13-05-2018 | Remy van Elst
In the book I bought about OpenVMS for this article on filesystems, Getting Started with OpenVMS by M. Duffy, I've read a few interesting things in the chapter that introduces user accounts and system login. Namely that a user can have multiple passwords, that user IDs are not unique and that there can be a system password. This article goes into those three topics.
For this article I added a new test user on my OpenVMS 8.4 install. It has the same privileges as the system user, so be careful with it. Change the root device and directory if needed:
$ SET DEFAULT SYS$SYSTEM
$ RUN AUTHORIZE
ADD REMY /PASSWORD=TEMP /OWNER="Remy van Elst" /DEV=DKA0 /DIR=[USERS.REMY] /UIC=[200,201] /FLAG=NODISUSER /PRIV=ALL
Create the home folder for the user and set permissions:
$ CREATE /DIRECTORY DKA0:[USERS.REMY]
$ SET DIRECTORY /OWNER=REMY DKA0:[USERS.REMY]
Log in as your new user and change the temporary password set above:
Welcome to OpenVMS (TM) Alpha Operating System, Version V8.4
Your password has expired; you must set a new password to log in
New password:
Verification:
$
Try to create a file and see if you set up the folder and permissions correctly:
$ dir
%DIRECT-W-NOFILES, no files found
$ create example
hello
CTRL+Z
$ dir

Directory DKA0:[USERS.REMY]

EXAMPLE.;1

Total of 1 file.
Do note that OpenVMS passwords are case-insensitive by default. Read here for more information; there is a flag (PWDMIX) you can toggle to make passwords case-sensitive.
A user password can contain up to 32 alphanumeric and special characters. Unless your system manager has set the PWDMIX flag in your authorization account record, the only special characters permitted are the dollar sign and underscore. Without the PWDMIX authorization, all lowercase characters are converted to uppercase before the password is encrypted. For example, "eagle" is the same as "EAGLE."
Furthermore, spaces are ignored:
Blank spaces are permissible within a password, but they are not considered part of the password, and OpenVMS ignores them. For example, "MY PASSWORD" is an acceptable password, but the system only records "MYPASSWORD." This means that "MYPA SSWORD" is also a valid password for the account in question.
After adding the user and trying to login I got a licensing error:
No license is active for this software product
It also spammed the terminal with AUDIT server logs:
%%%%%%%%%%%  OPCOM  10-MAY-2018 19:52:05.87  %%%%%%%%%%%
Message from user AUDIT$SERVER on REMY1
Security alarm (SECURITY) and security audit (SECURITY) on REMY1, system id: 1049
Auditable event:          Local interactive login failure
Event time:               10-MAY-2018 19:52:05.87
PID:                      0000021C
Process name:             REMY
Username:                 REMY
Process owner:            [REMY]
Terminal name:            _TTA0:
Image name:               REMY1$DKA0:[SYS0.SYSCOMMON.][SYSEXE]LOGINOUT.EXE
Posix UID:                -2
Posix GID:                -2 (%XFFFFFFFE)
Status:                   %LICENSE-F-NOLICENSE, no license is active for this software product
Somehow all my licenses disappeared:
$ SHOW LICENSE /USAGE

View of loaded licenses from node REMY1          10-MAY-2018 19:58:37.10

%SHOW-I-NOLICENSE, no licenses exist
After re-adding my hobbyist license it still did not work. I had to add the hostname (REMY1) for the error to go away:
$ LICENSE MODIFY OPENVMS-ALPHA /INCLUDE=REMY1
After which all was well and I could login with the new user:
$ SHOW LICENSE OPENVMS-ALPHA

Active licenses on node REMY1:

------- Product ID --------    ---- Rating ----- -- Version --
Product         Producer       Units Avail Activ Version Release    Termination
OPENVMS-ALPHA   DEC                0     0   100     0.0 (none)     1-APR-2019
I'm unsure why this happens. Now let's get on to the exciting stuff.
The first thing I want to cover is the secondary password. A user account on OpenVMS can have more than one password: the main (primary) password and the secondary password. This can be useful in high-security environments where two people are needed to access a user account (one that could have special privileges). Read more on UIC codes in the documentation.
Chapter 4, User accounts, Overview states:
Your system manager may create user accounts that require zero, one, or two passwords, but accounts with one password are the norm.
From the documentation:
Secondary password. The second of two passwords to be entered for an account requiring both primary and secondary passwords. The secondary password provides an additional level of security on user accounts. Typically, the primary user does not know the secondary password; a supervisor or other key person must be present to supply it. For certain applications, the supervisor may also decide to remain present while the account is in use. Thus, secondary passwords facilitate controlled logins and the actions taken after a login. Secondary passwords can be time-consuming and inconvenient. They are justified only at sites with maximum security requirements. An example of an account that justifies dual passwords would be one that bypasses normal access controls to permit emergency repair to a database.
The text above already gives an example and I can imagine a few more. Take two users of different functions in the organization, say a programmer and a director. If the sysadmins are not available (hit by a bus, holiday) these two users can gain access to a special account to do maintenance. In other operating systems you can achieve this by giving either one a part of the password. The OpenVMS way feels more thought out since you can check which accounts require secondary passwords and the different password attempts are logged as well.
To set up a secondary password, open the AUTHORIZE program and use:
$ SET DEFAULT SYS$SYSTEM
$ RUN AUTHORIZE
MODIFY REMY /PASSWORD=("", example) /NOPWDEXPIRED
The first user password is not modified, hence the ("", part. If you want to modify both passwords, replace the "" with a new primary password. If you have a user with two passwords and want to modify only the first password, use /PASSWORD=example. The /NOPWDEXPIRED flag is set because otherwise the user would have to change the secondary password at first login, and in the use case of a secondary password that is not what you want (since it involves two users).
If you log out (LOG) and log in as the user, you will be asked for a password twice. The first prompt is for the first password, the second for the secondary password:
Welcome to OpenVMS (TM) Alpha Operating System, Version V8.4

Username: remy
Password:
Password:

Welcome to OpenVMS (TM) Alpha Operating System, Version V8.4
    Last interactive login on Friday, 11-MAY-2018 20:20:33.58
$
To remove a secondary password, remove all passwords from a user and set a new password:
$ SET DEFAULT SYS$SYSTEM
$ RUN AUTHORIZE
UAF> MODIFY REMY /NOPASSWORD
%UAF-I-PWDLESSMIN, new password is shorter than minimum password length
%UAF-I-MDFYMSG, user record(s) updated
UAF> MODIFY REMY /PASSWORD=TEMP
%UAF-I-MDFYMSG, user record(s) updated
When the user logs in now, it will require one password and the user has to change that after first login.
You can read more on the AUTHORIZE program here.
The second interesting point I want to show and talk about is UIC uniqueness. Linux has a separate UID and GID; OpenVMS combines them into one number, the UIC. A UIC consists of GROUP,MEMBER and has the form [200,201]: group ID 200, user (member) ID 201. System users have a UID below 10 (by default). UIC codes can be numeric, as in these examples, or alphanumeric.
Chapter 4, User Identification Code (UIC), states:
UICs Are Not Necessarily Unique
It is important to note that a UIC does not necessarily identify one particular user. It is possible for the system manager to assign the same UIC to two or more user accounts. It is also possible to reuse a UIC previously assigned to a user account that has been deleted.
File protection (not ACLs) relies on User Identification Codes, thus a system manager can choose to create a user with the same UIC as another user (not the same username though). This way one account that is not a privileged account can access the files of another user without special permissions, since for the system it is the same UIC.
You might use this when someone is away for a longer period, or when a user is replaced by someone else. On Linux systems the UID is recommended to be unique, but it is not required. In my experience however it gives more problems than solutions, and using groups, SELinux or ACLs will fix your problem better.
I cover this because as far as I know now, in OpenVMS, the file protection bits look exclusively at the UIC. I'm not sure how that is on a Linux system.
Earlier in the article we created a new user with the UIC [200,201]. Let's create an example file and make it not accessible for other users:
$ CREATE EXAMP.TXT
this is a test
CTRL+Z
Check the default permissions:
$ DIR /SECURITY

Directory DKA0:[USERS.REMY]

EXAMP.TXT;1          [REMY]                 (RWED,RWED,RE,)

Total of 1 file.
This means that the System category has RWED (read, write, execute, delete), the Owner has RWED, the Group has RE (read and execute), and the World has no access.
Change it so that the group to which the user belongs (group 200 of UIC [200,201]) also cannot access the file:
$ SET FILE/PROTECTION=(S:RWED,O:RWED,G,W) EXAMP.TXT;1
Now create another user with a different UIC to test the rights. Make sure it has no system privileges, otherwise it will still be able to access the file.
$ SET DEFAULT SYS$SYSTEM
$ RUN AUTHORIZE
ADD REMY2 /PASSWORD=TEMP /OWNER="Remy2" /DEV=DKA0 /DIR=[USERS.REMY2] /UIC=[300,401] /FLAG=NODISUSER
CTRL+Z ! to exit UAF>
$ CREATE /DIRECTORY DKA0:[USERS.REMY2]
$ SET DIRECTORY /OWNER=REMY2 DKA0:[USERS.REMY2]
Log in as that user (REMY2) and check if you can access that file. It should fail:
$ TYPE DKA0:[USERS.REMY]EXAMP.TXT;1
%TYPE-W-OPENIN, error opening DKA0:[USERS.REMY]EXAMP.TXT;1 as input
-RMS-E-PRV, insufficient privilege or file protection violation
Cool. Now, as the system user, run AUTHORIZE and change the UIC code of this second user. Note: don't do this on a live system since it can have unwanted side effects (namely permission errors for all of the user's files).
UAF> MODIFY REMY2 /UIC=[200,201]
%UAF-E-RDBMDFYERR, unable to modify identifier REMY2
-SYSTEM-F-DUPIDENT, duplicate identifier
%UAF-I-MDFYMSG, user record(s) updated
Disregard the error and check with SHOW REMY2 to see the actual change:
UAF> SHOW REMY2

Username: REMY2                            Owner:  Remy2
Account:                                   UIC:    [200,201] ([REMY])
CLI:      DCL                              Tables: DCLTABLES
Default:  DKA0:[USERS.REMY2]
LGICMD:
Flags:
Log back in as that user (REMY2). The file of the different user with the same UIC (REMY) should be readable now:
$ TYPE DKA0:[USERS.REMY]EXAMP.TXT;1
this is a test
As well as the home folder of the user:
$ DIR DKA0:[USERS.REMY]

Directory DKA0:[USERS.REMY]

EXAMP.TXT;1

Total of 1 file.
However, as stated above, you won't be able to view your own files and folders anymore, since your UIC changed:
$ SHOW DEF
  DKA0:[USERS.REMY2]
$ DIR
%DIRECT-E-OPENIN, error opening DKA0:[USERS.REMY2]*.*;* as input
-RMS-E-PRV, insufficient privilege or file protection violation
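To make the category logic behind the results above concrete, here is an added Python model of UIC-based file protection (my own example, not code from the article or from OpenVMS): it parses UICs and protection codes in the forms DIR/SECURITY and SET FILE use, puts the accessor into every category it qualifies for, and grants an access if any of those categories grants it. It assumes MAXSYSGROUP is at its default (octal 10), that REMY2's home directory carries the same default protection code as the file, and it ignores ACLs.

```python
import re
CATEGORIES = "SOGW"  # System, Owner, Group, World: the order DIR/SECURITY prints them

def parse_uic(text):
    """'[200,201]' -> (group, member); UIC numbers are octal."""
    group, member = re.fullmatch(r"\[(\d+),(\d+)\]", text.strip()).groups()
    return int(group, 8), int(member, 8)

def parse_protection(text, current=None):
    """'(RWED,RWED,RE,)' (positional) or '(S:RWED,O:RWED,G,W)' (keyed) -> {cat: bits}.
    Keyed 'G' alone means no access; a category not named keeps its `current` value."""
    code = {c: set(current[c]) if current else set() for c in CATEGORIES}
    fields = [f.strip().upper() for f in text.strip().strip("()").split(",")]
    keyed = any(":" in f for f in fields)
    for i, field in enumerate(fields):
        cat, _, bits = field.partition(":") if keyed else (CATEGORIES[i], "", field)
        code[cat] = set(bits) & set("RWED")  # Read, Write, Execute, Delete
    return code

def categories(accessor_uic, owner_uic, max_sys_group=0o10):
    """Every category the accessor is in; system = group <= MAXSYSGROUP (assumed default octal 10)."""
    cats = {"W"}
    if accessor_uic[0] <= max_sys_group:
        cats.add("S")
    if accessor_uic == owner_uic:
        cats.add("O")
    if accessor_uic[0] == owner_uic[0]:
        cats.add("G")
    return cats

def can_access(owner_uic, protection, accessor_uic, access, has_bypass=False):
    """Granted if any category the accessor is in has the bit; BYPASS (in /PRIV=ALL) skips protection."""
    if has_bypass:
        return True
    return any(access in protection[c] for c in categories(accessor_uic, owner_uic))

def article_scenario():
    """Replay the article: REMY [200,201] owns EXAMP.TXT; REMY2 starts as [300,401] and is then
    given REMY's UIC, while REMY2's home stays owned by [300,401] (assumed to use the default code)."""
    remy, remy2_old, remy2_new = map(parse_uic, ("[200,201]", "[300,401]", "[200,201]"))
    default = parse_protection("(RWED,RWED,RE,)")              # what DIR/SECURITY showed
    locked = parse_protection("(S:RWED,O:RWED,G,W)", default)  # after SET FILE/PROTECTION
    return {
        "remy2_as_world": can_access(remy, default, remy2_old, "R"),
        "group_member_default": can_access(remy, default, parse_uic("[200,777]"), "R"),
        "group_member_locked": can_access(remy, locked, parse_uic("[200,777]"), "R"),
        "remy2_with_remys_uic": can_access(remy, locked, remy2_new, "R"),
        "remy2_own_home_now": can_access(remy2_old, default, remy2_new, "R"),
        "system_group_account": can_access(remy, locked, parse_uic("[1,4]"), "R"),
    }
```

The last two entries show why the article warns about side effects and system privileges: the moved account loses its own home directory, and an account in a system group reads the file regardless of the lock.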
The last of the interesting bits I want to discuss is the system password.
Chapter 5, Logging in and out of the system, in the section on the login sequence, states:
Some OpenVMS systems have a system password enabled. This is a rarely used, extra security feature. Such systems require you to type a password, which will not be displayed, even before presenting you with a Username: prompt. You will have no indication that anything at all is happening until the system password is accepted.
From the documentation:
The System password controls access to particular terminals and is required at the discretion of the security administrator. System passwords are usually necessary to control access to terminals that might be targets for unauthorized use, such as dialup and public terminal lines.
To set up the system password, set the password and then choose the terminals where you want to require the system password.
$ SET DEFAULT SYS$SYSTEM
$ RUN AUTHORIZE
Set the password:
UAF> MODIFY/SYSTEM_PASSWORD=example
%UAF-I-SYSPWDMOD, system password modified
Then on a terminal where you want to require the system password, execute this command:
$ SET TERMINAL/SYSPWD/PERMANENT
You can use the SHOW TERM command to check if the password is active. Look for Syspassword in the terminal characteristics:
$ SHOW TERM
Terminal: _TTA0:      Device_Type: Unknown     Owner: _TTA0:
                                               Username: SYSTEM

   Input:    9600     LFfill:  0      Width:  80      Parity: None
   Output:   9600     CRfill:  0      Page:   24

Terminal Characteristics:
   Interactive        Echo               Type_ahead         No Escape
   No Hostsync        TTsync             Lowercase          No Tab
   Wrap               Scope              No Remote          No Eightbit
   Broadcast          No Readsync        No Form            Fulldup
   No Modem           No Local_echo      Autobaud           No Hangup
   No Brdcstmbx       No DMA             No Altypeahd       Set_speed
   No Commsync        Line Editing       Overstrike editing No Fallback
   No Dialup          No Secure server   No Disconnect      No Pasthru
   Syspassword        No SIXEL Graphics  No Soft Characters No Printer Port
   Numeric Keypad     No ANSI_CRT        No Regis           No Block_mode
   No Advanced_video  No Edit_mode       No DEC_CRT         No DEC_CRT2
   No DEC_CRT3        No DEC_CRT4        No DEC_CRT5        No Ansi_Color
   VMS Style Input    <CTRL-H> Backspace
The documentation states that you can require this for remote logins, but I have trouble getting the networking part working, due to issues with Windows 10. No way for me to test that yet.
This is a GIF I recorded with the Windows On Screen Keyboard to show that the system password is required before being able to do anything: