VMS Help  —  LGI Routines, LGI$ICR_AUTHENTICATE, Description
    All logins involving a password invoke the LGI$ICR_AUTHENTICATE
    callout routine. The routine is not called for subprocesses,
    network jobs invoked by proxy logins, or logged-in DECterm
    sessions.

    The following pointers are used in password authentication:

    o  Longword LGI$A_ICR_PWDCOUNT points to a location that contains
       the number of OpenVMS passwords for a particular account.
       Nonexistent accounts are assigned a password count of 1 to
       avoid revealing them by the absence of a password prompt.

    o  For DECwindows logins only, longword LGI$A_ICR_PWD1 points to
       a location that contains the user's primary password.

    o  For DECwindows logins only, longword LGI$A_ICR_PWD2 points
       to a location that contains the user's secondary password, if
       applicable.

    For all logins except DECwindows logins, the LGI$ICR_AUTHENTICATE
    callout routine may use the following callback routine sequence:

    o  Call LGI$ICB_PASSWORD for standard password prompting with an
       optional nonstandard prompt and the option of checking or just
       returning the password or other information obtained.

    o  Call LGI$ICB_GET_INPUT for completely customized prompting for
       each required piece of authentication information.

    For DECwindows logins, neither the LGI$ICB_PASSWORD callback
    routine nor the LGI$ICB_GET_INPUT callback routine needs to
    be called. The user enters the password using the DECwindows
    login dialog box before LOGINOUT issues the LGI$ICR_AUTHENTICATE
    callout.

    For a complete description of the DECwindows flow of control, see
    the description of the LGI$ICR_DECWINIT callout routine.

    All logins involving a password may invoke the LGI$ICB_VALIDATE
    callback routine. This routine validates against SYSUAF.DAT
    passwords obtained by customized prompting using descriptors
    for the user name and passwords. Optionally, the login may call
    the LGI$_ICB_CHECK_PASS callback routine to validate passwords.

    For interactive jobs, the LGI$ICR_AUTHENTICATE routine should
    check the DISUSER flag using the LGI$ICB_DISUSER callback routine
    to preserve the consistency of the "invalid user" behavior for
    disabled accounts. For other types of jobs, use the LGI$ICR_
    CHKRESTRICT callout routine to check the DISUSER flag.

                                   NOTE

       LOGINOUT checks the DISUSER flag as part of the
       authentication process because, if it is checked later,
       an intruder could determine that the correct user name and
       password had been entered and that the account is disabled.
       This is deliberately hidden by keeping the user in the retry
       loop for a disabled account.

       If the DISUSER flag is checked with other access
       restrictions in the authorization portion, this causes an
       immediate exit from LOGINOUT.

    Break-in detection, intrusion evasion, and security auditing are
    done in the case of any failure return from LGI$ICR_AUTHENTICATE.

    If this routine returns LGI$_SKIPRELATED, the user is fully
    authenticated, and no further authentication is done by either
    the site or OpenVMS. If this routine returns an error for
    an interactive job, the system retries the identification
    and authentication portions of LOGINOUT. For character-cell
    terminals, this consists of calling the LGI$ICR_IDENTIFY and
    LGI$ICR_AUTHENTICATE callout routines; for DECwindows terminals,
    this consists of calling the LGI$ICR_DECWINIT routine. The number
    of retries is specified by the SYSGEN parameter LGI_RETRY_LIM.
Close Help