The system manager may use AUTHORIZE to control several parameters that govern the login process. These parameters are stored in the SYSUAF; the corresponding AUTHORIZE qualifier is given in parentheses after each one. These qualifiers are defined for every account, and many of them are shown in the previous SHOW DMILLER/FULL example. The parameters are as follows:
Whether two passwords are required to log in (/PASSWORD=)
The minimum length of a password (/PWDMINIMUM=)
The lifetime of a password (i.e., how often the password must be changed) (/PWDLIFETIME=)
Whether the user is permitted to change his or her password (FLAG=LOCKPWD)
Whether the user must use system-generated passwords (/GENERATE=)
What time of day and day of week the user may log in (/ACCESS=)
In addition, certain systemwide policy settings may be controlled (via SYSMAN PARAMETER) by the manager. These settings are stored in xVMSSYS.PAR, as discussed in both Chapters 2 and 7. The following is a partial list of these SYSMAN-pertinent parameters (the specific parameter is listed in parentheses):
Maximum number of login failures before the user is disconnected (LGI_RETRY_LIM)
Maximum amount of time the user has to respond to the login prompt before being disconnected (LGI_RETRY_TMO)
Maximum number of login failures from the same location or to the same account permitted before a break-in event is declared (LGI_BRK_LIM)
How long to disable further login attempts from that location or to that account (LGI_BRK_TMO)
When a break-in is detected, the user's account may be disabled (LGI_BRK_DISUSER).
SYSMAN is used to display and change current settings. The following example shows how to list them all. Only the rightmost column requires an explanation. Changes to some parameters take effect immediately; these parameters are termed dynamic. Other parameters require a system boot before a change becomes effective; these are termed nondynamic. The Dynamic column of the display is blank for nondynamic parameters.
$ MCR SYSMAN
SYSMAN> parameter show /lgi
Node BEAVER: Parameters in use: ACTIVE
Parameter Name     Current    Default    Minimum     Maximum  Unit      Dynamic
--------------     -------    -------    -------     -------  ----      -------
LGI_BRK_TERM             1          1          0           1  Boolean      D
LGI_BRK_DISUSER          0          0          0           1  Boolean      D
LGI_PWD_TMO             30         30          0         255  Seconds      D
LGI_RETRY_LIM            3          3          0         255  Tries        D
LGI_RETRY_TMO           20         20          0         255  Seconds      D
LGI_BRK_LIM              5          5          1         255  Failures     D
LGI_BRK_TMO            300        300          0     5184000  Seconds      D
LGI_HID_TIM            300        300          0  1261440000  Seconds      D
SYSMAN also includes HELP for all parameters. The following display illustrates this feature. Unfortunately, the command appears a bit baroque, but the information is valuable. It would appear that this value is set incorrectly on my system, because I use LAT.
SYSMAN> help parameter parameter lgi_brk_term
PARAMETERS
  Parameters
    LGI_BRK_TERM
      LGI_BRK_TERM causes the terminal name to be part of the
      association string for the terminal mode of break-in detection.
      When off (0), association is done on user name only. LGI_BRK_TERM
      is set by default (1). It should be cleared if physical terminal
      names are created dynamically (that is, if LAT is installed) and
      effective break-in detection is desired.
      LGI_BRK_TERM is a DYNAMIC parameter.
The change requires several commands, because all changes are made in a workspace and then written to memory to become active. The changes are also written to file to make them permanent. The steps are as follows:
SYSMAN> parameter use active          ! initialize workspace
SYSMAN> parameter set lgi_brk_term 0  ! make the change
SYSMAN> parameter write active        ! write workspace to memory
SYSMAN> parameter write current       ! write workspace to file
SYSMAN> parameter sho lgi_brk_term    ! display change
Node BEAVER: Parameters in use: ACTIVE
Parameter Name     Current    Default    Minimum     Maximum  Unit      Dynamic
--------------     -------    -------    -------     -------  ----      -------
LGI_BRK_TERM             0          1          0           1  Boolean      D
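An added example, not part of the original text: a Python script that parses a captured "parameter show /lgi" display and applies the checks the text describes (value within Minimum..Maximum, drift from the default, and LGI_BRK_TERM left set while LAT is in use). The function names, the lat_in_use flag and the DEMO_STATIC row are assumptions made for the illustration.

```python
import re

# Constructed sample: the "parameter show /lgi" display from the text, plus one
# hypothetical nondynamic row (DEMO_STATIC, blank Dynamic column) added for the demo.
SAMPLE = """\
Node BEAVER: Parameters in use: ACTIVE
Parameter Name     Current    Default    Minimum     Maximum  Unit      Dynamic
--------------     -------    -------    -------     -------  ----      -------
LGI_BRK_TERM             1          1          0           1  Boolean      D
LGI_BRK_DISUSER          0          0          0           1  Boolean      D
LGI_PWD_TMO             30         30          0         255  Seconds      D
LGI_RETRY_LIM            3          3          0         255  Tries        D
LGI_RETRY_TMO           20         20          0         255  Seconds      D
LGI_BRK_LIM              5          5          1         255  Failures     D
LGI_BRK_TMO            300        300          0     5184000  Seconds      D
LGI_HID_TIM            300        300          0  1261440000  Seconds      D
DEMO_STATIC             10         10          1         100  Units
"""

# Columns: name, current, default, minimum, maximum, unit, optional trailing "D"
ROW = re.compile(r"^(\w+)\s+(-?\d+)\s+(-?\d+)\s+(-?\d+)\s+(-?\d+)\s+(\S+)(?:\s+(D))?$")

def parse_show(text):
    """Return {name: fields} for each numeric parameter row; other lines are skipped."""
    params = {}
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            cur, dflt, lo, hi = (int(v) for v in m.group(2, 3, 4, 5))
            params[m.group(1)] = dict(current=cur, default=dflt, min=lo, max=hi,
                                      unit=m.group(6), dynamic=(m.group(7) == "D"))
    return params

def audit(params, lat_in_use):
    """Return (parameter, finding) pairs using only the rules stated in the text."""
    findings = []
    for name, p in params.items():
        if not p["min"] <= p["current"] <= p["max"]:
            findings.append((name, "current value is outside Minimum..Maximum"))
        if p["current"] != p["default"]:
            when = "immediately" if p["dynamic"] else "only after a reboot"
            findings.append((name, f"differs from default; a change takes effect {when}"))
    term = params.get("LGI_BRK_TERM")
    if lat_in_use and term and term["current"] == 1:
        findings.append(("LGI_BRK_TERM", "set while LAT is in use; clear it for effective break-in detection"))
    return findings

if __name__ == "__main__":
    for name, finding in audit(parse_show(SAMPLE), lat_in_use=True):
        print(f"{name}: {finding}")
```

Run against the sample with lat_in_use=True, the script reports only LGI_BRK_TERM, which matches the conclusion drawn from the HELP text above.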