Operating System - OpenVMS

What OpenVMS docs cover the specifics of the accts created by NET$CONFIGURE.COM

 
deblaisdell
Occasional Advisor

What OpenVMS docs cover the specifics of the accts created by NET$CONFIGURE.COM

Please, what OpenVMS documentation covers the specific details of the UAF accounts created by NET$CONFIGURE.COM (FAL$SERVER, CML$SERVER, MAIL$SERVER, VPM$SERVER, MIRROR$SERVER, PHONE$SERVER, etc.)

Looking at the code it appears the accouts are given randomly generated passwords.

We have been given the task (by management) to change these account passwords.

The docs I have access to do not address this.  I do not mind digging through docs, but I need to know what are the correct docs (that I can access) to look through.

I'm tring to find out what will be the impact if thise passwords are changed?  

7 REPLIES 7
Volker Halle
Honored Contributor

Re: What OpenVMS docs cover the specifics of the accts created by NET$CONFIGURE.COM

The answer is similar to your question for the TCPIP$* service accounts...

These are service accounts, no interactive login is possible and these accounts use generated passwords, which are not used, stored or known anywhere else.

Volker.

Dave Lennon
Advisor

Re: What OpenVMS docs cover the specifics of the accts created by NET$CONFIGURE.COM

Is the system running DECnet Phase IV ??

If so, these passwords need to also be updated, using NCP, into the volatile (running system) and permanent (next boot) object database or any "anonymous"  DECnet network services will no longer work.

I don't know about DECnet-Plus.

By the way, if this exercise is to improve security, you might want to invest the effort to researching the existing usage and removing the FAL$SERVER username. That can be considered a security hole.

 

Volker Halle
Honored Contributor

Re: What OpenVMS docs cover the specifics of the accts created by NET$CONFIGURE.COM

Dave,

the reference to NET$CONFIGURE.COM indicates, that this system is running DECnet-Plus. Passwords for this DECnet implementation are NOT stored in the network object database.

Volker.

deblaisdell
Occasional Advisor

Re: What OpenVMS docs cover the specifics of the accts created by NET$CONFIGURE.COM

"By the way, if this exercise is to improve security, you might want to invest the effort to researching the existing usage and removing the FAL$SERVER username. That can be considered a security hole."

Thank you for the information.

Please, where is it formally documented that FAL$SERVER is a security hole?  Is there an IAVA or some other security report which I can access?  A major issue is that the system documentation is very poor <...a brief pause while you gasp in shock...> as it relates to what UAF accounts listed are required for the system to run properly.

 

Volker Halle
Honored Contributor

Re: What OpenVMS docs cover the specifics of the accts created by NET$CONFIGURE.COM

VSI OpenVMS Guide to System Security (vmssoftware.com)

talks a little bit about 'default DECnet accounts' - although for DECnet Phase IV.

Volker.

Dave Lennon
Advisor

Re: What OpenVMS docs cover the specifics of the accts created by NET$CONFIGURE.COM

Perhaps "security hole" was not the best terminology. You'll have to research (google) how it can be used nefariously.

If you are looking for vendor documation:

https://vmssoftware.com/docs/VSI_DECnet_IV_Gd_to_Networking.pdf#page=51

In particular:

Do you want a default account for the FAL object? [NO]

VSI advises against creating a default account for the FAL object, except for systems with very low security requirements. If you do not want this account, press RETURN. If you want it, type YES and press RETURN.

deblaisdell
Occasional Advisor

Re: What OpenVMS docs cover the specifics of the accts created by NET$CONFIGURE.COM

Thank you for the information.

Regarding "VSI advises against creating a default account for the FAL object,..."

The risk is that (due to poor documenation) the systems running on the OpenVMS platforms do not indicate if FAL$SERVER account is needed to function.  I believe it is going to be disabled and we will see what dependencies exist.