Account Management


Account management is important. I've seen UNIX administrators simply use an editor to copy and paste an entry into the passwd file to create a new account. There is no similar concept in OpenVMS. To create a user account, the manager must perform the following:

  • Create the account with appropriate privileges using AUTHORIZE.

  • Create a root directory on the device specified by the account using CREATE/DIR.

  • Possibly (depending on user sophistication) create an account subdirectory for mail messages, also using CREATE/DIR.

  • If quotas are active on the user's disk, allocate disk quota for the account using SYSMAN DISKQUOTA.

SYS$SYSTEM:SYSUAF.DAT (UAF means user authorization file) contains the authorization profile for all users. This file is similar in function, but not in form, to UNIX's passwd file. The format of the SYSUAF was partially illustrated in the ANALYZE/RMS example in Chapter 2. There are several parts to the OpenVMS profile; some are obvious and others are peculiar to OpenVMS. This is a complete list:

  • User identification data: real name, user name, initial password, user identification code (UIC) (a security artifact), and account name (for accounting)

  • Account default data: login directory, login command file name (normally called LOGIN.COM)

  • Login attribute data: login time for network and batch, mail attributes, login message action, password characteristics (e.g., length, lifetime), account enabled or disabled

  • Quota limit data, described below.

  • Privilege data, described in Chapter 8, defines which system utilities the user may access.

  • Identifier data, described in Chapter 8, defines the user's security groups. This feature is similar to the UNIX group.

The SYSUAF.DAT is not a public file and is available only to SYSTEM. It is accessed via installed images only (see Chapter 8). Hence, a UNIX-like "crack" function cannot be run on OpenVMS by a user with nominal privileges. There are rumors that such a program exists for OpenVMS, but because the account file is not public, an ordinary user cannot run it against the file; a hacker who already has SYSTEM privileges has no need for one. Naturally, the user password (or passwords; OpenVMS supports a two-password login option) is encrypted before it is stored in the SYSUAF.DAT; it is stored in binary and cannot be displayed. There is no known decryption algorithm, so even the system manager cannot discover a user's password.

A typical dialog the system manager could use to perform the aforementioned steps would look like this:

     $ RUN SYS$SYSTEM:AUTHORIZE
     UAF> ADD JONES/PASSWORD=LPB57WM/UIC=[014,1] -
     _UAF> /DEVICE=DISK$USER/DIRECTORY=[JONES] -
     _UAF> /LGICMD=DISK$USER:[JONES]LOGIN -
     _UAF> /OWNER="ROBERT JONES"/ACCOUNT=DOC
     UAF> EXIT
     $ CREATE/DIRECTORY DISK$USER:[JONES] /OWNER_UIC=[014,1]
     $ CREATE/DIRECTORY DISK$USER:[JONES.MAIL] /OWNER_UIC=[014,1]
     $ RUN SYS$SYSTEM:SYSMAN
     SYSMAN> DISKQUOTA ADD -
     _SYSMAN> [JONES]/DEVICE=DISK$USER/PERMQUOTA=2000 -
     _SYSMAN> /OVERDRAFT=500
     SYSMAN> EXIT

Clearly, such a complex series of commands is laborious and prone to typos. Hence, it should be mechanized via a script. Usually, the system manager creates a command file similar to SYS$EXAMPLES:ADDUSER.COM (supplied in the OpenVMS delivery) to perform the previous steps interactively. This way the manager avoids mistakes and speeds up the process of creating new accounts. The new system manager would probably copy SYS$EXAMPLES:ADDUSER.COM to the SYS$SYSTEM directory and modify it to enforce local site policies. For instance, the command file may be coded to use the user's name to initialize the password. To appreciate the complexity of the SYSUAF.DAT, here is a display of all information for a single user. Notice that AUTHORIZE changes the prompt to UAF>:

     $ mcr authorize
     UAF> show dmiller/full
     Username: DMILLER                          Owner:  DAVID MILLER
     Account:                                   UIC:    [20,4] ([DMILLER])
     CLI:      DCL                              Tables: DCLTABLES
     Default:  FACULTY:[DMILLER]
     LGICMD:   FACULTY:[DMILLER]LOGIN.COM
     Flags:  DisCtlY
     Primary days:   Mon Tue Wed Thu Fri
     Secondary days:                     Sat Sun
     No access restrictions
     Expiration:            (none)    Pwdminimum:  6 Login Fails:       0
     Pwdlifetime:         90 00:00    Pwdchange:  22-MAY-2002 09:19
     Last Login:  1-AUG-2002 21:15 (interactive), 20-AUG-2001 17:20 (non-interactive)
     Maxjobs:         10  Fillm:         100  Bytlm:        50000
     Maxacctjobs:      0  Shrfillm:        0  Pbytlm:           0
     Maxdetach:        0  BIOlm:         100  JTquota:       4096
     Prclm:            5  DIOlm:         100  WSdef:          500
     Prio:             4  ASTlm:         200  WSquo:         5000
     Queprio:          0  TQElm:          10  WSextent:     10000
     CPU:         (none)  Enqlm:        4000  Pgflquo:      50000
     Authorized Privileges:
       NETMBX    TMPMBX
     Default Privileges:
       NETMBX    TMPMBX
     Identifier                         Value           Attributes

This book will not describe each of the previous fields in any detail. I merely want to impress on the reader that the system manager has a great deal of latitude when defining what a user may be permitted to do; however, this is a good time to point out another OpenVMS deviation from UNIX. By default, OpenVMS passwords are aged (see Pwdlifetime and Pwdchange in the previous display).

Data that is not supplied in the ADD command is copied from an account called DEFAULT, which has a UIC of [200,200]. This account is not meant to be used in the traditional sense (no one can log into DEFAULT), but merely to supply default values for newly created accounts. The manager may find it necessary to adjust quotas in DEFAULT to more closely match the requirements of the site (e.g., if all users will be using Motif, several quotas must be increased). These quotas are listed in the installation guide.
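To tie together the four account-creation steps listed at the start of this section and the advice to mechanize them in a command file, here is an added example of such a procedure. It is not the book's code and not SYS$EXAMPLES:ADDUSER.COM; the file name ADDUSER_SITE.COM, the DISK$USER and USERS defaults, the directory protection mask and the quota values are assumed site choices. The AUTHORIZE, CREATE/DIRECTORY and SYSMAN qualifiers are the ones used in the dialog above, plus AUTHORIZE's /PWDEXPIRED.

```dcl
$! ADDUSER_SITE.COM -- hypothetical site command procedure (added example, not
$! the book's SYS$EXAMPLES:ADDUSER.COM).  Performs the four account-creation
$! steps in order, checking each precondition before acting.
$!
$! Usage (interactive only, because the password is read with echo off):
$!     $ @ADDUSER_SITE username "Owner Name" [group,member] [device] [account]
$! P4 defaults to DISK$USER and P5 to USERS; both are assumed site values.
$!
$ ON WARNING THEN GOTO FAILED
$ IF .NOT. F$PRIVILEGE("SYSPRV") THEN GOTO NOPRIV
$ IF P1 .EQS. "" THEN INQUIRE P1 "Username"
$ IF P2 .EQS. "" THEN INQUIRE P2 "Owner (real name)"
$ IF P3 .EQS. "" THEN INQUIRE P3 "UIC, e.g. [014,1]"
$ IF P4 .EQS. "" THEN P4 = "DISK$USER"
$ IF P5 .EQS. "" THEN P5 = "USERS"
$ username = F$EDIT(P1, "UPCASE,TRIM")
$ owner    = F$EDIT(P2, "TRIM")
$ uic      = F$EDIT(P3, "UPCASE,COLLAPSE")
$ device   = F$EDIT(P4, "UPCASE,TRIM") - ":"     ! device name without the colon
$ account  = F$EDIT(P5, "UPCASE,TRIM")
$!
$! Step 0: never overwrite an existing record.  AUTHORIZE ADD also creates an
$! identifier named after the user, so a non-zero value means the name is taken.
$ IF F$IDENTIFIER(username, "NAME_TO_NUMBER") .NE. 0
$ THEN
$     WRITE SYS$OUTPUT "Account ''username' already exists -- nothing done"
$     EXIT %X1000002C                 ! SS$_ABORT with the message bit suppressed
$ ENDIF
$!
$! Step 1: the authorization record.  The initial password is read without echo
$! and marked pre-expired, so the user must choose a new one at first login.
$! AUTHORIZE looks for SYSUAF in the default directory unless the SYSUAF
$! logical is defined, so define it for this one image only.
$ SET TERMINAL/NOECHO
$ READ/PROMPT="Initial password for ''username': " SYS$COMMAND password
$ SET TERMINAL/ECHO
$ WRITE SYS$OUTPUT ""
$ DEFINE/USER_MODE SYSUAF SYS$SYSTEM:SYSUAF.DAT
$ MCR AUTHORIZE ADD 'username' /PASSWORD='password' /PWDEXPIRED -
      /OWNER="''owner'" /UIC='uic' /ACCOUNT='account' -
      /DEVICE='device' /DIRECTORY=['username'] -
      /LGICMD='device':['username']LOGIN
$ password = ""                        ! drop the cleartext from the symbol table
$!
$! Steps 2 and 3: login directory and mail subdirectory, owned by the new UIC.
$! Group and world get no access to the login directory (assumed site policy).
$ CREATE/DIRECTORY 'device':['username'] /OWNER_UIC='uic' -
      /PROTECTION=(S:RWE,O:RWE,G,W)
$ CREATE/DIRECTORY 'device':['username'.MAIL] /OWNER_UIC='uic'
$!
$! Step 4: quota, only if quotas are active on that disk, which is the case
$! when [000000]QUOTA.SYS exists.  Limits follow the book's dialog.
$ IF F$SEARCH("''device':[000000]QUOTA.SYS") .NES. ""
$ THEN
$     MCR SYSMAN DISKQUOTA ADD 'uic' /DEVICE='device' -
          /PERMQUOTA=2000 /OVERDRAFT=500
$ ELSE
$     WRITE SYS$OUTPUT "Quotas are not enabled on ''device': -- no quota entry made"
$ ENDIF
$!
$ WRITE SYS$OUTPUT "Account ''username' created, UIC ''uic', home ''device':[''username']"
$ EXIT 1
$!
$ NOPRIV:
$ WRITE SYS$OUTPUT "SYSPRV is required to modify SYSUAF -- nothing done"
$ EXIT %X1000002C
$!
$ FAILED:
$ SET NOON                             ! do not re-enter this handler
$ SET TERMINAL/ECHO
$ WRITE SYS$OUTPUT "A step failed (status ''$STATUS'); check SYSUAF and the directories for partial results"
$ EXIT %X1000002C
```

Two design choices are worth noting. The procedure reads the initial password from the terminal with echo turned off rather than deriving it from the username, and clears the symbol as soon as AUTHORIZE has consumed it; and it tests for [000000]QUOTA.SYS before calling SYSMAN, so the same procedure works on disks with and without quotas enabled. Because the steps run in the order the book gives, a failure part way through leaves an authorization record without directories or quota, which is why the FAILED label tells the operator to check for partial results.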

Accounts can also be created and managed from a Windows NT workstation with OpenVMS Management Station, as documented in OpenVMS Management Station Overview and Release Notes. There is little published user documentation on this program, because the application's HELP files substitute for documents.

There is a freeware GUI Motif interface to replace AUTHORIZE as well. It is called DWprofile and is found at www.multimania.com/pmoreau/decw/xutils.html. Although published in 1992, it works fine on today's systems as well. In fact, OpenVMS is well known for its backward compatibility support of software.

Once a user's account has been established, the system manager will probably not have to access it again. The most common reason for revisiting AUTHORIZE is to reset a password that the user has forgotten. This is done with the following command:

     $ AUTHORIZE
     UAF> MODIFY/PASSWORD=FORGETMENOT username

Then the user logs in under this new password. After successful login, the user will be immediately forced to change the password because, by default, any password change made by the manager is immediately expired.

If the user wants to change his or her password, the command is SET PASSWORD. This command works like the UNIX passwd command by interrogating the user for the old password and the new password. Likewise, when the user's password expires, a new password dialog takes place at login time.




Getting Started with OpenVMS System Management (HP Technologies)
ISBN: 1555582818
Year: 2004
Pages: 130
Authors: David Miller