System password

From VSI OpenVMS Wiki

A system password is a password used to control access to terminals that might be targets for unauthorized use.

Terminals that need system passwords

  • All terminals using dialup lines or public data networks for access
  • Terminals on lines that are publicly accessible and not tightly secured, such as those in computer laboratories at universities
  • Terminals not frequently inspected
  • Terminals intended for use only as spare devices
  • Terminals you want to reserve for security operations

Implementing system passwords

Execute the following steps to implement system passwords:

1. Establish a record in the SYSUAF database for a system password by invoking the Authorize utility and entering the following command:

UAF> MODIFY/SYSTEM_PASSWORD=password

You need to establish a record in the SYSUAF database only the first time a system password is set up on the system. However, if no record is present, the SET PASSWORD/SYSTEM command returns the following error:

%SET-F-UAFERR, error accessing authorization file
-RMS-E-RNF, record not found

2. Decide which terminals require system passwords. Then, for each terminal, enter the DCL command SET TERMINAL/SYSPWD/PERMANENT. When you are satisfied that you have selected the right terminals, incorporate these commands into SYS$MANAGER:SYSTARTUP_VMS.COM so that the terminal setup work is done automatically at system startup. You can remove the restriction on a terminal at any time by invoking the DCL command SET TERMINAL/NOSYSPWD/PERMANENT for that terminal.

3. Choose a system password, and implement it with the DCL command SET PASSWORD/SYSTEM, which requires the SECURITY privilege. This command prompts you for the password and then prompts you again for verification, just as for user passwords. To request automatic password generation, include the /GENERATE qualifier.

System password for remote logins

To enable the use of the system password for the remote class of logins (those accomplished through the DCL command SET HOST), set the appropriate bit in the default terminal characteristics parameter by using AUTOGEN. This is bit 19 (hexadecimal value 80000) in the parameter TTY_DEFCHAR2. Note that if you set this bit, you must invoke the DCL command SET TERMINAL/NOSYSPWD/PERMANENT to disable system passwords for each terminal where you do not want the feature. (As before, consider placing the SET TERMINAL commands you have tested in SYS$MANAGER:SYSTARTUP_VMS.COM.) Then follow the previously defined steps to set the system password.
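The following command procedure is an added example, not part of the original wiki text. It applies step 2 to a list of terminals, confirms the result for each one, and reports whether bit 19 of TTY_DEFCHAR2 is currently set. The terminal names and the symbol names are constructed placeholders, and the procedure assumes the account running it has the privilege needed to change permanent terminal characteristics.

```dcl
$! Added example: apply and verify the system password requirement.
$! The terminal names are constructed placeholders; substitute your own.
$ terminals = "TTA1:,TTA2:,TXA0:"
$ i = 0
$LOOP:
$ term = F$ELEMENT(i, ",", terminals)
$ IF term .EQS. "," THEN GOTO CHECK_DEFAULT     ! end of list reached
$ i = i + 1
$ IF .NOT. F$GETDVI(term, "EXISTS")
$ THEN
$   WRITE SYS$OUTPUT "''term' does not exist, skipped"
$   GOTO LOOP
$ ENDIF
$ SET TERMINAL/SYSPWD/PERMANENT 'term'
$! Read the characteristic back instead of assuming the command took effect.
$ IF F$GETDVI(term, "TT_SYSPWD")
$ THEN
$   WRITE SYS$OUTPUT "''term' requires the system password"
$ ELSE
$   WRITE SYS$OUTPUT "''term' is NOT protected, check privileges"
$ ENDIF
$ GOTO LOOP
$CHECK_DEFAULT:
$! Bit 19 (%X80000) of TTY_DEFCHAR2 enables the system password by default,
$! which is what covers remote (SET HOST) logins.
$ defchar2 = F$GETSYI("TTY_DEFCHAR2")
$ IF (defchar2 .AND. %X80000) .NE. 0
$ THEN
$   WRITE SYS$OUTPUT "TTY_DEFCHAR2 bit 19 is set"
$ ELSE
$   new = defchar2 .OR. %X80000
$   WRITE SYS$OUTPUT "Bit 19 is clear; value with bit 19 set: ''new' (decimal)"
$ ENDIF
$ EXIT
```

The procedure only reports the TTY_DEFCHAR2 value; changing the parameter itself is still done through AUTOGEN as described above.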

Viewing and changing the system password

Although the system password is not subject to expiration, change the password frequently. Always change the system password as soon as a person who knows the password leaves the group. Share the system password only with those who need to know. The system password is stored in a separate UAF record and cannot be displayed. The DCL command SET PASSWORD/SYSTEM (the normal means of setting and changing the system password) requires that you enter the old system password before changing it. Use the AUTHORIZE command MODIFY/SYSTEM_PASSWORD to change the system password without specifying the old password, as shown in the following command:

UAF> MODIFY/SYSTEM_PASSWORD=ABRACADABRA

The primary function of the system password is to form a first line of defense for publicly accessible ports and to prevent potential intruders from learning the identity of the system. However, requiring system passwords can appear confusing when authorized users are unaware that they are required on certain terminals. To avoid false reports of defective terminals or systems, inform your users which terminals allocated for their use require system passwords.
