Re: Any Way to Validate Username & Password from an Application?



Craig Dedo wrote:
Everyone:
Is there any way to validate a username and password from an
application? We need to have this functionality in one of our OpenVMS
applications.

The application program has a variety of application-defined
advanced privileges, e.g., granting certain kinds of exceptions to the
usual business rules. At the time such privileges need to be used, it
is necessary to validate the username and password for several reasons.

VMS identifiers (rights) granted to users are ideal for this - you can set real protections using them, as well as program behaviours, security audits and alarms, etc.
We use rights (both positive and negative), and find them at run-time with $find_held (system service).

If you really want the entry of a password, it is doable, but you need to use all the right services, and make sure you do proper VMS intrusion detection, evasion, auditing, etc.
See $getuai, $hash_password, $audit_event, $scan_intrusion (from a module originally written in '92, so perhaps not entirely current - I think it's probably got easier since then).

These include:
1. Regulatory and audit trail requirements.
2. Warning to privileged users that they are about to do a
privileged task.
3. Ordinary users often don't have the required privilege for the
task and need a supervisor or specialist to do it for them.

Right now, we are using a hack in order to get this functionality.
After the user enters the required username and password, we do a
directory search of the default directory using a fully-qualified node
name with access control string. The command is of the form:
$ DIR NODE"USERNAME PASSWORD"::SYS$LOGIN:*.*

I was wondering if there was a more elegant method, e.g., some kind
of OpenVMS API procedure.

I suppose an RMS $search would do the equivalent without the overhead of a subprocess.

I have already done some homework. I looked in the Run Time
Library (LIB$), System Services Library (SYS$), and Utility Routines
LOGINOUT procedures (LGI$) without finding anything that provides what
I need. I am wondering what, if anything, I have overlooked.

It's all in SYS$.

Chris