HP OpenVMS Systems

ask the wizard
Content starts here

Password-based User Authentication?

» close window

The Question is:

I would like to programmatically authorize a VMS user and password against the
 OpenVMS system.  I currently have all of the user information to do this.  I
 just need to know what call(s) to the system I need to make to ensure that
 this is an existing user
_id and verify that I have the correct password.  Is there currently a system
 command that I can use that I can feed the user_id and password and get back
 some sort of authorization?

The Answer is :

  If the user is logged into the system, then there is obviously no
  need for this, as the user identity has already been authenticated.
  If the user is not logged in and you wish to authenticate the user,
  then consider using a login.  (At its simplest, this involves a
  DCL command such as COPY 0"user password"::_NLA0: _NLA0:, or most
  any other RMS operation that triggers a DECnet remote login.  This
  COPY operation triggers an attempt to access the DECnet FAL object
  on the local DECnet host.)
  If the user is not currently logged in and cannot be logged in, then
  your approach is certainly possible using a trusted application image
  and calls to $getuai and $hash_password, but the available services
  do not provide a particularly secure approach; you will tend to create
  security holes as there are no readily available tie-ins into the
  auditing and breakin evasion mechanisms that are used by LOGINOUT.
  A nefarious user could use an authentication scheme lacking auditing
  and evasion as a mechanism to test potential passwords, of course.
  (Any code performing security-relevent operations must enforce and
  must maintain system security.  This might well seem obvious, but
  security can be rather more involved than it might initially
  appear.  And ANY security-level API will eventually get attacked.)
  For distributed authentication, consider the use of Kerberos.  Kerberos
  is available in OpenVMS V7.3 and later.
  OpenVMS Alpha V7.3-1 and later provide authentication services, and
  provides for an easy approach for providing evasion and related
  support.  Please see the V7.3-1 documentation and particularly see
  the sys$acm system service documentation for details.
  For code examples for older releases, please see the XLOCKMORE and
  other related tools.  XLOCKMORE is available on the OpenVMS Freeware
  Related topics include (1461), (1645), (4303), (4612), (4778), (6328),
  and various others.

answer written or last revised on ( 9-SEP-2002 )

» close window