SSH login w/expired password allows new password change containing invalid characters
Advisor
Cindy Railey_1
Posts: 12
Registered: ‎11-06-2003
Message 1 of 5 (338 Views)

SSH login w/expired password allows new password change containing invalid characters

I just reported this to HP, but thought I would post it in case anyone else encounters an issue like this -

We had a user who generally uses SSH to connect to the VMS servers - In mid-March her password was expired and she set a new password which included "@" (which of course is an invalid character for a password). SSH/VMS allowed the password change - and she continued to log in with that password since.

Yesterday - she needed to transfer a file from her desktop to VMS, and she could not connect with FTP (SFTP would have worked). Audit Server was reporting "%LOGIN-F-INVPWD, invalid password"

Not knowing about the 'invalid character' in the password - we thought she was a bad typist, had a bad keyboard... but were persistent in troubleshooting for about 45 minutes. Finally someone asked for her password, otherwise we may have never known what happened.

I tested and the problem occurs on both AlphaVMS v7.3-2/TCPIP v5.4 ECO 4 and IA64 VMS v8.3/TCPIP v5.6 ECO 2.

You can log in with invalid characters in your password via SSH or SFTP, but not FTP, DECnet (set host), or Telnet - that's as far as I went with it.
Frequent Advisor
Gregg Parmentier
Posts: 68
Registered: ‎05-11-2006
Message 2 of 5 (338 Views)

Re: SSH login w/expired password allows new password change containing invalid characters




I wonder if the ssh/sftp interface drops the @. So, would the password with the @ removed have been valid via telnet?

That might make it a problem with the client software you're using, and not with VMS.
Advisor
Cindy Railey_1
Posts: 12
Registered: ‎11-06-2003
Message 3 of 5 (338 Views)

Re: SSH login w/expired password allows new password change containing invalid characters

To rule out the terminal emulation software we use - I connected to a VMS server via SSH (using the password with illegal characters) then connected directly to another VMS server in the same Cluster using TELNET, FTP, DECnet (Set Host), SSH, & SFTP. Only SSH and SFTP would allow login with the password. All other protocols failed login.
Advisor
Cindy Railey_1
Posts: 12
Registered: ‎11-06-2003
Message 4 of 5 (338 Views)

Re: SSH login w/expired password allows new password change containing invalid characters

HP responded - if the UAF records have the PWDMIX flag set - then the issue described does not occur.

If you do NOT have PWDMIX flag set - SSH ignores that fact and allows 'extended' characters in the password. The user cannot log in by any other method afterwards.

This little bug is being reported to engineering.
Advisor
Cindy Railey_1
Posts: 12
Registered: ‎11-06-2003
Message 5 of 5 (338 Views)

Re: SSH login w/expired password allows new password change containing invalid characters

Closing this thread as the problem will be resolved eventually. Main reason for posting was to help others who may come across this issue.
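Added example, not part of the original thread or HP's code: a small Python check for the symptom described in messages 1 and 4, where an account keeps succeeding over SSH/SFTP while FTP, Telnet or DECnet attempts fail with `%LOGIN-F-INVPWD`. The record layout, user names and dates are constructed for illustration and are not real audit output; map your own audit export into this shape.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed, simplified records: "timestamp user protocol status".
# This is NOT the real audit listing format; it is an assumed export shape.
SAMPLE_EVENTS = """\
2000-01-02T09:01:10 JSMITH SSH SUCCESS
2000-01-02T09:14:02 JSMITH FTP %LOGIN-F-INVPWD
2000-01-02T09:15:40 JSMITH FTP %LOGIN-F-INVPWD
2000-01-02T09:20:05 JSMITH SFTP SUCCESS
2000-01-02T10:00:00 BJONES TELNET %LOGIN-F-INVPWD
2000-01-02T10:00:30 BJONES TELNET SUCCESS
2000-01-02T11:00:00 KLEE SSH SUCCESS
"""

SSH_FAMILY = {"SSH", "SFTP"}          # protocols that accepted the password
OTHER = {"FTP", "TELNET", "DECNET"}   # protocols that rejected it in the thread

def parse(text):
    """Yield (time, user, protocol, status) from the constructed format."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip blank or malformed lines
        ts, user, proto, status = parts
        yield datetime.fromisoformat(ts), user.upper(), proto.upper(), status

def suspect_accounts(text, window=timedelta(hours=24)):
    """Return {user: failure_count} for accounts matching the thread's pattern."""
    ssh_ok, other_ok, other_bad = (defaultdict(list) for _ in range(3))
    for ts, user, proto, status in parse(text):
        if proto in SSH_FAMILY and status == "SUCCESS":
            ssh_ok[user].append(ts)
        elif proto in OTHER and status == "SUCCESS":
            other_ok[user].append(ts)
        elif proto in OTHER and status == "%LOGIN-F-INVPWD":
            other_bad[user].append(ts)
    hits = {}
    for user, fails in other_bad.items():
        # A nearby success on a non-SSH protocol means a typo, not this issue.
        paired = [f for f in fails
                  if any(abs(f - s) <= window for s in ssh_ok[user])
                  and not any(abs(f - s) <= window for s in other_ok[user])]
        if paired:
            hits[user] = len(paired)
    return hits

if __name__ == "__main__":
    print(suspect_accounts(SAMPLE_EVENTS))
```

Flagged accounts are candidates for a password reset; per HP's reply in message 4, accounts whose UAF record has PWDMIX set do not show the issue.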