Conference vaxaxp::vmsnotes

   To my knowledge, external authentication is not yet available under
   OpenVMS, for anything other than LANMANAGER.  (No peer-to-peer, no
   Kerberos, etc.)  There are callouts latent that may allow the user
   to extend the existing authentication to support Kerberos or similar,
   and there is work going on to add support for other authentication
   mechanisms.  (We said as much at the last DECUS.)

   There is no supported way to generate a UNIX password file from an
   OpenVMS SYSUAF -- the password encryption will be a sticking point,
   as UNIX and OpenVMS use different hashing schemes.

   For information on DCE and the DCE Security Services, see the DCE
   notes conferences.

We've been working on a similar problem here at the N.Y. Mercantile Exchange. 
Our prblem is to pre-validate a username/password that will be sent from an
NT workstation to a VMS host as part of a transation packet. 

Using $GETUIA, it is possible to retrieve and check this data, although 
applying all the checks used in loginout.exe is more than a bit tedious.

Here is a sample function to show the general idea:

---------------------------------------------------------------------------
/*
**++
**  FACILITY:  c21_password.c
**
**  MODULE DESCRIPTION:
**
**	Given a username and password, the module:
**	     validates the username (by	retrieving user data from SYSUAF)
**	     checks the password
**	     calculates	the number of days until expiration
**	     retrieves and translates the users rights identifiers
**	     optionally, sets a new password.
**
**  AUTHORS:
**
**      David A. Bowers
**	Digital Equipment Corp.
**
**  CREATION DATE:  7-Mar-1996
**
**  DESIGN ISSUES:
**
**      SYSPRV is required for execution.
**	
**	Since we are using $GETUIA, all checking of SYSUAF values must be done
**	explcitly within the module. We will therefore need to get operations
**	to agree to use only those features that we're checking, so that any
**	username/password combination that gets past us will also get past
**	loginout.
**	This version checks username, password and password expiration only.
**
**  FORMAL PARAMETERS:
**
**      usr:
**          the username to be validated.
**       
**      pass:
**          the password to be validated.
**	 
**      npass:
**          user's new password | 0 if not entered.
**
**	rightsw:
**	    if == 0, rights lookup is bypassed.
**
**  RETURN VALUES:
**	password validation block containing:
**	    username (for sanity check)
**	    login_status = 1:	success
**			   0:	invalid username/password
**			  -1:	system error
**	    password_change status = 1:	pasword changed
**				     0:	no change requested
**				    -1:	system error
**	    days_to_go: number of days until password expiration
**	    rights_count: number of rights identifiers returned
**	    right[]: up to 16 rights identifier names 
**
**--
*/

/***********************************************************************
**  INCLUDE FILES
***********************************************************************/

#include "c21_password.h"
#include <ctype.h>
#include <descrip.h>
#include <lib$routines.h>
#include <libdtdef.h>
#include <opcdef.h>
#include <opcmsg.h>
#include <ssdef.h>
#include <starlet.h>
#include <stdlib.h>
#include <string.h>
#include <uaidef.h>

 
/***********************************************************************
**  c21_password()
***********************************************************************/

struct user_val_block c21_password (char *usr, char *pass, char *npass, int 
rightsw)
{
    struct itlst
    {
	short   bufflen;
	short   itcode;
	void    *buffaddr;
	short   *retlen;
    };

    struct  itlst   itmlst_a[7],
		    itmlst_b[2];

    struct user_val_block ret_block;

    struct dsc$descriptor _username = { 0,
					DSC$K_DTYPE_T, 
					DSC$K_CLASS_S,
					0};
    struct dsc$descriptor _password = { 0,
					DSC$K_DTYPE_T, 
					DSC$K_CLASS_S,
					0};
    struct dsc$descriptor _rtname =   { 0,
					DSC$K_DTYPE_T,
					DSC$K_CLASS_S,
					0};

    struct 
    {
	char		request;
	unsigned int    target : 24;
	unsigned long   msg;
	char		text[64];
    } opbuf;

    struct dsc$descriptor _opbuf = { 0,
				    DSC$K_DTYPE_T, 
				    DSC$K_CLASS_S,
				    0};

    unsigned int    i,
		    j,
		    stat = 0,
		    cvt_opt = LIB$K_DELTA_DAYS,
		    uic[2] = {0, 0},
		    wrkright,
		    ctx = 0,
		    ctx2 = 0;

    char    encrypt,
	    pwd[8],
	    pwd_date[8],
	    pwd_life[8],
	    password[32],
	    newpass[32],
	    rtname[32];

    short   salt;

    short   encryptlen = 0,
	    pwdlen = 0,
	    dtlen = 0,
	    lifelen = 0,
	    saltlen = 0,
	    uiclen = 0,
	    rightlen = 0;

    char    hash[8],
	    today[8],
	    pwd_exp[8],
	    dt_diff[8];

/***********************************************************************
**  Initialize string descriptors
***********************************************************************/

    _username.dsc$w_length = strlen (usr);
    _username.dsc$a_pointer = ret_block.username;
    _password.dsc$w_length = strlen (pass);
    _password.dsc$a_pointer = password;
    _rtname.dsc$w_length = 32;
    _rtname.dsc$a_pointer = rtname;

/***********************************************************************
**  Set up OPCOM transmit buffer for privilege errors
***********************************************************************/

    opbuf.request = OPC$_RQ_RQST;
    opbuf.target = opbuf.target | OPC$M_NM_CENTRL | 
		   OPC$M_NM_NTWORK | OPC$M_NM_SECURITY;
    opbuf.msg = OPC$_USERMSG;
    memset (opbuf.text, ' ', sizeof opbuf.text);
    strcpy (opbuf.text, "Unable to validate passwords. SYSPRV required");
    _opbuf.dsc$w_length = sizeof opbuf;
    _opbuf.dsc$a_pointer = (char *) &opbuf;

/***********************************************************************
**  Set up item list for sys$getuai
***********************************************************************/

    itmlst_a[0].bufflen = 1;
    itmlst_a[0].itcode = UAI$_ENCRYPT;
    itmlst_a[0].buffaddr = &encrypt;
    itmlst_a[0].retlen = &encryptlen;
    itmlst_a[1].bufflen = 8;
    itmlst_a[1].itcode = UAI$_PWD;
    itmlst_a[1].buffaddr = pwd;
    itmlst_a[1].retlen = &pwdlen;
    itmlst_a[2].bufflen = 8;
    itmlst_a[2].itcode = UAI$_PWD_DATE;
    itmlst_a[2].buffaddr = pwd_date;
    itmlst_a[2].retlen = &dtlen;
    itmlst_a[3].bufflen = 8;
    itmlst_a[3].itcode = UAI$_PWD_LIFETIME;
    itmlst_a[3].buffaddr = pwd_life;
    itmlst_a[3].retlen = &lifelen;
    itmlst_a[4].bufflen = 2;
    itmlst_a[4].itcode = UAI$_SALT;
    itmlst_a[4].buffaddr = &salt;
    itmlst_a[4].retlen = &saltlen;
    itmlst_a[5].bufflen = 4;
    itmlst_a[5].itcode = UAI$_UIC;
    itmlst_a[5].buffaddr = &uic[0];
    itmlst_a[5].retlen = &uiclen;
    itmlst_a[6].itcode = 0;

/***********************************************************************
**  Set up item list for sys$setuai
***********************************************************************/

    itmlst_b[0].bufflen = sizeof newpass;
    itmlst_b[0].itcode = UAI$_PASSWORD;
    itmlst_b[0].buffaddr = newpass;
    itmlst_b[0].retlen = &pwdlen;
    itmlst_b[1].bufflen = 0;
    itmlst_b[1].itcode = 0;

/***********************************************************************
**  Upcase username and password. Init ret_block fields.
***********************************************************************/

    for (i = 0;  i < strlen (usr);  ++i)
    {
    	ret_block.username[i] = toupper (usr[i]);
    }
    ret_block.username[strlen(usr)] = '\0';

    for (i = 0;  i < strlen (pass);  ++i)
    {
    	password[i] = toupper (pass[i]);
    }

    ret_block.login_status = 0;
    ret_block.pwd_change_status = 0;
    ret_block.days_to_go = 0;
    ret_block.rights_count = 0;

/***********************************************************************
**  Retrieve SYSUAF data. Send OPCOM message if we don't have SYSPRV.
***********************************************************************/

    stat = sys$getuai ( 0,  0,  &_username,  itmlst_a,  0,  0,  0);
    if (stat == SS$_NOGRPPRV || stat == SS$_NOSYSPRV)
    {
        sys$sndopr (&_opbuf, 0);
	ret_block.login_status = -1;
	return ret_block;
    }
    if (stat != SS$_NORMAL)
    {
	return ret_block;
    }

/***********************************************************************
**  Check Password
***********************************************************************/

    stat = sys$hash_password ( &_password, encrypt, salt, &_username, hash);
    if (stat != SS$_NORMAL)
    {
	ret_block.login_status = -1;
	return ret_block;
    }
	
    if(memcmp (pwd, hash, 8) != 0)
    {
	return ret_block;
    }

/***********************************************************************
**  Calculate days remaining until expiration 
***********************************************************************/

    stat = sys$gettim (today);
    if (stat != SS$_NORMAL)
    {
	ret_block.login_status = -1;
	return ret_block;
    }

    lib$add_times (pwd_date, pwd_life, pwd_exp);
    lib$sub_times (pwd_exp, today, dt_diff);
    lib$cvt_from_internal_time (&cvt_opt, &ret_block.days_to_go, dt_diff);
    
    if (ret_block.days_to_go <= 0) 
    {
	return ret_block;
    }
    else
	ret_block.login_status = 1;

/***********************************************************************
**  Retrieve and translate rights identifiers
***********************************************************************/

    if (rightsw != 0)
    {
	i = 0;
	while (stat == SS$_NORMAL)
	{
	    stat = sys$find_held (uic, &wrkright, 0, &ctx);
	    if (stat == SS$_NORMAL)
	    {
		stat = sys$idtoasc (wrkright, &rightlen, &_rtname, 0, 0, 
ctx2);
		strncpy (ret_block.right[i], _rtname.dsc$a_pointer, rightlen);
		ret_block.right[i][rightlen] = '\0';
		++i;
	    }
	}

	ret_block.rights_count = i;
	ret_block.login_status = 1;    
    }
/***********************************************************************
**  If we have a new password, update SYSUAF
***********************************************************************/

    if (npass != 0)
    {
        memset (newpass, ' ', sizeof newpass);
        for (i = 0;  i< strlen (npass);  ++i)
        {
        	newpass[i] = toupper (npass[i]);
        }

        stat = sys$setuai (0, 0, &_username, itmlst_b, 0, 0, 0);
        if (stat != SS$_NORMAL)
        {
    	ret_block.pwd_change_status = -1;
        }
	else
	{
	    ret_block.pwd_change_status = 1;
	}
    }
    return ret_block;
}

    re .0
    
    Since V7.1 of VMS supports external authentication from LANMANAGER
    perhaps the customer could ask whether Digital UNIX supports the same
    in which case the installation of a LANMANAGER PDC, even if they do
    nothing else with it, would give them what they want (apparently) - and
    of course weaken their security lots.
    
    What problem are they trying to solve? Perhaps there are other
    solutions.

    Thanks Steve, Dave, Derek, will relay information to customer, post any
    more specifics he provides.
    
    Sheldon

Some input from Colin Blake, which I'll forward to the customer:
    
With regard to common username/passwords across OpenVMS, UNIX and NT, I see 
two options.

Option 1. With OpenVMS V7.1 comes the "external authentication". This 
allows you to have users authenticated by some means other than the SYSUAF, 
via a "plug-in". Currently the only plug-in available is for LANManager 
authentication, but this does allow users in a cross Windows (NT, Win95, 
WFWG) and OpenVMS environment to have a single username and password across 
all platforms (OpenVMS will use the LANManager Logon Service, hence the 
user's single username and password will be his Windows account name and 
password).  I know that the UNIX folks were looking into providing  a 
similar external authentication scheme on their platform, and so if this is 
available, it would be provide a good solution.

Option 2. Use DCE on all platforms. OpenVMS, UNIX and NT all support DCE. 
By using the login and authentication service provided by DCE, users would 
be able to have a single username and password across all platforms.
    

    Below are additional questions from the user.  I'll pass along answers
    or pointers.  
    
    Thanks,
    
    Sheldon
    
    ---------------------------
     
    For "external authentication":

	- Can we use "external authentication" of OpenVMS V7.1 for LANManager
	  without Pathworks for Windows 6.0 ?

	- Doesn't "external authentication" of OpenVMS V7.1 use SYSUAF ?

	- Does "external authentication" of OpenVMS V7.1 have authorization
	  database other than SYSUAF ?

	- Does "OpenVMS will use the LANManager Logon Service" mean that
	  WindowsNT Domain Controller serves user authorization information to
	  OpenVMS ?

	- Can't OpenVMS be a Domain Controller which serves user authorization
	  information to WindowsNT ?

	- Can all kinds of process creation (ex. batch process, network
	  process via DECnet, etc.) on OpenVMS use "LANManager Logon Service" ?

	- Or do some kinds of process creation need to use SYSUAF separately ?

	- If it's true, then how can user authorization information of SYSUAF
	  and "LANManager Logon Service" be synchronized ?

    For DCE:

	- Can all kinds of process creation be Kerberized if we use Digital's
	  DCE ? For example, can we create batch process on OpenVMS based on
	  the user authorization information served by Kerberos rather than
	  SYSUAF ?

	- Can Digital's DCE take authorization information from SYSUAF ?

	- Can any DCE implementations for WindowsNT support integrated user
	  authorization for WindowsNT, IIS, and SQL server ?

re .6
    
    Has the customer read the V7.1 Release Notes and the V7.1 New Features
    Manual?
    
>	- Doesn't "external authentication" of OpenVMS V7.1 use SYSUAF ?
    
    The VMS system still needs a SYSUAF for a number of reasons e.g. it is
    SYSUAF that says that a user is allowed to be authenticated externally
    and SYSUAF contains a whole lot of other stuff that VMS needs in order to
    do the rest of the login anyway.
    
    However VMS does not *need* the SYSUAF for the actual authentication.
    (VMS may, if requested to and allowed to, perform authentication locally.
    You might request this if the authentication service is unreachable.)
    
    Note that since there can be some users who are not externally
    authenticated, SYSUAF could sometimes be used for them too.

>	- Does "external authentication" of OpenVMS V7.1 have authorization
>	  database other than SYSUAF ?
    
    Nothing else on VMS as far as I know - unless you count VMS itself 
    acting as Primary Domain Controller where I would expect two
    "independent" user databases to exist on the one machine.
    
    NB: authorisation is not the same as authentication.

>	- Does "OpenVMS will use the LANManager Logon Service" mean that
>	  WindowsNT Domain Controller serves user authorization information to
>	  OpenVMS ?
    
    That could be the case i.e. one possible configuration. I imagine that
    the user of the authentication service doesn't much care what kind of
    machine provides it (although hopefully it can trust it).

>	- Can't OpenVMS be a Domain Controller which serves user authorization
>	  information to WindowsNT ?
    
    The Release Notes imply that VMS can act as Primary Domain Controller
    which should mean that it serves authentication info (NB: not
    authorisation) to itself and to other LANmanager netizens.

>	- Can all kinds of process creation (ex. batch process, network
>	  process via DECnet, etc.) on OpenVMS use "LANManager Logon Service" ?
    
    DECnet network logins (e.g. remote file access) should work.
    
    Batch processes are not authenticated so the question does not arise.
    
>	- Or do some kinds of process creation need to use SYSUAF separately ?
    
    Not that I am aware of.
    
    However some applications may perform their own authentication
    independently of VMS (not surprising since most if not all versions of
    VMS do not provide interfaces for doing this). [UCX would be the prime
    candidate here.] These applications can still work if the LAN Manager
    username is the same as the VMS username (recommended anyway) and VMS
    has a "good" copy of the password. See the above references for "Password
    Synchronization".

    (can't help with the DCE questions)

re .7 correctly answers the questions you posed. Details are in the new features
manual and release notes. You'll want to have the customer be aware of the
restrictions mentioned there when evaluating the suitability of this mechanism
to their needs.

Now, to give you the picture from 30,000 feet - in 7.1, we introduced external
authentication by LAN Manager for interactive and network logins controlled by
LOGINOUT.EXE and for password changes with SET PASSWORD.

In this context, external authentication means the following:

	"For users that have the EXTAUTH flag set in their SYSUAF.DAT account
	 record, authentication will be based on an external policy (in this
	 case LAN Manager username and password) rather than the password
	 stored in the SYSUAF.DAT file. All other SYSUAF.DAT information
	 remains in effect (ie., modal restrictions, DISUSER, quotas, etc.)"

What does this accomplish?

For interactive and network logins, the user is able to use the same username
and password for logins to OpenVMS or LAN Manager (Windows 3.x, Windows 95,
Windows NT). The actual LAN Manager username and password is used - not
synchronized copies. For password changes from SET PASSWORD, the actual LAN
Manager password is updated.

As re.7 mentions, external authentication is not a panacea. All existing OpenVMS
applications that need to perform some form of their own authentication will
continue to operate using the SYSUAF.DAT policy. This software will not know
about the LAN Manager policy. In order for this software to work correctly, the
SYSUAF.DAT password must be kept synchronized with the LAN Manager policy - this
is not always possible. There's plenty of room for confusion depending on the
application mix. Again, the customer should read the release notes.

The solution for the problems just mentioned would be for OpenVMS to provide an
authentication system service that provides native and external authentication
policy enforcement in a consistent fashion for use by trusted application. (This
should not be construed as a commitment - just an observation at the moment. ;)