Multiple passwords for one user, UIC uniqueness and the system password on OpenVMS
Published: 13-05-2018 | Author: Remy van Elst | Text only version of this article
In the book I bought about OpenVMS for this article on filesystems, Getting Started with OpenVMS by M. Duffy, I read a few interesting things in the chapter that introduces user accounts and system login. Namely that a user can have multiple passwords, that user IDs (UICs) are not unique and that there can be a system password. This article goes into those three topics.
Add a new user to experiment on
For this article I added a new test user on my OpenVMS 8.4 install. It has the same privileges as the SYSTEM user (/PRIV=ALL), so be careful with it. Change the root device and directory if needed:
$ SET DEFAULT SYS$SYSTEM
$ RUN AUTHORIZE
UAF> ADD REMY /PASSWORD=TEMP /OWNER="Remy van Elst" /DEV=DKA0 /DIR=[USERS.REMY] /UIC=[200,201] /FLAG=NODISUSER /PRIV=ALL
Create the home directory for the user and set its owner:
$ CREATE /DIRECTORY DKA0:[USERS.REMY]
$ SET DIRECTORY /OWNER=REMY DKA0:[USERS.REMY]
Log in as your new user and change the password (which is TEMP):

Welcome to OpenVMS (TM) Alpha Operating System, Version V8.4
Your password has expired; you must set a new password to log in
New password:
Verification:
$
Try to create a file and see if you set up the directory and permissions correctly:
$ dir
%DIRECT-W-NOFILES, no files found
$ create example
hello
CTRL+Z
$ dir

Directory DKA0:[USERS.REMY]

EXAMPLE.;1

Total of 1 file.
Do note that OpenVMS passwords are case-insensitive by default. The documentation describes the PWDMIX account flag that makes them case sensitive:
A user password can contain up to 32 alphanumeric and special characters. Unless your system manager has set the PWDMIX flag in your authorization account record, the only special characters permitted are the dollar sign and underscore. Without the PWDMIX authorization, all lowercase characters are converted to uppercase before the password is encrypted. For example, "eagle" is the same as "EAGLE."
Furthermore, spaces are ignored:
Blank spaces are permissible within a password, but they are not considered part of the password, and OpenVMS ignores them. For example, "MY PASSWORD" is an acceptable password, but the system only records "MYPASSWORD." This means that "MYPA SSWORD" is also a valid password for the account in question.
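As an added example (my own Python, not code from the article or from OpenVMS), here is a model of the normalisation the two quoted passages describe. It shows which typed passwords collapse to the same stored value and what that does to the size of the keyspace an attacker has to search. The 38-character alphabet without PWDMIX (A-Z, 0-9, $ and _) follows from the quoted rules; the 95-character printable-ASCII alphabet with PWDMIX is an assumption.

```python
import math
import string

# Model of the password rules quoted above (added example, not OpenVMS code).
MAX_LEN = 32
BASIC_SPECIALS = "$_"                      # only specials allowed without PWDMIX
BASIC_ALPHABET = 26 + 10 + len(BASIC_SPECIALS)   # 38 symbols after upcasing
PWDMIX_ALPHABET = 95                       # assumption: all printable ASCII with PWDMIX


class PasswordPolicyError(ValueError):
    """The candidate violates a rule from the quoted documentation."""


def normalize_password(candidate: str, pwdmix: bool = False) -> str:
    """Return the form the system would record for `candidate`.

    Blanks are dropped first. Without PWDMIX, lowercase is folded to
    uppercase and only alphanumerics, "$" and "_" survive; with PWDMIX
    case and the other special characters are kept. At most 32 remain.
    """
    stripped = candidate.replace(" ", "")      # blanks are never part of the password
    if not pwdmix:
        stripped = stripped.upper()            # folded before the hash is computed
        allowed = set(string.ascii_uppercase + string.digits + BASIC_SPECIALS)
        rejected = sorted({c for c in stripped if c not in allowed})
        if rejected:
            raise PasswordPolicyError(f"not allowed without PWDMIX: {rejected}")
    if not stripped:
        raise PasswordPolicyError("nothing left after removing blanks")
    if len(stripped) > MAX_LEN:
        raise PasswordPolicyError(f"longer than {MAX_LEN} characters")
    return stripped


def is_acceptable(candidate: str, pwdmix: bool = False) -> bool:
    """True when the candidate passes the policy in `normalize_password`."""
    try:
        normalize_password(candidate, pwdmix)
    except PasswordPolicyError:
        return False
    return True


def equivalent(a: str, b: str, pwdmix: bool = False) -> bool:
    """True when both typed strings would unlock the same account."""
    return normalize_password(a, pwdmix) == normalize_password(b, pwdmix)


def keyspace_bits(length: int, pwdmix: bool = False) -> float:
    """Entropy of a uniformly random password of `length` allowed characters."""
    alphabet = PWDMIX_ALPHABET if pwdmix else BASIC_ALPHABET
    return length * math.log2(alphabet)


if __name__ == "__main__":
    for a, b in [("MY PASSWORD", "MYPA SSWORD"), ("eagle", "EAGLE")]:
        print(f"{a!r} vs {b!r}: same without PWDMIX={equivalent(a, b)}, "
              f"with PWDMIX={equivalent(a, b, True)}")
    print(f"8 characters: {keyspace_bits(8):.1f} bits without PWDMIX, "
          f"{keyspace_bits(8, True):.1f} bits with PWDMIX")
```

Running it shows that "MY PASSWORD" and "MYPA SSWORD" stay the same credential with or without PWDMIX (blanks are dropped in both cases), while "eagle" and "EAGLE" only become different passwords once PWDMIX is set; an 8-character password has about 42 bits of keyspace without PWDMIX and about 53 bits with it.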
After adding the user and trying to login I got a licensing error:
No license is active for this software product
It also spammed the terminal with AUDIT server logs:
%%%%%%%%%%%  OPCOM  10-MAY-2018 19:52:05.87  %%%%%%%%%%%
Message from user AUDIT$SERVER on REMY1
Security alarm (SECURITY) and security audit (SECURITY) on REMY1, system id: 1049
Auditable event:          Local interactive login failure
Event time:               10-MAY-2018 19:52:05.87
PID:                      0000021C
Process name:             REMY
Username:                 REMY
Process owner:            [REMY]
Terminal name:            _TTA0:
Image name:               REMY1$DKA0:[SYS0.SYSCOMMON.][SYSEXE]LOGINOUT.EXE
Posix UID:                -2
Posix GID:                -2 (%XFFFFFFFE)
Status:                   %LICENSE-F-NOLICENSE, no license is active for this software product
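Failed logins, including the secondary-password attempts discussed further down, arrive on the operator terminal as alarms in this layout. As an added example (my own Python, not part of the article) here is a parser that splits a captured OPCOM stream into messages, turns the Key: value lines into a dict and counts login failures per account and condition code, so that a licensing problem like the one above is not mistaken for password guessing. The sample input is constructed: the first message is the alarm shown above; the second and third are made up in the same layout, and the %LOGIN-F-INVPWD status for a wrong password and the REMY2 account are assumptions.

```python
import re
from collections import Counter

# Constructed sample (added example): message 1 is the alarm from the
# article, messages 2 and 3 are made up in the same layout.
SAMPLE_OPCOM = """\
%%%%%%%%%%%  OPCOM  10-MAY-2018 19:52:05.87  %%%%%%%%%%%
Message from user AUDIT$SERVER on REMY1
Security alarm (SECURITY) and security audit (SECURITY) on REMY1, system id: 1049
Auditable event:          Local interactive login failure
Event time:               10-MAY-2018 19:52:05.87
PID:                      0000021C
Process name:             REMY
Username:                 REMY
Process owner:            [REMY]
Terminal name:            _TTA0:
Image name:               REMY1$DKA0:[SYS0.SYSCOMMON.][SYSEXE]LOGINOUT.EXE
Posix UID:                -2
Posix GID:                -2 (%XFFFFFFFE)
Status:                   %LICENSE-F-NOLICENSE, no license is active for this software product

%%%%%%%%%%%  OPCOM  11-MAY-2018 20:19:41.02  %%%%%%%%%%%
Message from user AUDIT$SERVER on REMY1
Security alarm (SECURITY) and security audit (SECURITY) on REMY1, system id: 1049
Auditable event:          Local interactive login failure
Event time:               11-MAY-2018 20:19:41.02
PID:                      00000224
Process name:             REMY2
Username:                 REMY2
Terminal name:            _TTA0:
Status:                   %LOGIN-F-INVPWD, invalid password

%%%%%%%%%%%  OPCOM  11-MAY-2018 20:20:33.58  %%%%%%%%%%%
Message from user AUDIT$SERVER on REMY1
Security audit (SECURITY) on REMY1, system id: 1049
Auditable event:          Local interactive login
Event time:               11-MAY-2018 20:20:33.58
PID:                      00000225
Username:                 REMY
Terminal name:            _TTA0:
"""

HEADER = re.compile(r"^%+\s+OPCOM\s+(\S+\s+\S+)\s+%+$")   # banner with timestamp
FIELD = re.compile(r"^([A-Za-z][A-Za-z ]*?):\s*(.*)$")    # "Key name: value"


def parse_opcom_messages(text):
    """Split OPCOM output on the %%% banners; body lines that look like
    'Key: value' become dict entries, the free-form lines ('Message from
    user ...', 'Security alarm ...') are collected under 'header'."""
    messages, current = [], None
    for raw in text.splitlines():
        line = raw.rstrip()
        banner = HEADER.match(line)
        if banner:
            current = {"opcom_time": banner.group(1), "header": []}
            messages.append(current)
            continue
        if current is None or not line.strip():
            continue
        field = FIELD.match(line)
        if field:
            current[field.group(1).strip()] = field.group(2).strip()
        else:
            current["header"].append(line)
    return messages


def login_failures(messages):
    """Keep only login-failure alarms, reduced to the fields an analyst
    cares about; the status is cut down to its condition code."""
    failures = []
    for msg in messages:
        if "login failure" not in msg.get("Auditable event", "").lower():
            continue
        failures.append({
            "time": msg.get("Event time"),
            "username": msg.get("Username"),
            "terminal": msg.get("Terminal name"),
            "status": msg.get("Status", "").split(",")[0],
        })
    return failures


def failures_by_user_and_status(messages):
    """Count failures per (username, condition code): a burst of
    %LOGIN-F-INVPWD for one account is guessing, %LICENSE-F-NOLICENSE
    is the licensing problem, not an attack."""
    return Counter((f["username"], f["status"]) for f in login_failures(messages))


if __name__ == "__main__":
    for (user, status), n in failures_by_user_and_status(
            parse_opcom_messages(SAMPLE_OPCOM)).items():
        print(f"{user:10} {status:25} {n}")
```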
Somehow all my licenses disappeared:
$ SHOW LICENSE /USAGE

View of loaded licenses from node REMY1        10-MAY-2018 19:58:37.10

%SHOW-I-NOLICENSE, no licenses exist
After re-adding my hobbyist license it still did not work. I had to add the hostname (REMY1) for the error to go away:
$ LICENSE MODIFY OPENVMS-ALPHA /INCLUDE=REMY1
After which all was well and I could login with the new user:
$ SHOW LICENSE OPENVMS-ALPHA

Active licenses on node REMY1:

------- Product ID --------    ---- Rating ----- -- Version --
Product            Producer    Units Avail Activ Version Release    Termination
OPENVMS-ALPHA      DEC             0     0   100     0.0 (none)     1-APR-2019
Unsure why this happens. Now let's get on to the exciting stuff.
Secondary password

The first thing I want to cover is the secondary password. A user account on OpenVMS can have more than one password: the primary password and the secondary password. This can be useful in high-security environments where two people are needed to access a user account (one that could have special privileges).
Chapter 4, User accounts, Overview states:
Your system manager may create user accounts that require zero, one, or two passwords, but accounts with one password are the norm.
From the documentation:
Secondary password. The second of two passwords to be entered for an account requiring both primary and secondary passwords. The secondary password provides an additional level of security on user accounts. Typically, the primary user does not know the secondary password; a supervisor or other key person must be present to supply it. For certain applications, the supervisor may also decide to remain present while the account is in use. Thus, secondary passwords facilitate controlled logins and the actions taken after a login. Secondary passwords can be time-consuming and inconvenient. They are justified only at sites with maximum security requirements. An example of an account that justifies dual passwords would be one that bypasses normal access controls to permit emergency repair to a database.
The text above already gives an example and I can imagine a few more. Take two users with different functions in the organization, say a programmer and a director. If the sysadmins are not available (hit by a bus, on holiday) these two users can together gain access to a special account to do maintenance. In other operating systems you can achieve something similar by giving each of them part of the password. The OpenVMS way feels more thought out, since you can check which accounts require secondary passwords, and the separate password attempts are logged as well.
To set up a secondary password, run the AUTHORIZE program and use:

$ SET DEFAULT SYS$SYSTEM
$ RUN AUTHORIZE
UAF> MODIFY REMY /PASSWORD=("", example) /NOPWDEXPIRED
The primary password is left unchanged, hence the empty string ("") as the first value. To set both passwords at once, replace the "" with a password. If an account already has two passwords and you only want to change the primary one, use /PASSWORD=example. The /NOPWDEXPIRED flag is set because otherwise the user would have to change the secondary password at first login, and in the use case of a secondary password (which involves two people) that is not what you want.
If you log out (LOG) and log in as the user, you will be asked for a password twice. The first prompt is for the primary password, the second for the secondary password:

Welcome to OpenVMS (TM) Alpha Operating System, Version V8.4
Username: remy
Password:
Password:
     Welcome to OpenVMS (TM) Alpha Operating System, Version V8.4
     Last interactive login on Friday, 11-MAY-2018 20:20:33.58
$
To remove a secondary password, remove all passwords from a user and set a newpassword:
$ SET DEFAULT SYS$SYSTEM
$ RUN AUTHORIZE
UAF> MODIFY REMY /NOPASSWORD
%UAF-I-PWDLESSMIN, new password is shorter than minimum password length
%UAF-I-MDFYMSG, user record(s) updated
UAF> MODIFY REMY /PASSWORD=TEMP
%UAF-I-MDFYMSG, user record(s) updated
When the user logs in now, it will require one password and the user has tochange that after first login.
You can read more on the AUTHORIZE program in the OpenVMS documentation.
User IDs (UICs) are not unique
The second interesting point I want to show and talk about is UIC uniqueness. Where Linux has a separate UID and GID, OpenVMS combines them into one number, the User Identification Code. A UIC consists of [GROUP,MEMBER] and has the form [200,201]: group ID 200, user (member) ID 201. The numbers are octal. Accounts in a UIC group at or below the MAXSYSGROUP system parameter (10 octal by default) count as system users for file protection. UIC codes can be written numerically, as in these examples, as well as alphanumerically, using identifier names from the rights database (such as the [REMY] shown next to the numeric UIC in the SHOW REMY2 output further down).
Chapter 4, User Identification Code (UIC), states:
UICs Are Not Necessarily Unique: It is important to note that a UIC does not necessarily identify one particular user. It is possible for the system manager to assign the same UIC to two or more user accounts. It is also possible to reuse a UIC previously assigned to a user account that has been deleted.
File protection (as opposed to ACLs) relies on the User Identification Code, so a system manager can choose to create a user with the same UIC as another user (not the same username though). This way one account that is not a privileged account can access the files of another user without special permissions, since to the system it is the same UIC.
You might use this when someone is away for a longer period, or when a user is replaced by someone else. On Linux systems the UID is recommended to be unique, but it is not required. In my experience however it gives more problems than solutions, and using groups, SELinux or ACLs will fix your problem better.
I cover this because, as far as I know now, in OpenVMS the file protection bits look exclusively at the UIC. I'm not sure how that is on a Linux system. (The classic mode bits on Linux behave the same way: the kernel compares only the numeric UID and GID, so two passwd entries that share a UID are one and the same principal to it.)
Earlier in the article we created a new user with the UIC [200,201]. Let's create an example file and make it inaccessible to other users:
$ CREATE EXAMP.TXT
this is a test
CTRL+Z
Check the default permissions:
$ DIR /SECURITY

Directory DKA0:[USERS.REMY]

EXAMP.TXT;1          [REMY]          (RWED,RWED,RE,)

Total of 1 file.
This means that:
- System: read, write, execute, delete
- Owner: read, write, execute, delete
- Group: read, execute
- World: none
Change it so that the group the user belongs to (group 200) also cannot access the file:
$ SET FILE/PROTECTION=(S:RWED,O:RWED,G,W) EXAMP.TXT;1
Now create another user with a different UIC to test the rights. Make sure it is not in a system UIC group and has no privileges such as SYSPRV, BYPASS or READALL, otherwise it will still be able to access the file.
$ SET DEFAULT SYS$SYSTEM
$ RUN AUTHORIZE
UAF> ADD REMY2 /PASSWORD=TEMP /OWNER="Remy2" /DEV=DKA0 /DIR=[USERS.REMY2] /UIC=[300,401] /FLAG=NODISUSER
UAF> CTRL+Z     ! to exit AUTHORIZE
$ CREATE /DIRECTORY DKA0:[USERS.REMY2]
$ SET DIRECTORY /OWNER=REMY2 DKA0:[USERS.REMY2]
Log in as that user (REMY2) and check if you can access the file. It should fail:
$ TYPE DKA0:[USERS.REMY]EXAMP.TXT;1
%TYPE-W-OPENIN, error opening DKA0:[USERS.REMY]EXAMP.TXT;1 as input
-RMS-E-PRV, insufficient privilege or file protection violation
Cool. Now, as the SYSTEM user, run AUTHORIZE and change the UIC of this second user. Note: don't do this on a live system, since it has unwanted side effects (namely permission errors on every file the user owns under the old UIC).
UAF> MODIFY REMY2 /UIC=[200,201]
%UAF-E-RDBMDFYERR, unable to modify identifier REMY2
-SYSTEM-F-DUPIDENT, duplicate identifier
%UAF-I-MDFYMSG, user record(s) updated
The error comes from the rights database: AUTHORIZE also tries to give the REMY2 identifier the value [200,201], but that value already belongs to the REMY identifier, hence DUPIDENT. The UAF record itself is updated, as SHOW REMY2 confirms:
UAF> SHOW REMY2

Username: REMY2                            Owner:  Remy2
Account:                                   UIC:    [200,201] ([REMY])
CLI:      DCL                              Tables: DCLTABLES
Default:  DKA0:[USERS.REMY2]
LGICMD:
Flags:
Log back in as that user (REMY2). The file of the other user with the same UIC (REMY) should be readable now:
$ TYPE DKA0:[USERS.REMY]EXAMP.TXT;1
this is a test
As well as the home folder of the user:
$ DIR DKA0:[USERS.REMY]

Directory DKA0:[USERS.REMY]

EXAMP.TXT;1

Total of 1 file.
However, as stated above, you won't be able to view your own files and directories anymore, since your UIC changed while they are still owned by [300,401]:

$ SHOW DEF
  DKA0:[USERS.REMY2]
$ DIR
%DIRECT-E-OPENIN, error opening DKA0:[USERS.REMY2]*.*;* as input
-RMS-E-PRV, insufficient privilege or file protection violation
System password

The last of the interesting bits I want to discuss is the system password.
Chapter 5, Logging in and out of the system, the login sequence, states:

Some OpenVMS systems have a system password enabled. This is a rarely used, extra security feature. Such systems require you to type a password, which will not be displayed, even before presenting you with a Username: prompt. You will have no indication that anything at all is happening until the system password is accepted.
From the documentation:
The System password controls access to particular terminals and is required at the discretion of the security administrator. System passwords are usually necessary to control access to terminals that might be targets for unauthorized use, such as dialup and public terminal lines.
To set up the system password, set the password and then choose the terminals where you want to require it.
$ SET DEFAULT SYS$SYSTEM
$ RUN AUTHORIZE
Set the password:
UAF> MODIFY/SYSTEM_PASSWORD=example
%UAF-I-SYSPWDMOD, system password modified
Then on a terminal where you want to require the system password, execute thiscommand:
$ SET TERMINAL/SYSPWD/PERMANENT
You can use the SHOW TERM command to check if the password is active. Look for Syspassword in the characteristics:

$ SHOW TERM
Terminal: _TTA0:      Device_Type: Unknown      Owner: _TTA0:
                                                Username: SYSTEM

   Input:    9600     LFfill:  0      Width:  80      Parity: None
   Output:   9600     CRfill:  0      Page:   24

Terminal Characteristics:
   Interactive        Echo               Type_ahead         No Escape
   No Hostsync        TTsync             Lowercase          No Tab
   Wrap               Scope              No Remote          No Eightbit
   Broadcast          No Readsync        No Form            Fulldup
   No Modem           No Local_echo      Autobaud           No Hangup
   No Brdcstmbx       No DMA             No Altypeahd       Set_speed
   No Commsync        Line Editing       Overstrike editing No Fallback
   No Dialup          No Secure server   No Disconnect      No Pasthru
   Syspassword        No SIXEL Graphics  No Soft Characters No Printer Port
   Numeric Keypad     No ANSI_CRT        No Regis           No Block_mode
   No Advanced_video  No Edit_mode       No DEC_CRT         No DEC_CRT2
   No DEC_CRT3        No DEC_CRT4        No DEC_CRT5        No Ansi_Color
   VMS Style Input    <CTRL-H> Backspace
The documentation states that you can require this for remote logins, but I have trouble getting the networking part working, due to issues with Windows 10. No way for me to test that yet.
This is a GIF I recorded with the Windows On Screen Keyboard to show that thesystem password is required before being able to do anything:
Tags: alpha, blog, dec, decus, itanium, openvms, passwords, pdp, security, simh, vax, vms