Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Path: utzoo!watmath!clyde!rutgers!ames!ucbcad!ucbvax!CITHEX.CALTECH.EDU!carl
From: carl@CITHEX.CALTECH.EDU.UUCP
Newsgroups: mod.computers.vax
Subject: Re: PASSWORD VERIFICATION PROCEDURES
Message-ID: <870210001918.00o@CitHex.Caltech.Edu>
Date: Tue, 10-Feb-87 03:19:18 EST
Article-I.D.: CitHex.870210001918.00o
Posted: Tue Feb 10 03:19:18 1987
Date-Received: Wed, 11-Feb-87 07:16:23 EST
Sender: daemon@ucbvax.BERKELEY.EDU
Organization: The ARPA Internet
Lines: 61
Approved: info-vax@sri-kl.arpa
In-Reply-To: Your message dated 9-Feb-1987
To: GEOFFRIL%UNION.BITNET@wiscvm.wisc.edu, @CitHex.Caltech.Edu, info-vax@CitHex.Caltech.Edu

In place of your procedure, which went:

$! first we prompt for the username and password
$ inquire name "Username"
$ set terminal/noecho ! don't echo password to screen
$ inquire pwd "Password"
$ set terminal/echo
$ write sys$output "Validating your password... please wait"
$! now use DECNET to access a public directory that contains
$! nothing that is secret... (our node happens to be "amy")
$ dir/output=temp.tmp amy"''name' ''pwd'"::sys$sysdevice:[public]
$ if .not. $status then goto reject

I'd suggest something of the form:

$ set noon !avoid abnormal exit
$ control = f$environment("CONTROL")
$ set nocontrol_y !and don't let the user abort the procedure
$! first we prompt for the username and password using read instead
$! of inquire so that the password isn't in the recall buffer
$ read/prompt="Username: " sys$command name
$ set terminal/noecho ! don't echo password to screen
$ read/prompt="Password: " sys$command pwd
$ set terminal/echo
$ write sys$output "Validating your password... please wait"
$! now use DECNET to create a file on the null device - no cleanup
$! is required this way
$ create sys$node"''name' ''pwd'"::nl:
$ status = $status
$ delete/symbol pwd ! get rid of the password fast
$ delete/symbol name
$ set control=('control') ! restore control-y if appropriate
$ if .not. status then goto reject

The reasons for my recommended changes:

1) INQUIRE stores whatever gets typed in the recall buffer (DEC has indicated willingness to make it easy to flush the recall buffer in a future release of VMS). This means that a few control-B's will show the password that was used. READ doesn't place the result in the recall buffer.

2) Since the symbols pwd and name are accessible if the user interrupts out of the procedure, you must disable control-y until you've deleted the pwd symbol. It's nice to restore it when you're done, though; hence the use of F$ENVIRONMENT to determine the original setting.

3) Use of the logical name SYS$NODE makes the procedure more portable; in fact, it can be used from any machine on your DECnet without making additional copies.

4) If you create a file on the null device, there's no cleanup necessary; also, it doesn't require that any directories exist, and is thus more portable.

This procedure is considerably tighter than the one you are currently using; however, I make no claims as to how tight it actually is in an absolute sense.

By the way, if the users of this program are as lax about privileged jobs as you indicated, I highly recommend that you write some short timeouts into whatever this code is supposed to protect, so that they can't abandon the terminal in the middle of the privileged program.

I still don't see how this procedure can grant selective access to a privileged program. What you seem to need to do is permit the program to be run only by a select group of users, and then only via a network job. Thus, instead of creating the file on the null device, you'd run the appropriate program (as a task).
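As an added example (not part of carl's posting), here is the recommended procedure carried through to a complete command file: the four points above (READ instead of INQUIRE, Control-Y disabled while the password symbol exists, SYS$NODE for portability, a null-device target needing no cleanup) plus a reject path and an abort path that still deletes the symbols and restores echo and Control-Y when the password prompt is abandoned. The /TIME_OUT value, the label names, the exit codes and the messages are this example's own choices, not the original author's.

```dcl
$! verify_user.com -- added example, not from the original posting.
$! Checks a username/password pair through a DECnet null-device access
$! and leaves no copy of the password in a symbol or the recall buffer.
$ set noon                                    ! handle errors ourselves
$ control = f$environment("CONTROL")          ! remember the Ctrl-Y setting
$ set nocontrol_y                             ! no interrupting while pwd exists
$ read/prompt="Username: " sys$command name   ! READ keeps it out of recall
$ set terminal/noecho                         ! keep the password off the screen
$! Assumed addition: give up if nothing is typed within 60 seconds or the
$! user presses Ctrl-Z; /ERROR also catches end-of-file when /END_OF_FILE
$! is not given, so both cases go to the abort label.
$ read/prompt="Password: "/time_out=60/error=abort sys$command pwd
$ set terminal/echo
$ write sys$output "Validating your password... please wait"
$ create sys$node"''name' ''pwd'"::nl:         ! null device: nothing to delete
$ status = $status                             ! capture before anything else runs
$ delete/symbol pwd                            ! destroy the password immediately
$ delete/symbol name
$ set control=('control')                      ! restore Ctrl-Y as it was
$ if .not. status then goto reject
$ write sys$output "Password verified."
$ exit 1                                       ! SS$_NORMAL
$!
$ abort:
$ set terminal/echo                            ! never leave the terminal in NOECHO
$ if f$type(pwd) .nes. "" then delete/symbol pwd
$ if f$type(name) .nes. "" then delete/symbol name
$ set control=('control')
$ write sys$output "No password entered; giving up."
$ exit 2
$!
$ reject:
$ write sys$output "Username or password not accepted."
$ exit 2
```

The abort label exists because, with Control-Y disabled, a timed-out or Ctrl-Z'd READ is the only way left to leave the prompt; without it the procedure would still try the DECnet access with an undefined pwd symbol. The F$TYPE checks make the symbol deletion safe whichever of the two reads failed.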