21-Jul-2004

Password policies

A password filter is a module that can reject certain passwords when a user attempts to set a new password with the $ SET PASSWORD command.

An example of a password filter would be one that ensures a new password contains at least one digit and meets a minimum length.

Here's how to install/deinstall one.

A password filter needs to be coded as a shareable image. The code to implement one can be as straightforward as this:



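#include <stdio.h>
#include <ssdef.h>
#include <descrip.h>
#include <ctype.h>

/* TRUE and FALSE are not supplied by the headers above */
#ifndef TRUE
#define TRUE 1
#define FALSE 0
#endif

/* Placeholder type for the quadword (64-bit) password hash */
struct quad { int :32, :32; };

/*
 * Called with the proposed plaintext password.
 * Return SS$_PWDWEAK to reject it, SS$_NORMAL to accept it.
 */
extern unsigned long int POLICY_PLAINTEXT
                (struct dsc$descriptor_s *password_d,
                 struct dsc$descriptor_s *username_d) {

char *p;
unsigned short int i;
char found_digit;

    found_digit = FALSE;

    /* The descriptor is length-counted; the string is not NUL-terminated */
    p = (char *)password_d->dsc$a_pointer;

    /* Accept a digit, '$' or '_' as the required non-alphabetic character */
    for (i = 0; i < password_d->dsc$w_length; i++) {
        if ((isdigit ((unsigned char)*p)) || (*p == '$') || (*p == '_')) {
            found_digit = TRUE;
            break;
        }
        p++;
    }

    /* Reject passwords without such a character or shorter than 6 characters */
    if ((!found_digit) ||
        (password_d->dsc$w_length < 6)) {
        return SS$_PWDWEAK;
    } else {
        return SS$_NORMAL;
    }
}

/*
 * Called with the hashed password (passed by reference) and the username
 * (passed by descriptor). This filter accepts every hash.
 */
extern unsigned long int POLICY_HASH (struct quad *hash,
                                      struct dsc$descriptor_s *username_d) {

    return SS$_NORMAL;
}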

To build this on an Alpha, put the code in a file called VMS$PASSWORD_POLICY.C, compile it, link it as a shareable image, install the resulting image, and set a SYSGEN parameter to switch it on:



$ cc vms$password_policy
$ link/share vms$password_policy,sys$input/option
gsmatch=always,1,0
symbol_vector=(policy_hash=procedure, policy_plaintext=procedure)
^Z
$ copy/prot=w:re vms$password_policy.exe sys$common:[syslib]
$ install add sys$share:vms$password_policy/open/header/share
$ mcr sysgen
SYSGEN> USE ACTIVE
SYSGEN> SET LOAD_PWD_POLICY 1
SYSGEN> WRITE ACTIVE
SYSGEN> EXIT
$

Obviously, you must include the install in the system startup so the image is reinstalled at boot, and you must make the SYSGEN changes permanent, preferably by adding them to MODPARAMS.DAT and performing an AUTOGEN.

And that's it.

To disable the policy, set the SYSGEN parameter LOAD_PWD_POLICY to zero and WRITE ACTIVE.
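
The POLICY_PLAINTEXT routine above receives the username but never uses it. The following is an added example, not part of the original post, that applies the same rule and also rejects a password containing the username. So that the logic can be compiled and tested off VMS, struct desc, POLICY_OK, POLICY_WEAK, and the function names are hypothetical stand-ins for struct dsc$descriptor_s, SS$_NORMAL, and SS$_PWDWEAK.

```c
#include <ctype.h>
#include <stddef.h>

/* Stand-in for struct dsc$descriptor_s so this builds off VMS (assumption). */
struct desc {
    unsigned short len;   /* like dsc$w_length: byte count, no NUL terminator */
    const char *ptr;      /* like dsc$a_pointer */
};

/* Constructed stand-ins for SS$_NORMAL and SS$_PWDWEAK. */
enum { POLICY_OK = 1, POLICY_WEAK = 0 };
#define MIN_LEN 6

/* Case-insensitive, length-counted substring search. */
static int contains_ci(const struct desc *hay, const struct desc *needle)
{
    size_t i, j;
    if (needle->len == 0 || needle->len > hay->len)
        return 0;
    for (i = 0; i + needle->len <= hay->len; i++) {
        for (j = 0; j < needle->len; j++)
            if (toupper((unsigned char)hay->ptr[i + j]) !=
                toupper((unsigned char)needle->ptr[j]))
                break;
        if (j == needle->len)
            return 1;
    }
    return 0;
}

/* The page's rule (length >= 6 and a digit, '$' or '_'), plus a username check. */
unsigned long check_plaintext(const struct desc *password,
                              const struct desc *username)
{
    size_t i;
    int found = 0;
    if (password->len < MIN_LEN)
        return POLICY_WEAK;
    for (i = 0; i < password->len && !found; i++) {
        unsigned char c = (unsigned char)password->ptr[i];
        found = isdigit(c) || c == '$' || c == '_';
    }
    if (!found || contains_ci(password, username))
        return POLICY_WEAK;
    return POLICY_OK;
}
```

Every loop is bounded by the descriptor length, never by a terminating NUL, so bytes beyond the counted length are never examined.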

Posted at July 21, 2004 3:44 PM
Comments

interesting!

Posted by: Darlene at July 21, 2004 4:17 PM
