
HP OpenVMS Systems

ask the wizard

password authentication and network security?


The Question is:

Our environment consists of banking tellers/users logging into the banking
application using OpenVMS usernames and passwords. We will be adding a
client server application that will allow a client application to access
certain data on the OpenVMS application through a server process. We would
like the client application to pass the OpenVMS username/password to the
server process in order to authenticate them to the system. The question we
have is what is the best way to validate the OpenVMS username/password? I
suspect it could be done with a combination of $GETUAI and $HASH_PASSWORD
but that would involve being able to replicate all the rules that OpenVMS
uses to authenticate a user (like is the DISUSER flag set, etc.). Is there
an easier way to do this?


The Answer is:

 
  Calls to sys$getuai followed by a call to sys$hash_password would
  suffice, though a call to sys$scan_intrusion is also recommended.
 
  A simpler interface for performing user authentication is planned
  for inclusion in a release after OpenVMS V7.2.
 
  Another approach would be to use a more secure authentication scheme
  than passing clear-text passwords over the network -- your proposed
  scheme would require the user to respecify the password, or it would
  require you to maintain a local copy of the cleartext password with
  all the attendant risks of exposure.  As for schemes that you may want
  to check: MD5 (RFC1321) might be of interest here, as may be the DCE
  security services and some of the current and planned work in support
  of authenticated RPC.  Datalink or other encryption may also be of
  interest here.
 
  In other words, if your network is sufficiently secure from snooping
  that a cleartext password is not a potentially serious exposure, then
  you probably don't need to perform the password operation to begin with.
  (Proxies or similar approaches will work nicely, in other words.)  If
  the passwords are a risk, then you will want to consider other approaches
  in addition to the proposed transmission of a cleartext password.
 

answer written or last revised on ( 9-DEC-1998 )
