topic Re: Systemwide password in Operating System - OpenVMS

Systemwide password

Sentosa — Mon, 21 Jan 2008 09:56:54 GMT

Dear All,

I used OpenVMS v8.2 with DS20E.
I issue the wrong command "mc authorize modify/system=abc12345" instead of "mc authorize modify system/password=abc12345" in the system.

What is the meaning of systemwide password?
Could anyone knows the impact?

Thanks,
Sentosa

Re: Systemwide password

Hakan Zanderau ( Anders — Mon, 21 Jan 2008 10:16:56 GMT

It is to set the password on terminals.

$ SHOW TERM

In the left column there is a parameter "No Syspassword" as default.

If you ( and you did ) set the systempassword and a terminal has Syspassword set, they have to enter the password before they can use the terminal.

Re: Systemwide password

Duncan Morris — Mon, 21 Jan 2008 10:19:06 GMT

Hi Sentosa,

see the Guide to OpenVMS security

http://h71000.www7.hp.com/doc/732FINAL/aa-q2hlg-te/aa-q2hlg-te.HTMl

VMS systems can have what is called a "system password".

This is a password that must be typed BEFORE the host
prompts you for login information. So when you initially
connect to a system with a "system password", you don't
get any prompting on the screen. Once you have typed in
the password, the normal prompt message appears.

The system password will appear or not depending on the
value of the sysgen parameter TTY_DEFCHAR2. A value of
%X80000 (i.e. Hex) enables system password. This
parameter is not dynamic.

The SYSGEN parameter TTY_DEFCHAR2 (bit represented by
%X80000) enables system password by default for all
terminals (including LAT, X.25 and telnet terminals).

e.g. You can set individual terminals SET TERM/SYSPASSWORD or SET TERM/NOSYSPASSWORD

Read the manual for full details!

Regards,

Duncan

Re: Systemwide password

Robert Gezelter — Mon, 21 Jan 2008 12:37:31 GMT

Sentosa,

It has been debated as to whether such passwords are a good idea or a bad idea.

The problem is that they are, by definition, widely known, and thus difficult to change when someone leaves the organization or the password is believed to be compromised.

Some auditing organizations have requirements as to the use of such passwords.

- Bob Gezelter, http://www.rlgsc.com

Re: Systemwide password

Hoff — Mon, 21 Jan 2008 20:57:00 GMT

The system-wide passwords were a way to prevent the exposure of system information (eg: the system announce text) in earlier and simpler times and in simpler networks; when you could wish to keep a LAT connection or other such remote access from exposing details of the system.

Such passwords have also been used to provide an extra layer against the selection of weak passwords by users. For this use, these passwords were typically rotated on a schedule, or as part of the process of creating ex-employees. Users would often have to authenticate themselves to a password server to receive the updated system-wide password.

In practice, the concept of a system-wide has largely been replaced with distributed authentication, and with the password filter mechanism or with token-based authentication. This where you can disable access across multiple hosts, and where you can reduce the exposure to weak passwords. There are, however, cases where there are still analogous system-wide or network-wide access control mechanisms in use.

There have been a number of password- and security-related questions logged by you here in ITRC, based on the history. Questions on the password history, password file, password timeouts, resetting passwords around the history file, now the system-wide password, the management processor password, etc. What might be underway here? Curiosity? Or something else?

Stephen Hoffman
HoffmanLabs LLC