This is a text-only version of the following page on https://raymii.org:

This is a text-only version of the following page on https://raymii.org:
---
Title : Multiple passwords for one user, UIC uniqueness and the system password on OpenVMS
Author : Remy van Elst
Date : 13-05-2018
URL : https://raymii.org/s/blog/Multiple_passwords_for_one_user_UIC_uniqueness_and_the_system_password_on_OpenVMS.html
Format : Markdown/HTML
---

[![openvms][1]][2]

(You can read all my OpenVMS articles by [clicking the picture above][2])

In the book I bought about OpenVMS for [this article on filesystems][3], Getting
Started with OpenVMS by M. Duffy, I've read a few interesting things in the
chapter that introduces user accounts and system login. Namely that a user can
have multiple passwords, that user ID's are not unique and that there can be a
system password. This article goes in to those three topics.

 Recently I removed all Google Ads from this site due to their invasive tracking, as well as Google Analytics. Please, if you found this content useful, consider a small donation using any of the options below: <a href="https://leafnode.nl">I'm developing an open source monitoring app called Leaf Node Monitoring, for windows, linux & android. Go check it out!</a> <a href="https://github.com/sponsors/RaymiiOrg/">Consider sponsoring me on Github. It means the world to me if you show your appreciation and you'll help pay the server costs.</a> <a href="https://www.digitalocean.com/?refcode=7435ae6b8212">You can also sponsor me by getting a Digital Ocean VPS. With this referral link you'll get $100 credit for 60 days. </a> 

### Add a new user to experiment on

For this article I added a new test user on my OpenVMS 8.4 install. It has the
same privileges as the system user so be carefull with it. Change the root
device and directory if needed:

$ SET DEFAULT SYS$SYSTEM
$ RUN AUTHORIZE
ADD REMY /PASSWORD=TEMP /OWNER="Remy van Elst" /DEV=DKA0 /DIR=[USERS.REMY] /UIC=[200,201] /FLAG=NODISUSER /PRIV=ALL

Create the home folder for the user and set permissons:

$ CREATE /DIRECTORY DKA0:[USERS.REMY]
$ SET DIRECTORY /OWNER=REMY DKA0:[USERS.REMY]

Logout the `SYSTEM` user:

$ LOG

Login as your new user and change the password (which is `TEMP`):

Welcome to OpenVMS (TM) Alpha Operating System, Version V8.4

Your password has expired; you must set a new password to log in

New password:
Verification:

$

Try to create a file and see if you setup the folder and permissions correctly:

$ dir
%DIRECT-W-NOFILES, no files found
$ create example
hello
CTRL+Z

$ dir

Directory DKA0:[USERS.REMY]

EXAMPLE.;1

Total of 1 file.

Do note that OpenVMS passwords are case-insensitive. [Read here][5] for more
information, there is a flag you can toggle to make passwords case sensitive.

> A user password can contain up to 32 alphanumeric and special characters.
Unless your system manager has set the PWDMIX flag in your authorization account
record, the only special characters permitted are the dollar sign and
underscore. Without the PWDMIX authorization, all lowercase characters are
converted to uppercase before the password is encrypted. For example, "eagle" is
the same as "EAGLE."

Furthermore, spaces are ignored:

> Blank spaces are permissible within a password, but they are not considered
part of the password, and OpenVMS ignores them. For example, "MY PASSWORD" is an
acceptable password, but the system only records "MYPASSWORD." This means that
"MYPA SSWORD" is also a valid password for the account in question.

#### Licensing error?

After adding the user and trying to login I got a licensing error:

No license is active for this software product

It also spammed the terminal with AUDIT server logs:

%%%%%%%%%%% OPCOM 10-MAY-2018 19:52:05.87 %%%%%%%%%%%
Message from user AUDIT$SERVER on REMY1
Security alarm (SECURITY) and security audit (SECURITY) on REMY1, system id: 104
9
Auditable event: Local interactive login failure
Event time: 10-MAY-2018 19:52:05.87
PID: 0000021C
Process name: REMY
Username: REMY
Process owner: [REMY]
Terminal name: _TTA0:
Image name: REMY1$DKA0:[SYS0.SYSCOMMON.][SYSEXE]LOGINOUT.EXE
Posix UID: -2
Posix GID: -2 (%XFFFFFFFE)
Status: %LICENSE-F-NOLICENSE, no license is active for this software product

Somehow all my licenses disappeared:

$ SHOW LICENSE /USAGE

View of loaded licenses from node REMY1 10-MAY-2018 19:58:37.10
%SHOW-I-NOLICENSE, no licenses exist

After re-adding my hobbyist license it still did not work. I had to add the
hostname (`REMY1`) for the error to go away:

$ LICENSE MODIFY OPENVMS-ALPHA /INCLUDE=REMY1

After which all was well and I could login with the new user:

$ SHOW LICENSE OPENVMS-ALPHA

Active licenses on node REMY1:

------- Product ID -------- ---- Rating ----- -- Version --
Product Producer Units Avail Activ Version Release Termination
OPENVMS-ALPHA DEC 0 0 100 0.0 (none) 1-APR-2019

Unsure why this happens. Now let's get on to the exciting stuff.

### Secondary password

The first thing I want to cover is the secondary password. A user account on
OpenVMS can have more than 1 password, the main password and the secondary
password. This can be usefull in high-security environments where two people are
needed to access a user account (that could have special privileges). Read more
on UIC codes in [the documentation][6].

Chapter 4, User accounts, Overview states:

> Your system manager may create user accounts that require zero, one, or two
passwords, but accounts with one password are the norm.

From [the documentation][7]:

> Secondary password. The second of two passwords to be entered for an account
requiring both primary and secondary passwords. The secondary password provides
an additional level of security on user accounts. Typically, the primary user
does not know the secondary password; a supervisor or other key person must be
present to supply it. For certain applications, the supervisor may also decide
to remain present while the account is in use. Thus, secondary passwords
facilitate controlled logins and the actions taken after a login. Secondary
passwords can be time-consuming and inconvenient. They are justified only at
sites with maximum security requirements. An example of an account that
justifies dual passwords would be one that bypasses normal access controls to
permit emergency repair to a database.

The text above already gives an example and I can imagine a few more. Take two
users of different functions in the organization, say a programmer and a
director. If the sysadmins are not available (hit by a bus, holiday) these two
users can gain access to a special account to do maintenance. In other operating
systems you can achieve this by giving either one a part of the password. The
OpenVMS way feels more thought out since you can check which accounts require
secondary passwords and the different password attempts are logged as well.

To set up a secondary password, open the `AUTHORIZATION` program and use
`MODIFY`.

$ SET DEFAULT SYS$SYSTEM
$ RUN AUTHORIZE
MODIFY REMY /PASSWORD=("", example) /NOPWDEXPIRED

The first user password is not modified, hence the `("",`. If you want to modify
both passwords, replace the `""` with a password. If you have a user with two
passwords and want to modify only the first password, use `/PASSWORD=example`.
To modify both passwords, `/PASSWORD=(FIRST_PASS, SECONDARY_PASS)`.

The `/NOPWDEXPIRED` flag is set because otherwise the user would have to change
the secondary password at first login and in the use case of a secondary
password that is not what you want (since it involves two users).

If you logout (`LOG`) and login as the user, you will be asked for a password
twice. The first prompt is for the first password, the second for the secondary
password:

Welcome to OpenVMS (TM) Alpha Operating System, Version V8.4

Username: remy
Password:
Password:
Welcome to OpenVMS (TM) Alpha Operating System, Version V8.4
Last interactive login on Friday, 11-MAY-2018 20:20:33.58

$

To remove a secondary password, remove all passwords from a user and set a new
password:

$ SET DEFAULT SYS$SYSTEM
$ RUN AUTHORIZE
UAF> MODIFY REMY /NOPASSWORD
%UAF-I-PWDLESSMIN, new password is shorter than minimum password length
%UAF-I-MDFYMSG, user record(s) updated
UAF> MODIFY REMY /PASSWORD=TEMP
%UAF-I-MDFYMSG, user record(s) updated

When the user logs in now, it will require one password and the user has to
change that after first login.

You can read more on the `AUTHORIZE` program [here][8].

### User ID's (UIC) are not unique

The second interesting point I want to show and talk about is the `UIC`
uniqueness. Linux has the `UID` and `GID`, OpenVMS combines them into one
number. A UIC consists of: `GROUP,MEMBER` and has the form of `[200,201]`. Group
ID 200, User (member) ID 201. System users have a `UID` below 10 (by default).
UIC codes can be both numeric as in these examples as well as alphanumeric
(`[WELDING,JACK]`).

Chapter 4, User Identification Code (UIC), states:

> UICs Are Not Necessarily Unique It is important to note that a UIC does not
necessarily identify one particular user. It is possible for the system manager
to assign the same UIC to two or more user accounts. It is also possible to
reuse a UIC previously assigned to a user account that has been deleted.

File protection (not ACL's) relies on User Identification Codes, thus a system
manager can choose to create a user with the same UIC as another user. (Not the
same username though). This way one account that is not a privileged account can
access the files of another user without special permissions, since for the
system it is the same UIC.

You might use this when someone is away for a longer period, or when a user is
replaced by someone else. In Linux systems, the UID is recommended to be unique,
but it is not required. In my experience however it gives more problems than
solutions and using groups, SElinux or ACL's will fix your problem better.

I cover this because as far as I know now, in OpenVMS, the file protection bits
are exclusively looking at the UIC. I'm not sure how that is on a linux system.

Earlier in the article we created a new user with the UIC `[200,201]`. Let's
create an example file and make that not accessible for other users:

$ CREATE EXAMP.TXT
this is a test
CTRL+Z

Check the default permissions:

$ DIR /SECURITY

Directory DKA0:[USERS.REMY]

EXAMP.TXT;1 [REMY] (RWED,RWED,RE,)

Total of 1 file.

This means that:

* System: read, write, execute, delete
* Owner: read, write, execute, delete
* Group: read, execute
* World: none

Change it so that the group to which the user belongs (201) also cannot access
the file:

$ SET FILE/PROTECTION=(S:RWED,O:RWED,G,W) EXAMP.TXT;1

Now create another user with a different UIC to test the rights. Make sure it
has no system permissions otherwise it will still be able to access the file.

$ SET DEFAULT SYS$SYSTEM
$ RUN AUTHORIZE
ADD REMY2 /PASSWORD=TEMP /OWNER="Remy2" /DEV=DKA0 /DIR=[USERS.REMY2] /UIC=[300,401] /FLAG=NODISUSER
CTRL+Z ! to exit UAF>

$ CREATE /DIRECTORY DKA0:[USERS.REMY2]
$ SET DIRECTORY /OWNER=REMY2 DKA0:[USERS.REMY2]

Login as that user (`REMY2`) and check if you can access that file. It should
fail:

$ TYPE DKA0:[USERS.REMY]EXAMP.TXT;1
%TYPE-W-OPENIN, error opening DKA0:[USERS.REMY]EXAMP.TXT;1 as input
-RMS-E-PRV, insufficient privilege or file protection violation

Cool. Now, as the system user, run `AUTHORIZE` and change the UIC code of this
second user. Note, don't do this on a live system since it can have unwanted
side-effects (namely permission errors for all your users files).

UAF> MODIFY REMY2 /UIC=[200,201]

%UAF-E-RDBMDFYERR, unable to modify identifier REMY2
-SYSTEM-F-DUPIDENT, duplicate identifier
%UAF-I-MDFYMSG, user record(s) updated

Disregard the error, check with `SHOW REMY2` to see the actual change:

UAF> SHOW REMY2

Username: REMY2 Owner: Remy2
Account: UIC: [200,201] ([REMY])
CLI: DCL Tables: DCLTABLES
Default: DKA0:[USERS.REMY2]
LGICMD:
Flags:

Log back in as that user (`REMY2`). The file of the different user with the same
UIC (`REMY`) should be readable now:

$ TYPE DKA0:[USERS.REMY]EXAMP.TXT;1
this is a test

As well as the home folder of the user:

$ DIR DKA0:[USERS.REMY]

Directory DKA0:[USERS.REMY]

EXAMP.TXT;1

Total of 1 file.

However, as stated above, you won't be able to view your own files and folders
anymore, since your UIC changed:

$ SHOW DEF
DKA0:[USERS.REMY2]
$ DIR
%DIRECT-E-OPENIN, error opening DKA0:[USERS.REMY2]*.*;* as input
-RMS-E-PRV, insufficient privilege or file protection violation

### System password

The last of the interesting bits I want to discuss is the system password.

Chapter 5, logging in and out of the system, the login sequence states:

> Some OpenVMS systems have a system password enabled. This is a rarely used,
extra security feature. Such systems require you to type a password, which will
not be displayed, even before presenting you with a Username: prompt. You will
have no indication that anything at all is happening until the system password
is accepted.

From [the documentation][7]:

> The System password controls access to particular terminals and is required at
the discretion of the security administrator. System passwords are usually
necessary to control access to terminals that might be targets for unauthorized
use, such as dialup and public terminal lines.

To setup the system password, set the password and then choose the terminals
where you want to require the system password.

Start up `AUTHORIZE`:

$ SET DEFAULT SYS$SYSTEM
$ RUN AUTHORIZE

Set the password:

UAF> MODIFY/SYSTEM_PASSWORD=example
%UAF-I-SYSPWDMOD, system password modified

Then on a terminal where you want to require the system password, execute this
command:

$ SET TERMINAL/SYSPWD/PERMANENT

You can use the `SHOW TERM` command to check if the password is active. Look for
`Syspassword`.

$ SHOW TERM
Terminal: _TTA0: Device_Type: Unknown Owner: _TTA0:
Username: SYSTEM

Input: 9600 LFfill: 0 Width: 80 Parity: None
Output: 9600 CRfill: 0 Page: 24

Terminal Characteristics:
Interactive Echo Type_ahead No Escape
No Hostsync TTsync Lowercase No Tab
Wrap Scope No Remote No Eightbit
Broadcast No Readsync No Form Fulldup
No Modem No Local_echo Autobaud No Hangup
No Brdcstmbx No DMA No Altypeahd Set_speed
No Commsync Line Editing Overstrike editing No Fallback
No Dialup No Secure server No Disconnect No Pasthru
Syspassword No SIXEL Graphics No Soft Characters No Printer Port
Numeric Keypad No ANSI_CRT No Regis No Block_mode
No Advanced_video No Edit_mode No DEC_CRT No DEC_CRT2
No DEC_CRT3 No DEC_CRT4 No DEC_CRT5 No Ansi_Color
VMS Style Input <CTRL-H> Backspace

[The [documentation][9] [states that you can require this for remote logins, but
I have trouble getting [the networking part working, due to issues with Windows
10\. No way for me to [test that yet.

This is a GIF I recorded with the Windows On Screen Keyboard to show that the
system password is required before being able to do anything:

![][10]

[1]: https://raymii.org/s/inc/img/ovmsdec.png
[2]: https://raymii.org/s/tags/openvms.html
[3]: https://raymii.org/s/blog/OpenVMS_Mount_ISO_and_execute_scripts.html#%5B000000%5D,_the_Master_File_Directory
[4]: https://www.digitalocean.com/?refcode=7435ae6b8212
[5]: https://web.archive.org/web/20180513102328/http://h41379.www4.hpe.com/doc/83final/9996/9996pro_205.html
[6]: https://web.archive.org/web/20180513185120/http://h41379.www4.hpe.com/doc/84final/ba554_90015/ch04s01.html
[7]: https://web.archive.org/web/20180512180655/http://h30266.www3.hpe.com/odl/i64os/opsys/vmsos84/6489/6489pro_001.html
[8]: https://web.archive.org/web/20180513181859/https://marc.vos.net/books/vms/uaf/modify/
[9]: https://web.archive.org/web/20180512182500/http://h30266.www3.hpe.com/odl/i64os/opsys/vmsos84/BA554_90015/ch07s03.html
[10]: https://raymii.org/s/inc/img/syspwd.gif

---

License:
All the text on this website is free as in freedom unless stated otherwise.
This means you can use it in any way you want, you can copy it, change it
the way you like and republish it, as long as you release the (modified)
content under the same license to give others the same freedoms you've got
and place my name and a link to this site with the article as source.

This site uses Google Analytics for statistics and Google Adwords for
advertisements. You are tracked and Google knows everything about you.
Use an adblocker like ublock-origin if you don't want it.

All the code on this website is licensed under the GNU GPL v3 license
unless already licensed under a license which does not allows this form
of licensing or if another license is stated on that page / in that software:

This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.

This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.

You should have received a copy of the GNU General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.

Just to be clear, the information on this website is for meant for educational
purposes and you use it at your own risk. I do not take responsibility if you
screw something up. Use common sense, do not 'rm -rf /' as root for example.
If you have any questions then do not hesitate to contact me.

See https://raymii.org/s/static/About.html for details.