OpenVMS VAXLOAD02_061 VAX V6.1 LOGINOUT/Security Server ECO Summary
NOTE: An OpenVMS saveset or PCSI installation file is stored
on the Internet in a self-expanding compressed file.
The name of the compressed file will be kit_name-dcx_vaxexe
for OpenVMS VAX or kit_name-dcx_axpexe for OpenVMS Alpha.
Once the file is copied to your system, it can be expanded
by typing RUN compressed_file. The resultant file will
be the OpenVMS saveset or PCSI installation file which
can be used to install the ECO.
Copyright (c) Digital Equipment Corporation 1996, 1997. All rights reserved.
PRODUCT: OpenVMS VAX
COMPONENT: Security
    CIA.EXE
    LOGINOUT.EXE
    SECURESHR.EXE
    SECURESHRP.EXE
    SECURITY_SERVER.EXE
SOURCE: Digital Equipment Corporation
ECO INFORMATION:
ECO Kit Name: VAXLOAD02_061
ECO Kits Superseded by This ECO Kit:
    VAXLOAD02_070 (for OpenVMS VAX V6.1 *ONLY*)
    VAXLOAD01_070
    VAXLOAD01_061
    VAXLOGI02_070
    VAXLOGI01_070
    VAXLOGI04_061
    VAXLOGI03_061
    VAXLOGI02_061 (CSCPAT_1157)
    VAXLOGI01_061
ECO Kit Approximate Size: 1260 Blocks
Kit Applies To: OpenVMS VAX V6.1
System/Cluster Reboot Necessary: No
Installation Rating: 3 - To be installed on all systems running the
listed versions of OpenVMS which are experiencing the problems described.
NOTE: In order to receive the full fixes listed in this kit,
the following remedial kits also need to be installed:
None.
ECO KIT SUMMARY:
An ECO kit exists for various security components on OpenVMS VAX
V6.1.
Problems Addressed in the VAXLOAD02_061 ECO Kit:
o The DISUSER flag gets set on a user account when no intrusions
are present.
Problems Addressed in the VAXLOAD01_070 ECO Kit:
o Proxy behavior is unpredictable. Sometimes proxies are
inoperative and at other times access is given to an
incorrect place.
o Users without WORLD privileges generate many "No WORLD priv"
audits when logging in.
o Records in the old intrusion database cannot be deleted
because they are ill-formed (i.e., they contain control
characters, nulls, spaces, etc.).
o Some logins are not correctly audited.
Problems Addressed in the VAXLOGI01_070 ECO kit:
o Problem with LGI callouts.
o Intrusion records and audits from DECnet/OSI network
connections have a username padded with characters.
o If a user types meaningless characters, whitespace or the "/"
in response to the USERNAME prompt, receives a CLI error, and
then successfully logs in, the user will have an intrusion
record and an incorrect audit will be generated.
Problems Addressed in the VAXLOGI01_070 ECO kit:
o Five seconds after a password is entered, the login attempt
is rejected.
This problem is corrected in OpenVMS VAX V7.0.
o A login attempt will be rejected after it hangs for 30 seconds.
This problem is corrected in OpenVMS VAX V7.0.
Problems Addressed in the VAXLOGI04_061 ECO Kit:
o If a user is prompted for and successfully enters a new password
at login time, no audit records are written or displayed.
Problems Addressed in the VAXLOGI03_061 ECO Kit:
o LOGINOUT does not set bits properly. The consequence of this
is that a DCL 'SHOW INTRUSION' or 'SHOW INTRUSION/OLD' command
will display erroneous intrusion records.
Problems Addressed in the VAXLOGI02_061 ECO Kit:
o OpenVMS V6.1 does not have a logical name for a remote node's
fullname on a network login. This fix has LOGINOUT define
SYS$REM_NODE_FULLNAME to be the contents of the remote node's
fullname (ctl$gq_remote_fullname) if the process is a network
login.
Problems Addressed in the VAXLOGI01_061 ECO Kit:
o LOGINOUT hangs in an endless retry loop while prompting for
a new password if the terminal device goes offline. A
constant flow of failed login audits is generated.
Problems Addressed in the VAXLOAD01_061 ECO Kit:
o Performing a 'SHOW INTRUSION' operation with the SECURITY
privilege set as documented returns the following error:
    %SYSTEM-F-NOSYSPRV, operation requires SYSPRV privilege
o Occasionally, the SECURITY_SERVER dumps and leaves a
footprint in the file SYS$MANAGER:SECURITY_SERVER_ERROR.LOG
that describes a range error. The error will be similar to
the following:
    %SYSTEM-F-RANGEERR, range error, PC=0008CD08, PS=0000001B
    %ADA-I-TASTERUNH, Task with ID %TASK 13 of type Process_CIA has terminated
o Under DECnet/OSI (Phase V) and OpenVMS VAX V6.1 and later,
if there are proxies on YRNODE of the form:
    VMS:.ZKO.MYNODE::*
        * (D) OTHERACCT
and an access attempt is made in the form of:
    $ DIR YRNODE"OTHERACCT"::
it will be rejected as a failed password.
o A request for proxy or intrusion information might hang the
current process, which is usually AUTHORIZE.
o The present implementation of proxy allows an ADD command to
move a local user within a proxy record to the default user,
but does not allow the default user to be made into a local
user.
o If SHOW/PROXY runs into a proxy record which contains a
field with a zero length, the SECURITY_SERVER will take
an exception. This results in the stoppage of the
SECURITY_SERVER process and then AUTHORIZE will hang
waiting for the SECURITY_SERVER.
o Every SECSRV message is sent to OPCOM as the largest string
that it can handle. Most of the message is trailing spaces
after the real text.
o A 'SHOW/PROXY *' within AUTHORIZE only shows the default
proxy records. It only displays this:
    UAF> show/proxy *
    Default proxies are flagged with (D)
    *::USER1
        USER1 (D)
    *::USER2
        USER1 (D)
It should be displaying this:
    UAF> show /proxy *
    Default proxies are flagged with (D)
    NODE::SYSTEM
        SYSTEM
    *::USER1
        USER1 (D)
    *::USER2
        USER1 (D)
o A terminal name of exactly 64 characters passed to
$SCAN_INTRUSION will cause the server to fail with a
constraint error.
o A process making a request of the SECURITY_SERVER may go
into an RWMBX due to a QIOW write to a mailbox that does
not have a read.
o Various tasks within the SECURITY_SERVER die. If the
server attempts to keep running, the system will usually
hang.
INSTALLATION NOTES:
The system does not need to be rebooted after this kit is installed.
However, if you have other nodes in your OpenVMS VMScluster, they
should be rebooted or you should install this kit on each system
in order to make use of the new image(s).
This patch can be found at any of these sites:
Colorado Site
Georgia Site
Files on this server are as follows:
    vaxload02_061.README
    vaxload02_061.CHKSUM
    vaxload02_061.CVRLET_TXT
    vaxload02_061.a-dcx_vaxexe