Path: utzoo!mnetor!uunet!husc6!necntc!ames!hc!beta!mbr
From: mbr@beta.UUCP (Mike Rose)
Newsgroups: comp.os.vms
Subject: Re: USER ID PASS validation on VMS
Message-ID: <13497@beta.UUCP>
Date: 18 Dec 87 19:08:09 GMT
References: <355@siemens.UUCP> <8712171512.AA06909@mitre.arpa>
Reply-To: mbr@beta.UUCP (Mike Rose)
Organization: Los Alamos Natl. Labs, Los Alamos, NM
Lines: 37

In article <1288@inco.UUCP> fennell@inco.UUCP (Tim Fennell) writes:
>>> I need to find a VMS utility that will allow me to
>>> validate a User ID and password.

Someone, somewhere else writes
>>Their [DEC] response was "We do not support this,
>>and never will, because it is a possible security loophole."

In article <8712171512.AA06909@mitre.arpa> art@MITRE.ARPA (Art McClinton) writes:
>Stating that it is a security hole is a cop-out by the DECie that did not
>know how to do it.

I doubt that is the case. It is very easy to do, provided you leave a
security hole. The routine HPWD.MAR in the fiche will hash a password; this
can then be compared to the password(s) in the UAF with the $getuai system
service. The security hole is that someone can then try lots of different
passwords for a username without the intrusion detection system getting
fired up or the attempts being logged.

HPWD.MAR is documented, though poorly. (It has a 4 word description of each
parameter required.) I have routines that call it and check passwords, etc.,
and will mail them to anyone. Unfortunately they are useless without the
source code for HPWD.MAR, which I won't post because I don't know if it's
legal to do so. There is no global entry point for LGI$HPWD.

>It is possible to use DECnet to open a logical link to a process using the
>username and password.

Yes, it is possible. Starting up processes is a real CPU hog though. Also, if
you are using usernames with two passwords only the first password is checked
on network logins. The second is ignored.

Mike Rose
mbr@lanl.gov
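
The gap described in the post above, as an added example that is not part of the original post and not the poster's routines: a bare hash-and-compare check next to the same check wrapped with failure counting, lockout and an audit trail. All names (`toy_hash`, `UAF`, `naive_check`, `GuardedChecker`) are hypothetical, the user table is constructed, and PBKDF2 is a stand-in for the system hash, not the VMS algorithm.

```python
import hashlib, hmac, time

def toy_hash(username, password):
    # Assumption: PBKDF2 stands in for the system hash; it is NOT the VMS algorithm.
    return hashlib.pbkdf2_hmac("sha256", password.encode(),
                               username.upper().encode(), 10_000)

# Constructed sample "authorization file": username -> stored hash.
UAF = {"SMITH": toy_hash("SMITH", "correct horse")}

def naive_check(username, password):
    """Bare hash-and-compare: nothing is counted, nothing is logged."""
    candidate = toy_hash(username, password)
    stored = UAF.get(username.upper())
    return stored is not None and hmac.compare_digest(stored, candidate)

class GuardedChecker:
    """Same comparison, plus failure counting, lockout and an audit trail."""
    def __init__(self, max_failures=3, lockout_seconds=300, clock=time.monotonic):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.clock = clock
        self.failures = {}  # username -> (consecutive failures, time of last one)
        self.audit = []     # (time, username, outcome) for every attempt

    def check(self, username, password):
        user, now = username.upper(), self.clock()
        count, last = self.failures.get(user, (0, 0.0))
        if count >= self.max_failures:
            if now - last < self.lockout_seconds:
                # Locked: refuse without evaluating the guess, but still record it.
                self.audit.append((now, user, "LOCKED"))
                return False
            count = 0  # lockout expired, start counting again
        ok = naive_check(user, password)
        if ok:
            self.failures.pop(user, None)
        else:
            self.failures[user] = (count + 1, now)
        self.audit.append((now, user, "OK" if ok else "FAIL"))
        return ok

if __name__ == "__main__":
    guard = GuardedChecker()
    for guess in ["a", "b", "c", "correct horse"]:
        print(guess, guard.check("smith", guess))
    print([outcome for _, _, outcome in guard.audit])
```

While the lockout is active even the correct password is refused, and every attempt, including refused ones, leaves an audit record that a reviewer can inspect.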