HP OpenVMS Systems Documentation

OpenVMS User's Manual

If your system manager does not require use of the automatic password generator, the SET PASSWORD command prompts you to enter the new password. It then prompts you to reenter the new password for verification, as follows:

$ SET PASSWORD
New password:
Verification:

If you fail to enter the same new password twice, the password is not changed. If you succeed in these two steps, there is no notification. The command changes your password and Enters you to the DCL prompt.

Even though your security administrator might not require the password generator, you are strongly encouraged to use it to promote the security of your system.

1.7.2 Using Generated Passwords

If your system security administrator decides that you must let the system generate the password for you automatically, the system provides you with a list of password choices when you enter the DCL command SET PASSWORD. (If your system is not set up to use automatically generated passwords, you can use them by specifying the SET PASSWORD command with the /GENERATE qualifier.) The character sequence resembles native language words to make it easy to remember, but it is unusual enough to be difficult for outsiders to guess.
Because system-generated passwords vary in length, they become even more difficult to guess.

In the following example, the system automatically generates a list of passwords made up of random sequences of characters. The minimum password length for the user in the following example has been set to 8 characters in their UAF record.

$ SET PASSWORD
Old password:           (1)

reankuna      rean-ku-na    (2)
cigtawdpau    cig-tawd-pau
adehecun      a-de-he-cun
ceebatorai    cee-ba-to-rai
arhoajabad    ar-hoa-ja-bad

Choose a password from this list, or press Enter to get a new list (3)
New password:           (4)
Verification:           (5)
$ (6)

Note the following about the example:

1. The user correctly specifies the old password and presses the Enter key.
2. The system responds with a list of five password choices ranging in length from 8 to 10 characters. Usually, the password that is easiest to pronounce is easiest to remember; therefore, it is the best choice.
   On OpenVMS VAX systems, representations of the same word divided into syllables are displayed to the right of each password choice (as shown here).
3. The system informs the user that it is possible to request a new list by pressing the Enter key in response to the prompt for a new password.
4. The user enters one of the first five possible passwords and presses the Enter key.
5. The system recognizes that this password is one provided by the automatic password generator and responds with the verification prompt. The user enters the new password again and presses Enter.
6. The system changes the password and responds with the DCL prompt.

There are two disadvantages to using generated passwords:

• There is a possibility that you might not remember your password choice. However, if you dislike all the password choices in your list or think none are easy to remember, you can always request another list.
• There is a potential for disclosure of password choices from the display that the command produces. To protect your account, change your password in private. If you perform the change on a video terminal, clear the display of password choices from the screen after the command finishes. If you use a printing terminal, properly dispose of all hardcopy output.
  If you later realize that you failed to protect your password in these ways, change your password immediately. Depending on site policy or your own judgment concerning the length of time your account was exposed, you should notify your security administrator that a security breach could have occurred through your account.

To change a secondary password, use the DCL command SET PASSWORD/SECONDARY. You are prompted to specify the old secondary password and the new secondary password, just as in the procedure for changing the primary password. To remove a secondary password, press the Enter key when you are prompted for a new password and verification.

You can change primary and secondary passwords independently, but both are subject to the same change frequency because they share the same password lifetime.

1.7.5 Changing Passwords at Login

Even if your current password has not yet expired, you can change your password when you log in to the system by including the /NEW_PASSWORD qualifier with your user name. When you enter the /NEW_PASSWORD qualifier after your user name, the system prompts you to set a new password immediately after login.

The following example shows how to change your password when you log in:

  WILLOW - A member of the Forest Cluster

Username: RWOODS/NEW_PASSWORD
Password:
         Welcome to OpenVMS on node WILLOW
            Last interactive login on Tuesday, 7-NOV-2002 10:20
            Last non-interactive login on Monday, 6-NOV-2002 14:20

Your password has expired; you must set a new password to log in
New password:
Verification:

Your system manager can set up your account so that your password, or the account itself, expires automatically on a particular date and time. Password expiration times promote system security by forcing you to change your password on a regular basis. Account expiration times help to ensure that accounts are available only for as long as they are needed.

1.8.1 Expired Passwords

As you approach the expiration time of your password, you receive an advance warning message. The message first appears 5 days before the expiration date and at each subsequent login. The message appears immediately below the new mail message and sounds the bell character on your terminal to attract your attention. The message indicates that your password is expiring, as follows:

WARNING -- Your password expires on Thursday 11-DEC-2002 15:00

If you fail to change your password before it expires, you receive the following message when you log in:

Your password has expired; you must set a new password to log in
New password:

The system prompts you for a new password or, if automatic password generation is enabled, asks you to select a new password from those listed. You can abort the login by pressing Ctrl/Y. At your next login attempt, the system again prompts you to change your password.

1.8.2 Using Secondary Passwords

If secondary passwords are in effect for your account (see Section 1.3.4), the secondary password expires at the same time as the primary one. You are prompted to change both passwords. If you change the primary password and press Ctrl/Y before changing the secondary password, the login fails. The system does not record a password change.

1.8.3 Failure to Change Passwords

If the system manager decides not to force you to change your expired password upon logging in, you receive one final warning when you log in after your password expires, as follows:

WARNING -- Your password has expired; update immediately with
SET PASSWORD!

At this point, if you do not change the password or if the system fails before you have the opportunity to do so, you will be unable to log in again. To regain access, see your system manager.

1.8.4 Expired Accounts

If you need your account for a specific purpose for a limited time only, the person who creates your account may specify a period of time after which the account lapses. For example, student accounts at universities are typically authorized for a single semester at a time.

Expired accounts deny logins automatically. You receive no advance warning message before the account expiration date, so it is important to know in advance your account duration. The account expiration resides in the UAF record, which can be accessed and displayed only through the use of the OpenVMS Authorize utility (AUTHORIZE) by users with the SYSPRV privilege or equivalent---normally, your system manager or security administrator.

When your account expires, you receive an authorization failure message at your next attempted login. If you need an extension, follow the procedures defined at your site.

1.9 Guidelines for Protecting Your Password

Illegal system accesses involving the use of a correct password are more often traced to disclosure of the password by its owner than to surreptitious discovery. It is vital that you do not reveal your password to anyone.

You can best protect your password by observing the following rules:

• Select reasonably long passwords that cannot be guessed easily. Avoid using words in your native language that appear in a dictionary. Consider including numbers in your password. Alternatively, let the system generate passwords for you automatically.
• Never write down your password.
• Never give your password to another user. If another user obtains your password, change it immediately.
• Do not include your password in any file, including the body of an electronic mail message. (If anyone else reveals a password to you, delete the information promptly.)
  The character strings that appear in conjunction with your actual password can make it easy for someone to find your password in a file. For example, a quotation mark followed by two colons ("::) always comes after a user name and password in an access control string. Someone attempting to break into the system could obtain your password by searching inadequately protected files for this string. Another way in which you might reveal your password is by using the word "password" in a text file, for example:

  My password is GOBBLEDYGOOK.

• Do not use the same password for accounts on different systems.
  An unauthorized user can try one password on every system where you have an account. The account that first reveals the password might hold little information of interest, but another account might yield more information or more privileges, ultimately leading to a far greater security breach.
• Before you log in to a terminal that is already on, invoke the secure terminal server feature (if enabled) by pressing the Break key. This is particularly relevant when you are working in a public terminal room.
• Change your password every 3 to 6 months. Compaq warns against sharing passwords. If you do share your password, change it every month.
• Change your password immediately if you have any reason to suspect it might have been discovered. Report such incidents to your security administrator.
• Log off a terminal you expect to leave unattended.
  Unauthorized users could use the terminal for malicious purposes, such as loading a password-stealing program.
• Check your last login messages routinely. Be alert for login failure counts seem unusual. If you observe any unusual failure during a login, change your password immediately and notify your security administrator.

The system responds to the commands you enter in one or more of the following ways:

• By executing the command. Generally, you know your command has executed successfully when the system prompt Enters (by default, the dollar sign).
• By executing the command and informing you in a message what it has done.
• By informing you of errors, if execution of a command is unsuccessful.
• By supplying values (defaults) you have not supplied.

A default is the value supplied by the operating system when you do not specify one yourself. For example, if you do not specify the number of copies as a qualifier for the PRINT command, the system uses the default value 1. The operating system supplies default values in several areas, including command qualifiers and parameters. The defaults that the operating system uses with specific commands are described in each command's entry in the OpenVMS DCL Dictionary.

1.10.2 Informational System Messages

The system responds to some commands by displaying information in a system message about what it has done. For example, when you use the PRINT command, the system displays the job identification number it assigned to the print job and shows the name of the print queue the job has entered.

$ PRINT MYFILE.LIS
     Job MYFILE (queue SCALE_PRINT, entry 210) started on SYS$PRINT

Not all commands display informational messages. Successful completion of a command is usually indicated when the DCL prompt Enters. Unsuccessful completion is always indicated by one or more error messages.

1.10.3 System Error Messages

If you enter a command incorrectly, the system displays a system message and prompts you for the correct command string, as the following example shows:

$ CAPY )
%DCL-W-IVVERB, unrecognized command verb - check validity and spelling
 \CAPY\
$

The format for the 3-part code is:

where:

You can also receive system error messages during command execution if the system cannot perform the function you have requested. For example, if you type a PRINT command correctly but the file you specify does not exist, the PRINT command informs you of the error with a message like the following:

$ PRINT NOFILE.DAT
%PRINT-E-OPENIN, error opening CLASS1:[MAYMON]NOFILE.DAT; as input
-RMS-E-FNF, file not found
$

The first message is from the PRINT command. It tells you it cannot open the specified file. The second message indicates the reason for the first; that is, the file cannot be found. RMS refers to the OpenVMS file-handling software, Record Management Services; error messages related to filehandling are generally OpenVMS RMS messages.

1.10.4 Checking Your Current Process

If you suspect that your process is not doing what you think it should be doing, press Ctrl/T. Ctrl/T displays a single line of statistical information about the current process. The statistical information includes node and user name, current time, current process, central processing unit (CPU) usage, number of page faults, level of I/O activity, and memory usage, which is listed in number of CPU-specific pages.

When you press Ctrl/T during an interactive terminal session, it momentarily interrupts the current command, command procedure, or image to display statistics. Although Ctrl/T disrupts the characters on the screen, it does not affect any procedure or editing session. For example, if a user named MCCARTHY on node GREEN presses Ctrl/T while using the EVE editor, the following line is displayed in the EVE message window:

GREEN::MCCARTHY  13:45:02 EVE    CPU=00:00:03.33 PF=778 IO=295 MEM=315

To refresh the screen, press Ctrl/W.

Ctrl/T is disabled by default. If you know your system is running and Ctrl/T does not display statistical information, you can enable Ctrl/T with the DCL command SET CONTROL=T. Enter the command at DCL level (at the dollar sign ($) prompt), then press Ctrl/T again. Ctrl/T will remain in effect for the duration of your process, unless it is disabled from a program or command such as SET NOCONTROL=T. Note that your terminal must be set to BROADCAST mode for Ctrl/T to display on your screen. BROADCAST mode controls whether reception of broadcast messages (such as those issued by MAIL and REPLY) is enabled. To set your terminal to BROADCAST mode, enter the DCL command SET TERMINAL/BROADCAST at the DCL prompt.

1.11 Getting Help About the System

When you are logged in to the operating system, you can obtain information about using the system and available commands by using the HELP command. You can also get help on system messages by entering the HELP/MESSAGE command as shown in Section 1.11.3.

1.11.1 Using Online Help

Use the following procedure to get help on OpenVMS commands and utilities:

The following example shows the commands that you would enter to look for help about the SHOW USERS command:

$ HELP

HELP
.
. (HELP message text and subtopics)
.

Topic? SHOW USERS

SHOW

  USERS

     Displays the user name and node name (in a VAXcluster environment)
     of interactive, subprocess, and batch users on the system.

     Format

       SHOW USERS  [username]



    Additional information available:

    PARAMETER  QUALIFIER
    /BATCH     /CLUSTER   /FULL      /INTERACTIVE     /NETWORK   /NODE
    /OUTPUT    /SUBPROCESS
    Examples

SHOW USERS Subtopic? EXAMPLES

SHOW

  USERS

    Examples
.
. (SHOW USERS Examples message text and subtopics, if any)
.
SHOW USERS Subtopic?
SHOW Subtopic?
Topic?
$

If you know the command you need information about, enter HELP and the command name. For example, to get help about the SHOW USERS command enter the following command:

$ HELP SHOW USERS

If you need help but do not know what command or system topic to specify, enter the command HELP with the word HINTS as a parameter. Each task name listed in the HINTS text is associated with a list of related command names and system information topics.

The OpenVMS DCL Dictionary contains more information about the HELP command.

1.11.3 Getting Help on System Messages

Use the Help Message utility (MSGHLP) to get online help for system messages. To display information on how the last command completed, type:

$  HELP/MESSAGE

You can also display information about a specific message by including the message identifier or words from the message text. For example:

$  HELP/MESSAGE BADACP

A message and its description can also be accessed by entering the message status code. For example:

$  HELP/MESSAGE/STATUS=%X00038090

$  SHOW SYMBOL $STATUS
  $STATUS == "%X00038090"

The Help Message utility allows you to update the messages database with your own messages or to add comments to existing message descriptions. You can also extract a subset of messages from the messages database to create and print your own customized messages documentation. For details on how to use the Help Message utility, see OpenVMS System Messages: Companion Guide for Help Message Users.