04-11-2008 10:14 AM
We had a user who generally uses SSH to connect to the VMS servers. In mid-March her password was expired and she set a new password which included "@" (which of course is an invalid character for a password). SSH/VMS allowed the password change - and she continued to log in with that password since.
Yesterday - she needed to transfer a file from her desktop to VMS, and she could not connect with FTP (SFTP would have worked). Audit Server was reporting "%LOGIN-F-INVPWD, invalid password".
Not knowing about the 'invalid character' in the password - we thought she was a bad typist, had a bad keyboard... but were persistent in troubleshooting for about 45 minutes. Finally someone asked for her password, otherwise we may have never known what happened.
I tested and the problem occurs on both AlphaVMS v7.3-2/TCPIP v5.4 ECO 4 and IA64 VMS v8.3/TCPIP v5.6 ECO 2.
You can log in with invalid characters in your password via SSH or SFTP, but not FTP, DECnet (set host), or Telnet - that's as far as I went with it.
04-11-2008 11:26 AM
I wonder if the ssh/sftp interface drops the @. So, would the password with the @ removed have been valid via telnet?
That might make it a problem with the client software you're using, and not with VMS.
04-14-2008 12:14 PM
04-15-2008 12:27 PM
If you do NOT have the PWDMIX flag set - SSH ignores that fact and allows 'extended' characters in the password. The user cannot log in by any other method afterwards.
This little bug is being reported to engineering.
04-15-2008 12:29 PM