LEICHTER@VENUS.YCC.YALE.EDU ("Jerry Leichter ", LEICHTER-JERRY@CS.YALE.EDU) (01/28/88)
Recent notes on these lists have reported a "bug" in VMS, in which a failed login attempt can cause the username being logged into to be reported at the system console. Since it's a common error for a typist to get "out of sync" with the prompts and enter his password for his username, this can reveal a password.

The "bug", however, is in a faulty - and foolish - setting of a VMS parameter at the site involved. VMS will log the actual username typed in EXACTLY one case: when it has decided that an attempted breakin may be in progress at the terminal. It so decides when it sees more than L failed login attempts from the same source within T seconds. L is normally 5, and T is normally 300. "The same source" specifies a physical source - a terminal line or a specific remote network node - and, optionally, a particular username.

The site at issue here had set L to either 1 or 2 - the message was ambiguous, since it said "2" but then described a scenario in which the second attempt to log in caused a message with the username to be logged, which would imply that L was actually 1. In any case, both 1 and 2 are absurd choices; they are presuming a breakin attempt as the result of ONE typo! Apparently the system manager at this site doesn't understand the various elements of the VMS login security system. For example, if his goal was simply to get a security alarm on a failed login, he could have done that directly (SET AUDIT/ENABLE:LOGFAIL). Those alarm messages do not contain the username.

To answer two obvious questions:

- Why include the username information at all, ever? It's needed sometimes. If you came in on Monday and found a record of several hundred failed attempts to log in, wouldn't you think it important to know which accounts had been the targets? Obviously, there are risks in recording this information; but there are also risks in NOT recording it. VMS tries to balance them by only logging this information in situations that are very unlikely to arise accidentally. You can change the balance any way you like. This site had unwittingly changed the balance to "record very often".

- Why log the information to the console, "where everyone can see it", rather than only to a log file? A log file can be altered; it's much harder to alter a paper record. If you really don't want security messages to appear on the console, you can disable them (REPLY/DISABLE:SECURITY). In any case, a site seriously concerned with security must provide physical security for its console terminal!

I've seen more harm done by security managers who didn't understand basic security issues than by almost any other single group. If you manage security on a VMS system, read the "Guide to VAX/VMS System Security", CAREFULLY, before you start screwing around with the VMS security systems. Then read it AGAIN, and really understand what you are trying to accomplish and what the side-effects will be, before you start changing defaults that are not haphazard but the result of some thought, design, and review.

-- Jerry
-------
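As an added illustration, not part of Jerry's post and not VMS code, here is a small Python model of the threshold logic he describes: a source is flagged as a possible breakin only when it has produced more than L failures within T seconds, and only a flagged event carries the typed username into the alarm record. The class name `BreakinDetector`, the per-source sliding window, and the scenario in `simulate_out_of_sync_typo` are assumptions made for the example (VMS's real data structures are not on the page); the terminal name, account name and the "secret typed at the username prompt" are constructed sample values. Running the scenario with L=5 versus L=1 shows why a threshold of 1 turns a single out-of-sync typo into a console record of the mistyped secret, and why the plain failure audit (no username) is the right tool if all you want is to know that a login failed.

```python
from collections import deque


class BreakinDetector:
    """Models 'more than L failures from one source within T seconds'.

    limit  = L (assumed default 5, as in the post)
    window = T in seconds (assumed default 300, as in the post)
    """

    def __init__(self, limit=5, window=300.0):
        self.limit = limit
        self.window = window
        self._failures = {}      # source -> deque of failure timestamps
        self.breakin_alarms = [] # records that DO carry the typed username
        self.logfail_audit = []  # plain failure audit: source and time only

    def record_failure(self, source, typed_username, now):
        """Register one failed login. Returns True if a breakin alarm fired."""
        # The LOGFAIL-style audit never includes what was typed as the username.
        self.logfail_audit.append({"source": source, "time": now})

        q = self._failures.setdefault(source, deque())
        q.append(now)
        # Drop failures older than the window so only recent ones count.
        while q and now - q[0] > self.window:
            q.popleft()

        if len(q) > self.limit:
            # Only here does the typed username reach the alarm record.
            self.breakin_alarms.append(
                {"source": source, "username": typed_username, "time": now}
            )
            return True
        return False


# Constructed sample values for the scenario below.
TERMINAL = "TTA3"
ACCOUNT = "SMITH"
SECRET_AT_PROMPT = "<secret-typed-at-username-prompt>"


def simulate_out_of_sync_typo(limit, window=300.0):
    """One user mistypes a password, then gets out of sync with the prompts
    and types the password at the Username: prompt. Returns the usernames
    that ended up in breakin alarm records (ideally none)."""
    d = BreakinDetector(limit=limit, window=window)
    d.record_failure(TERMINAL, ACCOUNT, 0.0)            # bad password
    d.record_failure(TERMINAL, SECRET_AT_PROMPT, 5.0)   # out of sync
    return [a["username"] for a in d.breakin_alarms]


if __name__ == "__main__":
    for L in (5, 2, 1):
        print(f"L={L}: usernames recorded in alarms -> "
              f"{simulate_out_of_sync_typo(L)}")
```

With the defaults the two failures never exceed L, so nothing but the username-free audit records is written; with L=1 the second failure is "more than L" and the record that reaches the console contains whatever was typed at the prompt.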