Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Path: utzoo!watmath!clyde!rutgers!ucla-cs!ames!ucbcad!ucbvax!UNION.BITNET!GEOFFRIL
From: GEOFFRIL@UNION.BITNET.UUCP
Newsgroups: mod.computers.vax
Subject: PASSWORD VERIFICATION PROCEDURES
Message-ID: <8702100603.AA02948@ucbvax.Berkeley.EDU>
Date: Mon, 9-Feb-87 15:20:00 EST
Article-I.D.: ucbvax.8702100603.AA02948
Posted: Mon Feb 9 15:20:00 1987
Date-Received: Wed, 11-Feb-87 05:48:58 EST
Sender: daemon@ucbvax.BERKELEY.EDU
Organization: The ARPA Internet
Lines: 42
Approved: info-vax@sri-kl.arpa

As the person who caused much of the recent debate over publishing the password encryption routine, I thought you might like to see a very simple solution to the need for password verification.

In my original problem, I had a privileged command that I wanted to protect further by asking the user to reenter his/her password. This would prevent someone else running the program by stepping up to the terminal while the proper user is away from the desk. This is a consideration when we develop programs for our student consultants who often need to step away from their station to help a user in distress. Our consultants are not very security conscious and ignore instructions not to leave a privileged terminal unattended.

One of the INFO-VAX respondents suggested that we use DECnet instead of wasting time writing a procedure call. The following piece of DCL works fine and does not require publishing anything about the encryption formulas. It also logs bad passwords as logfails in the accounting files, making it possible to trace breakin attempts.

$! first we prompt for the username and password
$ inquire name "Username"
$ set terminal/noecho                    ! don't echo password to screen
$ inquire pwd "Password"
$ set terminal/echo
$ write sys$output "Validating your password... please wait"
$! now use DECNET to access a public directory that contains
$! nothing that is secret... (our node happens to be "amy")
$ dir/output=temp.tmp amy"''name' ''pwd'"::sys$sysdevice:[public]
$ if .not. $status then goto reject

Later in your code, you can delete the file temp.tmp

This procedure is a bit slow since DECnet has to go out on the net and back in, but it sure is simple. We find it adequate for programs that are not frequently used... In conjunction with ACL protection, it makes for a very tight procedure.

Leo Geoffrion, Skidmore college
GEOFFRIL@UNION.BITNET
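The same DECnet-based check, as an added example that is not part of the original post, wrapped so that a Ctrl-Y during the password prompt cannot leave the terminal in /NOECHO and the temporary listing file is always removed; the node name "amy", the [public] directory and the label names are assumptions carried over from the post.

```dcl
$! Added example (not from the original post): DECnet password check
$! with cleanup. Assumes node "amy" and a world-readable [public]
$! directory on sys$sysdevice, as in the post.
$ set noon                               ! we test $status ourselves
$ on control_y then goto cleanup         ! Ctrl-Y must still restore echo
$ inquire name "Username"
$ set terminal/noecho                    ! do not echo the password
$ inquire pwd "Password"
$ set terminal/echo
$ write sys$output "Validating your password... please wait"
$!
$! A rejected access control string is recorded as a LOGFAIL in the
$! accounting file, so repeated rejections can be traced later.
$ dir/output=temp.tmp amy"''name' ''pwd'"::sys$sysdevice:[public]
$ status = $status                       ! save before any other command
$ pwd = ""                               ! drop the password symbol now
$ if .not. status then goto reject
$ write sys$output "Password accepted"
$! ... the privileged work protected by this check goes here ...
$ goto cleanup
$reject:
$ write sys$output "Password rejected"
$cleanup:
$ set terminal/echo                      ! safe even if echo is already on
$ if f$search("temp.tmp") .nes. "" then delete temp.tmp;*
$ exit
```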