jakarman
Barite | Level 11

Andreas, thanks for your extensive explanation. I agree with your argumentation, so where is the point where we disagree?
That is the external connection option AUTHDOMAIN=. What is it there that we disagree on?

- The user and password validation is done by the external side, for instance Oracle, SQL Server, Postgres, Teradata or whatever.

  That password validation is done by unknown routines by SAS and the external doesn't know anything of SAS.

- The only option I see how this can work is that the user/password is handed over in some part of the interface of the connection.

  As the ODBC interface client of the RDBMS supports encryption over the wire by its own dedicated means, the place where the password is clear text must be at that interface.

- The external Authdomain is often stored with the PWencode option.

My conclusion is that that part must be reversible and not a one-way hash.

---->-- ja karman --<-----
jakarman
Barite | Level 11

Kurt, Andreas, I agree that hashes shouldn't be a reverse hash like AES TLS. This is how normally user passwords are treated.
Now see this one: SAS(R) 9.4 Intelligence Platform: Security Administration Guide, Second Edition. It is documented by SAS that you can downgrade to MD5 (sas002).

" Set the following options:

  • STOREPASSWORDS="SAS002"
  • HashPasswords="MD5"
Note: The latter setting is within the InternalAuthenticationPolicy section of the omaconfig.xml file."
It is followed by the description of a process by which you can re-encrypt the existing stored passwords.
Please explain how this is possible when the decryption of the original password is not possible. It is a contradiction, isn't it?
---->-- ja karman --<-----
AndreasMenrath
Pyrite | Level 9

No, it's not a contradiction. But you need to distinguish between two types of passwords:

1) SAS Internal passwords, which are only used for SAS Internal Accounts which are hashed in MD5 or SHA1.

2) SAS encoded passwords for all the rest (database users, OS users, LDAP, etc.). Encoded passwords use the SAS internal algorithm SAS001, SAS002, SAS003 or SAS004 and can be decoded back to the original password in clear text by SAS.

The documentation you referenced says it only supports re-encrypting existing stored passwords and exchanging the master passphrase for SAS003 and SAS004 encoded passwords.
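The distinction drawn in the reply above, as an added illustration that is not part of the thread and not SAS code: a hashed password can only be verified, while an encoded one can be decoded and therefore re-encoded under a new passphrase. The hash and the toy keystream cipher are stand-ins built from the Python standard library, not the SAS001 to SAS004 algorithms, and every function name and sample value is hypothetical.

```python
import hashlib, hmac, os

def hash_internal(password, salt):
    # One-way: only a candidate password can be checked against this value.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def verify_internal(candidate, salt, stored):
    return hmac.compare_digest(hash_internal(candidate, salt), stored)

def _keystream(passphrase, nonce, length):
    # Toy keystream derived from the passphrase (stand-in, constructed for this example).
    key = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), nonce, 100_000)
    stream = b""
    counter = 0
    while len(stream) < length:
        stream += hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return stream[:length]

def encode_outbound(password, passphrase):
    # Reversible: the clear text is needed later to log on to the external database.
    nonce = os.urandom(16)
    data = password.encode()
    return nonce + bytes(a ^ b for a, b in zip(data, _keystream(passphrase, nonce, len(data))))

def decode_outbound(blob, passphrase):
    nonce, body = blob[:16], blob[16:]
    return bytes(a ^ b for a, b in zip(body, _keystream(passphrase, nonce, len(body)))).decode()

def rotate_passphrase(blob, old_passphrase, new_passphrase):
    # Works only because decode_outbound() recovers the original password.
    return encode_outbound(decode_outbound(blob, old_passphrase), new_passphrase)

if __name__ == "__main__":
    salt = os.urandom(16)
    stored_hash = hash_internal("internal-pw", salt)    # constructed sample
    print(verify_internal("internal-pw", salt, stored_hash))
    blob = encode_outbound("db-pw", "old passphrase")   # constructed sample
    rotated = rotate_passphrase(blob, "old passphrase", "new passphrase")
    print(decode_outbound(rotated, "new passphrase"))
```

There is no counterpart to `rotate_passphrase` for the value returned by `hash_internal`: moving a hashed password to a different hash requires the user to supply the password again.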
