Skip to main content

Multiple passwords for one user, UIC uniqueness and the system password on OpenVMS

13-05-2018 | Remy van Elst | Text only version of this article


Table of Contents


openvms

(You can read all my OpenVMS articles by clicking the picture above)

In the book I bought about OpenVMS for this article on filesystems, Getting Started with OpenVMS by M. Duffy, I've read a few interesting things in the chapter that introduces user accounts and system login. Namely that a user can have multiple passwords, that user ID's are not unique and that there can be a system password. This article goes in to those three topics.

If you like this article, consider sponsoring me by trying out a Digital Ocean VPS. With this link you'll get a $5 VPS for 2 months free (as in, you get $10 credit). (referral link)

Add a new user to experiment on

For this article I added a new test user on my OpenVMS 8.4 install. It has the same privileges as the system user so be carefull with it. Change the root device and directory if needed:

 $ SET DEFAULT SYS$SYSTEM
 $ RUN AUTHORIZE
 ADD REMY /PASSWORD=TEMP /OWNER="Remy van Elst" /DEV=DKA0 /DIR=[USERS.REMY] /UIC=[200,201] /FLAG=NODISUSER /PRIV=ALL 

Create the home folder for the user and set permissons:

$ CREATE /DIRECTORY DKA0:[USERS.REMY]
$ SET DIRECTORY /OWNER=REMY DKA0:[USERS.REMY]

Logout the SYSTEM user:

 $ LOG

Login as your new user and change the password (which is TEMP):

   Welcome to OpenVMS (TM) Alpha Operating System, Version V8.4

Your password has expired; you must set a new password to log in


New password:
Verification:

$

Try to create a file and see if you setup the folder and permissions correctly:

$ dir
%DIRECT-W-NOFILES, no files found
$ create example
hello
CTRL+Z

$ dir

Directory DKA0:[USERS.REMY]

EXAMPLE.;1

Total of 1 file.

Do note that OpenVMS passwords are case-insensitive. Read here for more information, there is a flag you can toggle to make passwords case sensitive.

A user password can contain up to 32 alphanumeric and special characters. Unless your system manager has set the PWDMIX flag in your authorization account record, the only special characters permitted are the dollar sign and underscore. Without the PWDMIX authorization, all lowercase characters are converted to uppercase before the password is encrypted. For example, "eagle" is the same as "EAGLE."

Furthermore, spaces are ignored:

Blank spaces are permissible within a password, but they are not considered part of the password, and OpenVMS ignores them. For example, "MY PASSWORD" is an acceptable password, but the system only records "MYPASSWORD." This means that "MYPA SSWORD" is also a valid password for the account in question.

Licensing error?

After adding the user and trying to login I got a licensing error:

No license is active for this software product

It also spammed the terminal with AUDIT server logs:

%%%%%%%%%%%  OPCOM  10-MAY-2018 19:52:05.87  %%%%%%%%%%%
Message from user AUDIT$SERVER on REMY1
Security alarm (SECURITY) and security audit (SECURITY) on REMY1, system id: 104
9
Auditable event:          Local interactive login failure
Event time:               10-MAY-2018 19:52:05.87
PID:                      0000021C
Process name:             REMY
Username:                 REMY
Process owner:            [REMY]
Terminal name:            _TTA0:
Image name:               REMY1$DKA0:[SYS0.SYSCOMMON.][SYSEXE]LOGINOUT.EXE
Posix UID:                -2
Posix GID:                -2 (%XFFFFFFFE)
Status:                   %LICENSE-F-NOLICENSE, no license is active for this software product

Somehow all my licenses disappeared:

$ SHOW LICENSE /USAGE

View of loaded licenses from node REMY1                 10-MAY-2018 19:58:37.10
%SHOW-I-NOLICENSE, no licenses exist

After re-adding my hobbyist license it still did not work. I had to add the hostname (REMY1) for the error to go away:

$ LICENSE MODIFY OPENVMS-ALPHA /INCLUDE=REMY1

After which all was well and I could login with the new user:

$ SHOW LICENSE OPENVMS-ALPHA

Active licenses on node REMY1:

------- Product ID --------    ---- Rating ----- -- Version --
Product            Producer    Units Avail Activ Version Release    Termination
OPENVMS-ALPHA      DEC             0  0     100    0.0  (none)       1-APR-2019

Unsure why this happens. Now let's get on to the exciting stuff.

Secondary password

The first thing I want to cover is the secondary password. A user account on OpenVMS can have more than 1 password, the main password and the secondary password. This can be usefull in high-security environments where two people are needed to access a user account (that could have special privileges). Read more on UIC codes in the documentation.

Chapter 4, User accounts, Overview states:

Your system manager may create user accounts that require zero, one, or two passwords, but accounts with one password are the norm.

From the documentation:

Secondary password. The second of two passwords to be entered for an account requiring both primary and secondary passwords. The secondary password provides an additional level of security on user accounts. Typically, the primary user does not know the secondary password; a supervisor or other key person must be present to supply it. For certain applications, the supervisor may also decide to remain present while the account is in use. Thus, secondary passwords facilitate controlled logins and the actions taken after a login. Secondary passwords can be time-consuming and inconvenient. They are justified only at sites with maximum security requirements. An example of an account that justifies dual passwords would be one that bypasses normal access controls to permit emergency repair to a database.

The text above already gives an example and I can imagine a few more. Take two users of different functions in the organization, say a programmer and a director. If the sysadmins are not available (hit by a bus, holiday) these two users can gain access to a special account to do maintenance. In other operating systems you can achieve this by giving either one a part of the password. The OpenVMS way feels more thought out since you can check which accounts require secondary passwords and the different password attempts are logged as well.

To set up a secondary password, open the AUTHORIZATION program and use MODIFY.

 $ SET DEFAULT SYS$SYSTEM
 $ RUN AUTHORIZE
 MODIFY REMY /PASSWORD=("", example) /NOPWDEXPIRED

The first user password is not modified, hence the ("",. If you want to modify both passwords, replace the "" with a password. If you have a user with two passwords and want to modify only the first password, use /PASSWORD=example. To modify both passwords, /PASSWORD=(FIRST_PASS, SECONDARY_PASS).

The /NOPWDEXPIRED flag is set because otherwise the user would have to change the secondary password at first login and in the use case of a secondary password that is not what you want (since it involves two users).

If you logout (LOG) and login as the user, you will be asked for a password twice. The first prompt is for the first password, the second for the secondary password:

 Welcome to OpenVMS (TM) Alpha Operating System, Version V8.4

Username: remy
Password:
Password:
   Welcome to OpenVMS (TM) Alpha Operating System, Version V8.4
    Last interactive login on Friday, 11-MAY-2018 20:20:33.58

$

To remove a secondary password, remove all passwords from a user and set a new password:

$ SET DEFAULT SYS$SYSTEM
$ RUN AUTHORIZE
UAF> MODIFY REMY /NOPASSWORD
%UAF-I-PWDLESSMIN, new password is shorter than minimum password length
%UAF-I-MDFYMSG, user record(s) updated
UAF> MODIFY REMY /PASSWORD=TEMP
%UAF-I-MDFYMSG, user record(s) updated

When the user logs in now, it will require one password and the user has to change that after first login.

You can read more on the AUTHORIZE program here.

User ID's (UIC) are not unique

The second interesting point I want to show and talk about is the UIC uniqueness. Linux has the UID and GID, OpenVMS combines them into one number. A UIC consists of: GROUP,MEMBER and has the form of [200,201]. Group ID 200, User (member) ID 201. System users have a UID below 10 (by default). UIC codes can be both numeric as in these examples as well as alphanumeric ([WELDING,JACK]).

Chapter 4, User Identification Code (UIC), states:

UICs Are Not Necessarily Unique It is important to note that a UIC does not necessarily identify one particular user. It is possible for the system manager to assign the same UIC to two or more user accounts. It is also possible to reuse a UIC previously assigned to a user account that has been deleted.

File protection (not ACL's) relies on User Identification Codes, thus a system manager can choose to create a user with the same UIC as another user. (Not the same username though). This way one account that is not a privileged account can access the files of another user without special permissions, since for the system it is the same UIC.

You might use this when someone is away for a longer period, or when a user is replaced by someone else. In Linux systems, the UID is recommended to be unique, but it is not required. In my experience however it gives more problems than solutions and using groups, SElinux or ACL's will fix your problem better.

I cover this because as far as I know now, in OpenVMS, the file protection bits are exclusively looking at the UIC. I'm not sure how that is on a linux system.

Earlier in the article we created a new user with the UIC [200,201]. Let's create an example file and make that not accessible for other users:

$ CREATE EXAMP.TXT
this is a test
 CTRL+Z

Check the default permissions:

$ DIR /SECURITY

Directory DKA0:[USERS.REMY]

EXAMP.TXT;1          [REMY]                           (RWED,RWED,RE,)

Total of 1 file.

This means that:

  • System: read, write, execute, delete
  • Owner: read, write, execute, delete
  • Group: read, execute
  • World: none

Change it so that the group to which the user belongs (201) also cannot access the file:

$ SET FILE/PROTECTION=(S:RWED,O:RWED,G,W) EXAMP.TXT;1

Now create another user with a different UIC to test the rights. Make sure it has no system permissions otherwise it will still be able to access the file.

 $ SET DEFAULT SYS$SYSTEM
 $ RUN AUTHORIZE
 ADD REMY2 /PASSWORD=TEMP /OWNER="Remy2" /DEV=DKA0 /DIR=[USERS.REMY2] /UIC=[300,401] /FLAG=NODISUSER 
 CTRL+Z ! to exit UAF>

$ CREATE /DIRECTORY DKA0:[USERS.REMY2]
$ SET DIRECTORY /OWNER=REMY2 DKA0:[USERS.REMY2]

Login as that user (REMY2) and check if you can access that file. It should fail:

$ TYPE DKA0:[USERS.REMY]EXAMP.TXT;1
%TYPE-W-OPENIN, error opening DKA0:[USERS.REMY]EXAMP.TXT;1 as input
-RMS-E-PRV, insufficient privilege or file protection violation

Cool. Now, as the system user, run AUTHORIZE and change the UIC code of this second user. Note, don't do this on a live system since it can have unwanted side-effects (namely permission errors for all your users files).

UAF> MODIFY REMY2 /UIC=[200,201]

%UAF-E-RDBMDFYERR, unable to modify identifier REMY2
-SYSTEM-F-DUPIDENT, duplicate identifier
%UAF-I-MDFYMSG, user record(s) updated

Disregard the error, check with SHOW REMY2 to see the actual change:

UAF> SHOW REMY2

Username: REMY2                            Owner:  Remy2
Account:                                   UIC:    [200,201] ([REMY])
CLI:      DCL                              Tables: DCLTABLES
Default:  DKA0:[USERS.REMY2]
LGICMD:
Flags:

Log back in as that user (REMY2). The file of the different user with the same UIC (REMY) should be readable now:

$ TYPE DKA0:[USERS.REMY]EXAMP.TXT;1
this is a test

As well as the home folder of the user:

$ DIR DKA0:[USERS.REMY]

Directory DKA0:[USERS.REMY]

EXAMP.TXT;1

Total of 1 file.

However, as stated above, you won't be able to view your own files and folders anymore, since your UIC changed:

$ SHOW DEF
  DKA0:[USERS.REMY2]
$ DIR
%DIRECT-E-OPENIN, error opening DKA0:[USERS.REMY2]*.*;* as input
-RMS-E-PRV, insufficient privilege or file protection violation

System password

The last of the interesting bits I want to discuss is the system password.

Chapter 5, logging in and out of the system, the login sequence states:

Some OpenVMS systems have a system password enabled. This is a rarely used, extra security feature. Such systems require you to type a password, which will not be displayed, even before presenting you with a Username: prompt. You will have no indication that anything at all is happening until the system password is accepted.

From the documentation:

The System password controls access to particular terminals and is required at the discretion of the security administrator. System passwords are usually necessary to control access to terminals that might be targets for unauthorized use, such as dialup and public terminal lines.

To setup the system password, set the password and then choose the terminals where you want to require the system password.

Start up AUTHORIZE:

 $ SET DEFAULT SYS$SYSTEM
 $ RUN AUTHORIZE

Set the password:

UAF> MODIFY/SYSTEM_PASSWORD=example
%UAF-I-SYSPWDMOD, system password modified

Then on a terminal where you want to require the system password, execute this command:

$ SET TERMINAL/SYSPWD/PERMANENT

You can use the SHOW TERM command to check if the password is active. Look for Syspassword.

$ SHOW TERM
Terminal: _TTA0:      Device_Type: Unknown       Owner: _TTA0:
                                              Username: SYSTEM

   Input:    9600     LFfill:  0      Width:  80      Parity: None
   Output:   9600     CRfill:  0      Page:   24

Terminal Characteristics:
   Interactive        Echo               Type_ahead         No Escape
   No Hostsync        TTsync             Lowercase          No Tab
   Wrap               Scope              No Remote          No Eightbit
   Broadcast          No Readsync        No Form            Fulldup
   No Modem           No Local_echo      Autobaud           No Hangup
   No Brdcstmbx       No DMA             No Altypeahd       Set_speed
   No Commsync        Line Editing       Overstrike editing No Fallback
   No Dialup          No Secure server   No Disconnect      No Pasthru
   Syspassword        No SIXEL Graphics  No Soft Characters No Printer Port
   Numeric Keypad     No ANSI_CRT        No Regis           No Block_mode
   No Advanced_video  No Edit_mode       No DEC_CRT         No DEC_CRT2
   No DEC_CRT3        No DEC_CRT4        No DEC_CRT5        No Ansi_Color
   VMS Style Input    <CTRL-H> Backspace

The documentation states that you can require this for remote logins, but I have trouble getting the networking part working, due to issues with Windows 10. No way for me to test that yet.

This is a GIF I recorded with the Windows On Screen Keyboard to show that the system password is required before being able to do anything:


Tags: alpha  blog  dec  decus  itanium  openvms  passwords  pdp  security  simh  vax  vms