|
|
Thanassis Papadimitriou
|
|
Jan 22, 2009 09:25:47 GMT
|
|
I would like to require all users to enter password strings containing at least 3 of the following: 1 upper-case, 1 lower-case, 1 numeric and 1 special character.
I know that this is enabled per user by assigning the /pwdmix flag to the account. But it is limited to upper- and lower-case characters.
It is time consuming to write new code using VMS$PASSWORD_POLICY.EXAMPLE; can we find any existing code to use?
I would like to be able to specify the number of upper, lower, numeric and special characters that a password must contain, and also to define the total number of complexity characters that the password must at least contain.
|
|
|
|
|
|
|
|
Joseph Huber
|
|
Jan 22, 2009 09:42:46 GMT
10 pts
|
|
|
|
Thanassis Papadimitriou
|
|
Jan 22, 2009 10:23:07 GMT
N/A: Question Author
|
|
Yes, it is complex.
But the C example is too weak to use. It counts only digits.
What I need is the following:
http://64.223.189.234/node/643
It is written in Macro-32. Can you help me and guide me on how to install it on my platform? |
|
Joseph Huber
|
|
Jan 22, 2009 10:42:06 GMT
10 pts
|
|
> But the C example is too weak to use. It counts only digits.
Yes, I meant: start with this example and extend it. Or are You not a C programmer, and have none available?
The Macro code on Hoff's site seems to be ready to be used: follow the "usage" comment: Macro, link, copy the .EXE to sys$common:[syslib], and set the system parameter LOAD_PWD_POLICY to 1. |
|
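Added example, not code from this thread, from SYS$EXAMPLES:VMS$PASSWORD_POLICY.EXAMPLE, or from Hoff's Macro-32 module: a portable C routine that implements the kind of composition rule the question asks for (a per-class minimum for upper, lower, digit and special characters, plus a minimum number of distinct classes), which is the check one would graft into the policy module's own entry point. The policy structure, the two sample policies, the function names and the candidate passwords are all assumptions made for the example; the module interface itself is not reproduced here. One caveat a practitioner should keep in mind: for an account without the PWDMIX flag the password reaches the filter already upper-cased, so a lower-case requirement can never be satisfied for such an account.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Tunable policy. Field names and the two sample policies below are
 * assumptions made for this example, not part of any OpenVMS interface. */
struct pw_policy {
    size_t min_length;
    size_t min_upper;     /* minimum count of A-Z */
    size_t min_lower;     /* minimum count of a-z */
    size_t min_digit;     /* minimum count of 0-9 */
    size_t min_special;   /* minimum count of other printable ASCII */
    size_t min_classes;   /* how many of the four classes must be present */
};

/* "Any three of the four classes", as asked in the question. */
const struct pw_policy pw_policy_three_of_four = { 8, 0, 0, 0, 0, 3 };

/* Stricter: at least one character from every class. */
const struct pw_policy pw_policy_all_four = { 8, 1, 1, 1, 1, 4 };

struct pw_counts {
    size_t upper, lower, digit, special;
};

/* Classify each byte. Returns 0 if the password contains a control or
 * non-ASCII byte; this example treats that as a hard reject so such bytes
 * can neither satisfy a class nor slip past the count unnoticed. */
static int pw_count(const char *pw, size_t len, struct pw_counts *c)
{
    memset(c, 0, sizeof *c);
    for (size_t i = 0; i < len; i++) {
        unsigned char ch = (unsigned char)pw[i];
        if (ch >= 0x80 || !isprint(ch))
            return 0;
        if (isupper(ch))
            c->upper++;
        else if (islower(ch))
            c->lower++;
        else if (isdigit(ch))
            c->digit++;
        else
            c->special++;   /* punctuation and space */
    }
    return 1;
}

/* Decide accept (1) or reject (0): every per-class minimum must be met,
 * and the number of classes occurring at least once must reach
 * min_classes. */
int pw_acceptable(const char *pw, size_t len, const struct pw_policy *p)
{
    struct pw_counts c;
    size_t classes;

    if (len < p->min_length || !pw_count(pw, len, &c))
        return 0;
    if (c.upper < p->min_upper || c.lower < p->min_lower ||
        c.digit < p->min_digit || c.special < p->min_special)
        return 0;
    classes = (c.upper > 0) + (c.lower > 0) + (c.digit > 0) + (c.special > 0);
    return classes >= p->min_classes;
}

/* Convenience wrapper for NUL-terminated strings. */
int pw_check(const char *pw, const struct pw_policy *p)
{
    return pw_acceptable(pw, strlen(pw), p);
}

int main(void)
{
    /* Constructed sample candidates, not passwords taken from the thread. */
    static const char *samples[] = {
        "Summer2009", "summer2009", "SUMMER2009", "Summer-2009", "Ab1!", "Summer\t2009"
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-14s three-of-four=%d all-four=%d\n", samples[i],
               pw_check(samples[i], &pw_policy_three_of_four),
               pw_check(samples[i], &pw_policy_all_four));
    return 0;
}
```

"SUMMER2009" is rejected by the three-of-four policy because only two classes are present, which is exactly what a non-PWDMIX account would present to the filter after the login path has upper-cased the string.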
Joseph Huber
|
|
Jan 22, 2009 11:03:26 GMT
10 pts
|
|
I forgot in the list the INSTALL command, of course, after copying the module to sys$common:[syslib]. And also note to do the INSTALL from systartup_vms.com! |
|
Robert Gezelter
|
|
Jan 22, 2009 11:18:25 GMT
9 pts
|
|
Thanassis,
These examples were never meant as finished products. They are merely examples of the means and methods to interface a custom password policy module.
Since OpenVMS is language-agnostic, it is possible to write such a module in any language that one (or one's colleagues) is familiar with, with the possible direct exceptions of non-compiled languages such as Java, PERL, and DCL.
Alternatively, outside expertise may be retained to implement whatever policy is eventually decided. (Disclosure: We do provide services in this area, as do other frequent contributors to this forum.)
- Bob Gezelter, http://www.rlgsc.com |
|
|
Thanassis Papadimitriou
|
|
Jan 22, 2009 12:03:20 GMT
N/A: Question Author
|
|
Robert,
Thank you for your input but the code in macro 32 works fine. I managed to make it function.
I have tested it in OpenVMS 7.3-2 & OpenVMS 7.2-1 and I got results in each OS version tested.
BR, |
|
|
Thanassis Papadimitriou
|
|
Jan 22, 2009 12:08:04 GMT
N/A: Question Author
|
|
Joseph,
I did what is written in the usage guides. But I issued the INSTALL from the command prompt. Should I add an INSTALL line in the startup file as well to enable VMS$PASSWORD_POLICY whenever the server is rebooted?
BR, |
|
Jan van den Ende
|
|
Jan 22, 2009 12:44:01 GMT
9 pts
|
|
Thanassis,
>>> Should I add an INSTALL line in the startup file as well to enable VMS$PASSWORD_POLICY whenever the server is rebooted? <<<
Most definitely, YES!!!
If you set LOAD_PWD_POLICY and do NOT do the install, then there is NO way to log into the system at all! (If that SHOULD happen, you must boot conversationally, unset it (so you can log in again), put the INSTALL in the startup, set LOAD_PWD_POLICY again, and reboot again. No pretty prospect.)
hth
Proost.
Have one on me.
jpe |
|
Joseph Huber
|
|
Jan 22, 2009 13:13:00 GMT
10 pts
|
|
As I have written, put the INSTALL into systartup_vms.com; this means it is executed at reboot.
And at best follow the advice of Stephen Hoff: do NOT set the system parameter LOAD_PWD_POLICY permanently to 1, but set it in the ACTIVE sysgen parameter set at every boot; this way the parameter stays at 0 when systartup_vms is aborted for whatever reason.
At best, put the INSTALL together with the SYSGEN commands into a separate command file, executed towards the end of systartup_vms.com. |
|
Joseph Huber
|
|
Jan 22, 2009 13:24:30 GMT
10 pts
|
|
To Jan's warning: No, it is not so catastrophic to have LOAD_PWD_POLICY set to 1 without installing the policy image: one can still log in; only SET PASSWORD will fail in this case. See my example session below.
Username: huber
Password:
Welcome ...
MPIW12_HUB> mcr sysgen
SYSGEN> SHOW LOAD_PWD_POLICY
Parameter Name    Current    Default    Min.    Max.    Unit     Dynamic
--------------    -------    -------    ----    ----    ----     -------
LOAD_PWD_POLICY         1          0       0       1    Boolean  D
SYSGEN> Exit
MPIW12_HUB> set password
%LIB-F-ACTIMAGE, error activating image SYS$LIBRARY:VMS$PASSWORD_POLICY.EXE
-SYSTEM-F-PRIVINSTALL, shareable images must be installed to run privileged image |
|
Hoff
|
|
Jan 22, 2009 14:30:25 GMT
10 pts
|
|
Ah, this explains the spike in traffic arriving on that article.
If you have questions, it's a whole lot easier (for me and then for any other folks that are subsequently looking at the article) if the questions are posted over at /node/643. Accounts are free, too. (I have enabled the registration process to keep the site from filling with spam.)
I've updated the comments in the article to more explicitly point to the need of some DCL commands in the system startup or in a filter-specific startup procedure.
The security auditors love this password character selection stuff. It doesn't work, though. It's akin to reorganizing the deck chairs on the Titanic. Password-based authentication is among the weakest options, and it's particularly bad when combined with telnet and ftp and such; cleartext authentication protocols.
Some related reading:
http://64.223.189.234/node/229
Then...
http://64.223.189.234/node/219 http://64.223.189.234/node/526 http://64.223.189.234/node/832
I've also added a passwords tag to the HL site, and sprinkled it around various of the password-related sites. |
|
|
Thanassis Papadimitriou
|
|
Jan 22, 2009 14:43:18 GMT
N/A: Question Author
|
|
Thank you all,
I kept notes on what I have to do to enable password filtering. The only thing I have to do is to write a command procedure which will include the INSTALL and sysgen invocation. After that I have to update systartup_vms.com to call the newly created procedure at the bottom.
Since you mentioned clear text transmission of passwords over telnet & ftp, does this password filtering work over ssh? |
|
Joseph Huber
|
|
Jan 22, 2009 15:22:46 GMT
10 pts
|
|
Yes of course, if You login via SSH, then everything flowing over this link is encrypted, thus the password in a SET PASSWORD command is encrypted.
This has in particular nothing to do with password policy, it is just the purpose and result of the SSH connection. |
|
|
Thanassis Papadimitriou
|
|
Jan 22, 2009 15:27:26 GMT
N/A: Question Author
|
|
|
In OpenVMS 7.3-1 /pwdmix flag does not exist. Does anybody know if there is an alternative solution for that without the need to upgrade to OpenVMS 7.3-2. /pwdmix flag exists in OpenVMS 7.3-2. |
|
Hoff
|
|
Jan 22, 2009 15:51:38 GMT
10 pts
|
|
There is no supported means to back-port the mixed-case password mechanisms to V7.3-1.
Better to spend the effort here moving forward to V7.3-2 (which itself is ancient, albeit with Prior Version Support still available) or (better) upgrading to the current OpenVMS Alpha V8.3 release.
Moving from V7.3-1 to V8.3 is arguably not a major upgrade for OpenVMS Alpha; there were minor kernel changes all through the range, and the V7 to V8 upgrade did not (on OpenVMS Alpha) involve significant kernel changes. In retrospect, the TQE kernel change from V7.3-1 to V7.3-2 probably caused more ripples than V7 to V8.
OpenVMS Alpha V8.3 also adds external authentication into your local LDAP (Active Directory or Open Directory or otherwise) and various other password-related features. |
|
|
Thanassis Papadimitriou
|
|
Jan 23, 2009 13:42:25 GMT
N/A: Question Author
|
|
When the user logs in OpenVMS 7.3-2 with pwdmix set and VMS$PASSWORD_POLICY is in place then the user is allowed to enter case sensitive passwords and system interprets these passwords as case sensitive.
Is there a way that we can tell somehow OpenVMS 7.3-1 to accept and interpret case sensitive passwords? |
|
Hoff
|
|
Jan 23, 2009 17:17:54 GMT
10 pts
|
|
>Is there a way that we can tell somehow OpenVMS 7.3-1 to accept and interpret case sensitive passwords?
No.
A requirement for mixed-case passwords is not compatible with continued use of OpenVMS Alpha V7.3-1.
AFAIK, there is no back-port available. (This back-port would likely involve changes made to multiple OpenVMS modules and components, too. It's not a single and isolated change.)
Your choice here is between use of uppercase passwords and upgrading OpenVMS Alpha. |
|
|
Thanassis Papadimitriou
|
|
Jan 24, 2009 08:59:27 GMT
N/A: Question Author
|
|
I have a last question.
Regarding UAF.ALPHA_EXE, I observed that I cannot run a query on UAF records with /SELECT=flag=pwdmix.
Also, when I ask to print out the flags a user has, using /DISPLAY=(username,flags), although the /pwdmix flag has been assigned and show user displays pwdmix among the other flags, all the other flags are displayed apart from pwdmix.
Do you know if there is an updated UAF.ALPHA_EXE which may run queries based on flag=pwdmix? |
|
Joseph Huber
|
|
Jan 26, 2009 13:08:12 GMT
10 pts
|
|
You have the complete source, why not update it ? (I myself have no VMS version new enough).
Extract module UAFDEF from sys$library:sys$lib_c.tlb. Look for the flag bits inserted after DISPWDHIS , add the new ones in the files uafcld.cld and uaf_cld.h, @compile. I think that should do it. |
|
Joseph Huber
|
|
Jan 26, 2009 13:18:48 GMT
10 pts
|
|
|
|
Thanassis Papadimitriou
|
|
Jan 26, 2009 15:19:36 GMT
N/A: Question Author
|
|
Pretty good idea..
I downloaded the 3 files from your distribution into my directory,
but unfortunately @compile does not end successfully in creating the new .exe files.
I also downloaded your distribution into a clean directory, but unfortunately @compile did not finish again. |
|
Joseph Huber
|
|
Jan 26, 2009 15:50:19 GMT
10 pts
|
|
|
And would You dare to tell us the error message(s)? |
|
Joseph Huber
|
|
Jan 26, 2009 16:37:45 GMT
10 pts
|
|
If You compile on IA64, get my uaf.zip again with these new files: uaf.c, uafcld.cld, parse_uic.mar.
Save parse_uic.mar beforehand as parse_uic_vax.mar; I just don't know how to make a .not.VAX conditional in macro32. The only diff in the .mar is to call lib$table_parse instead of lib$tparse (see RTL lib$ lib$tparse). |
|
|
Thanassis Papadimitriou
|
|
Jan 27, 2009 07:49:09 GMT
N/A: Question Author
|
|
Of course I will tell you.. it is not a secret!!
I have got only ALPHA server platforms. The displayed error is the following regarding your distribution.
$ dir

Directory SYS$COMMON:[SYSMGR.TEST.UAF2]

$PRVDEF.H;1  AAAREADME.TXT;1  AXP-PORT.TXT;1  CC.OPT;1  COMPILE.COM;1  DESCRIP.MMS;1
DISPLAY.AXP-DIF;1  DISPLAY.C;1  DISPLAY.OBJ;2  DISPLAY.OBJ;1  GCC.OPT;1  GUESS.C;1
GUESS.OBJ;2  GUESS.OBJ;1  GUESS_PASSWORD.C;1  HPWD.MAR;1  INIT_CLI.C;1  LGI$HPWD.C;1
MAKEFILE.;1  PARSE.C;1  PARSE.OBJ;2  PARSE.OBJ;1  PARSE_UIC.AXP-DIF;1  PARSE_UIC.MAR;1
PARSE_UIC.OBJ;2  PARSE_UIC.OBJ;1  SELECT.AXP-DIF;1  SELECT.C;1  SELECT.OBJ;2  SELECT.OBJ;1
STANDARD.AXP-DIF;1  STANDARD.H;1  TEMP.C;1  UAF.AXP-DIF;1  UAF.C;1  UAF.H;1  UAF.HLB;1
UAF.HLP;4  UAF.HLP;3  UAF.HLP;2  UAF.HLP;1  UAF.OBJ;2  UAF.OBJ;1  UAF.RNH;1  UAF.ZIP;1
UAFCLD.CLD;1  UAFDEF.DECC;1  UAF_CLD.AXP-DIF;1  UAF_CLD.H;1  WORDLIST.H;1

Total of 50 files.
$
$ @compile

        $tran tpa$_ident,,,,uic
        ^
%AMAC-E-GENERROR, generated ERROR: 0 $TRAN requires symbols defined in ARCH_DEFS.MAR
-AMAC-I-ATEXPLINE, at macro expansion line 6
at line number 12 in file SYS$COMMON:[SYSMGR.TEST.UAF2]PARSE_UIC.MAR;1
        .ERROR ; $TRAN requires symbols defined in ARCH_DEFS.MAR

        $tran tpa$_ident,,,,uic
        ^
%AMAC-E-IFEXPRNABS, IF expression not absolute
-AMAC-I-ATEXPLINE, at macro expansion line 16
at line number 12 in file SYS$COMMON:[SYSMGR.TEST.UAF2]PARSE_UIC.MAR;1
        .IF NE, IXVMS

        .end
        ^
%AMAC-E-PREVERROR, previous errors prevent further analysis
at line number 40 in file SYS$COMMON:[SYSMGR.TEST.UAF2]PARSE_UIC.MAR;1 |
|
Joseph Huber
|
|
Jan 27, 2009 08:14:01 GMT
10 pts
|
|
No such error on my Alpha 7.3-1 system and IA64 8.3 . What is Your system ? Do You have a symbol MACRO ? (show symbol macro). |
|
|
Thanassis Papadimitriou
|
|
Jan 27, 2009 08:16:25 GMT
N/A: Question Author
|
|
$ show symbol macro
%DCL-W-UNDSYM, undefined symbol - check validity and spelling
$ show system
OpenVMS V7.3-2 |
|
Joseph Huber
|
|
Jan 27, 2009 08:31:15 GMT
10 pts
|
|
Since I have not really changed parse_uic.mar, just replaced lib$tparse by lib$table_parse, try "macro parse_uic_vax", the original.
My only idea is that the default macro command in 7.3-2 is invoking the Alpha assembler, not macro32. Try "macro/migrate parse_uic" to see if that works.
If yes, replace the macro commands in compile.com by macro/migrate. |
|
Joseph Huber
|
|
Jan 27, 2009 08:36:14 GMT
10 pts
|
|
Oh no, I see compile.com already does macro/migrate for alpha and ia64. So the problem must be in the VMS 7.3-2 macro in general or in Your installation specifically.
I assume your previous distribution of uaf.zip was working, except it did not have the newer flags keyword: compare the parse_uic.mar from there with the new one. Does it compile? |
|
Joseph Huber
|
|
Jan 27, 2009 08:46:42 GMT
10 pts
|
|
And BTW, AMAC-E- messages are clearly generated by the Alpha macro assembler, NOT the macro32 (VAX-macro) compiler. I really wonder how You were able to compile before? |
|
|
Thanassis Papadimitriou
|
|
Jan 27, 2009 08:49:56 GMT
N/A: Question Author
|
|
I was not able to compile.
I downloaded an already compiled distribution with .obj and .exe already created. |
|
Joseph Huber
|
|
Jan 27, 2009 09:05:24 GMT
10 pts
|
|
Well then, I have no idea what causes this behaviour. macro/migrate should invoke the macro32 compiler, not the macro64 assembler. Maybe an out-of-the-box Alpha VMS installs it like that? The only thing I can see on my system regarding macro was an installation of macro64 in vmsinstal.history. So maybe this is necessary to invoke the macro32 compiler.
Meanwhile I will add the Alpha object and exe files to my uaf.zip in subdirectory [.alpha]; just wait half an hour ... |
|
|
Thanassis Papadimitriou
|
|
Jan 30, 2009 09:31:33 GMT
N/A: Question Author
|
|
Thank you Joseph!!
I downloaded the compiled kit.. it works!!
One more thing and I believe we are done.
When I issue the following command (find all accounts that are disabled and have the pwdmix flag set):
uafselect2 /select=flag=(DISUSER,PWDMIX) -
    /display=(username,flags)/total
I ask to display the username and flags. I observed that all other flags are displayed except pwdmix, even though it is set.
Please help! |
|
Joseph Huber
|
|
Jan 30, 2009 11:01:07 GMT
10 pts
|
|
Yep, I counted the number of bits wrong: in display.c max_flags is 26 not 25. Change this one number in display.c or get the new obj/exe from my updated uaf.zip . |
|
|
Thanassis Papadimitriou
|
|
Jan 30, 2009 12:06:43 GMT
N/A: Question Author
|
|
|
I got the new obj/exe files, but still pwdmix flag is not displayed. |
|
Joseph Huber
|
|
Jan 30, 2009 12:16:55 GMT
10 pts
|
|
I have no Alpha with a VMS version new enough to test, but on IA64 VMS 8.3 it works:
$ uaf/select=flags=pwdmix /display=(username,flags)
user: DEFAULT    flags: DISUSER,PWDMIX
$ sh sys/noproc
OpenVMS V8.3-1H1 on node DECUSI  30-JAN-2009 13:11:22.66  Uptime 15 18:36:59
And I compiled and linked from the same source on Alpha 7.3-1.
Eventually just link uaf.exe again from the objects in [.alpha] subdirectory.
And You are sure not to use the old version of uaf.exe (see Your uaf symbol), and are testing on the 7.3-2, not on 7.3-1 ? |
|
Joseph Huber
|
|
Jan 30, 2009 12:33:38 GMT
10 pts
|
|
And even on my 7.3-1 system:
MPIW10_HUB> uaf/select=flags=pwdmix /display=(username,flags)
user: DEFAULT    flags: DISUSER,PWDMIX
MPIW10_HUB> sh sys/noproc
OpenVMS V7.3-1 on node MPIW10  30-JAN-2009 13:29:23.30  Uptime 100 22:55:14
You either did not update uaf.zip (web proxy cache not updated), or your uaf command symbol is pointing to an old version. Does "AUTHORIZE SHOW user" show the flag? |
|
|
Thanassis Papadimitriou
|
|
Jan 30, 2009 13:04:19 GMT
N/A: Question Author
|
|
Yes the authorize command displays the flag.
I observed that the files within uaf.zip at your site, when I download it they have a date of 27/1/2009 in ALPHA directory.
Is that correct?
Maybe I redownload the previous version of uaf.zip! |
|
Joseph Huber
|
|
Jan 30, 2009 13:10:00 GMT
10 pts
|
|
No, [.alpha]display.obj and uaf.exe have a date of today. You definitely got the old version from cache. I will try to flush the cache of my web server; retry fetching uaf.zip again in a few minutes, but make sure You use the cache bypass feature of your browser. |
|
Joseph Huber
|
|
Jan 30, 2009 13:54:31 GMT
10 pts
|
|
If it is not possible to bypass cache/proxy, use anonymous FTP to wwwvms.mppmu.mpg.de:
cd /pub/vmssig/archive/u
binary
get uaf.zip |
|
|
Thanassis Papadimitriou
|
|
Feb 2, 2009 08:25:28 GMT
N/A: Question Author
|
|
Hello,
I managed to download the latest version of uaf.zip. It works and displays pwdmix flag.
Thank you all for your effort.
Case is closed. |
|
|
Thanassis Papadimitriou
|
|
Feb 2, 2009 08:29:19 GMT
Thread closed by author
|
|
Using uaf.zip I am able to query authorize by non-standard criteria that uaf itself provides. Hence, I am now able to display all disabled users with pwdmix set, and so on.
Also, I have found code in Macro-32 which allows password complexity to be forced on users. I am able to specify the level of complexity between lower, upper, number and special characters. Very convenient.
Thank you. |
|