Password Phrases

A traditional password in VM is a single word of up to eight uppercase characters. If a traditional password is entered in lowercase, the system translates it to uppercase before matching it to the stored version.
vmx32besp
A
traditional password
in VM is a single word of up to eight uppercase characters. If a traditional password is entered in lowercase, the system translates it to uppercase before matching it to the stored version.
A
password phrase
is a mixed-case string of up to 200 characters. The password phrase can contain any character, including binary data from X’00’ to X’FF’.
VM:Secure
places no limits on the character set of a password phrase. However, terminal input devices might impose such limitations. To enter a password phrase from a keyboard, the phrase must contain only characters that are available on that keyboard. Binary data can still be placed into password phrases, but only by using programming interfaces.
Because
VM:Secure
must simultaneously support both password styles, it uses the length as the differentiating characteristic. A string of eight characters or less is treated as a traditional password and must obey the syntax of that type. Such a password must not contain blanks, and is translated to uppercase before it is verified. Strings longer than eight characters are treated as password phrases, with all the flexibility of that format. The term
password
in this section refers to either
traditional passwords
or
password phrases
.
This section describes how to configure and use support for password phrases. Support for traditional eight-character passwords is compatible with previous releases of VM. Password phrase support must be explicitly configured to be enabled, so that it can be introduced in a controlled manner.
Contents
2
Entering Password Phrases
Password phrases are entered from your keyboard either:
  • As a response to a password prompt from CP or
    VM:Secure
  • On the CP LOGON command line
  • Or on a
    VM:Secure
    screen
IBM has developed certain conventions for entering this information.
  • If the password contains leading or trailing blanks, it must be enclosed in single quotes. Blanks outside of the quotes are ignored, but any within the quotes are considered part of the password.
  • If the password starts with a single quote, it must be enclosed in single quotes.
  • A password must be enclosed in quotes if it contains any embedded blanks and it is being entered as part of a CP LOGON command line.
  • When enclosing a password in single quotes, any single quotes that are part of the password must be doubled.
  • A password can be enclosed in single quotes, even when it is not necessary according to the preceding rules.
In previous
VM:Secure
releases, the LOGONBY Facility allowed a LOGON password prompt response to be a string of the form BY/
byuserid
/
password
. This form is no longer supported by
VM:Secure
. Instead, use the BY operand on the CP LOGON command, or specify the single token ‘BY’ as your response, to be prompted for the
byuserid
and
password
.
Installing Password Phrase Support
Password phrase support must be explicitly enabled. Some existing
VM:Secure
interfaces might require minor modifications.
Enabling Password Phrases
To enable the use of password phrases, add a PWPHRASE statement to the ENABLE record in the SECURITY CONFIG file. For more information, see ENABLE Record.
Updating User Exits
If you use any of the five password-related user exit routines, they must be updated to work correctly with password phrase support. These user exits are PASSWORD, PASSCHNG, CHKPASS, USERPASS, and TERMPASS. All these exits take passwords as parameters. If a password phrase is being passed to any of these exits, it must be enclosed in single quotes, according to the rules outlined earlier in this page. The sample REXX exits include sample code for extracting the parameter values when a password parameter is presented as a quoted string. The quoted password phrase is passed to assembler versions of these exits in the CMS Extended PLIST structure. Review your user exit coding for any other minor modifications that might be necessary to support password phrases.
AUTOPASS Configuration Record Is Not Supported
The AUTOPASS configuration record is not supported when password phrase support is being used. Remove this record from your configuration. To remove the record:
  • Determine the value of the AUTOPASS token from the SECURITY CONFIG file with the CONFIG Command.
  • Use the SCAN command to locate any user directory entries or profile entries which specify the AUTOPASS token as a minidisk password. For an AUTOPASS value of LOGPASS, perform these scans to look for any READ, WRITE, or MULTWRITE passwords with the value LOGPASS:
    vmsecure
    scan mdisk * * * * * * logpass
    vmsecure
    scan mdisk * * * * * * * logpass
    vmsecure
    scan mdisk * * * * * * * * logpass
  • Assign new values to these minidisk passwords.
  • Remove the AUTOPASS statement from the SECURITY CONFIG file with the CONFIG command.
Storing Password Phrases
Password phrases are stored as special comment records in a user directory entry. They are compiled into the CP object directory. Thus, password phrases can be used even if the
VM:Secure
server is down.
Password Phrase Special Comment Records
Password phrase values are stored in the user directory entry source files as special comment records of the form *PW00= hex digits. Any manual modification of these records is unsupported. Such modifications could result in the inability to log on with the modified user ID directory entry. Additional records, beginning with *PW01=, *PW02=, and so on, are used to track previously used passwords. A default of eight previous passwords is kept for each user. Alternatively, you can specify the number to be kept with the MAXOLDPW configuration file?record. Password history is made available to your PASSWORD user exit routine.
To maintain user passwords, use only the
VM:Secure
password management interfaces.
Password Phrase Storage Location
Passwords are stored in the CP object directory entries. Therefore password phrases can be used even if the
VM:Secure
server is down. A password phrase is different from the traditional password stored on the USER statement in the source directory entry. The traditional password or password phrase that is specified in the *PW00= records is the true password. Under normal circumstances, the password token on the USER statement is not checked. In an emergency, however, you might have to use the IBM DIRECTXA command to create a working object directory from a USER DIRECT file. (This file is created with the VMXBKP01 Utility. In such a case, not all password phrase information would be present in the object directory. Therefore, the USER statement password token would be used to log on as part of your system recovery procedures.
Password Phrase System Management
All
VM:Secure
interfaces for password management and verification have been extended to support password phrases. You use the same commands and screens as were used for traditional password management. These facilities now all accept password phrases in any place where traditional passwords were used in previous releases. These commands and user exits are described in Command Reference and User Exit Reference.
Using the PASSWORD Command
The PASSWORD command allows password phrases to be specified in response to prompts for passwords. The PASSWORD command prompts for entry of a new password in two situations:
  • When a question mark character (?) is specified as the new password positional parameter, the command reads the password from the program stack. If stacked lines are not present, the command reads the password from the terminal.
  • When the TERM option is specified, the command reads the new password directly from the terminal. In this case, any information in the program stack is bypassed.
If the PASSWORD command prompts for a new password, the new password text is not displayed on the
VM:Secure
server console log.
Using the MAINT PASSWORD Command
A password phrase is accepted in response to the password prompt issued by the execution of the MAINT PASSWORD command. The same response must be entered to verify a password before it is accepted.
User Exits
The PASSWORD, PASSCHNG, CHKPASS, TERMPASS, and USERPASS user exits can accept password arguments, which must be enclosed in single quotes.
For more information, see Installing Password Phrase Support.
Changing Password Phrases During LOGON
When one of the following conditions is true, you are prompted to change your password during the LOGON process:
  • You are logging on to a user ID for the first time.
  • Your password has expired.
  • You specified the CHANGE option on the CP LOGON command.
You can specify a password phrase when you are prompted to enter a new password. Enter the same information when you are prompted to verify the new password.
Verifying Your Identity When Issuing
VM:Secure
Commands
To verify that
VM:Secure
commands are not being issued from an unattended terminal,
VM:Secure
might prompt you for your LOGON password before it executes the
VM:Secure
command. Your password phrase is accepted as input to this prompt.
USER/MANAGE Screen USE00080
Screen USE00080 is displayed from the USER or MANAGE screen menus. The portion of the screen where the password is entered has been enlarged to allow the entry of a maximum-length password phrase.
Password Phrase Application Programming Interfaces
Two application programming interfaces (APIs) are available for verification and assignment of password phrases under program control.
Password Verification
Password phrases can be verified using the IBM Diagnose X’88’ with subcode X’08’. This instruction is documented in the section on IBM-supplied Diagnose codes in the
CP Programming Services
guide for your release of VM. You can use two methods to authorize a server to use Diagnose X’88’ subcode X’08’. The first method is to define a new DIAG88 system level rule.
If no DIAG88 rule is found, the system checks for an OPTION DIAG88 statement in the directory entry for the issuing user ID.
For CMS applications, the DMSPASS CSL routine is the preferred application interface for password phrase authentication. DMSPASS CSL uses Diagnose X’88’ subcode X’08’ to perform the verification. IBM-supplied TCP/IP servers such as the FTP server exploit DMSPASS verification.
The older Diagnose X’A0’ subcode X’04’ interface is still supported for verification of traditional passwords. However, you can configure password phrase support so that Diagnose X’88’ subcode 8 verifies traditional passwords.
More information:
Password Update
Password phrases can be updated under program control using a new interface -- Diagnose X’A0’ subcode X’60’. The parameter list for this instruction allows 200-character binary password phrases to be specified. This capability is authorized for use by servers with a system-level PASSCHNG rule.