
List:       samba-vms
Subject:    RE: Password Changing from Win95
From:       LNUSSAT.JMALMBER () eds ! com
Date:       1998-06-18 20:04:58

There is a document called LOGINOUT CALLOUTS, that I think is in the MADGOAT
archives that documents some of the stuff needed to do that.  I have not done
anything to validate the information contained in the document.  I do not know
what versions of VMS it applies to either.


Microsoft has also documented security APIs that allow a custom DLL to be
used, that will receive the plain text password from the login sequence.  The
DLL can then use that PASSWORD as it wishes.  It all appears to run on the
client side, not the server, so that if the password is reset through user
manager, the DLL would not have any knowledge of it until the user logs in
again.

Both of these solutions require compiling a program.



Quick and Dirty HACK #1:

Create a captive VMS account named PASSWORD.  When a user logs into it, request
their NT ID and then their LAN password.
Use the SMBCLIENT to verify them.  If passed, use the SET PASSWORD command to
set the VMS password.



Quick and Dirty HACK #2:  (For those who are adventuresome)

1. Patch the SYLOGIN.COM procedure to check for NETWORK access.  Check the
username coming in to make sure that it is the same as the account coming in.
If not check the proxy data base or an exception database, to see if it is
allowed.
This step disabled all non-proxied access into your system, including through
RSH/REXEC on TCP/IP.

It is important that you get the above step right and verify that it works to
keep your security intact.

If you have disabled your DECNET default account, and not done the above, and
you think that you have secured your system,  you are living in ignorance of
what the user community does to get around that.


2. Add a command procedure for INTERACTIVE TERMINAL logins only.  Some special
handling is needed for DEC WINDOWS session starting.  Check for logical name
DECW$DOING_SESSION.

For DECW$DOING_SESSION, check to see if your f$getjpi("","MASTER_PID") is the
same as f$getjpi("","PID"), then create a DECTERM with CREATE/TERM/WAIT that
will run the command procedure, to get the proper dialog.

(while you are there in SYLOGIN, add a $set working_set command to reset the
throttled back quotas for your session manager to run a little faster.)

You must make sure that the user is an INTERACTIVE TERMINAL.  The
F$GETDVI("SYS$COMMAND","TRM") is the method to use, not the method that DEC
published that checks for a number of terminal types.  (I wonder when the
DECWindows people will start to read the Current OpenVMS manuals.  Based on
their DCL code, they seem to be working off of a V3.X set)

For INTERACTIVE TERMINALS only, have the procedure prompt for the LAN
password.  Use SMBCLIENT to verify that it works.  If not, give it 2 more
tries, and then log the user off.

If they succeed let them come in.


3. Then remove the VMS password from these accounts.  SCARY, SCARY, SCARY.
Definitely not for the SYSTEM account.

Removing the VMS password disables remote FTP access to the account for UCX,
sorry I do not know about other packages.  More work may be required there.
Test this for UCX as your version and patch of the month may be different than
mine.

If you do not understand how to do these steps from the instructions above then
you probably should not do them.

Before doing these steps, test and evaluate the level of security needed for
your site.

I am doing something similar to this but not exactly the same with the
PATHWORKS product to eliminate password sharing on maintenance accounts.  I am
using more than DCL code to ensure security, and improve performance.

IMPORTANT NOTE:
Use any of the above techniques at your own risk, I cannot warrant them to
be totally secure.

-John





         SAMBAVMS [INET.SAMBAVMS] @ DIAMOND
        06/17/98 04:51 AM


To:  SAMBAVMS [INET.SAMBAVMS] @ DIAMOND
cc:
Subject: RE: Password Changing from Win95

| Can Samba for VMS (current version) be used to change a user's VMS password?
| Our configuration is Win95 clients connecting to an NT Domain and a single
| Alpha VMS system running SAMBA.  There are currently 6 passwords for each
| user and I am attempting to both cut down the number of passwords and also
| keep the remaining ones synchronized.

*No. Though this might be not too difficult, we've either just to setup
*smb.conf correctly to use $SET PASSWORD or if this does not work, we
*have to write a small set-password program. Someone else should
*investigate this.

| A related question is can SAMBA be used to provide VMS EXTERNAL
| authentication - a la Pathworks V6?  I don't want to run Pathworks because
| of the client cost.

*No. This would be an extra project. Anyone who wants to do that?

*Eckart
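
Added example, not part of the original message: a DCL sketch of the interactive-terminal check from step 2 of "Quick and Dirty HACK #2" (three attempts, then logout), written so that every failure path ends in LOGOUT rather than letting the login continue. The procedure name LAN_CHECK.COM and the wrapper VERIFY_LAN_PW.COM around SMBCLIENT are assumptions; the DECW$DOING_SESSION handling and the step 1 network checks are left out.

```dcl
$! LAN_CHECK.COM -- added sketch, invoked from SYLOGIN.COM as
$!     $ @SYS$MANAGER:LAN_CHECK
$! ASSUMPTION: SYS$MANAGER:VERIFY_LAN_PW.COM is a hypothetical site-written
$! wrapper around SMBCLIENT.  It reads the symbols LAN_USER and LAN_PW and
$! exits with a success (odd) status only if the NT domain accepts them.
$!
$ SET NOON                      ! no default "exit on error": every failure
$                               ! path below must end in LOGOUT, not EXIT
$ IF F$MODE() .NES. "INTERACTIVE" THEN EXIT
$ IF .NOT. F$GETDVI("SYS$COMMAND","TRM") THEN EXIT
$ SET NOCONTROL=Y               ! Ctrl/Y must not abort the check
$ lan_user = F$EDIT(F$GETJPI("","USERNAME"),"TRIM")
$ tries = 0
$ASK:
$ tries = tries + 1
$ SET TERMINAL/NOECHO
$ READ/PROMPT="LAN password: "/END_OF_FILE=DENY/ERROR=DENY SYS$COMMAND lan_pw
$ SET TERMINAL/ECHO
$ WRITE SYS$OUTPUT ""
$ @SYS$MANAGER:VERIFY_LAN_PW
$ ok = $STATUS                  ! odd = accepted; a missing wrapper is even
$ DELETE/SYMBOL lan_pw          ! do not keep the password in a symbol
$ IF ok THEN GOTO ALLOW
$ IF tries .LT. 3 THEN GOTO ASK ! first try plus "2 more tries"
$DENY:
$ SET TERMINAL/ECHO
$ WRITE SYS$OUTPUT "LAN password not verified, logging out."
$ LOGOUT
$ALLOW:
$ SET CONTROL=Y
$ EXIT
```

With SET NOON in effect, a missing or failing wrapper leaves an even status in $STATUS, so the user is denied rather than admitted.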
