Irlet Thomas, Dr.
Gruppe für Rüstungsdienste
Stauffacherstrasse 65
CH-3000 Bern 22
Switzerland

BREAK: A Terminal-Blocker
*************************

Version 1.1

Abstract:

When you run this program on an appropriate terminal, the screen is erased and a prompt asks you for your login password. You cannot do anything on this terminal until you have given the correct password. The SYSGEN parameters LGI_BRK_LIM and LGI_HID_TIM are honoured when deciding whether to grant access to the terminal session. Failures are logged via OPCOM.

This version is only for VMS versions 5.4 and higher!

Compilation and Installation:
*****************************

There is a command procedure to compile and link the files (BUILD.COM). Three files are used:

- KAFFEE.FOR    : The main program, in Fortran.
- UAFPARAMS.MAR : The definitions of the field offsets in SYSUAF.DAT.
- HPWD.MAR      : Found on the DECUS VAX in Munich; the algorithm used to hash (encrypt) the password. For VMS versions 5.4 and higher this is no longer needed, because the system service SYS$HASH_PASSWORD is available instead.

Reading SYSUAF.DAT requires SYSPRV, which is why the image has to be installed with that privilege. The command procedure to do that is INSTALL.COM.

Use and security constraints:
*****************************

To use it, simply type BREAK. If you are working on a terminal of type TTxy, TXxy or LTxy, the screen is erased. At the top left the current time is displayed. Beneath it are the number of retries used so far and the time at which you started the break. Under this text is the password prompt.

When you return to such a terminal you can see whether somebody has been trying to get into your session by checking the retry count ("x. Versuch", i.e. attempt x). Then confirm that the start time is the time at which you left the terminal.

Every password failure is logged via OPCOM. As long as LGI_BRK_LIM has not been reached, only a failure message from program KAFFEE is written to OPCOM. As soon as LGI_BRK_LIM is reached, further actions are taken:

- if a wrong password is given, the password exactly as typed is written to OPCOM.
- if the correct password is given, the password is not written to OPCOM. Whether access is granted now depends on whether LGI_HID_TIM has elapsed since the last failure: if it has, access is granted, otherwise not.

Keep in mind that, once LGI_BRK_LIM is reached, a password the owner merely mistypes (often one character away from the real one) is written to the operator log, where everyone who receives OPCOM messages can read it.

The program waits 5 seconds between a wrong password and the next password prompt.

SYSUAF.DAT is read only once, at the beginning. If the password is changed in the meantime, this program still waits for the old one.

The only terminal types allowed are TTxy, TXxy and LTxy. You can also allow RTxy if you have no workstations. Workstation terminals cannot be blocked with this program: under VWS you can easily create a second window for the same user. Under DECwindows you should use the PAUSE option of the session manager instead. Because you cannot know what type of terminal is behind a remote terminal, remote terminals have been disabled.

How the program works:
**********************

First the username is determined. Then the terminal is switched to passthrough mode and all CONTROL_... interrupt settings (the control environment that is restored at the end) are disabled. The hashed password is now read from SYSUAF.DAT. So that one can see who is using the program, the process name is changed to 'KAFFEE pid'. The clock is now started for the user, and the password inquiry follows. After a CR is entered or 80 characters have been typed, the input buffer is analysed: only alphanumerics, $ and _ are taken for the password check. Then the retry count and LGI_HID_TIM are checked. If all checks pass, the process name, the terminal characteristics and the control environment are restored. Otherwise the process waits 5 seconds before the next password inquiry starts.
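The lock logic described in the two sections above (input filtering, retry count, LGI_BRK_LIM, LGI_HID_TIM, the 5-second wait and what reaches OPCOM), as a runnable simulation written for this README. It is an added example, not code from the KAFFEE program. Everything not stated on the page is an assumption: the password hash is a hashlib stand-in for SYS$HASH_PASSWORD, OPCOM is modelled as a list of strings, the clock is injected so the hide time can be exercised without waiting, the sample account THOMAS and its password are constructed, and a correct password typed inside the hide window is rejected without counting as a further failure.

```python
"""Simulation of the BREAK/KAFFEE lock-screen logic described in this README.

Added example, not code from the KAFFEE program.  Assumptions that are not on
the page: the password hash is a hashlib stand-in for SYS$HASH_PASSWORD, OPCOM
is modelled as a list of strings, the clock is injected so the LGI_HID_TIM
check can be exercised without waiting, and a correct password typed inside
the hide window is rejected without counting as a further failure.
"""
import hashlib
import string

ALLOWED = frozenset(string.ascii_letters + string.digits + "$_")
INPUT_LIMIT = 80      # the buffer is analysed after CR or after 80 characters
RETRY_DELAY = 5       # seconds the program waits after a wrong password


def sanitise(raw: str) -> str:
    """Keep only alphanumerics, $ and _ from the first 80 characters typed."""
    return "".join(ch for ch in raw[:INPUT_LIMIT] if ch in ALLOWED)


def hash_password(username: str, password: str) -> str:
    """Stand-in for SYS$HASH_PASSWORD (assumption: not the VMS algorithm).
    Keyed to the username so equal passwords on two accounts differ."""
    return hashlib.sha256(f"{username}\0{password}".encode()).hexdigest()


class TerminalLock:
    """One locked terminal session: retry counter, break-in evasion, OPCOM log."""

    def __init__(self, username, stored_hash, lgi_brk_lim, lgi_hid_tim, clock, opcom):
        self.username = username
        # Read once at start, like SYSUAF.DAT: a later password change is not seen.
        self.stored_hash = stored_hash
        self.lgi_brk_lim = lgi_brk_lim
        self.lgi_hid_tim = lgi_hid_tim
        self.clock = clock              # callable returning seconds
        self.opcom = opcom              # log sink, a list in this simulation
        self.start_time = clock()       # shown on screen as the time the break began
        self.retries = 0
        self.last_failure = None

    def evading(self) -> bool:
        """True once LGI_BRK_LIM failures have been seen on this terminal."""
        return self.retries >= self.lgi_brk_lim

    def attempt(self, raw: str):
        """Process one line of input; returns (access_granted, seconds_to_wait)."""
        now = self.clock()
        candidate = sanitise(raw)
        if hash_password(self.username, candidate) != self.stored_hash:
            self.retries += 1
            self.last_failure = now
            if self.evading():
                # Past LGI_BRK_LIM the program writes the typed password to OPCOM.
                self.opcom.append(
                    f"KAFFEE: break-in attempt on {self.username}, attempt "
                    f"{self.retries}, password given: {candidate!r}")
            else:
                self.opcom.append(
                    f"KAFFEE: password failure for {self.username}, attempt {self.retries}")
            return False, RETRY_DELAY
        # Correct password: never logged.  During evasion it is only accepted
        # once LGI_HID_TIM seconds have passed since the last failure.
        if (self.evading() and self.last_failure is not None
                and now - self.last_failure < self.lgi_hid_tim):
            return False, RETRY_DELAY
        return True, 0


def scenario():
    """Replay a constructed intruder-then-owner sequence; returns the outcomes."""
    clock = [1000]                      # fake wall clock in seconds
    opcom = []
    user = "THOMAS"                     # constructed sample account
    lock = TerminalLock(user, hash_password(user, "KAFFEE_1991"),
                        lgi_brk_lim=3, lgi_hid_tim=300,
                        clock=lambda: clock[0], opcom=opcom)
    granted, waits = [], []
    for when, typed in ((1000, "KAFFEE_1990"),     # intruder: wrong
                        (1006, "KAFFE_1991"),      # intruder: wrong
                        (1012, "KAFFEE-1991"),     # wrong; limit reached, typed text logged
                        (1020, "KAFFEE_1991\r"),   # owner: correct, but inside LGI_HID_TIM
                        (1400, "KAFFEE_1991\r")):  # owner: correct, hide time elapsed
        clock[0] = when
        ok, wait = lock.attempt(typed)
        granted.append(ok)
        waits.append(wait)
    return {"granted": granted, "waits": waits, "retries": lock.retries, "opcom": opcom}


if __name__ == "__main__":
    for line in scenario()["opcom"]:
        print(line)
```

The scenario shows the two points a practitioner should take from the README: the owner's correct password is refused for LGI_HID_TIM seconds after the intruder's last failure, and the third wrong attempt lands in the OPCOM log verbatim, which is exactly what makes a mistyped real password visible to operators.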