HP OpenVMS Systems: Ask the Wizard
The Question is:

Our environment consists of banking tellers/users logging into the banking application using OpenVMS usernames and passwords. We will be adding a client server application that will allow a client application to access certain data on the OpenVMS application through a server process. We would like the client application to pass the OpenVMS username/password to the server process in order to authenticate them to the system. The question we have is what is the best way to validate the OpenVMS username/password? I suspect it could be done with a combination of $GETUAI and $HASH_PASSWORD but that would involve being able to replicate all the rules that OpenVMS uses to authenticate a user (like is the DISUSER flag set, etc.). Is there an easier way to do this?

The Answer is:

Calls to sys$getuai followed by a call to sys$hash_password would suffice, though a call to sys$scan_intrusion is also recommended. A simpler interface for performing user authentication is planned for inclusion in a release after OpenVMS V7.2.

Another approach would be to use a more secure authentication scheme than passing clear-text passwords over the network -- your proposed scheme would require the user to respecify the password, or it would require you to maintain a local copy of the cleartext password with all the attendant risks of exposure.

As for schemes that you may want to check: MD5 (RFC1321) might be of interest here, as may be the DCE security services and some of the current and planned work in support of authenticated RPC. Datalink or other encryption may also be of interest here. In other words, if your network is sufficiently secure from snooping that a cleartext password is not a potentially serious exposure, then you probably don't need to perform the password operation to begin with. (Proxies or similar approaches will work nicely, in other words.)
If the passwords are a risk, then you will want to consider other approaches in addition to the proposed transmission of a cleartext password.
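The check sequence the Wizard outlines (sys$getuai, sys$hash_password, compare, sys$scan_intrusion), modelled as an added example that is not the Wizard's code or OpenVMS's: the three services and the UAF are replaced by constructed stand-ins, the hash is HMAC-SHA256 rather than the OpenVMS password algorithm, and the point is the rules around the compare (DISUSER, expiry, intrusion state) that the question worried about.

```python
# Added example: a model of getuai -> hash_password -> compare -> scan_intrusion.
# sys$getuai, sys$hash_password and sys$scan_intrusion are constructed stand-ins;
# the hash is HMAC-SHA256, NOT OpenVMS's own password algorithm.
import hashlib
import hmac
from dataclasses import dataclass

DISUSER = 0x1        # constructed stand-in for the UAF DISUSER flag
PWD_EXPIRED = 0x2    # constructed stand-in for a "password expired" condition
INTRUSION_LIMIT = 3  # failures from one source before it counts as evading
_failures: dict = {}  # constructed stand-in for the intrusion database


@dataclass
class UafRecord:  # the fields sys$getuai would return for a user
    username: str
    salt: bytes
    pwd_hash: bytes
    flags: int


def hash_password(password: str, salt: bytes, username: str) -> bytes:
    """Stand-in for sys$hash_password: same inputs, a different algorithm."""
    return hmac.new(salt, (username.upper() + password).encode(), hashlib.sha256).digest()


def make_record(username: str, password: str, flags: int = 0) -> UafRecord:
    salt = hashlib.sha256(username.upper().encode()).digest()[:2]  # constructed salt
    return UafRecord(username.upper(), salt, hash_password(password, salt, username), flags)


# Constructed UAF: one usable account, one with DISUSER set.
UAF = {r.username: r for r in (make_record("TELLER1", "correct horse"),
                               make_record("TELLER2", "x", DISUSER))}


def authenticate(username: str, password: str, source: str) -> tuple:
    """Return (accepted, reason); every refusal is also fed to the intrusion model."""
    username = username.upper()
    key = (username, source)
    if _failures.get(key, 0) >= INTRUSION_LIMIT:
        return False, "EVADING"  # a real sys$scan_intrusion call would report evasion here
    rec = UAF.get(username)
    ok = rec is not None and not rec.flags & (DISUSER | PWD_EXPIRED) and hmac.compare_digest(
        hash_password(password, rec.salt, username), rec.pwd_hash)
    if ok:
        _failures.pop(key, None)  # success clears the source's failure count
        return True, "OK"
    _failures[key] = _failures.get(key, 0) + 1
    if rec is None:
        return False, "NOSUCHUSER"
    if rec.flags & DISUSER:
        return False, "DISUSER"
    if rec.flags & PWD_EXPIRED:
        return False, "PWDEXPIRED"
    return False, "INVPWD"
```

Note that a correct password is still refused once the flags or the intrusion state say so, which is exactly the set of rules a bare hash compare would skip.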