
VMS Login prompt disconnects after 20 seconds?

 
johnslayton1
Advisor

VMS Login prompt disconnects after 20 seconds?

Hi,

What security benefit do OpenVMS systems have when the login prompt disappears after being idle for 20 seconds??

Is this to avoid sessions that tend to be hogging most CPU time?? Or, is this an advanced security feature?

Thanks.
Robert Gezelter
Honored Contributor

Re: VMS Login prompt disconnects after 20 seconds?

John,

It is not a question of CPU time. LOGINOUT is hardly a CPU intensive process.

The "benefit" of terminating an otherwise idle "Login:" prompt is the LOGINOUT process that is running on that terminal and the network connection if it is a network login of some sort.

I have not timed the default recently, so I will admit that I do not remember offhand what the default value is.

Before we go further, perhaps you could be so kind as to identify the OpenVMS version?

- Bob Gezelter, http://www.rlgsc.com
Hein van den Heuvel
Honored Contributor

Re: VMS Login prompt disconnects after 20 seconds?

>> What security benefit do OpenVMS systems have when the login prompt disappears after being idle for 20 seconds??

None.
It's 99% there to annoy folks.
It's 1% there to avoid wasting memory resources.

That 1% surely is the original reason for this 'feature'. Actually, the feature is fine, the 20 seconds annoys me immensely as you can tell. It's too short! Make it 10 minutes and I'm cool with it.

>> Is this to avoid sessions that tend to be hogging most CPU time??

What CPU time? It is just sitting there for a terminal/network QIO to complete. ZERO cpu.

The cost of the wait is a process slot, and a QIO, and maybe (in days gone by) a line from a modem pool.

Way back when, folks tuned systems with limited memory to have just enough process slots. I have not seen a system with restricted process slots in the last 20 years.

The price for this timeout to fire prematurely is 100 times larger than for it not happening (IMHO!). I don't connect to a system 'accidentally' and if I do I'll control-Z out. So if the timeout fires on me, then dollars to donuts I will re-start the login, costing a wind-down + accounting record for the old process, a new process create, and a slightly ticked-off customer.

>> Or, is this an advanced security feature?

No, just a poorly chosen, or dated, default.

Thanks!
Hein.

[0 points for this reply please.
Oh, you don't do points anyway do you?]
johnslayton1
Advisor

Re: VMS Login prompt disconnects after 20 seconds?

It's a DEC/Alpha server running OpenVMS 7.1-2

So what type of security benefit does this have, as it's really kind of annoying??
Robert Gezelter
Honored Contributor

Re: VMS Login prompt disconnects after 20 seconds?

John,

I admittedly do not have time to check, but on one of my systems the default value is 30 seconds. If I am correct, the parameter is LGI_PWD_TMO and is documented, among other places, in the HELP text for SYSGEN.

- Bob Gezelter, http://www.rlgsc.com
Hoff
Honored Contributor

Re: VMS Login prompt disconnects after 20 seconds?

Your immediate and chief concern here is that you can't successfully log into an OpenVMS system within the window of approximately thirty seconds, and are encountering the prompt timeout, correct?

That this isn't a question of security, prompts, or system performance, or such.

As for your wish to avoid the prompt timeout, consider the use of ssh and certificates, or enable and use single sign-on, or enable and use the ALF (automatic login facility), and avoid the password prompt. And the timeout.

Or consider disabling passwords entirely, either on your username, or on all usernames.

Any of which will avoid the login-related timeout.

These suggestions can or do introduce various degrees of insecurity. But they do avoid the timeout.
Volker Halle
Honored Contributor

Re: VMS Login prompt disconnects after 20 seconds?

John,

this timeout value seems to be controlled by the LGI_RETRY_TMO system parameter.

Just increase LGI_RETRY_TMO (it's a dynamic parameter) and your Username: prompt will stay around much longer (tested on V7.3-1).

If the timeout were infinite, you could be wasting some resources (network connections, process slots, some memory and pool). So you could effectively consume lots of resources without even having logged in to the system. The implementation of the timeout value prevents this.

Volker.
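
Added example, not part of the original thread or any poster's own procedure: a DCL command procedure that displays the LGI parameters named in this thread and raises LGI_RETRY_TMO on the running system. The value 60 is an assumption chosen for illustration.

```dcl
$! Added example: inspect the LGI_* login parameters and raise the
$! retry timeout on the running system.
$! The value 60 (seconds) is an assumed illustration, not a figure
$! taken from the thread.
$! WRITE ACTIVE modifies the running system and requires CMKRNL privilege.
$! Only dynamic parameters take effect without a reboot.
$ RUN SYS$SYSTEM:SYSGEN
USE ACTIVE
SHOW /LGI
SET LGI_RETRY_TMO 60
WRITE ACTIVE
SHOW LGI_RETRY_TMO
EXIT
$! To keep the setting across AUTOGEN runs and reboots, also add the
$! following line to SYS$SYSTEM:MODPARAMS.DAT:
$!     LGI_RETRY_TMO = 60
```

Keeping the timeout finite and leaving LGI_RETRY_LIM in place preserves the bound on process slots, pool and connections held by sessions that have not yet authenticated.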
David Jones_21
Trusted Contributor

Re: VMS Login prompt disconnects after 20 seconds?

The SYSGEN help description for LGI_RETRY_TMO implies that the motivation was to ensure that dialup connections would be resolved in a timely manner (carrier is dropped after LGI_RETRY_LIM failures). Phone lines are still a scarce resource, but few people connect that way anymore.
I'm looking for marbles all day long.
John Gillings
Honored Contributor

Re: VMS Login prompt disconnects after 20 seconds?

>It is not a question of CPU time. LOGINOUT is hardly a CPU intensive process

Don't be so sure! Some history for your amusement...

Back around 1990 I had a call from a customer complaining that he'd found a LOGINFAILURE in accounting that had consumed 2 days of CPU time. He couldn't understand why.

Later he called back to say he'd worked out that an operator had knocked over a TK50 cartridge onto the ENTER key of a terminal. This had resulted in the "Username:" prompt rolling over for the whole weekend.

We experimented with the most powerful system we had at the time, an 8200, and discovered that with only FOUR terminals and TK50 cartridges ;-), we could bring the system to its knees, saturating the CPU with Username prompting. This was escalated as a potential denial of service attack.

Possibly as a result (or maybe it was already on the drawing board), the LGI parameters give more control over how logins and failures are handled. You no longer get a continuous stream of prompts. The process fails after LGI_RETRY_LIM attempts, which is enough to prevent CPU saturation, and certainly prevents LOGINFAILURE processes with prodigious CPU consumption.
A crucible of informative mistakes
Robert Gezelter
Honored Contributor

Re: VMS Login prompt disconnects after 20 seconds?

John (Gillings),

Mea Culpa! Indeed, LOGINOUT (and its equivalent functions on other systems) can indeed bring the system to its knees if confronted with a stream of never ending input.

While I did not do this with a TK50 cartridge, it was easily accomplished using the loopback switch on modems in a modem bank, and the first broadcast to all terminals could bring the system down.

- Bob Gezelter, http://www.rlgsc.com