
Multiple passwords for one user, UIC uniqueness and the system password on OpenVMS

Published: 13-05-2018 | Author: Remy van Elst | Text only version of this article



In the book I bought about OpenVMS for this article on filesystems, Getting Started with OpenVMS by M. Duffy, I read a few interesting things in the chapter that introduces user accounts and system login. Namely that a user can have multiple passwords, that user IDs (UICs) are not unique and that there can be a system password. This article goes into those three topics.


Add a new user to experiment on

For this article I added a new test user on my OpenVMS 8.4 install. It has the same privileges as the SYSTEM user (/PRIV=ALL), so be careful with it. Change the root device and directory if needed:

    $ SET DEFAULT SYS$SYSTEM
    $ RUN AUTHORIZE
    UAF> ADD REMY /PASSWORD=TEMP /OWNER="Remy van Elst" /DEV=DKA0 /DIR=[USERS.REMY] /UIC=[200,201] /FLAG=NODISUSER /PRIV=ALL

Create the home directory for the user and set its owner:

    $ CREATE /DIRECTORY DKA0:[USERS.REMY]
    $ SET DIRECTORY /OWNER=REMY DKA0:[USERS.REMY]

Logout the SYSTEM user:

    $ LOG

Login as your new user and change the password (which is TEMP):

    Welcome to OpenVMS (TM) Alpha Operating System, Version V8.4
    Your password has expired; you must set a new password to log in
    New password:
    Verification:
    $

Try to create a file to see if you set up the directory and its ownership correctly:

    $ dir
    %DIRECT-W-NOFILES, no files found
    $ create example
    hello
    CTRL+Z
    $ dir
    Directory DKA0:[USERS.REMY]
    EXAMPLE.;1
    Total of 1 file.

Do note that OpenVMS passwords are case-insensitive by default. Read here for more information; there is an account flag (PWDMIX) you can set to make passwords case-sensitive.

A user password can contain up to 32 alphanumeric and special characters. Unless your system manager has set the PWDMIX flag in your authorization account record, the only special characters permitted are the dollar sign and underscore. Without the PWDMIX authorization, all lowercase characters are converted to uppercase before the password is encrypted. For example, "eagle" is the same as "EAGLE."

Furthermore, spaces are ignored:

Blank spaces are permissible within a password, but they are not considered part of the password, and OpenVMS ignores them. For example, "MY PASSWORD" is an acceptable password, but the system only records "MYPASSWORD." This means that "MYPA SSWORD" is also a valid password for the account in question.
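The practical consequence of the two quoted rules is that several different strings unlock the same account, so the effective keyspace of a non-PWDMIX password is smaller than it looks. The following Python model is an added example (not code from the article or from OpenVMS) that canonicalises a candidate password the way the documentation describes and tells you which inputs collide. The PWDMIX branch is an assumption for this example: case is kept and any printable ASCII character is accepted.

```python
# Added example, not from the original article: a model of how OpenVMS
# canonicalises a password before hashing, per the rules quoted above.
# The PWDMIX branch (case kept, any printable ASCII) is an assumption.
import string

MAX_LEN = 32
PLAIN_ALLOWED = set(string.ascii_uppercase + string.digits + "$_")


def canonical_password(password: str, pwdmix: bool = False) -> str:
    """Return the form the system would actually record, or raise ValueError.

    Without PWDMIX: spaces dropped, letters upper-cased, only A-Z 0-9 $ _ allowed.
    With PWDMIX (assumed here): spaces dropped, case kept, printable ASCII allowed.
    """
    stripped = password.replace(" ", "")        # spaces are never part of a password
    if not pwdmix:
        stripped = stripped.upper()             # "eagle" becomes "EAGLE"
        bad = set(stripped) - PLAIN_ALLOWED
        if bad:
            raise ValueError(f"characters not allowed without PWDMIX: {sorted(bad)}")
    elif not all(32 < ord(ch) < 127 for ch in stripped):
        raise ValueError("non-printable or non-ASCII character in password")
    if not stripped:
        raise ValueError("password is empty once spaces are removed")
    if len(stripped) > MAX_LEN:
        raise ValueError(f"password longer than {MAX_LEN} characters")
    return stripped


def collide(a: str, b: str, pwdmix: bool = False) -> bool:
    """True if the two strings would unlock the same account."""
    return canonical_password(a, pwdmix) == canonical_password(b, pwdmix)


if __name__ == "__main__":
    for pw in ("MY PASSWORD", "MYPASSWORD", "MYPA SSWORD", "mypassword"):
        print(f"{pw!r:16} -> {canonical_password(pw)!r}")
    print("eagle vs EAGLE, PWDMIX off:", collide("eagle", "EAGLE"))
    print("eagle vs EAGLE, PWDMIX on: ", collide("eagle", "EAGLE", pwdmix=True))
```

Feed it the password candidates from a policy review (or a wordlist) and count distinct canonical forms; the difference from the raw count is the number of "free" guesses an attacker gets.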

Licensing error?

After adding the user and trying to login I got a licensing error:

No license is active for this software product

It also spammed the terminal with AUDIT server logs:

    %%%%%%%%%%%  OPCOM  10-MAY-2018 19:52:05.87  %%%%%%%%%%%
    Message from user AUDIT$SERVER on REMY1
    Security alarm (SECURITY) and security audit (SECURITY) on REMY1, system id: 1049
    Auditable event:          Local interactive login failure
    Event time:               10-MAY-2018 19:52:05.87
    PID:                      0000021C
    Process name:             REMY
    Username:                 REMY
    Process owner:            [REMY]
    Terminal name:            _TTA0:
    Image name:               REMY1$DKA0:[SYS0.SYSCOMMON.][SYSEXE]LOGINOUT.EXE
    Posix UID:                -2
    Posix GID:                -2 (%XFFFFFFFE)
    Status:                   %LICENSE-F-NOLICENSE, no license is active for this software product
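Those AUDIT$SERVER alarms are the raw material for login-failure detection on OpenVMS, and their fixed "Field name:   value" layout makes them easy to parse. The following Python is an added example (not code from the article) that splits an OPCOM log into records and flags a user/terminal pair with repeated interactive login failures inside a time window. The sample log is constructed: it reuses the alarm shown above and adds three bad-password attempts for a hypothetical REMY2 account.

```python
# Added example, not part of the original article: parse OPCOM security
# alarms into records and flag repeated interactive login failures per
# (username, terminal). The sample messages below are constructed for this
# example, modelled on the alarm the article shows.
import re
from collections import defaultdict
from datetime import datetime, timedelta

HEADER = re.compile(r"^%{5,}\s+OPCOM\s+(\d{1,2}-[A-Za-z]{3}-\d{4} \d\d:\d\d:\d\d\.\d+)\s+%{5,}")
SENDER = re.compile(r"^Message from user (\S+) on (\S+)")
FIELD = re.compile(r"^([A-Za-z][A-Za-z ]*?):\s{2,}(.*)$")   # "Username:      REMY"


def parse_opcom(text):
    """Split an OPCOM log into one dict per message (field names lower-cased)."""
    messages, current = [], None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:                                  # a new message starts at the %%% banner
            current = {"timestamp": datetime.strptime(m.group(1), "%d-%b-%Y %H:%M:%S.%f")}
            messages.append(current)
            continue
        if current is None:
            continue
        m = SENDER.match(line)
        if m:
            current["sender"], current["node"] = m.groups()
            continue
        m = FIELD.match(line)
        if m:
            current[m.group(1).lower().replace(" ", "_")] = m.group(2).strip()
    return messages


def login_failures(messages, threshold=3, window=timedelta(minutes=5)):
    """(username, terminal) pairs with at least `threshold` login failures within `window`."""
    stamps = defaultdict(list)
    for msg in messages:
        if msg.get("sender") != "AUDIT$SERVER":
            continue
        if "login failure" not in msg.get("auditable_event", "").lower():
            continue
        stamps[(msg.get("username"), msg.get("terminal_name"))].append(msg["timestamp"])
    flagged = []
    for key, times in stamps.items():
        times.sort()
        if any(times[i + threshold - 1] - times[i] <= window
               for i in range(len(times) - threshold + 1)):
            flagged.append(key)
    return flagged


def alarm(ts, user, terminal, status):
    """Build one constructed alarm in the layout AUDIT$SERVER uses (sample data only)."""
    return f"""%%%%%%%%%%%  OPCOM  {ts}  %%%%%%%%%%%
Message from user AUDIT$SERVER on REMY1
Security alarm (SECURITY) and security audit (SECURITY) on REMY1, system id: 1049
Auditable event:          Local interactive login failure
Event time:               {ts}
PID:                      0000021C
Process name:             {user}
Username:                 {user}
Process owner:            [{user}]
Terminal name:            {terminal}
Image name:               REMY1$DKA0:[SYS0.SYSCOMMON.][SYSEXE]LOGINOUT.EXE
Posix UID:                -2
Posix GID:                -2 (%XFFFFFFFE)
Status:                   {status}
"""


# Constructed sample: the article's licence failure plus three bad-password
# attempts for REMY2 on the same terminal within two minutes.
SAMPLE_LOG = (
    alarm("10-MAY-2018 19:52:05.87", "REMY", "_TTA0:",
          "%LICENSE-F-NOLICENSE, no license is active for this software product")
    + alarm("10-MAY-2018 19:53:10.02", "REMY2", "_TTA0:", "%LOGIN-F-INVPWD, invalid password")
    + alarm("10-MAY-2018 19:53:41.55", "REMY2", "_TTA0:", "%LOGIN-F-INVPWD, invalid password")
    + alarm("10-MAY-2018 19:54:58.13", "REMY2", "_TTA0:", "%LOGIN-F-INVPWD, invalid password")
)

if __name__ == "__main__":
    records = parse_opcom(SAMPLE_LOG)
    for r in records:
        print(r["timestamp"], r["username"], r["terminal_name"], r["status"])
    print("flagged:", login_failures(records))
```

The status line is kept verbatim, so a consumer can separate a licensing failure from a bad password; the rule above deliberately counts both, because from the terminal's point of view either is a failed interactive login.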

Somehow all my licenses disappeared:

    $ SHOW LICENSE /USAGE
    View of loaded licenses from node REMY1                 10-MAY-2018 19:58:37.10
    %SHOW-I-NOLICENSE, no licenses exist

After re-adding my hobbyist license it still did not work. I had to add the hostname (REMY1) to the license for the error to go away:

    $ LICENSE MODIFY OPENVMS-ALPHA /INCLUDE=REMY1

After which all was well and I could login with the new user:

    $ SHOW LICENSE OPENVMS-ALPHA
    Active licenses on node REMY1:
    ------- Product ID --------    ---- Rating ----- -- Version --
    Product            Producer    Units Avail Activ Version Release    Termination
    OPENVMS-ALPHA      DEC             0  0     100    0.0  (none)       1-APR-2019

I am not sure why this happens. Now let's get on to the interesting bits.

Secondary password

The first thing I want to cover is the secondary password. A user account on OpenVMS can have more than one password: the primary password and the secondary password. This is useful in high-security environments where two people are needed to access an account (one that may hold special privileges). More detail is in the OpenVMS documentation.

Chapter 4, User accounts, Overview states:

Your system manager may create user accounts that require zero, one, or two passwords, but accounts with one password are the norm.

From the documentation:

Secondary password. The second of two passwords to be entered for an account requiring both primary and secondary passwords. The secondary password provides an additional level of security on user accounts. Typically, the primary user does not know the secondary password; a supervisor or other key person must be present to supply it. For certain applications, the supervisor may also decide to remain present while the account is in use. Thus, secondary passwords facilitate controlled logins and the actions taken after a login. Secondary passwords can be time-consuming and inconvenient. They are justified only at sites with maximum security requirements. An example of an account that justifies dual passwords would be one that bypasses normal access controls to permit emergency repair to a database.

The text above already gives an example and I can imagine a few more. Take two users with different functions in the organization, say a programmer and a director. If the sysadmins are not available (hit by a bus, on holiday) these two users can together gain access to a special account to do maintenance. In other operating systems you can achieve something similar by giving each of them one half of a single password. The OpenVMS way feels more thought out: you can check in the authorization file which accounts require secondary passwords, and the two password attempts are logged separately as well.

To set up a secondary password, run the AUTHORIZE program and use MODIFY:

    $ SET DEFAULT SYS$SYSTEM
    $ RUN AUTHORIZE
    UAF> MODIFY REMY /PASSWORD=("", example) /NOPWDEXPIRED

The primary password is not modified, hence the empty string in ("", example). If you want to set both passwords, replace the "" with a password. If you have a user with two passwords and want to change only the primary password, use /PASSWORD=example. To modify both, use /PASSWORD=(FIRST_PASS, SECONDARY_PASS).

The /NOPWDEXPIRED qualifier is given because otherwise the user would have to change the secondary password at first login, and in the use case of a secondary password that is not what you want (since it involves two people).

If you log out (LOG) and log in as the user, you will be asked for a password twice. The first prompt is for the primary password, the second for the secondary password:

    Welcome to OpenVMS (TM) Alpha Operating System, Version V8.4
    Username: remy
    Password:
    Password:
    Welcome to OpenVMS (TM) Alpha Operating System, Version V8.4
    Last interactive login on Friday, 11-MAY-2018 20:20:33.58
    $

To remove a secondary password, remove all passwords from the user and then set a new (primary) password:

    $ SET DEFAULT SYS$SYSTEM
    $ RUN AUTHORIZE
    UAF> MODIFY REMY /NOPASSWORD
    %UAF-I-PWDLESSMIN, new password is shorter than minimum password length
    %UAF-I-MDFYMSG, user record(s) updated
    UAF> MODIFY REMY /PASSWORD=TEMP
    %UAF-I-MDFYMSG, user record(s) updated

When the user logs in now, only one password is required, and the user has to change it at first login (this time /NOPWDEXPIRED was not given, so the new password is pre-expired).

You can read more on the AUTHORIZE program here.

User IDs (UICs) are not unique

The second interesting point I want to show and talk about is UIC uniqueness. Linux has a separate UID and GID; OpenVMS combines them into one identifier. A UIC consists of a group and a member number and is written as [200,201]: group 200, member 201. Both numbers are octal. Accounts whose group number is at or below the MAXSYSGROUP system parameter (octal 10 by default) are treated as system accounts. UICs can be written numerically, as in these examples, or alphanumerically ([WELDING,JACK]).

Chapter 4, User Identification Code (UIC), states:

UICs Are Not Necessarily Unique. It is important to note that a UIC does not necessarily identify one particular user. It is possible for the system manager to assign the same UIC to two or more user accounts. It is also possible to reuse a UIC previously assigned to a user account that has been deleted.

File protection (as opposed to ACLs) relies on the UIC, so a system manager can choose to create a user with the same UIC as another user (not the same username though). This way an account that holds no privileges can access the files of another user without special permissions, since to the system it is the same UIC.

You might use this when someone is away for a longer period, or when a user is replaced by someone else. On Linux systems the UID is recommended to be unique, but it is not required. In my experience, however, it gives more problems than solutions, and using groups, SELinux or ACLs fixes the problem better.

I cover this because, as far as I know, in OpenVMS the file protection code looks exclusively at the UIC. I'm not sure how that is on a Linux system.

Earlier in the article we created a new user with the UIC [200,201]. Let's create an example file and make it inaccessible to other users:

    $ CREATE EXAMP.TXT
    this is a test
    CTRL+Z

Check the default protection:

    $ DIR /SECURITY
    Directory DKA0:[USERS.REMY]
    EXAMP.TXT;1          [REMY]                           (RWED,RWED,RE,)
    Total of 1 file.

This means that the four fields are System, Owner, Group and World, in that order: the system category and the owner (REMY, UIC [200,201]) get Read, Write, Execute and Delete; other members of group 200 get Read and Execute; the world (everyone else) gets nothing.

Change it so that the other members of the group the user belongs to (group 200) cannot access the file either:

    $ SET FILE/PROTECTION=(S:RWED,O:RWED,G,W) EXAMP.TXT;1

Now create another user with a different UIC to test the rights. Make sure it has no privileges (no /PRIV=ALL) and a group number above MAXSYSGROUP, otherwise it will still be able to access the file through the system category.

    $ SET DEFAULT SYS$SYSTEM
    $ RUN AUTHORIZE
    UAF> ADD REMY2 /PASSWORD=TEMP /OWNER="Remy2" /DEV=DKA0 /DIR=[USERS.REMY2] /UIC=[300,401] /FLAG=NODISUSER
    UAF> CTRL+Z   ! to exit AUTHORIZE
    $ CREATE /DIRECTORY DKA0:[USERS.REMY2]
    $ SET DIRECTORY /OWNER=REMY2 DKA0:[USERS.REMY2]

Log in as that user (REMY2) and check whether you can access the file. It should fail:

    $ TYPE DKA0:[USERS.REMY]EXAMP.TXT;1
    %TYPE-W-OPENIN, error opening DKA0:[USERS.REMY]EXAMP.TXT;1 as input
    -RMS-E-PRV, insufficient privilege or file protection violation

Cool. Now, as the SYSTEM user, run AUTHORIZE and change the UIC of this second user. Note: don't do this on a live system, since it has unwanted side effects (namely protection violations on all of that user's own files).

    UAF> MODIFY REMY2 /UIC=[200,201]
    %UAF-E-RDBMDFYERR, unable to modify identifier REMY2
    -SYSTEM-F-DUPIDENT, duplicate identifier
    %UAF-I-MDFYMSG, user record(s) updated

Disregard the error: AUTHORIZE could not update the rights-database identifier for REMY2 because [200,201] is already bound to the identifier REMY, but the user record itself was updated. Check with SHOW REMY2 to see the actual change:

    UAF> SHOW REMY2
    Username: REMY2                            Owner:  Remy2
    Account:                                   UIC:    [200,201] ([REMY])
    CLI:      DCL                              Tables: DCLTABLES
    Default:  DKA0:[USERS.REMY2]
    LGICMD:
    Flags:

Log back in as that user (REMY2). The file of the other user with the same UIC (REMY) should be readable now:

    $ TYPE DKA0:[USERS.REMY]EXAMP.TXT;1
    this is a test

As is the home directory of that user:

    $ DIR DKA0:[USERS.REMY]
    Directory DKA0:[USERS.REMY]
    EXAMP.TXT;1
    Total of 1 file.

However, as stated above, you can no longer view your own files and directories, since your UIC changed and they are still owned by [300,401]:

    $ SHOW DEF
      DKA0:[USERS.REMY2]
    $ DIR
    %DIRECT-E-OPENIN, error opening DKA0:[USERS.REMY2]*.*;* as input
    -RMS-E-PRV, insufficient privilege or file protection violation
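The whole experiment comes down to how a protection code is matched against the accessing UIC. The Python below is an added example (not the article's code and not OpenVMS's implementation) that models that evaluation for the default protection shown by DIR /SECURITY and the locked-down code set with SET FILE/PROTECTION, and reproduces both results above: two accounts sharing [200,201] are the same owner, and REMY2 loses its own directory once its UIC no longer matches. Assumptions for the model: numeric UICs only, no ACLs, no privileges other than the system category, MAXSYSGROUP at its default of octal 10, and a user who falls into several categories gets the union of what those categories grant.

```python
# Added example, not part of the original article: a model of how OpenVMS
# evaluates a protection code against a UIC. Assumptions: numeric UICs only,
# no ACLs, no privileges beyond the system category, MAXSYSGROUP = octal 10,
# and access is granted if any applicable category grants it.
from dataclasses import dataclass

MAXSYSGROUP = 0o10                    # groups at or below this are "system" (octal)
CATEGORIES = ("S", "O", "G", "W")     # System, Owner, Group, World


@dataclass(frozen=True)
class UIC:
    group: int
    member: int

    @classmethod
    def parse(cls, text):
        """'[200,201]' -> UIC(group=0o200, member=0o201); the digits are octal."""
        g, m = text.strip("[]").split(",")
        return cls(int(g, 8), int(m, 8))

    def __str__(self):
        return f"[{self.group:o},{self.member:o}]"


def parse_protection(code):
    """Accept '(S:RWED,O:RWED,G,W)' (SET FILE form) or '(RWED,RWED,RE,)'
    (DIR /SECURITY form, positional S,O,G,W) -> {'S': {...}, 'O': {...}, ...}."""
    fields = [f.strip().upper() for f in code.strip("()").split(",")]
    prot = {c: set() for c in CATEGORIES}
    if any(":" in f for f in fields):              # keyword form; bare 'G' means no access
        for f in fields:
            cat, _, rights = f.partition(":")
            prot[cat] = set(rights)
    else:                                          # positional form
        for cat, rights in zip(CATEGORIES, fields):
            prot[cat] = set(rights)
    return prot


def categories_for(user, owner):
    """Every protection category the accessing UIC falls into."""
    cats = {"W"}                                   # everyone is in World
    if user.group == owner.group:
        cats.add("G")
    if user == owner:                              # same group AND member: the owner
        cats.add("O")
    if user.group <= MAXSYSGROUP:
        cats.add("S")
    return cats


def allowed(user, owner, protection, access):
    """True if any category the user belongs to grants `access` (R, W, E or D)."""
    prot = parse_protection(protection)
    return any(access.upper() in prot[c] for c in categories_for(user, owner))


if __name__ == "__main__":
    remy = UIC.parse("[200,201]")
    remy2_old, remy2_new = UIC.parse("[300,401]"), UIC.parse("[200,201]")
    locked = "(S:RWED,O:RWED,G,W)"                 # EXAMP.TXT after SET FILE/PROTECTION
    default = "(RWED,RWED,RE,)"                    # what DIR /SECURITY showed at first
    print("REMY2 as [300,401] reads EXAMP.TXT:", allowed(remy2_old, remy, locked, "R"))
    print("REMY2 as [200,201] reads EXAMP.TXT:", allowed(remy2_new, remy, locked, "R"))
    print("REMY2 as [200,201] lists its old home owned by [300,401]:",
          allowed(remy2_new, remy2_old, default, "R"))
    other = UIC.parse("[200,300]")
    print("group member [200,300] reads a default-protected file:", allowed(other, remy, default, "R"))
    print("group member [200,300] writes a default-protected file:", allowed(other, remy, default, "W"))
```

The same function also shows why the "no privileges" caveat above matters: any UIC whose group is at or below MAXSYSGROUP, for example [1,4], passes the system field of the locked-down code and reads the file regardless of owner.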

System password

The last of the interesting bits I want to discuss is the system password.

Chapter 5, logging in and out of the system, the login sequence states:

Some OpenVMS systems have a system password enabled. This is a rarely used, extra security feature. Such systems require you to type a password, which will not be displayed, even before presenting you with a Username: prompt. You will have no indication that anything at all is happening until the system password is accepted.

From the documentation:

The system password controls access to particular terminals and is required at the discretion of the security administrator. System passwords are usually necessary to control access to terminals that might be targets for unauthorized use, such as dialup and public terminal lines.

To set up the system password, set the password and then choose the terminals on which you want to require it.

Start up AUTHORIZE:

    $ SET DEFAULT SYS$SYSTEM
    $ RUN AUTHORIZE

Set the password:

    UAF> MODIFY/SYSTEM_PASSWORD=example
    %UAF-I-SYSPWDMOD, system password modified

Then, on a terminal where you want to require the system password, execute this command (/PERMANENT makes the setting survive logouts on that terminal; to have it survive a reboot, put the command in the system startup procedure):

    $ SET TERMINAL/SYSPWD/PERMANENT

You can use the SHOW TERM command to check whether the system password requirement is active on the terminal. Look for Syspassword in the characteristics:

    $ SHOW TERM
    Terminal: _TTA0:      Device_Type: Unknown       Owner: _TTA0:
                                                  Username: SYSTEM
       Input:    9600     LFfill:  0      Width:  80      Parity: None
       Output:   9600     CRfill:  0      Page:   24
    Terminal Characteristics:
       Interactive        Echo               Type_ahead         No Escape
       No Hostsync        TTsync             Lowercase          No Tab
       Wrap               Scope              No Remote          No Eightbit
       Broadcast          No Readsync        No Form            Fulldup
       No Modem           No Local_echo      Autobaud           No Hangup
       No Brdcstmbx       No DMA             No Altypeahd       Set_speed
       No Commsync        Line Editing       Overstrike editing No Fallback
       No Dialup          No Secure server   No Disconnect      No Pasthru
       Syspassword        No SIXEL Graphics  No Soft Characters No Printer Port
       Numeric Keypad     No ANSI_CRT        No Regis           No Block_mode
       No Advanced_video  No Edit_mode       No DEC_CRT         No DEC_CRT2
       No DEC_CRT3        No DEC_CRT4        No DEC_CRT5        No Ansi_Color
       VMS Style Input    <CTRL-H> Backspace

The documentation states that you can require this for remote logins as well, but I have trouble getting the networking part working, due to issues with Windows 10. No way for me to test that yet.

This is a GIF I recorded with the Windows On Screen Keyboard to show that thesystem password is required before being able to do anything:

Tags: alpha, blog, dec, decus, itanium, openvms, passwords, pdp, security, simh, vax, vms