Operating System - OpenVMS
cancel
Showing results for 
Search instead for 
Did you mean: 

password reset issue.

 
umesh01
Occasional Advisor

password reset issue.

End user used to login thru secure shell ( SSH Tectia /Reflection 14) to Openvms 8.3 system, and password Pwdlifetime:30.

When user log into system on 31th day ... system will ask the user to type the password again and again... without any error and user will not able to login into system.

My query is here:
User should get the prompt"Your password has been expired now changed your password"

This problem we are facing after upgradation of system from OVMS 7.3-2 to V8.3.

solution:
1.When user log via telnet they are able to see the prompt "Your password expired please change your password". Once changed the password via telnet session then user will be able to login thru secure sheell. Again after one month user will follow the same process to change the password.
11 REPLIES 11
Hein van den Heuvel
Honored Contributor

Re: password reset issue.

Frequently changing well protect passwords is overrated... IMHO.

Actually... entering passwords is overrated.
Have you considered Public-Key Authentication Setup? $SSH_KEYGEN and such?

Security is not my strong area...

What version of flavor and version of the TCP Server are you using? UCX? $UCX SHOW VERSION?

UCX V5.6 ECO 1 may address this.
Specifically I was told that:
"On initial login SSH server now displays
Number of login failures
Last interactive login
Last non-interactive login
SFTP sessions set the last non-interactive login time
SSH server sets pwd_exp/pwd2_exp flags if DisForce_Pwd_Change flag is set"

fwiw,
Hein (not a security expert).
Karl Rohwedder
Honored Contributor

Re: password reset issue.

SSH from TCPIP V5.6-Eco1 does ask for a new password.

regards Kalle
umesh01
Occasional Advisor

Re: password reset issue.

Hi Hein/karl,
Thanks for ur interest.
$tcpip sho ver
HP TCP/IP Services for OpenVMS Alpha Version V5.6 - ECO 2
on an hp AlphaServer ES80 7/1150 running OpenVMS V8.3.

We use SSH Tectia Client/user end reflection14 and in both shell not getting "password expired" prompt.

umesh01
Occasional Advisor

Re: password reset issue.

Hi Hein,
Flag status as below,
Flags:DisCtlY DefCLI Restricted Captive
Ian Miller.
Honored Contributor

Re: password reset issue.

I think you probably need to set the parameter AllowNonvmsLoginWithExpiredPw in the ssh config
____________________
Purely Personal Opinion
EdgarZamora_1
Respected Contributor

Re: password reset issue.

You say you upgraded from 7.3-2 to 8.3. You must've upgraded TCPIP too. Did you update your SSH config files? If I'm not mistaken you had to extract some new config file(s) from a library or something. My memory fails me right now, but do read the ssh documentation for your version of tcpip, especially the section for upgrading.
Hoff
Honored Contributor

Re: password reset issue.

Ian is almost certainly correct here. This is almost certainly the AllowNonvmsLoginWithExpiredPw knob involved here.

Not all ssh clients offer that capability, and the OpenVMS ssh server environment defaults to not assuming that capability is present in the ssh client.

This particular knob is a frequent issue when working with ssh.

Robert Gezelter
Honored Contributor

Re: password reset issue.

umesh01,

I too agree with Ian.

However, for completeness, a comment about the use of telnet to reset passwords.

The goal of using SSH and similar encrypted connections is to keep passwords and session information private.

If the password reset is done via enencrypted telnet, then any network monitor will have both the old and new passwords en claire ("in the clear"). This is precisely the reason why SSH is used to begin with.

I recommend that you check Ian's comment as soon as possible. If this does not resolve the problem, please raise it as an urgent, security related support issue.

Needless to say, please update this thread with the outcome.

- Bob Gezelter, http://www.rlgsc.com
Kumar_Sanjay
Regular Advisor

Re: password reset issue.

I too Agree with Ian and Robert. I remember that i have resolved similer issue by modifying SSH config file.




Login is not permitted under the following conditions. In these cases, no auditing occurs.

The user account does not exist.

The user account has expired.

The user account has access restrictions for the current day and time.

The pwd_expired flag is set in the user's SYSUAF record.

The keyword userloginlimithas a value of zero in the SSH server configuration file. (This applies to all users.)

If any of the following conditions are true for the user on the SSH server, login is not permitted and auditing occurs:

The user failed the authentication (for example, invalid or missing keys for the host-based or public-key method, invalid password for the password method, expired password and configured not to allow client in with expired password).

The user name is in the DenyUsers list, or is not in the AllowUsers list (if it exists) in the server configuration file (SSHD2_CONFIG.).

The user is in a group that is in the DenyGroups list, or is not in the AllowGroups list (if it exists) in the server configuration file (SSHD2_CONFIG.). The groups in the DenyGroups and AllowGroups lists are specified by the decimal representation that is the group portion of the UIC. That is, if a user's UIC is [777,42], the following syntax denies the user and all other users with UIC [777,*]:


DenyGroups 511


The disuser or autologin flag is set in the user's SYSUAF record.

The user does not have OPER privilege and one of the following is true:

The number of interactive logins has exceeded the SYSGEN parameter IJOBLIM.

The UserLoginLimit parameter in the server configuration file is greater than zero and there are already that number of logins for any individual user name.

The client has been identified as an intruder.

If the user's password has expired and the connection is from an OpenVMS system to another OpenVMS system, and the disforce_pwd_expired flag is not set in the user's SYSUAF, then the user must change the password. The password dictionary, password history, and generated password lists are not used. The number of failed attempts to verify the new password is specified using the NumberOfPasswordVerificationPrompts parameter in the client configuration file.

The client user is not forced to change the password before logging in when:

The connection is from OpenVMS to OpenVMS and the disforce_pwd_change flag is set in the user's SYSUAF record.

The connection is from a different SSH implementation to an OpenVMS system and the AllowNonvmsLoginWithExpiredPw parameter is set to yes in the client configuration file. In these cases, the pwd_expired flag is set in the user's SYSUAF record, so that any future attempts to log in will fail if the password is not changed during the current session.

The client user login is rejected if:

The connection is from a different SSH implementation to an OpenVMS system and the AllowVmsLoginWithExpiredPw parameter is set to no in the server configuration file.

The connection is from an OpenVMS system to a different SSH implementation, and the AllowNonVmsLoginWithExpiredPw parameter is set to no in the server configuration file.

Examples

If login is allowed but the password has expired, and the user is forced to change his password, the following message is displayed before the first DCL prompt:


WARNING - Your password has expired; update immediately with SET PASSWORD!


If the NumberOfPasswordVerificationPrompts parameter is set to 2, the following message is displayed:


Your password has expired; you must set a new password to log in
New password:Verification:
New password verification error; please try again
Verification:


If verification fails a second time, the login attempt fails.

To get detailed tracing information, on the OpenVMS SSH server, enter the following command:


$ ASSIGN/SYS "-i -d 6" TCPIP$SSH_SERVER_PARAM


Trace information is written to the TCPIP$SSH_HOME:TCPIP$SSH_RUN.LOG file.
umesh01
Occasional Advisor

Re: password reset issue.

Hi All,
Sorry to reply so late.I was busy in other vms system migration activity.

I checked,SSHD2_CONFIG. file there is no any specific restriction for group id or host name.It is same file copied from old v7.3-2.
My query is,
End user should get the prompt
"password expired,please change the password"
As it is asking in old system V7.3-2 every 30 days in reflection14 client.

please help to resolve this issue.


Hoff
Honored Contributor

Re: password reset issue.

Here's something I wrote up on this area of ssh and expired passwords as implemented on OpenVMS a while back:

http://64.223.189.234/node/510

Here's the knob to set:

AllowNonvmsLoginWithExpiredPw

Here are some HP details to read:

http://h71000.www7.hp.com/doc/83final/BA548_90007/ch08.html

and

http://h71000.www7.hp.com/doc/83final/BA548_90007/ch04s06.html

Interestingly, the HP manuals reference these two:

AllowNonvmsLoginWithExpiredPw AllowNonvmsLoginWithExpiredPwd

AFAIK, the former is correct and the latter is an error in the HP manuals.