![[Digital logo]](../../IMAGES/DIGITAL-LOGO.GIF){kind=logo}
![[HR]](../../IMAGES/REDBAR.GIF)
There is a correspondence between the lifetime of a password history list and the number of passwords allowed on the list. For example, if you increase the password history lifetime to 4 years and your passwords expire every 2 weeks, you would need to increase the password history limit to at least 104 (4 years times 26 passwords a year). The password history lifetime and limit can be changed dynamically, but they should be consistent across all nodes on the cluster.
Sites using secondary passwords may need to double the password limit to account for the secondary password storage.
The password history list is located in SYS$SYSTEM. You can move the list off the system disk by using the logical name VMS$PASSWORD_HISTORY. Define this logical name as /SYSTEM/EXEC, and place it in SYS$MANAGER:SYLOGICALS.COM.
You disable the history search with the DISPWDHIS option to the /FLAGS qualifier in AUTHORIZE.
Besides screening passwords against a system dictionary and a history list, you can develop a site-specific password filter to ensure that passwords are properly constructed and are not words readily associated with your site. A filter can check for password length, the use of special characters or combinations of characters, and the use of product names or personnel names.
To create a list of site-specific words, you write the source code, create a shareable image, install the image, and, finally, enable the policy by setting a system parameter. See the OpenVMS Programming Concepts Manual for instructions.
Installing and enabling a site-specific password filter requires both SYSPRV and CMKRNL privileges. Multiple security alarms are generated when the password filter image is installed if INSTALL and SYSPRV file-access auditing are enabled and the required change to the system parameter is noted on the operator console.
The shareable image contains two global routines that are called by the Set Password utility (SET PASSWORD) whenever a user changes a password.
Caution
The two global routines let you obtain both the proposed plaintext password and its equivalent quadword hash value. All security administrators should be aware of this feature because its subversion by a malicious privileged user will compromise the system's security.Digital recommends that you place security Alarm ACEs on the password filter image and its parent directory. See the OpenVMS Programming Concepts Manual for instructions.
In addition to all the recommendations included in Section 3.8, observe the following guidelines to protect passwords:
The following actions reduce the potential of password detection or limit the extent of the damage if passwords are discovered or bypassed:
External authentication allows users to log in (or sign on) at the OpenVMS login prompt using their external user IDs and passwords. The PATHWORKS authentication module is supported as an external authenticator, providing LAN Manager authentication of OpenVMS users.
When successfully authenticated, the external user ID is mapped to the appropriate OpenVMS user name and the correct user profile is obtained.
By default, external authentication is disabled at both the system and user levels.
Before users can log in, the system administrator must enable external authentication by performing the following:
These tasks are discussed in the following sections.
Defining External Authentication Logical Names
At the system level, external authentication is enabled by defining two system-wide executive-mode logical names:
Define the SYS$SINGLE_SIGNON logical name in SYSTARTUP_VMS.COM during system startup after all dependent products (such as PATHWORKS) have been started. For example:
$ DEFINE/SYSTEM/EXECUTIVE SYS$SINGLE_SIGNON 1
If the SYS$SINGLE_SIGNON logical name is not set, external authentication is disabled regardless of any other settings. (See Table 7-5 for more information on the SYS$SINGLE_SIGNON logical name bits.)
An ACME module is an interface to the external authenticator. Specify the external authenticator (in this case, PATHWORKS) by defining the SYS$ACME_MODULE logical name and installing it as a shareable image.
For example:
$ DEFINE/SYSTEM/EXEC SYS$ACME_MODULE SYS$SHARE:PWRK$ACME_MODULE.EXE !PATHWORKS module $ INSTALL ADD SYS$ACME_MODULE /OPEN/HEAD/SHARE
Marking User Accounts in the SYSUAF
At the user level, external authentication is enabled by a new flag, EXTAUTH, in the SYSUAF record. When set, the EXTAUTH flag denotes that the user is to be externally authenticated. For example, in the Authorize utility, you would enter commands similar to the following:
$ SET DEFAULT SYS$SYSTEM $ RUN AUTHORIZE UAF> ADD username /FLAGS=([NO]EXTAUTH) UAF> MODIFY username /FLAGS=([NO]EXTAUTH)
(See the OpenVMS System Management Utilities Reference Manual: A--L for more information on the Authorize utility EXTAUTH flag. See the OpenVMS System Services Reference Manual: GETQUI--Z for more information on the UAI$V_EXTAUTH bit in the SYS$GETUAI and SYS$SETUAI system services UAI$_FLAGS item code.)
Privileged users can enter the /LOCAL_PASSWORD qualifier after their OpenVMS user name at the login prompt to inform OpenVMS to perform local authentication instead of external authentication. Users should specify their OpenVMS user name and password when using the /LOCAL_PASSWORD qualifier.
Because the use of the /LOCAL_PASSWORD qualifier is effectively overriding the security policy established by the system manager, it is only allowed under the following conditions:
See the OpenVMS Utility Routines Manual for more information on the /LOCAL_PASSWORD qualifier to LOGINOUT.
If you are an externally authenticated user, the DCL command SET PASSWORD sends the password change request to the external authenticator and changes your password on your OpenVMS system.
A system manager can set an externally authenticated user's password by using a utility provided by the external authenticator. In the case of LAN Manager, PATHWORKS provides a NET PASSWORD command. Using this method, the new password is propagated to the external authenticator immediately.
You can enter a case-sensitive user name at the OpenVMS username prompt if you enclose it in quotes. If you do not enclose the user name in quotes, LOGINOUT converts the user name to uppercase characters.
You can restore previous behavior on your OpenVMS system by setting the forced uppercase configuration bit (bit 3) in the SYS$SINGLE_SIGNON logical name. (See Table 7-5 for more information.)
OpenVMS and LAN Manager user names are not case-sensitive. Therefore, quotes are not necessary if you enter an OpenVMS user name or a LAN Manager user ID.
Valid characters for LAN Manager user IDs and passwords belong to the standard IBM extended (8-bit) ASCII character set. LOGINOUT and SET PASSWORD pass these strings to LAN Manager case preserved, although the external authentication service uppercases both strings according to this character set.
LAN Manager passwords can contain characters that are not valid in OpenVMS passwords. If a LAN Manager password contains a character that is invalid in an OpenVMS password, password synchronization is not performed and a message is issued.
OpenVMS passwords are limited to the 7-bit ASCII characters A-Z, 0-9, _, and $.)
To be externally authenticated, a user provides his or her external user ID and password at the OpenVMS login prompt. When performing user name mapping, OpenVMS first tries to locate a match in the SYSUAF and uses that name if it finds a match; otherwise, it queries the external authentication database for a matching user ID. When successfully authenticated, the LAN Manager user ID is mapped to the appropriate OpenVMS user name to obtain the correct user profile, and the login sequence is completed.
External authentication is supported for interactive logins (including DECwindows) and network logins where a proxy is used or user ID/password is supplied.
If you have external authentication enabled on your system, target user names specified in DECnet proxies or Auto-Login (ALF) databases must exist in the SYSUAF. Externally-authenticated users who want to use DECnet proxies must have the same user name in the SYSUAF file and LAN Manager database.
When using DECnet proxies, it is important to maintain unique user names across OpenVMS and LAN Manager domains. If the same user name appears in the SYSUAF file and LAN Manager database identifying two different users, the use of this user name as a proxy is ambiguous. LOGINOUT treats the name as an OpenVMS user name for login purposes, even though the same name in LAN Manager may map to a different OpenVMS user name. This occurs because name-mapping rules specify that OpenVMS attempt to find a match in the SYSUAF before LAN Manager.
Externally authenticated users are considered to have a single password and are not subject to normal OpenVMS password policy (password expiration, password history, minimum and maximum password length restrictions), but are instead subject to any defined external authenticator policy. All other OpenVMS account restrictions remain in effect, such as disabled accounts, modal time restrictions, quotas, and so on.
Externally authenticated users are identified by having the EXTAUTH flag set in their SYSUAF record. OpenVMS users whose accounts do not have the EXTAUTH flag set are not affected by external authentication.
Although passwords are verified using the external authenticator database, OpenVMS attempts to keep the external and SYSUAF password fields synchronized.
Password synchronization is enabled by default.
Synchronization takes place at the completion of a successful externally authenticated login. If the external password is different than the password stored in the SYSUAF file, LOGINOUT updates the SYSUAF password field with the external password. (Synchronization may not be possible due to the different sets of valid characters allowed by OpenVMS and the external authenticator.)
If required, password synchronization can be selectively turned off. (See Table 7-5 for more information on the SYS$SINGLE_SIGNON logical name bits, which control the enabling and disabling of password synchronization.)
The SYS$SINGLE_SIGNON system-wide executive-mode logical name controls overall external authentication operation. The logical name is translated as a hexadecimal string and treated as a bit vector, with each bit controlling a separate component.
Table 7-5 contains the definitions of the SYS$SINGLE_SIGNON logical name bits, which are numbered from right to left (with the least significant bit first).
| Bit | Status | Description |
|---|---|---|
| 0 | ON | Enable external authentication. Users who are tagged in the SYSUAF file as externally authenticated use the external authenticator to log in. |
| OFF | Disable external authentication. If local authentication is enabled (that is, bit 1 is ON), then the system attempts local authentication with the user's normal SYSUAF user name and password. If local authentication is disabled, login is not allowed for externally authenticated users. | |
| 1 | ON | Enable local authentication. If external authentication is disabled (that is, bit 0 is OFF), then a user can log in using local authentication; otherwise, the login is not allowed. |
| OFF | Disable local authentication. A user can force local authentication using the /LOCAL_PASSWORD qualifier. You must have SYSPRV privilege to use this qualifier when bit 1 is OFF. | |
| 2 | ON | Reserved by Digital. |
| OFF | Reserved by Digital. | |
| 3 | ON | Enable forced uppercase terminal input during login; this is equivalent to the RMS ROP$V_CVT option for the login device. Setting this bit restores previous OpenVMS behavior but does not allow case-sensitive input of user name and password. |
| OFF | Disable forced uppercase terminal input during login. | |
| 4 | ON | Disable local password synchronization. The system does not perform password synchronization from the external authenticator to the SYSUAF. |
| OFF | Enable local password synchronization. During a successful login, the system attempts to synchronize the SYSUAF password with the external password (if they are different) by calculating the OpenVMS hash value of the external password used for logins and storing the hash value in the SYSUAF file. | |
| 31 | ON | Enable OPCOM debug messages, which are displayed when users log in or use the SET PASSWORD command. These messages can help diagnose potential problems with the configuration of external authentication. |
| OFF | Disable OPCOM debug messages. |
If SYS$SINGLE_SIGNON is undefined or equates to an invalid hexadecimal string, all bits are considered OFF.
The following example definition enables external authentication (bit 0). All other components take their default values.
$ DEFINE/SYSTEM/EXECUTIVE SYS$SINGLE_SIGNON 1
The following example definition enables external authentication (bit 0), forces uppercase terminal input at the username prompt (bit 3), and disables password synchronization (bit 4).
$ DEFINE/SYSTEM/EXECUTIVE SYS$SINGLE_SIGNON 19 !19 HEX
This section describes many operating system features designed to secure systems from unauthorized users.
This section describes how you can control the display of various pieces of information that appear by default at login time, such as announcement, welcome, last login, and new mail messages. So that you can understand the effect of login restrictions, it also describes how the operating system processes the login fields of the system user authorization file (SYSUAF.DAT). In addition, this section describes the use of the secure server and how to set up intrusion detection.
To provide an announcement message on your system, define the system logical name SYS$ANNOUNCE in the site-specific startup command procedure SYS$MANAGER:SYSTARTUP_VMS.COM. The OpenVMS System Manager's Manual describes how to do this. The announcement message appears at login.
The definition you provide here affects all users on the system. Because this message may provide a clue to the identity of the operating system, you may decide not to display it.
Similar to the announcement message, the welcome message is controlled through a system logical name, SYS$WELCOME. If you do not define SYS$WELCOME, a standard welcome message is provided for all users. This welcome message reveals the operating system and version number, as well as the node if SYS$NODE is defined.
To define another message for SYS$WELCOME, you can create a text file containing the message. To display the contents of this file, use the following line in SYSTARTUP_VMS.COM:
$ DEFINE/SYSTEM SYS$WELCOME "@SYS$MANAGER:WELCOME.TXT"
To disable the welcome message, place the following DCL command in SYS$MANAGER:SYSTARTUP_VMS.COM. This command prints a blank line in place of the standard welcome message.
$ DEFINE/SYSTEM SYS$WELCOME " "
If you prefer to selectively disable the message for individual users, you can use the AUTHORIZE qualifier /FLAGS=DISWELCOME on individual UAF records.
By default, the system displays three messages that provide information about the last logins and the number of failed login attempts (see Section 3.4.3). You can selectively disable the appearance of these three messages. Enter the AUTHORIZE qualifier /FLAGS=DISREPORT for specific users.
By default, the system tells users the number of new mail messages when they log in. You can prevent users from receiving this notice by specifying the AUTHORIZE qualifier /FLAGS=DISNEWMAIL.
The new mail announcement is primarily a user convenience, not a security issue. If a user with a restricted account cannot invoke the Mail utility (MAIL), then you might want to disable the new mail message at the same time you prohibit mail access. The following AUTHORIZE qualifier accomplishes both tasks:
/FLAGS=(DISMAIL,DISNEWMAIL)
Virtual terminals let users maintain more than one disconnected process at a time. Virtual terminals are also required by the secure server feature (see Section 7.5.4). You may want to restrict the use of virtual terminals. For example, if you are concerned about the amount of nonpaged pool, you may not want to enable this feature on a systemwide basis.
Virtual terminals can be disabled at the terminal, user, or system level:
You can also set the amount of time allowed for reconnection to less than the default of 15 minutes with the system parameter TTY_TIMEOUT. A process that remains disconnected for longer than the timeout value is automatically logged out by the system. Limiting the connection time tends to minimize the number of users who receive messages, but it also affects the usefulness of the connection feature.
For more information on setting up and reconnecting to virtual terminals, refer to the OpenVMS System Manager's Manual.
You can assign accounts to particular terminals to enable an automatic login feature (see Section 7.2.6). This feature permits users to log in without specifying a user name. The operating system associates the user name with the terminal (or terminal server port) and maintains these assignments in the file SYS$SYSTEM:SYSALF.DAT, referred to as the automatic login file or the ALF file. Maintain this file with the following System Management utility (SYSMAN) commands:
| Task | Command | Example |
|---|---|---|
| Adding terminal/user name association | ALF ADD | ALF ADD TTA5 RENOLDS |
| Adding terminal server/user name association | ALF ADD/PORT | "M34C3/LC-1-2" RENOLDS |
| Displaying records in ALF file | ALF SHOW |
ALF SHOW TTA5
ALF SHOW /USERNAME=PONTRE |
| Removing terminal/user name association | ALF REMOVE |
ALF REMOVE TTA3
ALF REMOVE /USERNAME=DOUGLAS |
The ALF file consists of one record for each terminal on which automatic logins are enabled. Each record consists of two fields: the device name or terminal server port name of the terminal, followed by the user name of an account. The device names must be unique within the file. However, the same user name can occur in any number of records; that is, one account can be automatically logged in to an unlimited number of terminals.
The ALF file is an indexed file that does not need to be purged, but it should be backed up after a modification.
Section 3.8 describes password grabbers as a class of programs designed to steal passwords from unsuspecting users who log in to terminals left on. The operating system provides a secure terminal server that stops any currently executing process before the start of a login at that terminal.
Invoke the secure server separately for each terminal with the following DCL command:
SET TERMINAL/PERMANENT/SECURE/DISCONNECT term-id
The user must then press the Break key followed by the Return key to start a login. The login proceeds as usual.
If you apply the secure server to all terminals, you can make the login procedure consistent throughout the site by putting the SET TERMINAL commands in the site-specific startup command procedure. However, certain applications that may use the terminal as a communications line need to use the Break key for their own purposes, which would be incompatible with the secure terminal server.
The secure terminal server feature is also incompatible with autobaud handling. However, because autobaud handling is necessary only on modem terminals (switched and dialup terminals), the modem handling on such terminals performs the equivalent of secure server functions. For secure operation, set up the terminal characteristics as follows:
/NOMODEM/SECURE/DISCONNECT/NOAUTOBAUD/PERMANENT
/MODEM/AUTOBAUD/NOSECURE/DISCONNECT/PERMANENT
Specify the /DIALUP qualifier if the terminal port is accessible through a telephone line or the equivalent, regardless of the path (direct modem, data switch, terminal server, or public data network).
Always specify the /DISCONNECT qualifier to guard against password grabbers. To prevent disconnected jobs from filling up your system, set the system parameter TTY_TIMEOUT to a low timeout value, which determines when disconnected processes are deleted.
If you decide to apply the secure server to individual terminals, include directly wired terminals located in public areas or remote, unsecured areas. Terminals never used for local or dialup logins are not subject to this security problem. Terminals closely supervised during logins may also not require this measure.
Occasionally people fail to log in correctly because they enter an expired password or make a typing error. But not all failures are benign: some occur because an unauthorized person is trying to log in through an expired account or with an unknown user name or is attempting to guess passwords on a valid account.
6346P012.HTM OSSG Documentation 22-NOV-1996 13:05:08.27
Copyright © Digital Equipment Corporation 1996. All Rights Reserved.