Operating System - OpenVMS
Alon Jacob
Frequent Advisor

Confirming pulled data with UAF

Hello all.

I want to write a CP which among other things will confirm some actions by pulling a password from the user.
Assuming I want to use the user's VMS password, how can I confirm the password being entered by the user while running the CP with the one at the UAF file?
Hein van den Heuvel
Honored Contributor

Re: Confirming pulled data with UAF


In a command file I would just use a remote file access to the local machine to see if the password is ok:

$ open x 0"user pass"::nl:
$ close x
$ open x 0"user badpass"::nl:
%DCL-E-OPENIN, error opening 0"user password"::NL:.DAT; as input
-RMS-E-ACC, ACP file access failed
-SYSTEM-F-INVLOGIN, login information invalid at remote node

Not fool/full proof, not totally secure, but easy and effective.

Cheers,
Hein.


John Gillings
Honored Contributor

Re: Confirming pulled data with UAF

Alon,

Hein is, of course, correct. Using remote access is a neat trick to check passwords.

However, as a user, I'd be a bit reticent to type my real cleartext password into someone else's J.Random program. How do I know you're not storing it? There are also issues of turning off the terminal echo while prompting for the password, clearing the command recall buffer afterwards and other, even more subtle security concerns.

In some ways, the very fact that the user gets to your prompt should confirm their identity since they had to type their password to get there. If there is a significant chance that this is not the case, you have a general security issue on the site!

If you really must recheck the user, I suggest you use a REAL login to check the password. With the magic of PIPE this can be a single line command. You get all the prompting, security details and auditing for free. The downside is it's a bit "noisy" since you also get all the login output (though I'd say that's a "feature" since it would convince me, as a user, that you're not grabbing my password!).

First create a command procedure in SYS$MANAGER:

SYS$COMMON:[SYSMGR]PASSWORDCHECK.COM
$ WRITE SYS$OUTPUT "Password OK"
$ LOGOUT/BRIEF

Now define a logical name:

$ DEFINE/SYSTEM/EXEC PASSWORDCHECK -
SYS$MANAGER:PASSWORDCHECK.COM

To check a password use:
(warning - beware of ITRC line wrapping!)

$ PIPE WRITE SYS$OUTPUT -
"''F$GETJPI("","USERNAME")' /COMMAND=PASSWORDCHECK" | -
SET HOST 0/LOG=SYS$OUTPUT | -
SEARCH/NOOUTPUT/NOWARNING -
SYS$PIPE "Password OK"
$ IF $STATUS.NES."%X10000001" THEN GOTO BadPassword

The SET HOST command will output the system welcome message, then prompt for password only. If successful the process will login, execute the password check procedure and logout. This will output "Password OK" and the SEARCH command will be successful, so $STATUS will be "%X10000001". If the password is incorrect, VMS will prompt for Username and password again, so your user gets a second chance. Failure to login for any reason will mean the SEARCH fails, so $STATUS

You can reduce the output by replacing PASSWORDCHECK.COM with:

$ STOP/ID

and searching for something else that will only appear if the login is successful. For example:

SEARCH/NOOUT/NOWARN SYS$PIPE -
"''F$TRNLNM("SYS$WELCOME")'"

A crucible of informative mistakes
Martin Vorlaender
Honored Contributor

Re: Confirming pulled data with UAF

>>>
and searching for something else that will only appear if the login is successful. For example:

SEARCH/NOOUT/NOWARN SYS$PIPE -
"''F$TRNLNM("SYS$WELCOME")'"
<<<

IMHO, this particular example is not a good one, as SYS$WELCOME may well be input-redirected. Then you're searching for a file name which will most likely not appear.

cu,
Martin
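A command procedure that packages John's SET HOST check for Alon's purpose, added here as an example and not code from any of the posts. It assumes the PASSWORDCHECK logical name and PASSWORDCHECK.COM from John's reply exist, that it is run from an interactive terminal (SYS$COMMAND is the user's terminal), and, following Martin's objection, it tests for the "Password OK" marker written by PASSWORDCHECK.COM rather than for SYS$WELCOME. P1 is a constructed parameter naming the action being confirmed.

```dcl
$! CONFIRM_ACTION.COM  (added example, not from the thread)
$!
$! P1 = short description of the action being confirmed (constructed label)
$!
$! Re-authenticates the caller through a real LOGINOUT pass, as in John
$! Gillings' reply: the first PIPE stage feeds the username (plus /COMMAND)
$! to the Username: prompt, SET HOST 0 then prompts the terminal for the
$! password itself.  No-echo input, intrusion detection and auditing come
$! from LOGINOUT; this procedure never sees the cleartext password.
$!
$! Assumption: the system logical PASSWORDCHECK points at a procedure that
$! writes "Password OK" and logs out (John's PASSWORDCHECK.COM).  Per
$! Martin Vorlaender's point, the success test looks for that marker and
$! not for SYS$WELCOME, which may be redirected to a file.
$!
$! Exit status: 1 (SS$_NORMAL) when the password was accepted, otherwise
$! %X10000002 (error severity, bit 28 set so DCL prints no message).
$
$ ON CONTROL_Y THEN GOTO REFUSED
$ IF P1 .EQS. "" THEN P1 = "the requested action"
$ WRITE SYS$OUTPUT ""
$ WRITE SYS$OUTPUT "You are about to perform: ", P1
$ WRITE SYS$OUTPUT "Re-enter your VMS password at the Password: prompt to continue."
$
$ PIPE WRITE SYS$OUTPUT "''F$GETJPI("","USERNAME")' /COMMAND=PASSWORDCHECK" | -
       SET HOST 0/LOG=SYS$OUTPUT | -
       SEARCH/NOOUTPUT/NOWARNING SYS$PIPE "Password OK"
$! $STATUS of the pipeline is that of the last stage (SEARCH):
$! %X10000001 only when the marker was seen, i.e. the login succeeded.
$ IF $STATUS .NES. "%X10000001" THEN GOTO REFUSED
$
$ WRITE SYS$OUTPUT "Password accepted; proceeding with ", P1
$ EXIT 1
$
$REFUSED:
$ WRITE SYS$OUTPUT "Password not confirmed; ", P1, " cancelled."
$ EXIT %X10000002
```

A calling procedure can then run `$ @SYS$MANAGER:CONFIRM_ACTION "shutdown of the application"` followed by `$ IF .NOT. $STATUS THEN EXIT`, so the critical step is only reached when the re-login succeeded.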
Alon Jacob
Frequent Advisor

Re: Confirming pulled data with UAF

Thanks all.
As to John's remarks - this piece of CP is to be used by my team, in order to perform daily tasks without having to remember syntax (most of them are not VMS people).
The reason I want to use the password is to make them think again before they do critical things like shutting down the application.
I guess I could just have them type "yes" but asking for a password will make them pause-and-think a bit longer.

I'll try what you suggested and let you know. Points are coming your way... ;-)

Alon.
Bojan Nemec
Honored Contributor

Re: Confirming pulled data with UAF

Alon,

Here is a short MACRO32 program which tests the user's password. The user must enter his password and this is checked against UAF. If all is OK you receive %X00000001 in $STATUS; if the password isn't OK you receive %X00000000. Any other error is also reported. So you can put it in a procedure and test it with ON WARNING THEN.

To compile it, just do:
$ MACRO tpasswd
$ LINK tpasswd
Bojan
Bojan Nemec
Honored Contributor

Re: Confirming pulled data with UAF

Just reviewed the program and realised that it will not run in a command procedure.
Please replace the line:
sysinput: .ascid /sys$input/
with
sysinput: .ascid /sys$command/
or
sysinput: .ascid /tt/

Sorry,

Bojan
Lawrence Czlapinski
Trusted Contributor

Re: Confirming pulled data with UAF

Alon,
1. As John mentioned, from a security standpoint it's not a good idea to use the user's unencrypted VMS password over the network. If you do ask for a password, you want it to be noecho to the screen.
2. Most users will get used to automatically typing what they normally would and won't think about it any more than just typing a Y or YES.
3. If you really feel it's necessary, you would probably be as well off with a confirming prompt:
Do you really want to take_action_x?
4. You could have the DCL ask for an additional password for specific functions which is checked against a file.dat.
Lawrence