OpenVMS Password Policysm Documentation
The steps to start using the PARSEC Group OpenVMS Password Policysm are:
- Request a license for each system from PARSEC Group. Provide the necessary information:
- Architecture: Integrity Servers, Alpha, VAX
- Node name of each node
- Install the license using VMSLICENSE.COM
- Install the password policy
- Edit PG$PASSWORD_SYSTARTUP.COM to configure the policy
- Execute PG$PASSWORD_STARTUP.COM to start the policy
- Modify the startup procedures to start the policy each time the system is booted
There are four classifications of characters used by the password policy. They are:
This includes all upper-case characters A-Z
This includes all lower-case characters a-z (available with OpenVMS V7.3-2 and later). These are not allowed on accounts which do not have the pwdmix flag set. Any portion of the password policy relating to lower-case characters is ignored for those accounts.
This includes the numbers 0-9
This includes all punctuation and other characters. For accounts which do not have the pwdmix flag set, this is the dollar sign and underscore characters ($ _). For accounts which do have the pwdmix flag set, this includes almost every printable character.
One of the following versions of OpenVMS is required:
- VSI OpenVMS I64 V8.4-1H1 or later
- HP OpenVMS I64 V8.2 or later
- VSI OpenVMS Alpha V8.4-2L1 or later
- HP OpenVMS Alpha V6.2 or later
- OpenVMS VAX V6.2 or later
Startup and Shutdown
The OpenVMS Password Policysm is started using the SYS$STARTUP:PG$PASSWORD_STARTUP.COM command procedure. This procedure:
- Executes SYS$MANAGER:PG$PASSWORD_SYSTARTUP.COM to define logical names for defining the policy and configuring other options
- Installs the executable image that enforces the policy
- Sets the LOAD_PWD_POLICY system parameter
- Restarts the ACME (Authentication and Credential Management Extensions) server if it is running
The policy may be shut down using SYS$STARTUP:PG$PASSWORD_SHUTDOWN.COM. This procedure:
- Resets the LOAD_PWD_POLICY system parameter
- Restarts the ACME server if it is running
- Uninstalls the executable image that enforces the policy
Logical names are used to configure the OpenVMS Password Policysm. Each of these logical names must be defined system-wide or cluster-wide in executive mode. These are normally defined in SYS$MANAGER:PG$PASSWORD_SYSTARTUP.COM.
This specifies the minimum number of character sets required to be included in the password. The default value of 3 means that each password must include characters in at least three of the four classifications of characters described above. For accounts which do not have the pwdmix flag set, the value greater is limited to 3 since lower-case characters are not allowed in the password for those accounts.
This specifies the minimum number of upper-case characters required to be included in the password. The default value of 0 does not set a minimum on this set of characters.
This specifies the minimum number of lower-case characters required to be included in the password. The default value of 0 does not set a minimum on this set of characters.
This specifies the minimum number of numeric characters required to be included in the password. The default value of 0 does not set a minimum on this set of characters.
This specifies the minimum number of non-alphanumeric characters required to be included in the password. The default value of 0 does not set a minimum on this set of characters.
This defines which special characters are allowed. The default value of an empty string allows all characters to be enabled by OpenVMS. This may be used to disable the use of some characters, such as a space, which can interfere with access control strings used in network requests.
This specifies the maximum number of consecutive characters allowed in the password. The default value of 2 prevents the use of AAA764B since the character A has been repeated more than two times.
This specifies the maximum adjacent characters, such as ABC or 987, allowed in the password. The default value of 3 prevents the use of A5678_J since 5678 is more than 3 sequential characters.
This specifies the minimum length for acceptable passwords. OpenVMS allows setting a minimum password length for each account. This provides a system-wide minimum.
When defined to a non-zero value, this sets the maximum number of characters to be checked in the password. This allows the password to be enforced in the first portion of the password while still allowing longer passwords to be used. If not defined, the default is to check the entire password.
If defined to a non-zero value, this disallows a password which contains the username as a portion of the password. For example, the password 2SMITH500 will not be allowed for the username SMITH. The check against the username is not case sensitive. By default, this check is enabled.
If defined to a non-zero value, this disallows a password which contains any component of the owner field which has more than one character. For example, the password 2SMITH500 will not be allowed for an account which has the owner field set to "John R Smith". The letter R will be allowed in the password since this is a single character. This check is not case sensitive. By default, this check is enabled.
If defined to a non-zero value, messages will be displayed to the user indicating which portion of the password policy is not met when attempting to set an unacceptable password. By default, this is not enabled.
Note: Do not enable this feature when using the ACME enabled version of LOGINOUT. This may be checked by looking for ACMELOGIN in the output from PRODUCT SHOW HISTORY.
When defined to a non-zero value, the hashed value of the password is checked for either half containing a value of 0 or -1. By default, this check is enabled.
These logical names enable the check of the password against a database of password hashes. See the section on Pwned Passwords below for details.
Current guidelines recommending checking any password against those obtained in previous data breaches. A collection of these passwords is available at Have I Been Pwned. This OpenVMS password policy can check a new password against a database of the hashed value of those passwords. To enable this feature, download the SHA-1 hashes and load into a MySQL or MariaDB database table named "hashes". That table must have two columns from that download.
- hash - A 40 character or longer char or varchar containing the hash value
- instance - An int containing the number of times each password has been seen in the breach
Configure an account in the database which will have read only access to the hashes table. Then configure the policy to check the database. Each of the first four logical names must be defined; they do not have default values.
This specifies the name or IP address of the MySQL or MariaDB database server
This specifies the username of the database user with read access to the hashes table
This specifies the password of the database user with read access to the hashes table
This specifies the name of the database containing the hashes table
Setting this to a non-zero value allows the use of passwords which have been seen only a limited number of times in past data breaches
Note: This feature is not available on VAX.
The system administrator can create an identifier named PG$PASSWORD_EXCLUDE and grant it to specific users that should be excluded from enforcement of the password policy. For example:
$ set default sys$system $ run authorize UAF> add/identifier pg$password_exclude %UAF-I-RDBADDMSG, identifier PG$PASSWORD_EXCLUDE value %X8001008E added to rights database UAF> grant/identifier pg$password_exclude williams %UAF-I-GRANTMSG, identifier PG$PASSWORD_EXCLUDE granted to WILLIAMS UAF>
A utility named pg$password_policy is provided which allows testing a password for compliance with the policy without updating the account. This utility may be used by system administrators and individual users. It may be invoked in command procedures to validate a password before it is used in the authorize utility.
This utility accepts two parameters. The first parameter is the password to be validated which should be enclosed in quotes ("). The second parameter is an optional username. If not specified, then it defaults to the username of the process invoking the utility.
This utility does not check portions of the password policy which are part of standard OpenVMS; such as password history, password dictionary and minimum password length for individual accounts. It does not convert the entered password to upper case as done by OpenVMS for accounts which do not have the PWDMIX flag set.
$ check_password :== $pg$password_policy $ check_password "hard2_Break" williams $ check_password "weakpass" Password must contain characters from 3 or more of the following groups of characters: Upper case letters (A-Z) Lower case letters (a-z) Numeric characters (0-9) Other characters %SYSTEM-E-PWDWEAK, password is too easy to guess; please choose another string
For additional information, to request a demo license, or to purchase the OpenVMS Password Policysm, please contact us at (888) 472-7732 or 888-4PARSEC, send an e-mail to email@example.com or use our inquiry form.