Updated: 24-SEP-2003 (Use your browsers' Reload button to ensure you're viewing the most recent version)
VAXLOAD02_061 VAX V6.1 LOGINOUT/Security Server ECO Summary
Copyright (c) Digital Equipment Corporation 1996, 1997. All rights reserved.
PRODUCT: OpenVMS VAX
COMPONENT: Security
CIA.EXE
LOGINOUT.EXE
SECURESHR.EXE
SECURESHRP.EXE
SECURITY_SERVER.EXE
SOURCE: Digital Equipment Corporation
ECO INFORMATION:
ECO Kit Name: VAXLOAD02_061
ECO Kits Superseded by This ECO Kit: VAXLOAD02_070 (for OpenVMS VAX
V6.1 *ONLY*)
VAXLOAD01_070
VAXLOAD01_061
VAXLOGI02_070
VAXLOGI01_070
VAXLOGI04_061
VAXLOGI03_061
VAXLOGI02_061 (CSCPAT_1157)
VAXLOGI01_061
ECO Kit Approximate Size: 1260 Blocks
Kit Applies To: OpenVMS VAX V6.1
System/Cluster Reboot Necessary: No
Installation Rating: 3 - To be installed on all systems running
the listed versions of OpenVMS which
are experiencing the problems described.
NOTE: In order to receive the full fixes listed in this kit,
the following remedial kits also need to be installed:
None.
ECO KIT SUMMARY:
An ECO kit exists for various security components on OpenVMS VAX
V6.1.
Problems Addressed in the VAXLOAD02_061 ECO Kit:
o The DISUSER flag gets set on a user account when no intrusions
are present.
Problems Addressed in the VAXLOAD01_070 ECO Kit:
o Proxy behavior is unpredictable. Sometimes they are
inoperative and at other times access is given to an
incorrect place.
o Users without WORLD privileges generate many "No WORLD priv"
audits when logging in.
o Records in the old intrusion database can not be deleted
because they are ill-formed (i.e., they contain control
characters, nulls, spaces, etc.).
o Some logins are not correctly audited.
Problems Addressed in the VAXLOGI01_070 ECO kit:
o Problem with LGI callouts.
o Intrusion records and audits from DECnet/OSI network
connections have a username padded with <NUL> characters.
o If a user who types meaningless characters, whitespace or
the "/" in response to the USERNAME prompt receives a CLI
error and then successfully logs in, the user will have an
intrusion record and an incorrect audit will be generated.
Problems Addressed in the VAXLOGI01_070 ECO kit:
o Five seconds after a password is entered, the login attempt
is rejected.
This problem is corrected in OpenVMS VAX V7.0.
o A login attempt will be rejected after it hangs for 30 seconds.
This problem is corrected in OpenVMS VAX V7.0.
Problems Addressed in the VAXLOGI04_061 ECO Kit:
o If a user is prompted for and successfully enters a new password
at login time, no audit records are written or displayed.
Problems Addressed in the VAXLOGI03_061 ECO Kit:
o LOGINOUT does not set bits properly. The consequence of this
is that a DCL 'SHOW INTRUSION' or 'SHOW INTRUSION/OLD' command
will display erroneous intrusion records.
Problems Addressed in the VAXLOGI02_061 ECO Kit:
o OpenVMS V6.1 does not have a logical name for a remote node's
fullname on a network login. This fix has LOGINOUT define
SYS$REM_NODE_FULLNAME to be the contents of the remote node's
fullname (ctl$gq_remote_fullname) if the process is a network
login.
Problems Addressed in the VAXLOGI01_061 ECO Kit:
o LOGINOUT hangs in an endless retry loop while prompting for
a new password if the terminal device goes offline. A
constant flow of failed login audits is generated.
Problems Addressed in the VAXLOAD01_061 ECO Kit:
o Performing a 'SHOW INTRUSION' operation with the SECURITY
privilege set as documented returns the following error:
%SYSTEM-F-NOSYSPRV, operation requires SYSPRV privilege
o Occasionally, the SECURITY_SERVER dumps and leaves a
footprint in the file SYS$MANAGER:SECURITY_SERVER_ERROR.LOG
that describes a range error. The error will be similar to
the following:
%SYSTEM-F-RANGEERR, range error, PC=0008CD08, PS=0000001B
%ADA-I-TASTERUNH, Task with ID %TASK 13 of type Process_CIA
has terminated
o Under DECnet/OSI (Phase V) and OpenVMS VAX V6.1 and later,
if there are proxies on YRNODE of the form:
VMS:.ZKO.MYNODE::*
* (D) OTHERACCT
and an access attempt is made in the form of:
$ DIR YRNODE"OTHERACCT"::
it will be rejected as a failed password.
o A request for proxy or intrusion information might hang the
current process which is usually AUTHORIZE.
o The present implementation of proxy allows an ADD command to
move a local user within a proxy record to the default user,
but does not allow the default user to be made into a local
user.
o If SHOW/PROXY runs into a proxy record which contains a
field with a zero length, the SECURITY_SERVER will take
an exception. This results in the stoppage of the
SECURITY_SERVER process and then AUTHORIZE will hang
waiting for the SECURITY_SERVER.
o All SECSRV messages send the largest string to OPCOM that
it can handle. Most of the message is trailing spaces
after the real text.
o A 'SHOW/PROXY *' within AUTHORIZE only shows the default
proxy records. It only displays this:
UAF> show/proxy *
Default proxies are flagged with (D)
*::USER1
USER1 (D)
*::USER2
USER1 (D)
It should be displaying this:
UAF> show /proxy *
Default proxies are flagged with (D)
NODE::SYSTEM
SYSTEM
*::USER1
USER1 (D)
*::USER2
USER1 (D)
o A terminal name of exactly 64 characters passed to
$SCAN_INTRUSION will cause the server to fail with a
constraint error.
o A process making a request of the SECURITY_SERVER may go
into an RWMBX due to a QIOW write to a mailbox that does
not have a read.
o Various tasks within the SECURITY_SERVER die. If the
server attempts to keep running, the system will usually
hang.
RELATED ARTICLES:
Detailed articles describing the problems listed above may exist in
the OPENVMS database. To view these articles, open the appropriate
product database and perform a query using either of the following
search strings: 'VAXLOAD02_061' or 'VAXLOAD'.
ECO KIT ORDERING INSTRUCTIONS:
If after an evaluation you wish to obtain this kit, request it
electronically using the appropriate Advanced Electronic Services
(AES) Service Tool. If you are not familiar with how to request
kits electronically, open the DIA, WIS or DSNLINK database and
review the article entitled:
[AES] How To Electronically Request ECO Kits Using Service Tools
INSTALLATION NOTES:
The system does not need to be rebooted after this kit is installed.
However, if you have other nodes in your OpenVMS VMScluster, they
should be rebooted or you should install this kit on each system
in order to make use of the new image(s).
==========================================================================
| Table of Kit Image Information |
+----------------------------+----------+-----------------+--------------+
| | Overall | Image File | Image Link |
| Image Name | Checksum | Identification | Date/Time |
+----------------------------+----------+-----------------+--------------+
| CIA.EXE |%X8DDA961D| X-8A1 | 3-SEP-1996 |
| | | 13:56:51.79 |
+----------------------------+----------+-----------------+--------------+
| LOGINOUT.EXE |%XA02889A8| X-28A2 | 10-JUN-1997 |
| | | 01:55:09.76 |
+----------------------------+----------+-----------------+--------------+
| SECURESHR.EXE |%XCE022E73| X-5A1 | 27-JUL-1996 |
| | | 08:34:45.91 |
+----------------------------+----------+-----------------+--------------+
| SECURESHRP.EXE |%X308264F6| X-5A1 | 27-JUL-1996 |
| | | 08:34:14.88 |
+----------------------------+----------+-----------------+--------------+
| SECURITY_SERVER.EXE |%X3CDA9E96| 01 | 13-MAR-1995 |
| | | 11:04:26.07 |
+----------------------------+----------+-----------------+--------------+
|
