A password strength server (PSS) ensures that newly created or modified passwords follow specified password composition rules. The password strength server installed with DSS (if active) tests new or modified passwords and forces them to conform to those rules.

If your DSS installation requires password composition rules other than those provided, you can modify and recompile the PSS daemon to customize the rules. The password strength server that ships with DSS allows changes to the customer composition check and to the history check.

Customers should tailor the following parameters when creating their own password strength server:

SERVER_PNAME is the unique identity of each potentially available strength server running within the cell. Multiple strength servers can run in a cell at the same time; however, only ONE of them can be assigned to each user account at a time. For DSS, lspwsd is the default assignment. When creating a new strength server from this code, you must compile under this name. This is also the name of the error log for this server.

OBJUUID is a string that is the unique identifier for this server. The OBJUUID allows the server to communicate with multiple parts of DSS. The string MUST be changed for each new strength server that runs in any cell. To obtain a new UUID for this parameter, see the note at the end of this section.

The only other location in the code that a customer needs to alter is the actual password composition check. To find this location in the code, search for the string CUSTOMER COMPOSITION CHECKING.

The following code is contained in the lspwsd.c header information:

#define SERVER_PNAME "lspwsd"    /* server principal name, program name (.exe name), and error log name */
#define OBJUUID  "9bdda41-1940-11cf-8f92-000233002ab7"  /* object uuid */
#define CDSPATH "/.:/subsys/dce/pwd_mgmt/" SERVER_PNAME  /* export bindings */

All strength servers, whether provided by IBM or built by customers, should use the principal name as a "simple" suffix to the CDS namespace path. This convention must be followed if the OS/2 DCE configuration procedures that support strength servers are to function properly and conveniently for you.

The password strength server has been modified to:

Use the "cds style" way of catching signals and terminating. The essential features of this style are:

The following code is contained in rsec_pwd_mgmt_str_chk:
passwd_len = strlen((char *) pwd->key.tagged_union.plain);

/* check password against effective policies for LAN Server and DCE */
password_validity = check_plain_pwd((char *) pwd->key.tagged_union.plain,       /* in  */
                                    passwd_len,                                 /* in  */
                                    plcy[0].attr_value.tagged_union.signed_int, /* in  */
                                    plcy[1].attr_value.tagged_union.signed_int, /* in  */
                                    stp);                                       /* out */
if (password_validity)
{
  plain_OR_encrypted = PLAINTEXT;
  password_validity = Net32PasswordStrengthCheck((const char *) NULL,                  /* in  */
                                                 (const char *) princ,                 /* in  */
                                                 (void *) pwd->key.tagged_union.plain, /* in  */
                                                 stp);                                 /* out */
#if 0
  /* CUSTOMER COMPOSITION CHECKING: enable this block and
     ADD CUSTOMER PASSWORD COMPOSITION CHECKING FUNCTION HERE AND
     RETURN A TRUE (1) OR FALSE (0) VALUE IN password_validity, i.e. */
  if (password_validity)
  {
    password_validity = CustPwdCompCheck((const char *) NULL,                  /* in  */
                                         (const char *) princ,                 /* in  */
                                         (void *) pwd->key.tagged_union.plain, /* in  */
                                         stp);                                 /* out */
  }
#endif
}
if (!password_validity)
{
  if (*stp == NERR_PasswordTooRecent    ||
      *stp == NERR_PasswordHistConflict ||
      *stp == NERR_PasswordTooShort     ||
      *stp == NERR_PasswordAllAlphNum   ||
      *stp == NERR_PasswordAllSpaces)
  {
    /* Call DosGetMessage to get the message from the message file.  Ignore  */
    /* the return code because if there is an error, the text for that error */
    /* is returned in msgbuf.                                                */
    DosGetMessage(NULL,        /* pointer to substitution strings */
                  0,           /* number of substitution strings  */
                  msgbuf,      /* return buffer                   */
                  MSGBUF_LEN,  /* size of return buffer           */
                  *stp,        /* message number                  */
                  "net.msg",   /* message file name               */
                  &msglen);    /* length of returned message      */

    /* build the error log record: header, principal, status name, message text */
    strcpy(net_msgbuf, MSG_HEADER);
    strcat(net_msgbuf, princ);
    strcat(net_msgbuf, " ");
    switch (*stp)
    {
      case NERR_PasswordTooRecent:
        strcat(net_msgbuf, "NERR_PasswordTooRecent ");
        break;
      case NERR_PasswordHistConflict:
        strcat(net_msgbuf, "NERR_PasswordHistConflict");
        break;
      case NERR_PasswordTooShort:
        strcat(net_msgbuf, "NERR_PasswordTooShort ");
        break;
      case NERR_PasswordAllAlphNum:
        strcat(net_msgbuf, "NERR_PasswordAllAlphNum");
        break;
      case NERR_PasswordAllSpaces:
        strcat(net_msgbuf, "NERR_PasswordAllSpaces");
        break;
    }
    strcat(net_msgbuf, msgbuf);

    Net32ErrorLogWrite(NULL,
                       stp,
                       (const unsigned char *) "LSPWSD",
                       (const unsigned char *) net_msgbuf,
                       sizeof(net_msgbuf),
                       NULL,
                       0,
                       NULL);
    DSSgetmessage;   /* as in the original listing */
  }
}

/* THIS PASSWORD COMPOSITION CHECK **MUST** RETURN **ONLY** A TRUE OR */
/* FALSE AS TO PASSWORD VALIDITY                                      */

return (boolean32) password_validity;
}
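The placeholder in the listing above leaves the customer composition check itself undefined. The following is an added example of what such a function can look like; it is not IBM's code and not part of the DSS sources. It assumes the calling convention the placeholder shows (server name, principal name, plaintext password, status pointer; return 1 for valid, 0 for invalid with the reason stored in *stp). The status values, the minimum length of 8, the rule set, and the helper name contains_ci are all assumptions made for this example; a real check would set the NERR_* codes the server's logging path expects.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Assumed typedef so the example builds stand-alone; the real server gets
   boolean32 from the DCE headers. */
typedef unsigned long boolean32;

/* Constructed status values for this example. A production check would set
   the NERR_* codes used by the server so the logging path can name them. */
enum {
    CUST_PWD_OK            = 0,
    CUST_PWD_TOO_SHORT     = 9001,
    CUST_PWD_ALL_SPACES    = 9002,
    CUST_PWD_ALL_ALPHANUM  = 9003,
    CUST_PWD_HAS_PRINCIPAL = 9004
};

#define CUST_MIN_LEN 8   /* assumed policy value */

/* Case-insensitive substring search; strcasestr() is not portable C.
   Hypothetical helper for this example. */
static int contains_ci(const char *hay, const char *needle)
{
    size_t hl = strlen(hay), nl = strlen(needle), i, j;
    if (nl == 0 || nl > hl) return 0;
    for (i = 0; i + nl <= hl; i++) {
        for (j = 0; j < nl; j++) {
            if (tolower((unsigned char) hay[i + j]) != tolower((unsigned char) needle[j]))
                break;
        }
        if (j == nl) return 1;
    }
    return 0;
}

/* Hypothetical customer check with the signature the placeholder in
   rsec_pwd_mgmt_str_chk calls. Returns 1 (valid) or 0 (invalid) and, on
   failure, stores the reason in *stp, which is the return contract the
   server requires. */
boolean32 CustPwdCompCheck(const char *server, const char *princ, void *plain, unsigned long *stp)
{
    const char *pwd = (const char *) plain;
    size_t len, i;
    int all_space = 1, all_alnum = 1;

    (void) server;                 /* unused; kept for the placeholder's signature */
    if (stp == NULL) return 0;
    *stp = CUST_PWD_OK;
    if (pwd == NULL) { *stp = CUST_PWD_TOO_SHORT; return 0; }

    len = strlen(pwd);
    if (len < CUST_MIN_LEN) { *stp = CUST_PWD_TOO_SHORT; return 0; }

    /* one pass over the password classifies its characters */
    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char) pwd[i];
        if (c != ' ') all_space = 0;
        if (!isalnum(c)) all_alnum = 0;
    }
    if (all_space) { *stp = CUST_PWD_ALL_SPACES; return 0; }
    if (all_alnum) { *stp = CUST_PWD_ALL_ALPHANUM; return 0; }

    /* reject passwords that embed the principal name, ignoring case */
    if (princ != NULL && *princ != '\0' && contains_ci(pwd, princ)) {
        *stp = CUST_PWD_HAS_PRINCIPAL;
        return 0;
    }
    return 1;
}
```

The checks run in the same order the server's logging switch lists the LAN Server reasons (too short, all spaces, all alphanumeric), so each failure reports exactly one reason; the function never reports success while leaving *stp unset, which matters because the caller only reads *stp on a false return.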

Note: Replace the OBJUUID value with one generated by the UUID generator from the command line. This produces a unique object id for your server.

For more information concerning Password Strength Server, refer to IBM Directory and Security Server Administrator's Reference.
