From:	HENRY::IN%"spear%afwl-vax.arpa%sri-kl.ARPA%relay.cs.net@rca.com" 17-FEB-1987 19:01
To:	info-vax <info-vax@sri-kl.arpa>
Subj:	Re: Password Verification via DECnet kludge

While we are giving an earlier poster the keyboard lashing of his life (many
with bad info since $SET TERM/NOECHO, $INQUIRE no longer (as of VMS 4.4? 4.5?)
stores the response in the DCL recall buffer), let me mention yet another
problem or two with his scheme of using a DECnet file access (with access
control string) to verify a user's password. 

1) It's harder to keep the innards of the verification command procedure secret
since you can still enter 'F$VERIFY(1) at the $INQUIRE prompt and turn on
verify mode. Another reason to use $READ instead - you don't need a $SET
NOVERIFY after each one. 

2) If the user has an account on another system on the DECnet (perhaps he
carries around a MicroVAX-2000 disguised as a lunchbox), he might really be
using the UAF file on a remote machine over which you have no control. He need
only $DEFINE LOCAL_NODE_NAME REMOTE_NODE:: and/or $DEFINE 0 REMOTE_NODE:: and
the file access is rerouted. To fix this, see if F$TRNLNM("0") turns up
anything. 

Capt Jon L. Spear
AFWL/NTC, KAFB, NM 87117-6008

Disclaimer: This information is provided for comparison purposes only. Your
actual mileage may be different.
------