The Question is:
I would like to programmatically authorize a VMS user and password against the
OpenVMS system. I currently have all of the user information to do this. I
just need to know what call(s) to the system I need to make to ensure that
this is an existing user_id and verify that I have the correct password. Is
there currently a system
command that I can use that I can feed the user_id and password and get back
some sort of authorization?
The Answer is:

If the user is logged into the system, then there is obviously no
need for this, as the user identity has already been authenticated.

If the user is not logged in and you wish to authenticate the user,
then consider using a login. (At its simplest, this involves a
DCL command such as COPY 0"user password"::_NLA0: _NLA0:, or most
any other RMS operation that triggers a DECnet remote login. This
COPY operation triggers an attempt to access the DECnet FAL object
on the local DECnet host.)

If the user is not currently logged in and cannot be logged in, then
your approach is certainly possible using a trusted application image
and calls to $getuai and $hash_password, but the available services
do not provide a particularly secure approach; you will tend to create
security holes as there are no readily available tie-ins into the
auditing and breakin evasion mechanisms that are used by LOGINOUT.
A nefarious user could use an authentication scheme lacking auditing
and evasion as a mechanism to test potential passwords, of course.

(Any code performing security-relevant operations must enforce and
must maintain system security. This might well seem obvious, but
security can be rather more involved than it might initially
appear. And ANY security-level API will eventually get attacked.)

For distributed authentication, consider the use of Kerberos. Kerberos
is available in OpenVMS V7.3 and later.

OpenVMS Alpha V7.3-1 and later provide authentication services, and
provide for an easy approach for providing evasion and related
support. Please see the V7.3-1 documentation and particularly see
the sys$acm system service documentation for details.

For code examples for older releases, please see the XLOCKMORE and
other related tools. XLOCKMORE is available on the OpenVMS Freeware
distribution.

Related topics include (1461), (1645), (4303), (4612), (4778), (6328),
and various others.
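
The answer's warning about a password check that lacks auditing and breakin evasion, worked through as an added example (not code from the original page, and not OpenVMS or LOGINOUT code). It is a Python model of the two controls a home-grown check would have to supply itself; the class name, policy values, event names and the PBKDF2 stand-in for the system hash routine are all assumptions made for illustration.

```python
import hashlib, hmac, os

# Constructed policy values for illustration; not OpenVMS defaults.
FAIL_LIMIT = 3      # failures tolerated inside WINDOW before evasion starts
WINDOW = 300.0      # seconds over which failures are counted
HIDE_TIME = 600.0   # seconds during which every attempt is refused

def hash_password(password, salt):
    # Stand-in for the system's own password hash routine.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)

def make_user(password):
    salt = os.urandom(16)
    return salt, hash_password(password, salt)

class GuardedAuthenticator:
    def __init__(self, users):
        self.users = users        # username -> (salt, stored hash)
        self.failures = {}        # (source, username) -> failure timestamps
        self.evading_until = {}   # (source, username) -> end of evasion
        self.audit = []           # (time, source, username, event)

    def check(self, source, username, password, now):
        key = (source, username)
        if now < self.evading_until.get(key, 0.0):
            # During evasion even the correct password is refused, so the
            # caller learns nothing from further guesses.
            self.audit.append((now, source, username, "REJECTED_EVASION"))
            return False
        # Hash for unknown users too, so timing does not reveal existence.
        salt, stored = self.users.get(username, (b"\0" * 16, b""))
        ok = hmac.compare_digest(hash_password(password, salt), stored)
        if ok:
            self.failures.pop(key, None)
            self.audit.append((now, source, username, "LOGIN_OK"))
            return True
        recent = [t for t in self.failures.get(key, []) if now - t < WINDOW]
        recent.append(now)
        self.failures[key] = recent
        self.audit.append((now, source, username, "LOGIN_FAILURE"))
        if len(recent) >= FAIL_LIMIT:
            self.evading_until[key] = now + HIDE_TIME
            self.audit.append((now, source, username, "EVASION_STARTED"))
        return False
```

Without the evasion branch and the audit list, check() reduces to a bare hash comparison that answers every guess truthfully and leaves no record, which is the password-testing mechanism the answer describes.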