From: CRDGW2::CRDGW2::MRGATE::"SMTP::CRVAX.SRI.COM::RELAY-INFO-VAX" 23-MAY-1989 09:06
To: MRGATE::"ARISIA::EVERHART"
Subj: Re: Password Verification

Received: From KL.SRI.COM by CRVAX.SRI.COM with TCP; Mon, 22 MAY 89 19:08:13 PDT
Received: from TGV.COM by KL.SRI.COM with TCP; Mon, 22 May 89 19:02:11 PDT
Date: Mon, 22 May 89 19:01:01 PDT
From: adelman@TGV.COM (Kenneth Adelman)
Reply-To: Adelman@TGV.COM (Kenneth Adelman)
Message-Id: <890522185526.41b@TGV.COM>
Subject: Re: Password Verification
To: amdahl!pacbell!ditka!bucket!servio!penneyj@apple.com
Cc: info-vax@kl.sri.com

> We have written a "secure" network demon that will - among other things -
> create processes upon request for a given user. (This is NOT DECnet, so
> VMS's wonderful DECnet features do not apply here.) ...
> This is EXTREMELY SLOW (and fraught with potential failures)!
> There *must* be a better way (what does Wollongong FTP do, for instance?)

There are two ways to do this:

1) Look at the fiche for loginout and in particular the HPWD.MAR module. Encrypt the password yourself and compare it to the one stored in the SYSUAF file. If it matches, you may also want to do other checks like the DISUSER flag, etc. Then you hop into kernel mode to set up your process (username, UIC, ACEs, etc).

2) Use the same hook which DECnet uses to create the NETSERVER jobs. Basically there is a 'real' hook which allows you to use LOGINOUT to validate and set up your job. Look at the fiche for NETACP and LOGINOUT.

The current version of Wollongong's FTP server uses scheme #1 and they and the other VMS TCP vendors which do this took a lot of heat at DECUS because what you don't get is breakin detection and evasion, auditing, and support for non-UIC ACLs unless you explicitly copy all of that LOGINOUT code (they didn't). Our FTP server (MultiNet) uses #2; this was a big win because we get the full VMS security features without having to simulate them with a lot of code.

Ken
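
An added illustration, not part of the original message and not VMS or LOGINOUT code: a simplified Python model of what a scheme #1 server has to carry beyond the hash comparison, namely the disabled-account check, break-in detection and evasion, and an audit trail. All names, thresholds and the record layout are constructed for this sketch, and PBKDF2 stands in for the system's own password hash.

```python
import hashlib
import hmac

BREAK_LIMIT = 3      # constructed threshold: failures before evasion starts
HIDE_SECONDS = 300   # constructed: how long evasion rejects every attempt

def hash_password(password, salt):
    # PBKDF2 is a stand-in for the system's own hash (assumption of this sketch)
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)

def make_account(password, disabled=False):
    salt = b"constructed-salt"
    return {"salt": salt, "hash": hash_password(password, salt), "disabled": disabled}

class Verifier:
    def __init__(self, accounts):
        self.accounts = accounts   # username -> {"salt", "hash", "disabled"}
        self.failures = {}         # (source, username) -> consecutive failures
        self.hidden_until = {}     # (source, username) -> evasion expiry time
        self.audit = []            # (time, source, username, outcome)

    def _finish(self, now, source, username, outcome):
        # Every attempt is audited, including rejected and evaded ones.
        self.audit.append((now, source, username, outcome))
        return outcome == "success"

    def check(self, source, username, password, now):
        key = (source, username)
        # Evasion: while active, even the correct password is refused.
        if self.hidden_until.get(key, 0) > now:
            return self._finish(now, source, username, "evaded")
        acct = self.accounts.get(username)
        # Unknown users are hashed against a dummy record so the work is similar.
        salt = acct["salt"] if acct else b"\x00" * 16
        stored = acct["hash"] if acct else b"\x00" * 32
        ok = hmac.compare_digest(hash_password(password, salt), stored)
        if acct and ok and acct["disabled"]:
            return self._finish(now, source, username, "disabled")
        if acct and ok:
            self.failures.pop(key, None)
            return self._finish(now, source, username, "success")
        self.failures[key] = self.failures.get(key, 0) + 1
        if self.failures[key] >= BREAK_LIMIT:
            self.hidden_until[key] = now + HIDE_SECONDS
            self.failures[key] = 0
            return self._finish(now, source, username, "breakin")
        return self._finish(now, source, username, "failure")
```

Each branch other than the hash comparison is state a hand-rolled verifier must keep and maintain itself, which is the code the message says scheme #2 avoids by handing validation to LOGINOUT.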