Path: utzoo!mnetor!uunet!husc6!bbn!rochester!rutgers!bellcore!faline!ulysses!mhuxt!ihnp4!homxb!mtuxo!mtune!codas!ufcsv!beach.cis.ufl.edu!jmb
From: jmb@beach.cis.ufl.edu (John M Boof)
Newsgroups: comp.os.vms
Subject: Re: USER ID PASS VALIDATION ON VMS
Message-ID: <9909@ufcsv.cis.ufl.EDU>
Date: 23 Dec 87 01:11:56 GMT
References: <8712192213.AA27374@ucbvax.Berkeley.EDU> <13592@beta.UUCP>
Sender: news@ufcsv.cis.ufl.EDU
Reply-To: jmb@beach.cis.ufl.edu (John M Boof)
Organization: UF CIS Department
Lines: 27

In the above-referenced article, mbr@beta.UUCP (Mike Rose) writes:
>In article <8712192213.AA27374@ucbvax.Berkeley.EDU> IMHW400@INDYVAX.BITNET writes:
>>May I point out that, if HPWD is documented then the security hole is already
>>there. Anybody with access to the 'fiche can just recode it.
>
>That is not true. The hole is only there when you can somehow inquire
>if a password is correct for a particular username. A non-privileged
>user recoding the algorithm has nothing, since they cannot obtain the
>hashed version of the correct password from the uaf.

Ah, but GETUAI will give the hashed password and all UAF information for
any user in your Group ID (UIC) - at least on the VAXes I have used. This
caused quite a scare for some, since there are many devious-minded users
on our main VAX. It has been taken care of on this one cluster, but other
VAXes I use will still let you get that info.

...JMBoof
_________________________
in order of preference:
darpa-internet: VAX/VMS: boof%oak.decnet@pine.circa.ufl.edu or boof@pine.circa.ufl.edu
uucp: Gould,UNIX: ... !ihnp4!codas!ufcsv!beach.cis.ufl.edu!jmb
bitnet: VAX/VMS: boof@ufpine or boof@ifasgnv
IBM CMS: $$$YEQ#@NERVM
_________________________