Re: password complexity enforcement for OpenVMS 7.3-1 and OpenVMS 7.3-2

Thanassis Papadimitriou · ‎01-22-2009

I would like to enforce all users to enter password strings containing at least 3 characters from 1 upper, 1 lower, 1 numeric and 1 special character.

I know that this is enabled per user by assigning /pwdmix flag to the account. But, it is limited to upper, lower characters.

It is time consuming to write down a new code using VMS$PASSWORD_POLICY.EXAMPLE, can we find any existing code to use.

I would like to be able to specify the number of upper, lower, numeric and special that a password must contain and also to define the total number of complexity characters that the password must at least contain.

Joseph Huber_1 · ‎01-22-2009

Too complex? because the examples are written in ADA and Bliss ?

maybe start with this example, if You can handle C source:
http://wwwvms.mppmu.mpg.de/vmssig/src/c/VMS$PASSWORD_POLICY.C

http://www.mpp.mpg.de/~huber

Thanassis Papadimitriou · ‎01-22-2009

Yes, it is complex.

But, the C example is to weak to use. It counts only digits.

What I need is the following:

http://64.223.189.234/node/643

it is written in Macro 32. Can you help me and guide how to install it in my platform?

Joseph Huber_1 · ‎01-22-2009

> But, the C example is to weak to use. It counts only digits.

Yes, I meant start with this example, and extend it, or You are no C programmer and have none available ?

The Macro code on Hoffs site seems to be ready to be used: follow the "usage" comment: Macro,link,copy the .EXE to sys$common:[syslib], and set the system parameter LOAD_PWD_POLICY to 1.

http://www.mpp.mpg.de/~huber

Joseph Huber_1 · ‎01-22-2009

forgot in the list the INSTALL command of course after copying the module to sys$common:[syslib].
And also note to do the INSTALL from systartup_vms.com !

http://www.mpp.mpg.de/~huber

Robert Gezelter · ‎01-22-2009

Thanassis,

These examples were never meant as finished products. They are merely examples of the means and methods to interface a custom password policy module.

Since OpenVMS is language agnostic, it is possible to write such a module in any language that one (or one's colleagues) is familiar with, with the possible direct exceptions of non-compiled languages such as Java, PERL, and DCL).

Alternatively, outside expertise may be retained to implement what ever policy is eventually decided. (Disclosure: We do provide services in this area, as do other frequent contributors to this forum).

- Bob Gezelter, http://www.rlgsc.com

Thanassis Papadimitriou · ‎01-22-2009

Robert,

Thank you for your input but the code in macro 32 works fine. I managed to make it function.

I have tested it in OpenVMS 7.3-2 & OpenVMS 7.2-1 and I got results in each OS version tested.

BR,

Thanassis Papadimitriou · ‎01-22-2009

Joseph,

I did what is written in usage guides. But, I issued the INSTALL from command prompt. Should I add an INSTALL line in the startup file as well to enable VMS$PASSWORD_POLICY whenever the server is rebooted?

BR,

Jan van den Ende · ‎01-22-2009

Thanassis,

>>>
Should I add an INSTALL line in the startup file as well to enable VMS$PASSWORD_POLICY whenever the server is rebooted?
<<<

Most definitely, YES!!!

If you set the LOAD_PWD_POLICY, and do NOT do the install,then there is NO way to log into the system at all!
(if that SHOULD happen, you must boot conversational, unset it, (so you can log in again) and put the INSTALL in the startup, set LOAD_PWD_POLICY again, and reboot again. No pretty prospect)

hth

Proost.

Have one on me.

jpe

Don't rust yours pelled jacker to fine doll missed aches.

Joseph Huber_1 · ‎01-22-2009

As I have written, put the INSTALL into sysstartup_vms.com,
this means it is executed at reboot.

And at best follow the advice of Stephen Hoff. NOT to set the system parameter LOAD_PWD_POLICY permanent to 1, but do it at the ACTIVE sysgen parameter set at every boot;
this way the parameter stays at 0 when sysartup_vms is aborted for whatever reason.

At best, put the INSTALL together with the SYSGEN commands into a separate commandfile, executed towards the end of systartup-vms.

http://www.mpp.mpg.de/~huber

Joseph Huber_1 · ‎01-22-2009

To Jans warning: No, it is not so catastrophic to have load_pw_policy set to 1 without installing the policy image: one still can login, only SET PASSWORD will fail in this case. See my example session below.

Username: huber
Password:
Welcome ...

MPIW12_HUB>mcr sysgen
SYSGEN> SHOW LOAD_PWD_POLICY
Parameter Name Current Default Min. Max. Unit Dynamic
-------------- ------- ------- ------- ------- ---- -------
LOAD_PWD_POLICY 1 0 0 1 Boolean D
SYSGEN> Exit
MPIW12_HUB>set password
%LIB-F-ACTIMAGE, error activating image SYS$LIBRARY:VMS$PASSWORD_POLICY.EXE
-SYSTEM-F-PRIVINSTALL, shareable images must be installed to run privileged imag
e

http://www.mpp.mpg.de/~huber

Hoff · ‎01-22-2009

Ah, this explains the spike in traffic arriving on that article.

If you have questions, it's a whole lot easier (for me and then for any other folks that are subsequently looking at the article) if the questions are posted over at /node/643. Accounts are free, too. (I have enabled the registration process to keep the site from filling from spam.)

I've updated the comments in the article to more explicitly point to the need of some DCL commands in the system startup or in a filter-specific startup procedure.

The security auditors love this password character selection stuff. It doesn't work, though. It's akin to reorganizing the deck chairs on the Titanic. Password-based authentication is among the weakest options, and it's particularly bad when combined with telnet and ftp and such; cleartext authentication protocols.

Some related reading:

http://64.223.189.234/node/229

Then...

http://64.223.189.234/node/219
http://64.223.189.234/node/526
http://64.223.189.234/node/832

I've also added a passwords tag to the HL site, and sprinkled it around various of the password-related sites.

Thanassis Papadimitriou · ‎01-22-2009

Thank you all,

I kept notes on what i have to do to enable password filtering. The only thing I have to do is to write a command procedure which will include the INSTALL and sysgen invocation. After that I have to update systartup_vms.com to call at the bottom the newly created procedure.

Since you mentioned clear text transmission of passwords over telnet & ftp, does this password filtering work over ssh?

Joseph Huber_1 · ‎01-22-2009

Yes of course, if You login via SSH, then everything flowing over this link is encrypted,
thus the password in a SET PASSWORD command is encrypted.

This has in particular nothing to do with password policy, it is just the purpose and result of the SSH connection.

http://www.mpp.mpg.de/~huber

Thanassis Papadimitriou · ‎01-22-2009

In OpenVMS 7.3-1 /pwdmix flag does not exist. Does anybody know if there is an alternative solution for that without the need to upgrade to OpenVMS 7.3-2. /pwdmix flag exists in OpenVMS 7.3-2.

Hoff · ‎01-22-2009

There is no supported means to back-port the mixed-case password mechanisms to V7.3-1.

Better to spend the effort here moving forward to V7.3-2 (which itself is ancient, albeit with Prior Version Support still available) or (better) upgrading to the current OpenVMS Alpha V8.3 release.

Moving from V7.3-1 to V8.3 is arguably not a major upgrade for OpenVMS Alpha; there were minor kernel changes all through the range, and the V7 to V8 upgrade did not (on OpenVMS Alpha) involve significant kernel changes. In retrospect, the TQE kernel change from V7.3-1 to V7.3-2 probably caused more ripples than V7 to V8.

OpenVMS Alpha V8.3 also adds external authentication into your local LDAP (Active Directory or Open Directory or otherwise) and various other password-related features.

Thanassis Papadimitriou · ‎01-23-2009

When the user logs in OpenVMS 7.3-2 with pwdmix set and VMS$PASSWORD_POLICY is in place then the user is allowed to enter case sensitive passwords and system interprets these passwords as case sensitive.

Is there a way that we can tell somehow OpenVMS 7.3-1 to accept and interpret case sensitive passwords?

Hoff · ‎01-23-2009

>Is there a way that we can tell somehow OpenVMS 7.3-1 to accept and interpret case sensitive passwords?

No.

A requirement for mixed-case passwords is not compatible with continued use of OpenVMS Alpha V7.3-1.

AFAIK, there is no back-port available. (This back-port would likely involve changes made to multiple OpenVMS modules and components, too. It's not a single and isolated change.)

Your choice here is between use of uppercase passwords and upgrading OpenVMS Alpha.

Thanassis Papadimitriou · ‎01-24-2009

I have a last question.

Regarding UAF.ALPHA_EXE I observed that I cannot run a query at UAF records having /SELECT=flag=pwdmix.

Also, when I ask to print out the flags a user has, using /DISPLAY=(username,flags), although flag /pwdmix has been assigned and show user displays among other flags pwdmix as well, all other flags are displayed apart from pwdmix.

Do you if there is an updated UAF.ALPHA_EXE which may run queries based on flag=pwdmix?

Joseph Huber_1 · ‎01-26-2009

You have the complete source, why not update it ?
(I myself have no VMS version new enough).

Extract module UAFDEF from sys$library:sys$lib_c.tlb.
Look for the flag bits inserted after DISPWDHIS ,
add the new ones in the files uafcld.cld and uaf_cld.h, @compile.
I think that should do it.

http://www.mpp.mpg.de/~huber

Joseph Huber_1 · ‎01-26-2009

...
and in display.c: change
max_flags = 20;
to
max_flags = 25;

You can extract the 3 files from my archive at
http://wwwvms.mppmu.mpg.de/vmssig/archive/u/uaf.zip

(I did not correct the compile time warnings in the old version there.)

http://www.mpp.mpg.de/~huber

Thanassis Papadimitriou · ‎01-26-2009

Pretty good idea..

i downloaded the 3 files from your distribution into my directory..

but unfortunately @compile does not end up successfully to create the new .exe files.

I download also your distribution in a clean directory but unfortunately @compile did not finish again.

Joseph Huber_1 · ‎01-26-2009

and would You dare to tell us the error message (s)?

http://www.mpp.mpg.de/~huber

Joseph Huber_1 · ‎01-26-2009

If You compile on IA64 , get my uaf.zip again with these new files:
uaf.,c uafcld.cld parse_uic.mar

Save parse_uic.mar before as parse_uic_vax.mar,
I just don't know how to make .not.VAX conditional in macro32.
The only diff in .mar is to call lib$table_parse instead of lib$tparse.
(see rtl lib$ lib$tparse).

http://www.mpp.mpg.de/~huber

Thanassis Papadimitriou · ‎01-26-2009

Of course I will tell you.. it is not a secret!!

I have got only ALPHA server platforms. The displayed error is the following regarding your distribution.

$ dir

Directory SYS$COMMON:[SYSMGR.TEST.UAF2]

$PRVDEF.H;1 AAAREADME.TXT;1 AXP-PORT.TXT;1 CC.OPT;1
COMPILE.COM;1 DESCRIP.MMS;1 DISPLAY.AXP-DIF;1 DISPLAY.C;1
DISPLAY.OBJ;2 DISPLAY.OBJ;1 GCC.OPT;1 GUESS.C;1
GUESS.OBJ;2 GUESS.OBJ;1 GUESS_PASSWORD.C;1 HPWD.MAR;1
INIT_CLI.C;1 LGI$HPWD.C;1 MAKEFILE.;1 PARSE.C;1
PARSE.OBJ;2 PARSE.OBJ;1 PARSE_UIC.AXP-DIF;1 PARSE_UIC.MAR;1
PARSE_UIC.OBJ;2 PARSE_UIC.OBJ;1 SELECT.AXP-DIF;1 SELECT.C;1
SELECT.OBJ;2 SELECT.OBJ;1 STANDARD.AXP-DIF;1 STANDARD.H;1
TEMP.C;1 UAF.AXP-DIF;1 UAF.C;1 UAF.H;1
UAF.HLB;1 UAF.HLP;4 UAF.HLP;3 UAF.HLP;2
UAF.HLP;1 UAF.OBJ;2 UAF.OBJ;1 UAF.RNH;1
UAF.ZIP;1 UAFCLD.CLD;1 UAFDEF.DECC;1 UAF_CLD.AXP-DIF;1
UAF_CLD.H;1 WORDLIST.H;1

Total of 50 files.
$
$
$ @compile

$tran tpa$_ident,,,,uic
^
%AMAC-E-GENERROR, generated ERROR: 0 $TRAN requires symbols defined in ARCH_DEFS.MAR
-AMAC-I-ATEXPLINE, at macro expansion line 6
at line number 12 in file SYS$COMMON:[SYSMGR.TEST.UAF2]PARSE_UIC.MAR;1
.ERROR ; $TRAN requires symbols defined in ARCH_DEFS.MAR

$tran tpa$_ident,,,,uic
^
%AMAC-E-IFEXPRNABS, IF expression not absolute
-AMAC-I-ATEXPLINE, at macro expansion line 16
at line number 12 in file SYS$COMMON:[SYSMGR.TEST.UAF2]PARSE_UIC.MAR;1
.IF NE, IXVMS

.end
^
%AMAC-E-PREVERROR, previous errors prevent further analysis
at line number 40 in file SYS$COMMON:[SYSMGR.TEST.UAF2]PARSE_UIC.MAR;1

Categories

Company

Local Language

Forums

Discussions

Forums

Discussions

Discussions

Forums

Discussions

Forums

Discussions

Discussions

Forums

Forums

Discussions

Forums

Discussions

Forums

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Community

Resources

Other HPE Sites

Discussions

Forums

Blogs

Re: password complexity enforcement for OpenVMS 7.3-1 and OpenVMS 7.3-2

password complexity enforcement for OpenVMS 7.3-1 and OpenVMS 7.3-2