[mod.computers.vax] Question of the day.

"Peter_A._Hwang.WBST147"@Xerox.COM.UUCP (03/25/87)

Greetings,
I have a few questions for the VMS guru on the netland.
1. Could someone offer some insight into how DCL RECALL works? RECALL
recalls the previous DCL commands (up to 20) that the user has typed in
during the session. I have an application to wipe out these stored
commands, if possible.
2. Does anyone have, and is willing to give away, a routine (in any
language) to find out the password of a user's own account?

Peter Hwang
Xerox

LEICHTER-JERRY@YALE.ARPA.UUCP (03/28/87)

    1. Could someone offer some insight into how DCL RECALL works? RECALL
    recalls the previous DCL commands (up to 20) that the user has typed in
    during the session. I have an application to wipe out these stored
    commands, if possible.

Among the "extended operations" available from the terminal driver are the
abilities to (a) selectively disable recall by the driver itself, so that the
application - here DCL - receives up and down arrow; and (b) "prime" the input
buffer with a string that will be echoed and then appears exactly as if the
user had actually typed it.  Using this, DCL can save away the last 20 command
lines, then see that the user typed up arrow, grab the appropriate command
line, and restart the read "primed" with that command line.  User programs can
do the same thing, though with VMS 4.4 they don't need to go through all the
effort themselves - SMG$READ_COMPOSED_LINE will do it for them.

DCL saves the command lines in a circular buffer somewhere in P1 space.  A
suitably-privileged program (CMEXEC) can easily erase the buffer.  Depending
on your level of paranoia, you can either really erase the circular buffer, or
just change the pointers.  The buffer and pointers are all undocumented, so
of course anything you do in this way may very well break with the next
version of VMS.  You'll have to stare at the microfiche to figure out what's
involved.

I've seen programs to do this, but unfortunately none that I'm at liberty to
distribute.

    2. Does anyone have, and is willing to give away, a routine (in any
    language) to find out the password of a user's own account?

The password is not stored anywhere in a readable form - all that is stored is
the result of passing the password through a function that is believed to be
impractical to invert - a so-called one-way function.  I haven't heard any
claims of a way to invert this function.  (In any case, since the function
is many-to-one - it maps passwords of up to 31 characters into either 4 or 8
bytes, I forget which - the best you could hope for would be SOME password
with the same encrypted value; there is, in general, NO way to recover the
original password, even in principle.)

(You may wonder how VMS checks your password if it doesn't know what your
password IS.  The technique, used on just about all modern systems, is simple.
Suppose F is this one-way function; so F(X) is easy to compute from X, but
given F(X) it's very, very hard to get X back.  Let P be your password.  VMS
stores away F(P).  When you enter your response R to the "Password:" prompt,
VMS computes F(R).  If F(R) equals the stored F(P) - which it certainly will
if R equals P! - VMS lets you in.  If R is not equal to P, it is very unlikely
(1 chance in 4 billion, if F produces a 4-byte quantity) that F(R) and F(P)
will happen to be equal.

The advantage of this approach is that even if the password file is
accidentally revealed, all that's lost is F(P), from which it is impractical to
compute P.  (In fact, it's even impractical to compute ANY R with F(R)=F(P).)
The disadvantage is that there is no way to recover your password if you forget
it.)
							-- Jerry
-------
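
The store-F(P), compare-F(R) check described in the reply above, as an added example that is not part of any post in this thread and is not VMS code. It also measures how often a wrong response is accepted at different output widths, which is the "1 chance in 4 billion" point generalized. Assumptions: truncated SHA-256 stands in for F, the names `enroll`, `check` and `false_accepts` are hypothetical, and the sample password and wrong guesses are constructed.

```python
import hashlib
import hmac


def F(x: str, nbytes: int) -> bytes:
    """Stand-in one-way function (assumption: NOT the function VMS uses).
    Many-to-one: any input string maps to just nbytes bytes.
    A production F would also be salted and deliberately slow; that is
    omitted here to mirror the F(X) notation of the post."""
    return hashlib.sha256(x.encode("utf-8")).digest()[:nbytes]


def enroll(p: str, nbytes: int) -> bytes:
    """Return the only thing the system stores: F(P), never P itself."""
    return F(p, nbytes)


def check(r: str, stored: bytes) -> bool:
    """Accept response R iff F(R) equals the stored F(P).
    compare_digest avoids leaking the mismatch position through timing."""
    return hmac.compare_digest(F(r, len(stored)), stored)


def false_accepts(stored: bytes, trials: int) -> int:
    """Count constructed wrong responses that are accepted anyway,
    which can happen only because F is many-to-one."""
    return sum(check(f"wrong-guess-{i}", stored) for i in range(trials))


if __name__ == "__main__":
    P = "correct horse battery"  # constructed sample password
    trials = 20000
    for nbytes in (1, 2, 8):
        stored = enroll(P, nbytes)
        n = false_accepts(stored, trials)
        expected = trials / 256 ** nbytes
        print(f"{nbytes}-byte F: right password accepted={check(P, stored)}, "
              f"wrong responses accepted={n} of {trials} "
              f"(expected about {expected:.3g})")
```
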

MACALLSTR@vax1.physics.oxford.ac.UK.UUCP (03/28/87)

This is positively a hacker's question!
If anyone knows of a way, don't answer.
If anyone knows of a way, there'll be a lot of worried people
 in DEC and elsewhere!
John