From:	CRDGW2::CRDGW2::MRGATE::"SMTP::CRVAX.SRI.COM::RELAY-INFO-VAX" 23-MAY-1989 09:06
To:	MRGATE::"ARISIA::EVERHART"
Subj:	Re: Password Verification

Received: From KL.SRI.COM by CRVAX.SRI.COM with TCP; Mon, 22 MAY 89 19:08:13 PDT
Received: from TGV.COM by KL.SRI.COM with TCP; Mon, 22 May 89 19:02:11 PDT
Date:     Mon, 22 May 89 19:01:01 PDT
From: adelman@TGV.COM (Kenneth Adelman)
Reply-To: Adelman@TGV.COM (Kenneth Adelman)
Message-Id: <890522185526.41b@TGV.COM>
Subject:  Re: Password Verification
To: amdahl!pacbell!ditka!bucket!servio!penneyj@apple.com
Cc: info-vax@kl.sri.com

> We have written a "secure" network demon that will - among other things -
> create processes upon request for a given user.  (This is NOT DECnet, so
> VMS's wonderful DECnet features do not apply here.)

    ...

> This is EXTREMELY SLOW (and frought with potential failures)!
> There *must* be a better way (what does Wollongong FTP do, for instance?)

    There are two ways to do this:

    1) Look at the fiche for loginout and in particular the HPWD.MAR
       module. Encrypt the password yourself and compare it to the
       one stored in the SYSUAF file. If it matches, you may also want
       to do other checks like the DISUSER flag, etc. Then you hop into
       kernel mode to set up your process (username, UIC, ACEs, etc).

    2) Use the same hook which DECnet uses to create the NETSERVER jobs.
       Basically there is a 'real' hook which allows you to use LOGINOUT
       to validate and setup your job. Look at the fiche for NETACP and
       LOGINOUT.

    The current version of Wollongong's FTP server uses scheme #1 and
they and the other VMS TCP vendors which do this took a lot of heat at
DECUS because what you don't get is breakin detection and evasion,
auditing, and support for non-UIC ACLs unless you explicitly copy all
of that LOGINOUT code (they didn't).

    Our FTP server (MultiNet) uses #2; This was a big win because we
get the full VMS security features without having to simulate them
with a lot of code.

							Ken