HP OpenVMS Systems: Ask the Wizard
The Question is:

Does a system service or library call exist that can be used to authenticate a user's VMS username and password? Our company has several custom VMS applications that we currently support and enhance. From a coding, support, and end-user standpoint it would simplify username and password management if only one (OS & Apps) username and password needed to be maintained. I know it is possible to authenticate a VMS username and password. We currently utilize a multi-session software product called Magic Windows. In addition to multi-session, it has a feature that allows a user to lock out his/her terminal. It requires the current user to enter his/her VMS password to unlock the terminal. So if you could point me in the basic direction I will figure it out from that point.

Thanks, John

The Answer is:

To emulate the process LOGINOUT uses for authenticating a user (but not changing the passwords) you need to use a combination of SYS$GETUAI, SYS$SCAN_INTRUSION and SYS$HASH_PASSWORD, all of which are documented system services. Development is underway to allow this entire process to be performed using just one system service call; this capability is expected to appear in an OpenVMS release after V7.2.

With that said, however, you should carefully consider anything that performs a re-authentication after the user has already logged in. Leading your users to honor such requests leaves the way open for Password Grabber attacks. Read section 7.5.4 of the V7.1 Guide to System Security regarding the Secure Server defense against such attacks. Except in very specialized situations, a combination of regular authentication (perhaps augmented by add-on hardware authentication devices) and protections provided by the operating system are most secure.

If you ask the user to set up and use a per-user password, they may well give you the same password they are presently using to log into OpenVMS. Which means you are suddenly responsible for far more security than you might have initially expected to be responsible for. (OpenVMS uses a one-way hash on the user password, comparing the one-way hash of the specified password against the saved hashed password -- the plaintext password is not saved. This is where calls such as SYS$HASH_PASSWORD come into play. In addition, OpenVMS also carefully protects the SYSUAF file, the file that contains the (hashed) password values. These steps make it exceedingly difficult to get a user's password. Do *you* want to maintain this level of security in your application? If you are asking for passwords, you may well be setting yourself up for more work than you expected.)

I would recommend the simplest approach -- protect the data file(s) used for your application with an OpenVMS identifier set up for your application by the system manager, disabling all access to the files from users that lack the identifier. (With images and V6.x versions of OpenVMS, the subsystem identifier support can be quite useful here, as well -- the identifier can be granted to the image, not to the user.) Have the system manager issue the identifier (only) to the folks that should be able to access your application (or to the subsystem, per the subsystem identifier). Your procedures can then simply operate without really worrying about security at all, save for catching file access failures on the data files due to access prohibitions or other problems -- this basic file access error processing is something you should do in any event.
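The following DCL session shows the Wizard's recommended approach in practice: the data file is locked to an identifier, optionally held by the image as a protected subsystem, so the application never has to prompt for or check a password at all. It is an added example, not part of the original answer; the identifier PAYROLL_DATA, the username SMITH, the logicals APP$DATA and APP$EXE, the files PAYROLL.DAT and PAYROLL.EXE, and the device DKA100: are all assumed names.

```dcl
$ ! Added example (not from the original answer). All names below
$ ! (PAYROLL_DATA, SMITH, APP$DATA, APP$EXE, PAYROLL.DAT, PAYROLL.EXE,
$ ! DKA100:) are assumed; substitute your own.
$ !
$ ! 1. The system manager creates the identifier in AUTHORIZE. The
$ !    SUBSYSTEM attribute allows it to be attached to an image later.
$ !    Option A: grant the identifier directly to each permitted user.
$ RUN SYS$SYSTEM:AUTHORIZE
UAF> ADD/IDENTIFIER/ATTRIBUTES=SUBSYSTEM PAYROLL_DATA
UAF> GRANT/IDENTIFIER PAYROLL_DATA SMITH
UAF> EXIT
$ !
$ ! 2. Strip group and world access from the data file and add an ACE
$ !    that admits only holders of the identifier. Anyone else gets a
$ !    protection violation on open, which the application should catch
$ !    and report rather than treat as a crash.
$ SET SECURITY/PROTECTION=(SYSTEM:RWED,OWNER:RWED,GROUP,WORLD) -
      /ACL=(IDENTIFIER=PAYROLL_DATA,ACCESS=READ+WRITE) APP$DATA:PAYROLL.DAT
$ !
$ ! 3. Option B (protected subsystem, V6.x and later): give the identifier
$ !    to the image instead of to users, so the identifier is held only
$ !    while PAYROLL.EXE runs. Subsystems must be enabled on the volume.
$ SET VOLUME/SUBSYSTEM DKA100:
$ SET SECURITY/ACL=(SUBSYSTEM,IDENTIFIER=PAYROLL_DATA) APP$EXE:PAYROLL.EXE
$ !
$ ! 4. Confirm what was applied before handing the application to users.
$ SHOW SECURITY APP$DATA:PAYROLL.DAT
$ SHOW SECURITY APP$EXE:PAYROLL.EXE
```

With option A the application code never sees a password; the only security-relevant logic it needs is handling the file-open failure (an RMS protection-violation status) that a user without the identifier will receive. With option B not even the users need to hold the identifier, which removes the temptation to grant it broadly, and nothing outside the image can open the data file directly.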