- Community Home
- >
- Servers and Operating Systems
- >
- Operating Systems
- >
- Operating System - OpenVMS
- >
- Re: Strange return from Scanuaf freeware
Categories
Company
Local Language
Forums
Discussions
Forums
- Data Protection and Retention
- Entry Storage Systems
- Legacy
- Midrange and Enterprise Storage
- Storage Networking
- HPE Nimble Storage
Discussions
Discussions
Discussions
Forums
Forums
Discussions
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
- BladeSystem Infrastructure and Application Solutions
- Appliance Servers
- Alpha Servers
- BackOffice Products
- Internet Products
- HPE 9000 and HPE e3000 Servers
- Networking
- Netservers
- Secure OS Software for Linux
- Server Management (Insight Manager 7)
- Windows Server 2003
- Operating System - Tru64 Unix
- ProLiant Deployment and Provisioning
- Linux-Based Community / Regional
- Microsoft System Center Integration
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Community
Resources
Forums
Blogs
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Printer Friendly Page
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО05-07-2010 10:40 AM
тАО05-07-2010 10:40 AM
SCANUAF> pwdminimum<8
============
Node: XXXYYY
============
Username :
PWDMINIMUM : 0
--------------------------------
Records: 6835 Matches: 1
--------------------------------
It is almost like this is a hidden account or maybe scanuaf is confused but a manual search does not find any account with a pwdminimum of 0.
Solved! Go to Solution.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО05-07-2010 11:06 AM
тАО05-07-2010 11:06 AM
Re: Strange return from Scanuaf freeware
>> but a manual check/dump/search of sysuaf does not reveal the record
By manually do u mean you have dumped all the contents of the SYSUAF to
a file and checked thi file for the USERNAME displayed by SCANUAF ?
Regards,
Murali
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО05-07-2010 11:17 AM
тАО05-07-2010 11:17 AM
Re: Strange return from Scanuaf freeware
$ defin/user sys$output t.t
$ mcr authorize show *
I then ran searches on this file as well as manual edits. I did things like searching for the offending setting from inside and outside the file just to be sure.
$ sea t.t "pwdminium: 8"
spacing may be off but you get the idea
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО05-07-2010 11:26 AM
тАО05-07-2010 11:26 AM
Re: Strange return from Scanuaf freeware
About PWDMINIMUM,
PWDMINIMUM specifies the minimum password length in characters.
But this rule is enforced only by DCL command SET PASSWORD.
It does not prevent you from entering a password shorter than the
minimum length when you use AUTHORIZE to create or modify an
account. By default, a password must have at least 6 characters.
>> Username :
>> PWDMINIMUM : 0
SCANUAF has given you a entry where it says that some entry has
PWDMINIMUM of 0.
>> $ sea t.t "pwdminium: 8"
You are searching for SYSUAF output in file t.t for user with PWDMINIMUM of 8.
I think the search should be
$ sea t.t "pwdminium: 0"
Regards,
Murali
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО05-07-2010 11:33 AM
тАО05-07-2010 11:33 AM
Re: Strange return from Scanuaf freeware
The correct search was for pwdminimum of 0 which is what I did and nothing came back.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО05-07-2010 11:43 AM
тАО05-07-2010 11:43 AM
SolutionThat record happens to be where the so-called system password (the system-wide login password, as differentiated from SYSTEM username and its password) is stored.
See SET TERMINAL /SYSPASSWORD and the system parameter TTY_DEFCHAR2 for related details.
Its presence within SYSUAF can be safely ignored for the purposes of a security audit or a password audit, and it is never available as an interactive login username.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО05-07-2010 02:26 PM
тАО05-07-2010 02:26 PM
Re: Strange return from Scanuaf freeware
UAF> MODIFY /SYSTEM_PASSWORD=string
$ SET PASSWORD /SYSTEM
Have a look at the VMS source listings for some of the related details with the SYSUAF storage; I don't know how much of this stuff was ever officially documented.
There are other details (such as VMS- and customer-reserved identifier ranges that exist over in the RIGHTSLIST file) that can also lurk here, too.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО05-07-2010 11:55 PM
тАО05-07-2010 11:55 PM
Re: Strange return from Scanuaf freeware
The entry displayed by SCANUAF is indeed the system password (i.e not the
password associated with the SYSTEM account in SYSUAF.DAT file)
Generally when you login to a VMS system, you are asked for username and
password. This would be based on various accounts that are created in the
SYSUAF.DAT file.
System password is the one which is used in order to gain access to a
particular terminal. Once the system password is entered, then user would be
prompted for the username/password in order to login to the system.
The system password are generally used to control access to terminals that
are publicly acessible and not tightly secured.
Example: Computer lab at universities.
Note that this system password is different from the password for SYSTEM
account in the SYSUAF.DAT file.
This is documented in the HP VMS Guide to System Security Document.
You can download it from the following link -
http://h71000.www7.hp.com/doc/732final/aa-q2hlg-te/aa-q2hlg-te.pdf
Refer
* Knowing what type of passwords to use
* Entering a system password
* Using password to control system Access
1) If you are setting the system password for the first time then you have to use
UAF>MODIFY SYSTEM_PASSWORD=PASSWORD
This will create a corresponding record in the SYSUAF.DAT file.
2) Once the record is created in SYSUAF.DAT file, subsequent change to the
system password can be done using DCL "$SET PASSWORD/SYSTEM" command.
Without a record created for system password in SYSUAF.DAT file, if you use
step 2 (i.e. DCL command) then you will get a error
%SET-F-UAFERR, error accessing authorization file
-RMS-E-RNF, record not found
To enable the use of the system password for the remote class of logins
(those accomplished through the DCL command SET HOST), set the
appropriate bit in the default terminal characteristics parameter by using
AUTOGEN. This is bit 19 (hexadecimal value 80000) in the parameter TTY_DEFCHAR2.
SYS_PARAMETERS
TTY_DEFCHAR2
TTY_DEFCHAR2 sets a second longword of default terminal characteristics.
The default characteristics are represented as a code that is derived by
summing the following hexadecimal values:
Characteristic Value (Hex) Function
...
SYSPWD 80000 Log in with system password only.
Check out the DCL help of SET TERM also -
SET
TERMINAL
/SYSPASSWORD
/SYSPASSWORD
/NOSYSPASSWORD (default)
Requires LOG_IO (logical I/O) privilege.
Determines whether the terminal requires that a system password
be entered before the Username: prompt.
>> It is almost like this is a hidden account or maybe scanuaf is confused but a
>> manual search does not find any account with a pwdminimum of 0.
As Hoff has suggested, looks like entry displayed by SCANUAF is the system
password as mentioned above. In which case you can safely ignore this entry
for auditing purpose.
Regards,
Murali
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО05-10-2010 08:36 AM
тАО05-10-2010 08:36 AM
Re: Strange return from Scanuaf freeware
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО05-15-2010 08:57 AM
тАО05-15-2010 08:57 AM
Re: Strange return from Scanuaf freeware
Yes, I did things like:
$ defin/user sys$output t.t
$ mcr authorize show *
"
No one pointed out, but just as an FYI ... you can just use UAF to produce a brief or full listing with:
$ MCR AUTHORIZE LIST
or
$ MCR AUTHORIZE LIST /FULL
Both variations provide a file named SYSUAF.LIS .
This listing capability can be used to provide information regarding various entities in the SYSUAF and RIGHTSLIST files with a few other LIST command switches.
UAF> help list
to see all it can do.
Cheers,
Art