HPE Community
Operating System - OpenVMS
1828342 Members
3295 Online
109976 Solutions
New Discussion

openVMS minimum password duration

 
SOLVED
Go to solution
hirschi
New Member

‎10-12-2006 02:57 AM

‎10-12-2006 02:57 AM

openVMS minimum password duration

Is it possible to implement a "minimum lifetime" for passwords ?
We would like to unable a password change during at least 15 days after its creation.
0 Kudos
Reply
11 REPLIES 11
Karl Rohwedder
Honored Contributor

‎10-12-2006 03:23 AM

‎10-12-2006 03:23 AM

Re: openVMS minimum password duration

I know of no standard VMS solution for this.
Of course you could modify the dcltables and call your own image instead of SETP0, check for the password change (this is stored in UAF record) and issue an error message or call SETP0.

regards Kalle
0 Kudos
Reply
hirschi
New Member

‎10-12-2006 03:37 AM

‎10-12-2006 03:37 AM

Re: openVMS minimum password duration

Thanks Karl.
Do you know where we could find password rules in HP documentation ?
We would need official documentation to provide evidence of this lack of fonctionality for a security audit ...
0 Kudos
Reply
Karl Rohwedder
Honored Contributor

‎10-12-2006 03:53 AM

‎10-12-2006 03:53 AM

Solution

Re: openVMS minimum password duration

Check the standard VMS docs, e.g. here:
http://h71000.www7.hp.com/doc/os83_index.html.

Esp. the System Managers Essentials and the Guide to System Security.

Some thought about this can be read here:
http://www.osdata.com/holistic/security/security.htm#OpenVMSsecurity

To prevent user to use old password again (by changing it several times), VMS keeps a history of used password (can be disabled on a per user basis).

regards Kalle
Reply
Richard Brodie_1
Honored Contributor

‎10-12-2006 03:58 AM

‎10-12-2006 03:58 AM

Re: openVMS minimum password duration

"Do you know where we could find password rules in HP documentation ?"

In the system security manual. One might also ask, "in what way does preventing you from changing your password increase security?"
0 Kudos
Reply
Rick Dyson
Valued Contributor

‎10-13-2006 01:29 AM

‎10-13-2006 01:29 AM

Re: openVMS minimum password duration

There is an ability to implement any password rules you want, over and above the default OpenVMS ones. I do this to enforce intitutional rules.

Using the same API hooks (documented in manuals), I would assume you should be able to collect the last password reset date from the UAF with a system service call and then do the math and deny the new password.

I have not done this, but the hooks all seem to be there to my mind. (consider the source ! :)

I don't recall where the exact docs are located, but a key word to look for is "VMS$Password_Policy". It is triggered by setting the SysGen parameter: Load_PWD_Policy.

rick
Reply
Ian Miller.
Honored Contributor

‎10-13-2006 01:34 AM

‎10-13-2006 01:34 AM

Re: openVMS minimum password duration

additonal password requirements can be enforced by implementing a site specific password policy as described here

http://h71000.www7.hp.com/doc/82FINAL/5841/5841pro_091.html#create_share_image_sec
____________________
Purely Personal Opinion
0 Kudos
Reply
Kris Clippeleyr
Honored Contributor

‎10-24-2006 08:04 PM

‎10-24-2006 08:04 PM

Re: openVMS minimum password duration

Time to revive this thread.
Browsing through my collection of undocumented features, I stumbled over the LGI$PASSWORD_NOCHANGE_DAYS logical name.
The equivalence should be numeric; the value sets the minimum time (in days) to change the password.
E.g.:
$ DEFINE/SYS/EXEC LGI$PASSWORD_NOCHANGE_DAYS 5
$ SET PASSWORD !1st time OK
Old password:
New password:
Verification:
$ SET PASSWORD !2nd time refused
Old password:
New password:
Verification:
%SET-F-PWDLOCKED, password is locked to prevent change

Hope this helps,
Kris (aka Qkcl)



I'm gonna hit the highway like a battering ram on a silver-black phantom bike...
0 Kudos
Reply
Wim Van den Wyngaert
Honored Contributor

‎10-24-2006 08:33 PM

‎10-24-2006 08:33 PM

Re: openVMS minimum password duration

Note that Kris uses an undocumented and thus unsupported feature. IMO they should not exist and be supported or not be tehre at all.

Wim
Wim
0 Kudos
Reply
Dave Laurier
Frequent Advisor

‎10-24-2006 10:03 PM

‎10-24-2006 10:03 PM

Re: openVMS minimum password duration


If you would like to create a site specific password policy then also check the following thread:

http://forums1.itrc.hp.com/service/forums/questionanswer.do?threadId=866372

It contains examples for various people in various programming languages that show how to create a shareable image for this purpose.
0 Kudos
Reply
Jan van den Ende
Honored Contributor

‎10-24-2006 11:07 PM

‎10-24-2006 11:07 PM

Re: openVMS minimum password duration

Looks like Kris has the answer.

But it also looks like Engeneering should (and easily could!) document this feature.

Although personally I always question WHY one would want to, but I _HAVE_ seen this demand before ( by rule-making auditors without real-life experience, nor any thinking capability, I assume ) and IF you run into such demand, it will be sooo much easier to just be able to comply...

fwiw,

Proost.

Have one on me.

jpe
Don't rust yours pelled jacker to fine doll missed aches.
0 Kudos
Reply
comarow
Trusted Contributor

‎10-30-2006 11:21 PM

‎10-30-2006 11:21 PM

Re: openVMS minimum password duration

Interesting demand. Yes, you can create your own interface, but it would be very customized for that site and difficult to maintain.

We know that you can lock a password. Assuming the user is unprivileged, you could use a com procedure that creates an account, and locks the password. It could also create another com procedures, of just a few lines, that will unlock it after the duration.

I suspect you are trying to prevent people from setting it back. As someone just mentioned, the password history prevents that, so you may not need any solution??

Best of luck.
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.