Using Passwords to Control System Access

If both a Table of Contents and Search form are not displayed in separate frames along with this one, you may wish to redisplay this book in a frameset, beginning with the first page.

HP OpenVMS Guide to System Security

Security for the System Administrator

Managing System Access

Assigning Appropriate Accounts to Users

Enabling External Authentication

Using Passwords to Control System Access

A site needing average security protection always requiresuse of passwords. Sites with more security needs frequently imposea generated password scheme (see Generated Passwords) and possibly system passwords as well.

This section describes password management.

Types of Passwords

With the exception of an automatic login account, all usersmust have at least one password to log in. Sites with moderate orhigh security requirements may impose additional passwords (see Types of PasswordsTable 3-2).

Externally authenticated users enter their external passwordat the OpenVMS password prompt. See Enabling External Authentication for more information.

This section explains how to assign passwords using DCL andAUTHORIZE commands.

Primary Passwords

When you open an account for a new user with AUTHORIZE, youmust give the user a user name and an initial password. When youassign temporary initial passwords, observe all guidelines recommendedin Guidelines for Protecting Your Password"Guidelinesfor Protecting Your Password" on page 53. Avoidany obvious pattern when you assign passwords. You may want to usethe automatic password generator.

Touse the automatic password generator while using AUTHORIZE to openan account, add the /GENERATE_PASSWORD qualifier to either the ADDor the COPY command. The system responds by offering you a listof automatically generated password choices. Select one of thesepasswords, and continue setting up the account.

There are restrictions on using the /GENERATE_PASSWORDqualifier with the /PWDMINIMUM qualifier. Generated passwords havean absolute length of 12 characters (see Requiring a Minimum Password Length). Whenever there is a conflict between the valueof /PWDMINIMUM and a generated password, the operating system usesthe lesser of the two values.

Passwords you specify with AUTHORIZE are defined as expiredby default. This forces the user to change the initial passwordwhen first logging in. See Enforcing Minimum Password Standards for more information. Be sure to include informationon the first login in your user training so that users know whatto expect. If you do not want the password you define with AUTHORIZEto be pre-expired, add the qualifier /NOPWDEXPIRED when enteringthe password. This is necessary for accounts when users are notpermitted to set their own password.

Pre-expired passwords are conspicuous in the UAF record listing.The entry for the date of the last password change carries the followingnotation:(pre-expired)

System Passwords

Entering a System Password"Enteringa System Password" on page 43 introduces systempasswords, which control access to particular terminals. Systempasswords are used to control access to terminals that might betargets for unauthorized use, as follows:

All terminals using dialup lines orpublic data networks for access

Terminals on lines that are publicly accessibleand not tightly secured, such as those in computer laboratoriesat universities

Terminals not frequently inspected

Terminals intended for use only as spare devices

Terminals you want to reserve for security operations

Execute thefollowing steps to implement system passwords:

Establish a recordin the SYSUAF database for a system password by invoking the Authorizeutility and entering the following command:

UAF> MODIFY/SYSTEM_PASSWORD=password

You need to establish a record in the SYSUAF databaseonly the first time a system password is set up on the system. However,if no record is present,the SET PASSWORD/SYSTEM command returnsthe following error:

%SET-F-UAFERR, error accessing authorization file-RMS-E-RNF, record not found

Decide which terminals require system passwords.Then, for each terminal, enter the DCL command SET TERMINAL/SYSPWD/PERMANENT.When you are satisified that you have selected the right terminals, incorporatethese commands into SYS$MANAGER:SYSTARTUP_VMS.COM so that the terminalsetup work is done automatically at system startup. You can removethe restriction on a terminal at any time by invoking the DCL commandSET TERMINAL/NOSYSPWD/PERMANENT for that terminal.

Choose a system password, and implement it withthe DCL command SET PASSWORD/SYSTEM, which requires the SECURITYprivilege. This command prompts you for the password and then promptsyou again for verification, just as for user passwords. To requestautomatic password generation, include the /GENERATE qualifier.

To enable the use of the system password for the remote classof logins (those accomplished through the DCL command SET HOST),set the appropriate bit in the default terminal characteristicsparameter by using AUTOGEN. This is bit 19 (hexadecimal value 80000)in the parameter TTY_DEFCHAR2. Note that if you set this bit, youmust invoke the DCL command SET TERMINAL/NOSYSPWD/PERMANENT to disablesystem passwords for each terminal where you do not want the feature.(As before, consider placing the SET TERMINAL commands you havetested in SYS$MANAGER:SYSTARTUP_VMS.COM.) Then follow the previouslydefined steps to set the system password.

When choosing a system password, follow the recommendationspresented in Guidelines for Protecting Your Password"Guidelines for Protecting Your Password" onpage 53. Choose a string of characters and digits, witha minimum length of 6, that is not a valid word. Although the systempassword is not subject to expiration, change the password frequently. Alwayschange the system password as soon as a person who knows the passwordleaves the group. Share the system password only with those whoneed to know.

The system passwordis stored in a separate UAF record and cannot be displayed. TheDCL command SET PASSWORD/SYSTEM (the normal means of setting andchanging the system password) requires that you enter the old systempassword before changing it. Use the AUTHORIZE command MODIFY/SYSTEM_PASSWORDto change the system password without specifying the old password,as shown in the following command:

UAF> MODIFY/SYSTEM_PASSWORD=ABRACADABRA

The primary function of the system password is to form a firstline of defense for publicly accessible ports and to prevent potentialintruders from learning the identity of the system. However, requiringsystem passwords can appear confusing when authorized users areunaware that they are required on certain terminals. To avoid falsereports of defective terminals or systems, inform your users whichterminals allocated for their use require system passwords.

Where system passwords are not applied to either control accessthrough dialup lines or on publicly accessed lines, few people mayknow the system password. Operations are hampered if the personnelwho know the password are unavailable, incapacitated, or forgetful.Solve this problem by invoking AUTHORIZE and entering the MODIFY/SYSTEM_PASSWORDcommand. SYSPRV privilege is required.

Secondary Passwords

Sites with high-level security concerns can require a secondpassword on user accounts. Typically, the user does not know thesecondary password, and a supervisor or other key person must bepresent to supply it. For certain applications, the supervisor mayalso decide to remain present while the account is in use. The effectivenessof a secondary password depends on the trustworthiness of the supervisorwho supplies it because the supervisor can remove the secondarypassword by changing it to a null string.

Although the use of dual passwords is cumbersome, they dooffer the following advantages:

When used on a widespread basis, dualpasswords help verify the identity of each user at login time becausethe supervisor or other key person can check each user.

When used in limited cases, dual passwords singleout accounts that can be logged in to only when two persons arepresent.

Dual passwords also prevent the use of access controlstrings when users access accounts through DECnet software.

Sites with medium security requirements may use dual passwordsas a tool when there are unexplained intrusions after the passwordhas been changed and use of the password generator has been enforced.Select problem accounts, and make them a temporary target of thisrestriction. If the problem goes away when you institute personalverification through the secondary password, you know you have apersonnel problem. Most likely, the authorized user is revealingthe password for the account to one or more other users who are abusingthe account.

Implement dual passwords with the AUTHORIZE qualifier /PASSWORD.For example, to impose dual passwords on a new account, invoke AUTHORIZEand use the following form of the ADD command: ADD newusername /PASSWORD=(primarypwd, secondarypwd)

To impose a secondary password on an existing account, usethe following form of the MODIFY command:MODIFY username /PASSWORD=("", secondarypwd)

This command does not affect the primary password that alreadyexists for the account but adds the requirement that a secondarypassword be provided at each subsequent login. The secondary password acquiresthe same password lifetime and minimum length values in effect forthe primary password. If the /FLAGS=GENPWD qualifier has been specifiedfor this account, the secondary password can be changed only underthe control of the automatic password generator. You cannot use wildcardsin the user name parameter to apply a secondary password to multipleusers with a single command.

Whileyou can specify secondary passwords for accounts requiring remoteaccess through the DCL command SET HOST, you cannot specify themfor accounts requiring network file access using access controlstrings. If an account with a secondary password is to be used fornetwork access (for example, remote file access), you must set upproxy access for all remote nodes from which the account may beaccessed.

Console Passwords

The console terminal controls operation of the CPU and, consequently,operation of the system. Sites with high security requirements shouldconsider using the password security feature when it is available.(Certain VAXstation 3100s and later models offer it.)

Once the console password is enabled, operators must enterit before using any privileged command in console mode. Privilegedcommands include the following two types:

Commands that examine or modify memoryand registers, such as SET, EXAMINE, DEPOSIT, FIND, and SHOW.

Commands that transfer control of the CPU from theconsole monitor to another program, such as BOOT and START. (Invokingthe default boot, which requires a BOOT command with no parameters,is not a privileged command and is allowed without the password.)

To enable the console password feature, take the followingsteps:

Enter the privilegedcommand:
```
>>> SET PSWD 
```

In response, the console prompts for a password:
```
1 >>>
```
Enter the new password, and press the Return key. Note thatthe console does not display the password as you enter it.

The password must be a hexadecimal string of characters (0through 9 and A through F) with a length of exactly 16 characters.

If the password character string is of the rightlength, the console prompts for you to reenter the new passwordfor verification:
```
2 >>>     
```
Reenter the new password, and press Return. Again, note thatthe password is not displayed.

Enable the password security feature with the followingcommand:
```
>>> SET PSE 1
```

To place the workstation in privileged mode and make all consolecommands accessible, use the LOGIN command. The SHOW PSE commanddisplays the current status of the password feature. (If a 1 isdisplayed, the feature is enabled; a 0 indicates it is disabled.)To disable the feature, use the SET PSE command with a 0 argument.

Because the password is stored in nonvolatile memory, youmust call the Customer Support Center if you forget it.

Authentication Cards

Rather than distribute passwords and account information,some sites choose to provide system users with hand-held devicescalled authentication cards or smart tokens.

Authentication devices have the user's password programmedonto them. Depending on the complexity of the hardware design, thesedevices can support additional login information (for example, anaccount name and billing reference number). A variety of authenticationdevices are available from third-party vendors. Such devices aresupported by a software module that communicates with the loginprogram (LOGINOUT.EXE). See the HP OpenVMS Utility RoutinesManual for a description of the LOGINOUT routines supporting authenticationcards.

Enforcing Minimum Password Standards

You can use AUTHORIZE to impose minimum password standardsfor individual users. Specifically, qualifiers and login flags providedby AUTHORIZE control how soon passwords will expire, whether theuser is forced to change passwords at expiration, and the minimumpassword length.

Expiring Passwords

With the AUTHORIZE qualifier /PWDLIFETIME, you can establishthe maximum length of time that can elapse before the user is forcedto change the password or lose access to the account. By default,the value of /PWDLIFETIME is 90 days. You can change the frequencyrequirements for user password changes by specifying a differentdelta time value for the qualifier. For example, to require a userto change the password every 30 days, you would specify the qualifieras /PWDLIFETIME=30-0.

The /PWDLIFETIME qualifier applies to both primary and secondaryuser passwords but not to the system password. Each primary andsecondary password for a user is subject to the same maximum lifetime. However,the passwords can change at separate times. As soon as the usercompletes a password change, that individual password's clock isreset; the new password value can exist unchanged for the lengthof time dictated by /PWDLIFETIME.

The qualifier /NOPWDLIFETIME specifies that primary and secondarypasswords do not expire.

Specifying /NOPWDLIFETIME removes the default behaviorthat initial passwords be reset. However, if you want to have initialpasswords reset but you do not want password expiration, you canspecify /PWDLIFETIME="9999-".

AUTHORIZEalso provides two login flags related to primary and secondary passwordexpiration. These flags, PWD_EXPIRED and PWD2_EXPIRED, are specifiedwith the /FLAGS qualifier. The first flag, PWD_EXPIRED, is set afterthe primary password expires and the user has had one last chanceto change the password and has failed to do so. The second flag,PWD2_EXPIRED, is set after the secondary password expires and theuser has had one last chance to change the secondary password andhas failed to do so. If either PWD_EXPIRED or PWD2_EXPIRED is set,the account is disabled for logins because the user failed to employthe last chance to change the password during the last login.

As soon as the user successfully changes the password, thesystem resets the flags, as appropriate. The flag PWD_EXPIRED becomesNOPWD_EXPIRED as soon as the primary password is changed. Similarly,the flag PWD2_EXPIRED becomes NOPWD2_EXPIRED as soon as the secondarypassword is changed. As security administrator, you may choose toinvoke AUTHORIZE and reset the flags, giving the user another chanceto reset the password.

The use of a password lifetime forces the user to change passwordsregularly. The lifetime can be different for different users. Userswith access to critical files generally should have the shortestpassword lifetimes.

Systempasswords have an unlimited lifetime. It is your responsibilityas security administrator to change the system password regularly.

SYS$PASSWORD_HISTORY_LIFETIME should be made largerthan the UAF parameter PWDLIFETIME. If you set the SYS$PASSWORD_HISTORY_LIFETIMEvalue to less than PWDLIFETIME, passwords will expire out of thehistory file before they expire in SYSUAF. This defeats the purposeof the password history file. For more information about PWDLIFETIMEparameter, see Enforcing Change of Expired Password.

Enforcing Change of Expired Password

By default, users are forcedto change expired passwords when logging in. Users whose passwordshave expired are prompted for new passwords at login. This passwordfeature is valid only when a password expiration date is specifiedwith the /PWDLIFETIME qualifier.

To disable forced password changes, specify the followingqualifier to the ADD or the MODIFY command:/FLAGS=DISFORCE_PWD_CHANGE

Once you disable the forced password feature, you can reenableit by clearing the login flag, as shown in the following:/FLAGS=NODISFORCE_PWD_CHANGE

Users who log in and are prompted to change expired passwordscan cancel the login by pressing Ctrl/Y.

If secondary passwords are in effect and both primaryand secondary passwords have expired, the user is forced to changeboth passwords. If the user changes the primary password and pressesCtrl/Y before changing the secondary password, the user is loggedout, and no password change is recorded.

Requiringa Minimum Password Length

With the AUTHORIZE qualifier/PWDMINIMUM, you can direct that all password choices, both primary andsecondary, must contain a minimum number of characters. (Users canstill specify passwords up to the maximum length of 32 characters.)

A user's minimum password length is either the default of6 characters or another value established by the /PWDMINIMUM qualifier(provided the number is 10 or less).

On Alpha systems, the password generator creates passwordsof the exact length specified but limited to 10 characters.

On VAX systems, the password generator creates passwords thatrange in length between n and n+2,where the minimum length n is a value rangingfrom 1 to 10. So the length of a generated password (/GENERATE_PASSWORDor SET PASSWORD/GENERATE) can conflict with the value provided withthe /PWDMINIMUM qualifier.

When there is a conflict between n andthe value set by the /PWDMINIMUM qualifier, the operating system usesthe lesser value, but never more than 10. For example, if you specifya length of 25 with the /PWDMINIMUM qualifier, the operating systemgenerates passwords of 10 to 12 characters. The system does notnotify you of the difference in values.

The length of a generated password produced by the AUTHORIZEqualifier /GENERATE_PASSWORD comes from the Pwdminimum field ofthe source UAF record: the DEFAULT record or the UAF record copied.The Pwdminimum field is updated with the value set by /PWDMINIMUM,so passwords created with SET PASSWORD/GENERATE use the new value.

The system password is not subject to a minimum length. Guidelinesthat apply to user passwords are equally applicable to system passwords.Choose system passwords that are 1 to 32 characters long.

Generated Passwords

The /FLAGS=GENPWD qualifier in AUTHORIZE lets you force useof the automatic password generator when a user changes a password.At some sites, all accounts are created with this qualifier. Atother sites, the security administrator may be more selective.

If users will have access to sensitive data that must notbe compromised by an intrusion, require them to use the passwordgenerator.

If your policy is to request voluntary use of the passwordgenerator and users are not cooperating, you can force users touse the password generator by adding the /FLAGS=GENPWD qualifierto pertinent user accounts. You can also add the AUTHORIZE qualifier/FLAGS=LOCKPWD to user accounts to prevent users from changing passwords.Only you will be authorized to change passwords.

Site Password Algorithms

The operating system protects passwords from disclosure throughencryption. OpenVMS algorithms transform passwords from plaintextstrings into ciphertext, which is then stored in the system user authorizationfile (SYSUAF.DAT). Whenever a password check is done, the checkis based on the encrypted password, not the plaintext password.The system password is always encrypted with an algorithm knownto the operating system.

The /ALGORITHM qualifier in AUTHORIZE allows you to definewhich algorithm the operating system should use to encrypt a user'spassword. Your choices are the current OpenVMS algorithm or a site-specific algorithm.You can specify the encryption algorithm independently for eachaccount's primary and secondary passwords. The syntax is as follows: /ALGORITHM=keyword=type [=value]

To assign the OpenVMS password encryption algorithm for auser, you would enter a command like the following:

UAF>  MODIFY HOBBIT/ALGORITHM=PRIMARY=VMS

If a site-specific algorithm is selected, you must give avalue to identify the algorithm, for example:

UAF>  MODIFY HOBBIT/ALGORITHM=CURRENT=CUSTOMER=128

The HP OpenVMS Programming Concepts Manual providesdirections for using a customer algorithm. You must create a site-specificsystem service in which you write code that recognizes the algorithmnumber you choose and encrypts the password appropriately. Thisnumber has to correspond with the number used in the AUTHORIZE commandMODIFY/ALGORITHM.

Whenever a user is assigned a site-specific algorithm, AUTHORIZEreports this information in the display provided by the SHOW command.

Screening New Passwords

The system generally compares new passwords against a systemdictionary stored in SYS$LIBRARY to ensure that a password is nota native language word. It also maintains a history list of a user'spasswords and compares each new password against this list to guaranteethat an old password is not reused. You can screen passwords furtherby developing and installing an image that filters passwords forwords that are particularly sensitive to a site.

System Dictionary

The DCL command SET PASSWORD takes a user's proposed password,converts it to lowercase (if necessary), and compares it to entriesin a system dictionary to ensure that a password is not a native languageword. If a proposed password is found in the dictionary, it is rejectedas a valid user password, and the user has to provide another.

You may want to modify the system password dictionary to includewords of significance to your site. The following procedure letsyou add words to the system dictionary. The procedure also letsyou retain a file of the passwords that you consider unacceptable.

Create a filecontaining passwords you would like to add to the dictionary. Eachpassword should be on a separate line and in lowercase, as follows:
```
$ CREATE LOCAL_PASSWORD_DICTIONARY.DATAsomefamouslocalheroesCtrl/Z 
```

Enable SYSPRV and merge your local additions:

$ SET PROCESS/PRIVILEGE=SYSPRV$ CONVERT/MERGE/PAD LOCAL_PASSWORD_DICTIONARY.DATA -_$ SYS$LIBRARY:VMS$PASSWORD_DICTIONARY.DATA

You can disable the dictionary search by using AUTHORIZE withthe DISPWDDIC option to the /FLAGS qualifier.

History Lists

The operating system maintains a list of a user's passwordsfrom the last 365 days and compares each proposed password againstthis list to ensure that passwords are not reused.

Once a user successfully creates a new password, the systementers the old password on the history list and updates the file.The password history list can hold a large number of words, butit is limited to 60 by default. If this number is exceeded, theuser has to use generated passwords. A password remainson the password history list for 365 days (or the default set bySYS$PASSWORD_HISTORY_LIFETIME). Whenever a user account is deleted,the system removes all password records belonging to that account.

Using the DCL command DEFINE, you can change the defaultsfor the capacity and lifetime of the password history list to anyof the values indicated in Defaults for Password History List.

Table 4 Defaults for Password History List
System Logical Name Default Min Max Units

SYS$PASSWORD_HISTORY_LIFETIME
365
1
28000
Days

SYS$PASSWORD_HISTORY_LIMIT
60
1
2000
Absolute count

**Table 4** **Defaults for Password History List**
System Logical Name	Default	Min	Max	Units
SYS$PASSWORD_HISTORY_LIFETIME	365	1	28000	Days
SYS$PASSWORD_HISTORY_LIMIT	60	1	2000	Absolute count

For example, to increase the capacity of the history listfrom 60 passwords to 100, add the following line to the commandprocedure SYLOGICALS.COM, which is located in SYS$MANAGER:

$ DEFINE/SYSTEM/EXEC SYS$PASSWORD_HISTORY_LIMIT 100

There is a correspondence between the lifetime of a passwordhistory list and the number of passwords allowed on the list. Forexample, if you increase the password history lifetime to 4 yearsand your passwords expire every 2 weeks, you would need to increasethe password history limit to at least 104 (4 years times 26 passwordsa year). The password history lifetime and limit can be changeddynamically, but they should be consistent across all nodes on thecluster.

Sites using secondary passwords may need to double the passwordlimit to account for the secondary password storage.

The password history list is located in SYS$SYSTEM. You canmove the list off the system disk by using the logical name VMS$PASSWORD_HISTORY.Define this logical name as /SYSTEM/EXEC, and place it in SYS$MANAGER:SYLOGICALS.COM.

You disable the history search with the DISPWDHIS option tothe /FLAGS qualifier in AUTHORIZE.

Site-Specific Filters

Besides screening passwords against a system dictionary anda history list, you can develop a site-specific password filterto ensure that passwords are properly constructed and are not wordsreadily associated with your site. A filter can check for passwordlength, the use of special characters or combinations of characters, andthe use of product names or personnel names.

To create a list of site-specific words, you write the sourcecode, create a shareable image, install the image, and, finally,enable the policy by setting a system parameter. See the HPOpenVMS Programming Concepts Manual for instructions.

Installing and enabling a site-specific password filter requiresboth SYSPRV and CMKRNL privileges. Multiple security alarms aregenerated when the password filter image is installed if INSTALLand SYSPRV file-access auditing are enabled and the required changeto the system parameter is noted on the operator console.

The shareable image contains two global routines that arecalled by the Set Password utility (SET PASSWORD) whenever a userchanges a password.

The two global routines let you obtain both the proposedplaintext password and its equivalent quadword hash value. All securityadministrators should be aware of this feature because its subversionby a malicious privileged user will compromise the system's security.

HP recommends that you place security Alarm ACEs on the passwordfilter image and its parent directory. See the OpenVMS Programming Concepts for instructions.

Password Protection Checklist

In additionto all the recommendations included in Guidelines for Protecting Your Password"Guidelines for Protecting YourPassword" on page 53, observe the following guidelinesto protect passwords:

Make certain the passwords on thestandard accounts like SYSTEM are secure and changed regularly. Youcan disable accounts (for example, FIELD and SYSTEST) with the AUTHORIZEqualifier /FLAGS=DISUSER when they are not in use.

Do not permit an outside or in-house service organizationto dictate the password for an account they use to service yoursystem. Such service groups tend to use the same password on allsystems, and their accounts are usually privileged.

On seldom-used accounts, set the AUTHORIZE qualifier/FLAGS=DISUSER, and enable the account only when it is needed. Changethe password immediately after each use, and notify the servicegroup of the new password when they need it next.

Delete accounts no longer in use.

Do not leave listings of user names where they canbe read or stolen because they can be used as a basis for systemattack. (If you do need listing files, use ACLs to limit accessonly to selected individuals.)

Maintain adequate protection of authorization files.Note that the system user authorization file (SYSUAF.DAT), the networkproxy authorization file (NETPROXY.DAT), and the rights list (RIGHTSLIST.DAT)are owned by the system account ([SYSTEM]). Do not create any otheruser accounts in this group. Normally the default UIC-based fileprotection for these authorization files is adequate. The systemaccount also owns the file NET$PROXY.DAT.

Make certain that all users have unique UICs.

The following actions reduce the potential of password detectionor limit the extent of the damage if passwords are discovered orbypassed:

Avoid giving multiple users accessto the same account.

Protect telephone numbers for dialup lines connectedto your system, and consider setting a system password (SET TERMINAL/SYSPASSWORD)on dialup lines.

If your system has accounts available to outsideusers, such as guest accounts or accounts for direct customer inquiry,make these accounts captive (limited-access) accounts containedby captive command procedures. (See Captive Accounts for information about setting up captive accounts.)

Make captive all accounts that do not require apassword.

Extend privileges to users carefully.

Protect your own files using all the techniquesrecommended in Suggestions for Optimizing File Security"Suggestions for Optimizing File Security" onpage 101.

Ensure that the files containing components of theoperating system are adequately protected (see Protecting System Files).

Use the AUTHORIZE qualifiers /NOINTERACTIVE and/NOBATCH when setting up proxy login accounts to permit only fileaccess from other nodes. Interactive and batch logins are disabledfor the account.

Assigning Appropriate Accounts to Users

Enabling External Authentication