Operating System - OpenVMS

WEB change password utility

 
SOLVED
John Donovan_4
Frequent Advisor

WEB change password utility

I've been searching for a WEB based change password for OpenVMS alpha users to use. I found an old app called "change_password.exe", but I believe there is something available either with the latest Apache or Java I've installed on my server. Does anyone know of a utility out there?
"Difficult to see, always in motion is the future..."
7 REPLIES
John Gillings
Honored Contributor
Solution

Re: WEB change password utility

John,

If you can't find an off-the-shelf solution, you can roll your own fairly easily. Apache has a cgi-bin, which supports DCL (see examples in APACHE$ROOT:[CGI-BIN]). The biggest issue would be getting the process into the context of your user. However, for your particular case, that's easier than usual, as you will have the username and password.

A quick and simple way might be to use a DECnet task to the local node:

$ OPEN/READ/WRITE task 0"''user' ''pass'"::"0=SETPASS"

where SETPASS.COM could execute your change_password image. This also gives you a very simple mechanism for testing the old password (ie: you can't get into the process to change the password unless the network login is successful, and you'll get full auditing and intrusion detection for free).

Beware though, your usernames and passwords will be traversing the network in clear text. Make sure this is consistent with your security policies.
A crucible of informative mistakes
Martin Vorlaender
Honored Contributor

Re: WEB change password utility

Hi,

based on the work of Richard Levitte and Tom Wade, I implemented a change_password.exe.

It does almost everything I could think of to make it reasonably safe, i.e.

- scan the intrusion database, and also update it in case of a breakin attempt,
- scan the password history and dictionary, if this is not disabled in the user's account,
- optionally, inhibit changing the password of a member of the system groups,
- optionally, only change password for accounts that hold a particular identifier,
- optionally, restrict password changes to accounts that only have network access enabled,
- generate the password if the account is set up to it.

The downside to all of this is that the program needs SYSPRV and SECURITY privilege, and (for use with a web server) probably needs to be installed with those, or suexec'd (which I haven't yet tried).

I haven't yet implemented interfacing to site-specific policies, and updating the password history.

It's not yet really polished for publication, but it is (quite unusually ;-) heavily commented C code.

If you want to give it a try, you can download it from http://www.pdv-systeme.de/users/martinv/cpw.zip

BTW: I know all of this could now be implemented easier, but this was meant to run under VMS 6.2...

cu,
Martin
John Donovan_4
Frequent Advisor

Re: WEB change password utility

Almost everything I run into is created for OSU HTTP server, but I'm using Apache/2.0.47 (OpenVMS) mod_ssl/2.0.47 OpenSSL/0.9.6g PHP/4.3.2. I have incorporated the use of auth_openvms_module and the AuthUserOpenVMS directive. This is great but it has certain shortcomings.

I'm interested in anything you can provide which will allow checking an OpenVMS user account upon their attachment to the secured WEB page.
I would like to be able to provide the following functionalities:
1.) If password expired then prompt for new password
2.) If account is disusered disallow access
3.) If account is expired disallow access

I take it SWS does NOT come with this capability?
Thanks,
jd
"Difficult to see, always in motion is the future..."
David Jones_21
Trusted Contributor

Re: WEB change password utility

Martin Vorlaender wrote:
based on the work of Richard Levitte and Tom Wade, I implemented a change_password.exe.

It does almost everything I could think of to make it reasonably safe, i.e.

The downside to all of this is that the program needs SYSPRV and SECURITY privilege, and (for use with a web server) probably needs to be installed with those, or suexec'd (which I haven't yet tried).


Check out the new SYS$ACM service, you can call it to change your password without any privileges. I've got an example of it in http://www.ecr6.ohio-state.edu/~jonesd/change_password.zip
I'm looking for marbles all day long.
Willem Grooters
Honored Contributor

Re: WEB change password utility

On access request, username and expected rights are checked against UAF and Rightlist (depending on what has been defined) and that will just return "Access allowed" (returning the page requested) or "access denied", returning error page 401 (Authentication required).
If that page could be adjusted to obtain this information AND allow the user to change their password (using methods described by others) you're done ;-) Beware though, that such a change is server-wide.
(I haven't tried this myself, but know it must be possible.)
Willem Grooters
OpenVMS Developer & System Manager
Martin Vorlaender
Honored Contributor

Re: WEB change password utility

David Jones wrote:
>>>
Check out the new SYS$ACM service, you can call it to change your password without any privileges.
<<<

Given that the CGI program runs in the web server user's context (typically APACHE$WWW for CSWS), SYS$ACM would require IMPERSONATE privilege to change another user's password.

Besides, as I wrote, the program was designed to run under VMS 6.2, so it also doesn't take into account the PWDMIX flag.

But thanks for the example program, and for the acm_wrapper functions. Anyone have a "Guide to ACME"? I find the description of the SYS$ACM service rather intimidating...

cu,
Martin
David Jones_21
Trusted Contributor

Re: WEB change password utility

Martin Vorlaender:
>>>>
Given that the CGI program runs in the web server user's context (typically APACHE$WWW for CSWS), SYS$ACM would require IMPERSONATE privilege to change another user's password.
<<<<

I didn't provide a CGI script, just a part of one that demonstrates the SYS$ACM functions. I use a configuration that allows 'captive' scripts to run in the user's persona (i.e. the IMPERSONATE is upstream of the CGI script). Someone else mentioned using DECnet to get the right context.

I think it will take a certain amount of effort for anyone to get the 'rhythm' of the novel $ACM API, no matter how good the documentation.
I'm looking for marbles all day long.