Operating System - OpenVMS
priviledge to reset password

TMcB
Super Advisor

priviledge to reset password

Hi all

What VMS privileges does a user need to be able to reset other users' passwords?
I would like to allow our helpdesk to reset users' passwords, and give them an account to do so with the minimum required privileges.
Thanks so much
Richard Brodie_1
Honored Contributor

Re: priviledge to reset password

The AUTHORIZE utility is installed with SYSLCK and AUDIT. Beyond that, access to the SYSUAF (sys$system:sysuaf.dat by default) should be all that is needed.

Creating an ACL on the SYSUAF would do it. Since that would also allow you to create extra accounts, change privileges, etc., it would be good practice not to give a helpdesk account free access to this. The simplest would be making the password-changing account a captive account.
TMcB
Super Advisor

Re: priviledge to reset password

Thanks Richard - indeed would use a captive account
Robert Gezelter
Honored Contributor

Re: priviledge to reset password

TMcB,

When using a captive account, be careful to note that the command procedures need to CHECK THE USER-SUPPLIED INPUTS WITH EXTREME CARE.

The same cautionary notes that apply to back-end web scripts (e.g., CGI using DCL and other languages with string substitution) apply as well to captive account command procedures. One needs to beware of unchecked string substitution; it can create an unintended attack vector.

For example, can the user supply the string "JJDUFFH/PRIV=CMKRNL" as a password? This COULD lead to an unwitting symbol substitution, to wit:
$ AUTHORIZE MODIFY /PASSWORD='NEWPASSWORD' becoming
$ AUTHORIZE MODIFY /PASSWORD=JJDUFFH/PRIV=CMKRNL

Extreme caution is recommended.

- Bob Gezelter, http://www.rlgsc.com
Jan van den Ende
Honored Contributor

Re: priviledge to reset password

TMcB,

Like others noted, all kinds of misuse potential (intentional or not) are easily introduced.

We have made that at least a lot more difficult by making a little utility (only accessible by holders of the HELPDESK identifier)
which just takes a username as a parameter.
Then it generates a password by concatenating the current year, month, day, hour and minute.
This is set as the new password and displayed to the helpdesk person to tell the calling user.
... and of course, usernames are checked, and privileged usernames are NOT accepted!

hth

Proost.

Have one on me.

jpe
Don't rust yours pelled jacker to fine doll missed aches.
Hoff
Honored Contributor
Solution

Re: priviledge to reset password

There is a complete username registration and associated password-reset system available for download here:

http://labs.hoffmanlabs.com/node/1260
John Gillings
Honored Contributor

Re: priviledge to reset password

TMcB,

In this case "minimum required" is an oxymoron. Any of the ALL category privileges should do. According to the System Services Reference Manual, for $SETUAI: "You must have SYSPRV privilege to set passwords for any user account (including your own)."

Implementing such a mechanism while protecting against unauthorised privilege amplification requires care, as it would be easy to leave loopholes open.

The simplest, and most obvious case - preventing your helpdesk operators from modifying the password of SYSTEM and thereby taking control of the system is but the tip of the iceberg.

Robert's example of DCL qualifier syntax hacking shows that knocking up a DCL script to feed AUTHORIZE has some unexpected pitfalls.

My recommendation would be a program installed with SYSPRV which uses $SETUAI and UAI$_PASSWORD. I'd protect the image with an ACL, filter the input username with both an INCLUDE list AND an EXCLUDE list (remember the program has SYSPRV, so the lists can be hidden), and audit every action, again to a protected file.

With appropriate table driven logic, you could define it so that a given user had a set of usernames they're allowed to modify.

A crucible of informative mistakes
John Gillings
Honored Contributor

Re: priviledge to reset password

TMcB,

Also please note... there is no "d" in the word "Privilege"
A crucible of informative mistakes
TMcB
Super Advisor

Re: priviledge to reset password

Thanks John for pointing out my poor typing skills.

Does anyone know if it's possible to allow a user to change the passwords of a restricted group of users? I'm thinking that I wouldn't want the user to change the SYSTEM account, but would want him to be able to change our standard users.

Thanks
Robert Gezelter
Honored Contributor

Re: priviledge to reset password

TMcB,

Yes. Check the process' rightslist and/or UIC. For example, a group leader (typically member 1 of the group) is permitted to reset passwords of members of their group. Alternatively, holders of an identifier (e.g., GROUPADMIN_nn) can reset passwords of users in UIC group [nn,*].

- Bob Gezelter, http://www.rlgsc.com
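The following is an added example, not code from any poster in this thread and not an OpenVMS tool. It models, in Python, the three controls the replies above argue for: Bob's qualifier-injection example (a password string containing "/PRIV=CMKRNL" turning into an extra AUTHORIZE qualifier), John's INCLUDE/EXCLUDE filtering and refusal of privileged targets, and Bob's GROUPADMIN_nn scheme for restricting a caller to one UIC group. The AUTHORIZE command line is represented as a plain string so the problem can be shown offline; SAMPLE_UAF, SAMPLE_RIGHTS, the identifier names HELPDESK and GROUPADMIN_nn, the exclude list and the 12-character username limit are all constructed assumptions. A real tool on VMS would do these checks in DCL or in a SYSPRV-installed image calling $GETUAI/$SETUAI, which also avoids building a command line at all.

```python
"""Constructed model of the helpdesk password-reset checks discussed above.

Added example, not from the original posts or any OpenVMS utility. It models
the AUTHORIZE command line as a string so the qualifier-injection problem and
the include/exclude and UIC-group checks can be exercised offline.
"""
import re

# OpenVMS passwords are built from A-Z, 0-9, $ and _ (assumption: lower case
# is accepted here and folded by AUTHORIZE). Anything else, in particular "/",
# spaces or quotes, is rejected before it can reach a command line.
PASSWORD_RE = re.compile(r"^[A-Za-z0-9$_]{1,32}$")
USERNAME_RE = re.compile(r"^[A-Za-z0-9$_]{1,12}$")  # assumption: 12-char limit

# Privileges an ordinary interactive user is expected to hold; a target with
# anything beyond these is treated as privileged and refused (Jan's rule).
NORMAL_PRIVS = {"TMPMBX", "NETMBX"}

# Constructed stand-in for SYSUAF: username -> UIC group (octal) and privileges.
SAMPLE_UAF = {
    "SYSTEM":  {"uic_group": 0o1,   "privs": {"ALL"}},
    "FIELD":   {"uic_group": 0o1,   "privs": {"ALL"}},
    "JSMITH":  {"uic_group": 0o200, "privs": {"TMPMBX", "NETMBX"}},
    "ALEE":    {"uic_group": 0o200, "privs": {"TMPMBX", "NETMBX"}},
    "RNGUYEN": {"uic_group": 0o300, "privs": {"TMPMBX", "NETMBX"}},
}
# Constructed stand-in for the rightslist: username -> identifiers held.
SAMPLE_RIGHTS = {
    "HELPDESK1": {"HELPDESK", "GROUPADMIN_200"},
    "JSMITH": set(),
}
# Explicit exclude list on top of the privilege check (John's EXCLUDE list).
EXCLUDE = {"SYSTEM", "FIELD", "SYSTEST", "DEFAULT"}


def naive_command(username, new_password):
    """The vulnerable pattern: blind symbol substitution into a DCL line."""
    return f"MCR AUTHORIZE MODIFY {username} /PASSWORD={new_password}"


def qualifiers(command):
    """Qualifier names AUTHORIZE would see on the built command line."""
    return [part.split("=", 1)[0].strip().upper() for part in command.split("/")[1:]]


def reset_denied(caller, target, new_password, uaf=SAMPLE_UAF, rights=SAMPLE_RIGHTS):
    """Return the reason a reset must be refused, or None if it may proceed."""
    caller = caller.strip().upper()
    target = target.strip().upper()
    if not USERNAME_RE.match(target):
        return "malformed username"
    if not PASSWORD_RE.match(new_password):
        return "password contains characters outside the VMS password alphabet"
    if target in EXCLUDE:
        return "username is on the exclude list"
    entry = uaf.get(target)
    if entry is None:
        return "no such user"
    if entry["privs"] - NORMAL_PRIVS:
        return "target holds privileges beyond NORMAL"
    held = rights.get(caller, set())
    if "HELPDESK" not in held:
        return "caller does not hold HELPDESK"
    # Bob's scheme: GROUPADMIN_nn may reset accounts in UIC group [nn,*].
    if f"GROUPADMIN_{entry['uic_group']:o}" not in held:
        return "caller is not an administrator of the target's UIC group"
    return None


def safe_command(caller, target, new_password):
    """Build the AUTHORIZE line only after every check has passed."""
    reason = reset_denied(caller, target, new_password)
    if reason is not None:
        raise PermissionError(reason)
    return naive_command(target.strip().upper(), new_password)


if __name__ == "__main__":
    # Bob's injected password grows the command by a /PRIV qualifier.
    print(qualifiers(naive_command("JSMITH", "JJDUFFH/PRIV=CMKRNL")))
    # The same input never reaches the command line once validated.
    print(reset_denied("HELPDESK1", "JSMITH", "JJDUFFH/PRIV=CMKRNL"))
    print(safe_command("HELPDESK1", "jsmith", "W1nter_24"))
```

The order of checks matters: the password alphabet is enforced before any string is built, the exclude list and privilege check refuse SYSTEM-like targets even if a caller is otherwise entitled to that UIC group, and the caller's identifiers are checked last so a rejection reason never leaks whether a privileged account exists. Every branch that returns a reason is the place a real implementation would write an audit record, as John recommends.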
TMcB
Super Advisor

Re: priviledge to reset password

thanks Bob for being a big help
Hoff
Honored Contributor

Re: priviledge to reset password

>Does anyone know if it's possible to allow a user to change the passwords of a restricted group of users? I'm thinking that I wouldn't want the user to change the SYSTEM account, but would want him to be able to change our standard users.

SMOP. Simple Matter of Programming.

Without doing a little work within your tool? No. But it's a database, so it's trivial to do this. Your reset mechanism can be (and should be) coded to do this.

The NEWUSER tool I linked to does exactly this, exempting specific users (and also dealing with random folks that might try to reset the passwords of others), so you'll see code and processing in there to avoid having out-of-range users reset, or rogue user password reset requests. (The reset implemented in that tool is self-service. No help desk required.)

If you're using external authentication via LDAP (via Open Directory or Active Directory LDAP servers or otherwise), you can likely perform an LDAP password reset on some other platform as there are tools for these tasks available, and avoid this whole matter. (I use a Mac for this web-based password change, as the security APIs and available tools are vastly more capable than those of VMS.)

I was unable to locate a registration and reset tool for that cluster, and ended up writing that NEWUSER code specifically because of the limits and omissions in VMS.