Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Path: utzoo!watmath!clyde!cbatt!ucbvax!LLL-ICDC.ARPA!oberman%icaen.DECnet
From: oberman%icaen.DECnet@LLL-ICDC.ARPA.UUCP
Newsgroups: mod.computers.vax
Subject: Password verification
Message-ID: <8702102313.AA22451@ucbvax.Berkeley.EDU>
Date: Tue, 10-Feb-87 11:44:00 EST
Article-I.D.: ucbvax.8702102313.AA22451
Posted: Tue Feb 10 11:44:00 1987
Date-Received: Wed, 11-Feb-87 19:59:43 EST
Sender: daemon@ucbvax.BERKELEY.EDU
Reply-To: "ICAEN::OBERMAN" <oberman%icaen.decnet@lll-icdc.arpa>
Organization: The ARPA Internet
Lines: 35
Approved: info-vax@sri-kl.arpa

>One of the INFO-VAX respondents suggested that we use DECnet instead of
>wasting time writing a procedure call.
>    The following piece of DCL works fine and does not require publishing
>anything about the encryption formulas.  It also logs bad passwords as logfails
>inthe accounting files, making it possible to trace breakin attempts. 
> 
>$!  first we prompt for the username and password
>$ inquire name "Username"
>$ set terminal/noecho      !  don't echo password to screen
>$ inquire pwd "Password"
>$ set terminal/echo
>$ write sys$output "Validating your password... please wait"
>$!   now use DECNET to access a public directory that contains
> !   nothing that is secret... (our node happens to be "amy"
>$ dir/output=temp.tmp amy"''name' ''pwd'"::sys$sysdevice:[public]
>$ if .not. $status then goto reject
> 
>Later in your code, you can delete the file  temp.tmp
> 
>This procedure is a bit slow since DECnet has to go out on the net anc
>back in, but it sure is simple.  We find it adequate for programs that are
>not frequently used...  In conjunction with ACL protection, it makes for
>a very tight procedure.

This procedure has a serious problem. The INQUIRE command leaves the password
in the DCL recall buffer. Any time security is important, such as when a
password is being entered, use a READ/PROMPT command. In fact, because of
limitations in the INQUIRE command I routinely use the READ/PROMPT command
in all command procedures.

					R. Kevin Oberman
					LLNL
					arpa: oberman@lll-icdc.arpa
					(415) 422-6955
------