
Re: Systemwide password

 
Sentosa
Frequent Advisor

Systemwide password

Dear All,

I used OpenVMS v8.2 with DS20E.
I issued the wrong command "mc authorize modify/system=abc12345" instead of "mc authorize modify system/password=abc12345" on the system.

What is the meaning of the systemwide password?
Does anyone know the impact?

Thanks,
Sentosa
4 REPLIES
Hakan Zanderau ( Anders
Trusted Contributor

Re: Systemwide password

It is to set the password on terminals.

$ SHOW TERM

In the left column there is a parameter "No Syspassword" as default.

If you (and you did) set the system password and a terminal has Syspassword set, they have to enter the password before they can use the terminal.
Don't make it worse by guessing.........
Duncan Morris
Honored Contributor

Re: Systemwide password

Hi Sentosa,

See the Guide to OpenVMS Security

http://h71000.www7.hp.com/doc/732FINAL/aa-q2hlg-te/aa-q2hlg-te.HTMl

VMS systems can have what is called a "system password".

This is a password that must be typed BEFORE the host
prompts you for login information. So when you initially
connect to a system with a "system password", you don't
get any prompting on the screen. Once you have typed in
the password, the normal prompt message appears.

The system password will appear or not depending on the
value of the sysgen parameter TTY_DEFCHAR2. A value of
%X80000 (i.e. Hex) enables system password. This
parameter is not dynamic.

The SYSGEN parameter TTY_DEFCHAR2 (bit represented by
%X80000) enables system password by default for all
terminals (including LAT, X.25 and telnet terminals).

E.g., you can set individual terminals with SET TERM/SYSPASSWORD or SET TERM/NOSYSPASSWORD

Read the manual for full details!

Regards,

Duncan
Robert Gezelter
Honored Contributor

Re: Systemwide password

Sentosa,

It has been debated as to whether such passwords are a good idea or a bad idea.

The problem is that they are, by definition, widely known, and thus difficult to change when someone leaves the organization or the password is believed to be compromised.

Some auditing organizations have requirements as to the use of such passwords.

- Bob Gezelter, http://www.rlgsc.com
Hoff
Honored Contributor

Re: Systemwide password

The system-wide passwords were a way to prevent the exposure of system information (e.g., the system announce text) in earlier and simpler times and in simpler networks, when you could wish to keep a LAT connection or other such remote access from exposing details of the system.

Such passwords have also been used to provide an extra layer against the selection of weak passwords by users. For this use, these passwords were typically rotated on a schedule, or as part of the process of creating ex-employees. Users would often have to authenticate themselves to a password server to receive the updated system-wide password.

In practice, the concept of a system-wide password has largely been replaced with distributed authentication, and with the password filter mechanism or with token-based authentication. This is where you can disable access across multiple hosts, and where you can reduce the exposure to weak passwords. There are, however, cases where there are still analogous system-wide or network-wide access control mechanisms in use.

There have been a number of password- and security-related questions logged by you here in ITRC, based on the history. Questions on the password history, password file, password timeouts, resetting passwords around the history file, now the system-wide password, the management processor password, etc. What might be underway here? Curiosity? Or something else?

Stephen Hoffman
HoffmanLabs LLC