OpenVMS Password Policysm Documentation
The steps to start using the PARSEC Group OpenVMS Password Policysm are:
- Request a license for each system from PARSEC Group. Provide the necessary information:
- Integrity Servers: Node name and number of cores
- Alpha: Node name
- VAX: Node name
- Install the license using VMSLICENSE.COM.
- Install the password policy.
- Edit PG$PASSWORD_SYSTARTUP.COM to configure the policy.
- Execute PG$PASSWORD_STARTUP.COM to start the policy.
- Modify the startup procedures to start the policy each time the system is booted.
There are four classifications of characters as used by the password policy. They are:
This includes all upper-case characters A-Z.
This includes all lower-case characters a-z (available with OpenVMS V7.3-2 and later). These are not allowed on accounts which do not have the pwdmix flag set. Any portion of the password policy relating to lower-case characters is ignored for those accounts.
This includes the numbers 0-9.
This includes all punctuation and other characters. For accounts which do not have the pwdmix flag set, this is the dollar sign and underscore characters ($ _). For accounts which do have the pwdmix flag set, this includes almost every printable character.
One of the following versions of OpenVMS is required:
- OpenVMS I64 V8.2 or later
- OpenVMS Alpha V6.2 or later
- OpenVMS VAX V6.2 or later
Startup and Shutdown
The OpenVMS Password Policysm is started using the SYS$STARTUP:PG$PASSWORD_STARTUP.COM command procedure. This procedure:
- Executes SYS$MANAGER:PG$PASSWORD_SYSTARTUP.COM to define logical names for defining the policy and configuring other options.
- Installs the executable image that enforces the policy.
- Sets the LOAD_PWD_POLICY system parameter.
- Restarts the ACME (Authentication and Credential Management Extensions) server if it is running.
The policy may be shut down using SYS$STARTUP:PG$PASSWORD_SHUTDOWN.COM. This procedure:
- Resets the LOAD_PWD_POLICY system parameter.
- Restarts the ACME server if it is running.
- Uninstalls the executable image that enforces the policy.
Logical names are used to configure the OpenVMS Password Policysm. Each of these logical names must be defined system-wide or cluster-wide in executive mode. These are normally defined in SYS$MANAGER:PG$PASSWORD_SYSTARTUP.COM.
This specifies the minimum number of character sets required to be included in the password. The default value of 3 means that each password must include characters in at least three of the four classifications of characters described above. For accounts which do not have the pwdmix flag set, the value greater is limited to 3 since lower-case characters are not allowed in the password for those accounts.
This specifies the minimum number of upper-case characters required to be included in the password. The default value of 0 does not set a minimum on this set of characters.
This specifies the minimum number of lower-case characters required to be included in the password. The default value of 0 does not set a minimum on this set of characters.
This specifies the minimum number of numeric characters required to be included in the password. The default value of 0 does not set a minimum on this set of characters.
This specifies the minimum number of non-alphanumeric characters required to be included in the password. The default value of 0 does not set a minimum on this set of characters.
This specifies the maximum number of consecutive characters allowed in the password. The default value of 2 prevents the use of AAA764B since the character A has been repeated more than two times.
This specifies the maximum adjacent characters, such as ABC or 987, allowed in the password. The default value of 3 prevents the use of A5678_J since 5678 is more than 3 sequential characters.
This specifies the minimum length for acceptible passwords. OpenVMS allows setting a minimum password length for each account. This provides a system-wide minimum.
When defined to a non-zero value, this sets the maximum number of characters to be checked in the password. This allows the password to be enforced in the first portion of the password while still allowing longer passwords to be used. If not defined, the default is to check the entire password.
If defined to a non-zero value, this disallows a password which contains the username as a portion of the password. For example, the password 2SMITH500 will not be allowed for the username SMITH. The check against the username is not case sensitive. By default, this check is enabled.
If defined to a non-zero value, this disallows a password which contains any component of the owner field which has more than one character. For example, the password 2SMITH500 will not be allowed for an account which has the owner field set to "John R Smith". The letter R will be allowed in the password since this is a single character. This check is not case sensitive. By default, this check is enabled.
If defined to a non-zero value, messages will be displayed to the user indicating which portion of the password policy is not met when attempting to set an unacceptible password. By default, this is not enabled.
Note: Do not enable this feature when using the ACME enabled version of LOGINOUT. This may be checked by looking for ACMELOGIN in the output from PRODUCT SHOW HISTORY.
When defined to a non-zero value, the hashed value of the password is checked for either half containing a value of 0 or -1. By default, this check is enabled.
The system administrator can create an identifier named PG$PASSWORD_EXCLUDE and grant it to specific users that should be excluded from enforcement of the password policy. For example:
$ set default sys$system $ run authorize UAF> add/identifier pg$password_exclude %UAF-I-RDBADDMSG, identifier PG$PASSWORD_EXCLUDE value %X8001008E added to rights database UAF> grant/identifier pg$password_exclude williams %UAF-I-GRANTMSG, identifier PG$PASSWORD_EXCLUDE granted to WILLIAMS UAF>
A utility named pg$password_policy is provided which allows testing a password for compliance with the policy without updating the account. This utility may be used by system administrators and individual users. It may be invoked in command procedures to validate a password before it is used in the authorize utility.
This utility accepts two parameters. The first parameter is the password to be validated which should be enclosed in quotes ("). The second parameter is an optional username. If not specified, then it defaults to the username of the process invoking the utility.
This utility does not check portions of the password policy which are part of standard OpenVMS; such as password history, password dictionary and minimum password length for individual accounts. It does not convert the entered password to upper case as done by OpenVMS for accounts which do not have the PWDMIX flag set.
$ check_password :== $pg$password_policy $ check_password "hard2_Break" williams $ check_password "weakpass" Password must contain characters from 3 or more of the following groups of characters: Upper case letters (A-Z) Lower case letters (a-z) Numeric characters (0-9) Other characters %SYSTEM-E-PWDWEAK, password is too easy to guess; please choose another string
For additional information, to request a demo license, or to purchase the OpenVMS Password Policysm, please contact us at (888) 472-7732 or 888-4PARSEC, send an e-mail to firstname.lastname@example.org or use our inquiry form.