ECO NUMBER:       ALPLOGI07_071
-----------
PRODUCT:          OpenVMS Alpha Operating System
--------
UPDATED PRODUCT:  OpenVMS Alpha Operating System 7.1
----------------
APPRX BLCK SIZE:  1296
----------------

COVER LETTER

1  KIT NAME:

   ALPLOGI07_071

2  KITS SUPERSEDED BY THIS KIT:

   ALPLOGI06_071

3  KIT DEPENDENCIES:

   3.1  The following remedial kit(s) must be installed BEFORE
        installation of this, or any required kit:

        None.

   3.2  In order to receive all the corrections listed in this kit,
        the following remedial kits should also be installed:

        None.

4  KIT DESCRIPTION:

   4.1  Version(s) of OpenVMS to which this kit may be applied:

        OpenVMS Alpha V7.1, V7.1-1H1, V7.1-1H2

   4.2  Files patched or replaced:

        o  [SYSEXE]LOGINOUT.EXE (new image)

5  PROBLEMS ADDRESSED IN ALPLOGI07_071 KIT

   o  The ALPLOGI06_071 documentation correctly stated that the kit
      did not require a re-boot.  However, during installation, the
      user was told that a re-boot was required.

      Aside from this installation message correction, there are no
      new code corrections in this kit.  If you have installed the
      ALPLOGI06_071 remedial kit you do not need to install this kit.

-- COVER LETTER --   Page 2   12 August 1998

6  PROBLEMS ADDRESSED IN ALPLOGI06_071 KIT

   o  Blanks must be stripped from a password prior to OpenVMS
      password validation, which requires a conditioned password
      string, i.e. one that has blanks and control characters removed
      and alphabetic characters uppercased.  The blank-stripping
      feature was broken in OpenVMS V7.1.  The problem occurred for
      interactive login (character cell and DECwindows), OpenVMS and
      external authentication logins, and network logins.

7  PROBLEMS ADDRESSED IN ALPLOGI05_071 KIT

   o  The network login path invokes $CREPRC to run LOGINOUT.EXE and,
      by convention, uses the SYS$OUTPUT and SYS$ERROR logical name
      parameters of $CREPRC to pass network related information to
      LOGINOUT.  Care must be taken in LOGINOUT to protect these
      logical names from being used for normal output operations
      (such as $PUTMSG, printf, etc.)
      until these logical names have been redefined appropriately.
      Undesirable behavior may result if code attempts to assign
      channels to either of these logical names in their
      pre-conditioned state.  External authentication invokes code
      paths that attempt to access these logical names, therefore the
      logical names will be redefined for the duration of external
      authentication call-outs so that channels cannot be assigned to
      them.

8  PROBLEMS ADDRESSED IN ALPLOGI04_071 KIT

   o  Prior to this change, when external authentication was enabled
      and the external authentication service was unavailable, logins
      at the console (OPA0) would succeed using any combination of
      username and password, regardless of the state of the UAF flag
      EXTAUTH, just as if the SYSUAF.DAT file was unavailable or
      corrupt.

      With this change, if external authentication is enabled and the
      external authentication service is unavailable, logins at the
      console will fall back to SYSUAF-based authentication.  In this
      situation, logins will be allowed to any valid VMS account
      whether or not tagged EXTAUTH.  (Allowing local emergency logins
      to EXTAUTH accounts satisfies those sites who may have tagged
      the SYSTEM or operator's account EXTAUTH.)

9  PROBLEMS ADDRESSED IN ALPLOGI03_071 KIT

   o  Unless explicitly permitted by the system manager, a user who is
      flagged for "external authentication" should not be able to
      perform a network login when the external authentication
      returns SS$_INVUSER.

   o  Uppercasing the username and password breaks DCE integrated
      login.  External authentication allows username and password
      fields to be case-sensitive.  In the case of LAN Manager,
      usernames are case-insensitive, passwords are case-sensitive.
      These fields must have their case preserved throughout LOGINOUT
      except when being used to lookup records in the SYSUAF file for
      standard OpenVMS username/password validation.
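
The conditioning rule from section 6 and the case-preservation rule
from section 9, shown together as an added C example.  This is not
code from LOGINOUT or from this kit; the names condition_password,
credential_for and auth_path are hypothetical, and the sample
password is constructed.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Added illustration; names are hypothetical, not LOGINOUT routines. */
enum auth_path { AUTH_SYSUAF, AUTH_EXTERNAL };

/* Condition a password for SYSUAF validation: drop blanks and control
 * characters, uppercase the rest.  Returns length, or -1 if out is small. */
int condition_password(const char *raw, char *out, size_t outlen)
{
    size_t n = 0;
    if (outlen == 0) return -1;
    for (const unsigned char *p = (const unsigned char *)raw; *p; p++) {
        if (*p == ' ' || iscntrl(*p))
            continue;                     /* stripped, never compared */
        if (n + 1 >= outlen) {
            memset(out, 0, outlen);       /* leave no partial secret */
            return -1;
        }
        out[n++] = (char)toupper(*p);
    }
    out[n] = '\0';
    return (int)n;
}

/* Conditioned form for the SYSUAF lookup; byte-for-byte as typed for
 * external authentication, where the password can be case-sensitive. */
int credential_for(enum auth_path path, const char *raw, char *out, size_t n)
{
    size_t len = strlen(raw);
    if (path == AUTH_SYSUAF)
        return condition_password(raw, out, n);
    if (len + 1 > n)
        return -1;
    memcpy(out, raw, len + 1);
    return (int)len;
}

int main(void)
{
    char buf[33];
    const char *typed = "Blue Sky\t7";    /* constructed sample input */
    credential_for(AUTH_SYSUAF, typed, buf, sizeof buf);
    printf("SYSUAF form:   [%s]\n", buf);
    credential_for(AUTH_EXTERNAL, typed, buf, sizeof buf);
    printf("external form: [%s]\n", buf);
    return 0;
}
```

Keeping the typed string untouched and deriving the conditioned copy
only at the SYSUAF comparison is what lets both validation paths
coexist in one login flow.
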

10 PROBLEMS ADDRESSED IN ALPLOGI02_071 KIT

   o  Incorrect User Authorization failures when trying to log on to
      a system.

11 PROBLEMS ADDRESSED IN ALPLOGI01_071 KIT

   o  User accounts get DISUSER flag set when no intrusions are
      present.

12 KIT INSTALLATION RATING:

   The following kit installation rating, based upon current CLD
   information, is provided to serve as a guide to which customers
   should apply this remedial kit.  (Reference attached Disclaimer of
   Warranty and Limitation of Liability Statement)

   INSTALLATION RATING:

   1 : To be installed by all customers (that have not installed the
       ALPLOGI06_071 remedial kit).

13 INSTALLATION INSTRUCTIONS:

   Install this kit with the VMSINSTAL utility by logging into the
   SYSTEM account, and typing the following at the DCL prompt:

   @SYS$UPDATE:VMSINSTAL ALPLOGI07_071 [location of the saveset]

   The saveset location may be a tape drive, or a disk directory that
   contains the kit saveset.

   No reboot is necessary after successful installation of the kit.

Copyright (c) Compaq Computer Corporation, 1998  All Rights Reserved.
Unpublished rights reserved under the copyright laws of the United
States.

The software contained on this media is proprietary to and embodies
the confidential technology of Compaq Computer Corporation.
Possession, use, or dissemination of the software and media is
authorized only pursuant to a valid written license from Compaq
Computer Corporation.

DISCLAIMER OF WARRANTY AND LIMITATION OF LIABILITY

THIS PATCH IS PROVIDED AS IS, WITHOUT WARRANTY OF ANY KIND.  ALL
EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES,
INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR
PARTICULAR PURPOSE, OR NON-INFRINGEMENT, ARE HEREBY EXCLUDED TO THE
EXTENT PERMITTED BY APPLICABLE LAW.
IN NO EVENT WILL COMPAQ BE LIABLE FOR ANY LOST REVENUE OR PROFIT, OR
FOR SPECIAL, INDIRECT, CONSEQUENTIAL, INCIDENTAL OR PUNITIVE DAMAGES,
HOWEVER CAUSED AND REGARDLESS OF THE THEORY OF LIABILITY, WITH RESPECT
TO ANY PATCH MADE AVAILABLE HERE OR TO THE USE OF SUCH PATCH.