follow the same process to change the password.
07-24-2008 08:16 PM
Re: password reset issue.
Actually... entering passwords is overrated.
Have you considered Public-Key Authentication Setup? $SSH_KEYGEN and such?
Security is not my strong area...
What flavor and version of the TCP Server are you using? UCX? $UCX SHOW VERSION?
UCX V5.6 ECO 1 may address this.
Specifically I was told that:
"On initial login SSH server now displays
Number of login failures
Last interactive login
Last non-interactive login
SFTP sessions set the last non-interactive login time
SSH server sets pwd_exp/pwd2_exp flags if DisForce_Pwd_Change flag is set"
fwiw,
Hein (not a security expert).
07-24-2008 08:54 PM
Re: password reset issue.
regards Kalle
07-24-2008 10:36 PM
Re: password reset issue.
Thanks for your interest.
$tcpip sho ver
HP TCP/IP Services for OpenVMS Alpha Version V5.6 - ECO 2
on an hp AlphaServer ES80 7/1150 running OpenVMS V8.3.
We use SSH Tectia Client/user end reflection14, and in both shells we are not getting the "password expired" prompt.
07-24-2008 10:45 PM
Re: password reset issue.
Flag status as below,
Flags:DisCtlY DefCLI Restricted Captive
07-25-2008 04:00 AM
Re: password reset issue.
Purely Personal Opinion
07-25-2008 04:36 AM
Re: password reset issue.
07-25-2008 07:05 AM
Re: password reset issue.
Not all ssh clients offer that capability, and the OpenVMS ssh server environment defaults to not assuming that capability is present in the ssh client.
This particular knob is a frequent issue when working with ssh.
07-25-2008 07:54 AM
Re: password reset issue.
I too agree with Ian.
However, for completeness, a comment about the use of telnet to reset passwords.
The goal of using SSH and similar encrypted connections is to keep passwords and session information private.
If the password reset is done via unencrypted telnet, then any network monitor will have both the old and new passwords en clair ("in the clear"). This is precisely the reason why SSH is used to begin with.
I recommend that you check Ian's comment as soon as possible. If this does not resolve the problem, please raise it as an urgent, security related support issue.
Needless to say, please update this thread with the outcome.
- Bob Gezelter, http://www.rlgsc.com
07-27-2008 06:38 PM
Re: password reset issue.
Login is not permitted under the following conditions. In these cases, no auditing occurs.
The user account does not exist.
The user account has expired.
The user account has access restrictions for the current day and time.
The pwd_expired flag is set in the user's SYSUAF record.
The keyword userloginlimit has a value of zero in the SSH server configuration file. (This applies to all users.)
If any of the following conditions are true for the user on the SSH server, login is not permitted and auditing occurs:
The user failed the authentication (for example, invalid or missing keys for the host-based or public-key method, invalid password for the password method, expired password and configured not to allow client in with expired password).
The user name is in the DenyUsers list, or is not in the AllowUsers list (if it exists) in the server configuration file (SSHD2_CONFIG.).
The user is in a group that is in the DenyGroups list, or is not in the AllowGroups list (if it exists) in the server configuration file (SSHD2_CONFIG.). The groups in the DenyGroups and AllowGroups lists are specified by the decimal representation that is the group portion of the UIC. That is, if a user's UIC is [777,42], the following syntax denies the user and all other users with UIC [777,*]:
DenyGroups 511
The disuser or autologin flag is set in the user's SYSUAF record.
The user does not have OPER privilege and one of the following is true:
The number of interactive logins has exceeded the SYSGEN parameter IJOBLIM.
The UserLoginLimit parameter in the server configuration file is greater than zero and there are already that number of logins for any individual user name.
The client has been identified as an intruder.
If the user's password has expired and the connection is from an OpenVMS system to another OpenVMS system, and the disforce_pwd_expired flag is not set in the user's SYSUAF, then the user must change the password. The password dictionary, password history, and generated password lists are not used. The number of failed attempts to verify the new password is specified using the NumberOfPasswordVerificationPrompts parameter in the client configuration file.
The client user is not forced to change the password before logging in when:
The connection is from OpenVMS to OpenVMS and the disforce_pwd_change flag is set in the user's SYSUAF record.
The connection is from a different SSH implementation to an OpenVMS system and the AllowNonvmsLoginWithExpiredPw parameter is set to yes in the client configuration file. In these cases, the pwd_expired flag is set in the user's SYSUAF record, so that any future attempts to log in will fail if the password is not changed during the current session.
The client user login is rejected if:
The connection is from a different SSH implementation to an OpenVMS system and the AllowVmsLoginWithExpiredPw parameter is set to no in the server configuration file.
The connection is from an OpenVMS system to a different SSH implementation, and the AllowNonVmsLoginWithExpiredPw parameter is set to no in the server configuration file.
Examples
If login is allowed but the password has expired, and the user is forced to change his password, the following message is displayed before the first DCL prompt:
WARNING - Your password has expired; update immediately with SET PASSWORD!
If the NumberOfPasswordVerificationPrompts parameter is set to 2, the following message is displayed:
Your password has expired; you must set a new password to log in
New password:Verification:
New password verification error; please try again
Verification:
If verification fails a second time, the login attempt fails.
To get detailed tracing information, on the OpenVMS SSH server, enter the following command:
$ ASSIGN/SYS "-i -d 6" TCPIP$SSH_SERVER_PARAM
Trace information is written to the TCPIP$SSH_HOME:TCPIP$SSH_RUN.LOG file.
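
Added example, not part of any post in this thread and not HP code: a small checker that reads SSHD2_CONFIG-style text and lists which of the settings named in the documentation quoted above would refuse a non-VMS client whose password has expired, including the octal-UIC-to-decimal conversion behind `DenyGroups 511`. The sample configuration, user names and UICs are constructed; `#` comments and comma-separated literal list entries are assumptions about the file format.

```python
# Added example. Keyword names are the ones quoted in the post above; the
# configuration text, user names and UICs below are constructed.
SAMPLE_SSHD2_CONFIG = """\
# constructed sample, not taken from a real system
AllowNonvmsLoginWithExpiredPw   no
UserLoginLimit                  5
DenyUsers                       guest
DenyGroups                      511
"""

def parse_config(text):
    """Map lower-cased keyword -> value (the post itself mixes keyword case)."""
    settings = {}
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split(None, 1)  # assumes '#' comments
        if parts:
            settings[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return settings

def uic_group_decimal(uic):
    """'[777,42]' -> 511: UIC groups are octal, the group lists are decimal."""
    return int(uic.strip("[]").split(",")[0], 8)

def listed(settings, key):
    # Assumption: comma-separated literal entries, no wildcard patterns.
    return {v.strip().lower() for v in settings.get(key, "").split(",") if v.strip()}

def refusal_reasons(settings, user, uic):
    """Settings that, per the quoted text, refuse a non-VMS client whose password expired."""
    reasons = []
    if settings.get("allownonvmsloginwithexpiredpw", "").lower() == "no":
        reasons.append("AllowNonvmsLoginWithExpiredPw is no: expired password rejected")
    if settings.get("userloginlimit") == "0":
        reasons.append("UserLoginLimit is 0: no logins permitted, nothing audited")
    if user.lower() in listed(settings, "denyusers"):
        reasons.append("user is in DenyUsers")
    allow = listed(settings, "allowusers")
    if allow and user.lower() not in allow:
        reasons.append("AllowUsers exists and user is not in it")
    if str(uic_group_decimal(uic)) in listed(settings, "denygroups"):
        reasons.append("UIC group is in DenyGroups")
    return reasons

if __name__ == "__main__":
    for reason in refusal_reasons(parse_config(SAMPLE_SSHD2_CONFIG), "SMITH", "[777,42]"):
        print(reason)
```

An empty result only means none of these keywords explains the refusal; the SYSUAF flags and the trace log described above still need checking on the system itself.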