From: HENRY::IN%"spear%afwl-vax.arpa%sri-kl.ARPA%relay.cs.net@rca.com" 17-FEB-1987 19:01 To: info-vax Subj: Re: Password Verification via DECnet kludge While we are giving an earlier poster the keyboard lashing of his life (many with bad info since $SET TERM/NOECHO, $INQUIRE no longer (as of VMS 4.4? 4.5?) stores the response in the DCL recall buffer), let me mention yet another problem or two with his scheme of using a DECnet file access (with access control string) to verify a user's password. 1) It's harder to keep the innards of the verification command procedure secret since you can still enter 'F$VERIFY(1) at the $INQUIRE prompt and turn on verify mode. Another reason to use $READ instead - you don't need a $SET NOVERIFY after each one. 2) If the user has an account on another system on the DECnet (perhaps he carries around a MicroVAX-2000 disguised as a lunchbox), he might really be using the UAF file on a remote machine over which you have no control. He need only $DEFINE LOCAL_NODE_NAME REMOTE_NODE:: and/or $DEFINE 0 REMOTE_NODE:: and the file access is rerouted. To fix this, see if F$TRNLNM("0") turns up anything. Capt Jon L. Spear AFWL/NTC, KAFB, NM 87117-6008 Disclaimer: This information is provided for comparison purposes only. Your actual mileage may be different. ------