
Re: Account Lockout Settings for Open VMS 7.3.2

Calene
Occasional Contributor

Account Lockout Settings for Open VMS 7.3.2

Dear all,

Would like to know if it is possible to set the account lockout duration for Open VMS 7.3.2 user account to '0' (or until System Administrator unlocks the account?) For further elaboration, please refer below:

The "HP Advanced Server for OpenVMS
Server Administrator's Guide" provided the following guideline for setting the Account Lockout Duration:

"Whether a user account is locked out after a specified number of failed attempts to logon --- use the SET ACCOUNT POLICY/LOCKOUT=keyword command. To enable account lockout, you must specify the following three keywords and their values with the /LOCKOUT qualifier:

* ATTEMPTS=n, where n specifies the number of failed attempts to allow before locking the user account.
* DURATION=n, where n specifies the number of minutes before a locked account is automatically unlocked. The value of this parameter must be greater than, or equal to, the value set for the WINDOW parameter.
* WINDOW=n, where n specifies the number of minutes to wait after a user account has been locked out, before resetting the logon count."

The big question is, is it possible to set the "WINDOW=n" value to infinity/indefinite until the administrator unlocks the account?

Thanks in advance!
Jon Pinkley
Honored Contributor

Re: Account Lockout Settings for Open VMS 7.3.2

Calene,

Are you asking about OpenVMS the operating system, or the HP Advanced Server (software to serve VMS disks to Windows PCs)? The document you reference sounds like the latter.

The short answer is yes, you can have VMS lock user accounts when someone uses the incorrect password too many times (and you get to define "too many").

These are defined by the sysgen parameters that start with lgi

$ mcr sysgen sho lgi
Parameter Name    Current  Default   Min.        Max.   Unit      Dynamic
--------------    -------  -------   ----        ----   ----      -------
LGI_CALLOUTS            0        0      0         255   Count     D
LGI_BRK_TERM            1        1      0           1   Boolean   D
LGI_BRK_DISUSER         0        0      0           1   Boolean   D
LGI_PWD_TMO            30       30      0         255   Seconds   D
LGI_RETRY_LIM           3        3      0         255   Tries     D
LGI_RETRY_TMO          20       20      2         255   Seconds   D
LGI_BRK_LIM             5        5      1         255   Failures  D
LGI_BRK_TMO           300      300      0     5184000   Seconds   D
LGI_HID_TIM           300      300      0  1261440000   Seconds   D
$

But I would strongly discourage you from doing that, as it replaces an extremely small likelihood event (guessing the password) with a highly likely Denial of Service.

If you are worried about password guessing, then you should be more worried about people sniffing passwords from telnet and/or ftp sessions.

See this article for a discussion of the parameters.

http://www.openvms.org/stories.php?story=06/07/14/4624233

Jon
it depends
Calene
Occasional Contributor

Re: Account Lockout Settings for Open VMS 7.3.2

Hi Jon,

Sorry, to rephrase my question, I'm trying to find out if it is possible to set the "DURATION=n" value to infinity. For e.g., in the Windows environment, it is possible to set the "account lockout duration" value to 0. This means the user account will be locked out indefinitely until the Security Administrator unlocks it. Hence, would like to know if it is possible to do the same for Open VMS 7.3.2 operating system.
Hoff
Honored Contributor

Re: Account Lockout Settings for Open VMS 7.3.2

If this is about OpenVMS and not about Windows nor about the Advanced Server package, then the system parameter used to lock out access to usernames that have been the target for a login failure is LGI_BRK_DISUSER.

Set this via SYS$SYSTEM:MODPARAMS.DAT, and invoke AUTOGEN.

If you are asking this question here as you are, I would counsel against this.

This because a simple series of login failures -- a very trivial remote login attack, and one that a botnet might well trigger -- would prevent you from successfully rebooting OpenVMS and from restarting your network.

Attacks against SYSTEM as well as the server usernames -- all widely known -- will result in an inability to access your OpenVMS box, and difficulty in rebooting due to the need to access the boot-time environment using the console and the conversational bootstrap:

http://64.223.189.234/node/204

For a much more sustainable approach, use the existing and default break-in evasion mechanism, and (for those paths into OpenVMS not covered by evasion, reportedly including the SMTP access paths) also consider implementing a password filter:

http://64.223.189.234/node/219

Details on MODPARAMS and AUTOGEN are available in the OpenVMS system management manuals, and documentation on LGI_BRK_DISUSER is likely in the security manual.

http://www.hp.com/go/openvms/doc/

Also consider a security review, either locally, with the assistance of an outside organization or consultant, and/or using documentation such as the following:

http://64.223.189.234/node/43

Here's some other reading material on this LGI_BRK_DISUSER parameter and on break-in evasion as a whole:

http://www.eight-cubed.com/blog/archives/000260.html
http://64.223.189.234/node/689


Stephen Hoffman
HoffmanLabs LLC
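The LGI_* parameters in Jon's SYSGEN listing and the LGI_BRK_DISUSER lockout Hoff warns against, modelled in an added Python example (not code from this thread or from OpenVMS). It is a deliberate simplification of the real break-in detection: it assumes a suspect record expires LGI_BRK_TMO seconds after its last failure, that reaching LGI_BRK_LIM failures refuses every login from that source for LGI_HID_TIM seconds (the random extension OpenVMS adds to the hide time is left out), that LGI_BRK_TERM=1 keys records by username plus source, and that LGI_BRK_DISUSER=1 additionally sets the DISUSER flag on the username until an administrator clears it. The username, password and source names are constructed. Running it shows why both replies call the DISUSER setting a denial of service: five guesses at SYSTEM from one remote source lock the real operator out even at the console, whereas default evasion only hides the attacked source and expires on its own.

```python
# Added example: simplified model of OpenVMS break-in evasion driven by the
# LGI_* parameters. Not OpenVMS code; see the assumptions in the lead-in.
from dataclasses import dataclass, field


@dataclass
class LgiParams:
    lgi_brk_lim: int = 5         # failures before evasion (SYSGEN default 5)
    lgi_brk_tmo: int = 300       # seconds a failure stays counted (assumed model)
    lgi_hid_tim: int = 300       # seconds of evasion once the limit is hit
    lgi_brk_disuser: int = 0     # 1 = also set DISUSER on the username
    lgi_brk_term: int = 1        # 1 = key records by username AND source


@dataclass
class IntrusionRecord:
    count: int = 0               # failures seen in the current window
    expires: float = 0.0         # end of suspect window, or of hide time
    intruder: bool = False       # True once the limit was reached


@dataclass
class LoginProcessor:
    params: LgiParams
    uaf: dict                                      # constructed username -> password
    records: dict = field(default_factory=dict)    # the intrusion database
    disuser: set = field(default_factory=set)      # usernames flagged DISUSER

    def _key(self, user, source):
        return (user, source) if self.params.lgi_brk_term else (user,)

    def login(self, user, password, source, now):
        """One login attempt at time `now` (seconds); returns the outcome."""
        if user in self.disuser:
            return "DISUSER"              # UAF flag: even the right password fails
        key = self._key(user, source)
        rec = self.records.get(key)
        if rec is not None and now >= rec.expires:
            del self.records[key]         # suspect window or hide time elapsed
            rec = None
        if rec is not None and rec.intruder:
            return "EVADING"              # hide time running: refuse everything
        if self.uaf.get(user) == password:
            return "OK"
        if rec is None:
            rec = self.records[key] = IntrusionRecord()
        rec.count += 1
        rec.expires = now + self.params.lgi_brk_tmo
        if rec.count >= self.params.lgi_brk_lim:
            rec.intruder = True
            rec.expires = now + self.params.lgi_hid_tim
            if self.params.lgi_brk_disuser:
                self.disuser.add(user)    # stays set until an admin clears it
        return "INVALID"

    def clear_disuser(self, user):
        """The administrator's manual unlock (NODISUSER in the UAF)."""
        self.disuser.discard(user)


def run_scenario(lgi_brk_disuser):
    """Five bad SYSTEM passwords from one remote source, then the real operator.

    Returns the list of outcomes in order: 5 guesses, operator from the same
    source during hide time, operator at the console during hide time,
    operator from the same source after LGI_HID_TIM, operator after unlock.
    """
    uaf = {"SYSTEM": "constructed-password"}       # constructed, not real
    lp = LoginProcessor(LgiParams(lgi_brk_disuser=lgi_brk_disuser), uaf)
    outcomes = []
    for t in range(5):                              # one guess per second
        outcomes.append(lp.login("SYSTEM", f"guess{t}", "REMOTE::", t))
    outcomes.append(lp.login("SYSTEM", "constructed-password", "REMOTE::", 10))
    outcomes.append(lp.login("SYSTEM", "constructed-password", "OPA0:", 10))
    outcomes.append(lp.login("SYSTEM", "constructed-password", "REMOTE::", 400))
    lp.clear_disuser("SYSTEM")                      # administrator steps in
    outcomes.append(lp.login("SYSTEM", "constructed-password", "REMOTE::", 401))
    return outcomes


if __name__ == "__main__":
    for flag in (0, 1):
        print(f"LGI_BRK_DISUSER={flag}:", run_scenario(flag))
```

On a live system the equivalent checks are $ SHOW INTRUSION for the record database, $ DELETE/INTRUSION_RECORD to clear a record early, and in AUTHORIZE, SHOW SYSTEM (the Flags line reports DisUser) and MODIFY SYSTEM/FLAGS=NODISUSER to clear the lockout once it has been set.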
John Gillings
Honored Contributor

Re: Account Lockout Settings for Open VMS 7.3.2

Calene,

There's some confusion here about which "lockout". The one you're talking about appears to be inside Advanced Server.

Although I'm not familiar with how this lockout works, from a purely user interface perspective, it looks like the DURATION and WINDOW are expressed in minutes, and are presumably INTEGERs, perhaps constrained to signed 32 bits.

So, if you set the duration to 2147483647 (maximum positive signed 32 bit value) you have a timeout of about 4085 years. Is that close enough to infinity/indefinite?

If the command won't accept a number that high, use a binary search to find the highest acceptable number.

For reference, 1000000 minutes is about 700 days (call it 2 years).
A crucible of informative mistakes