An adventure in hacking, sort of...
Mar. 23rd, 2008 05:38 pm![[personal profile]](https://www.dreamwidth.org/img/silk/identity/user.png){kind=small}
altivoThe VMS operating system was designed for secure corporate environments with many users and network connections to a central machine. I acknowledge this. Unfortunately, it was later promoted and distributed as a workstation environment to run on MicroVAX and later Alpha hardware. I have two Alpha machines, one at home and one at work, that now operate as workstations. The one at home runs OpenVMS.
The default security policies of VMS are draconian. Users are forced to change passwords every 30 days. Passwords may not be dictionary words. Worse, passwords cannot be the same as one previously used, and by default the system remembers the last 60 passwords you have had. That one is nasty for a casual user. As it happens, my VMS system runs without a login for weeks on end. So nearly every time I log in, it makes me change the password to a new nonsense word, and tries to dictate what passwords I can use by offering me a choice of six or so. If I don't like those, it will offer six more, and so on, until I accept one from the list.
This stuff can be disabled, and I thought I had finally disabled it. Nope. Today it made me change my password to a new nonsense word. "No problem," I thought, "I'll just log in as the system admin account and change it back." Under UNIX or Linux that works, because the admin account can assign any password without reference to all those rules.
Wrong again. First of all, when I tried to log in as "SYSTEM" it made me change that password too. Oh good, now I have two meaningless passwords. Determined to fix both, I used admin privileges to override and set the passwords back to my preferred words for both accounts. "Aha," I thought, "I'll just lock these so the user can't change them. That will foil the system from making me change them." Boy, was that wrong.
Log out. Can't log back in on either account. It seems that when I set the passwords, the system automatically set them to "expired" status to force the users to pick new, secure passwords. Only now the users aren't allowed to choose their own passwords. Catch-22. Any attempt to login fails. Now what?
Well, there's usually a way to recover if you lose the master password, right? And that's also the case with VMS, though it involves standing on your head while booting the system, tugging at your right earlobe at just the right moment, and then inserting your left toe someplace unmentionable all in the right sequence. Do it right, and you end up logged into a command prompt on the system console, with admin privileges, and with all other terminals and logins disabled. What we call a "standalone" boot in UNIX or Linux. I had never had to do this, ever, but I eventually found the right sequence of incantations, and made it to the $ prompt. What they don't tell you is that if you make any novice errors at that prompt, you get logged out and have to start all over again. It took me four or five tries before I managed to reset those passwords and really disable the security features (I hope) so that this won't happen again. Not allowing dictionary words as passwords is OK, but I swear that dictionary must be huge because it was disallowing words in Russian, Greek, and Anglo-Saxon as well as English. It didn't like "leetified" words either (changing O to zero and I to one, for instance.)
So a simple task, reboot the Alpha, ended up taking me 90 minutes. The VMS manuals I have are old, and didn't have all the current details I needed. It was fortunate that I had another machine with access to the web, or might still be puzzling over this. Or worse, formatting a hard disk and reinstalling OpenVMS.
On another but similar topic, could someone please explain to me why FA thinks it has to somehow translate PDF or DOC files into HTML in order to "display" them, and since it doesn't know how, it makes you "download" them instead? Every other website in the world just sends a PDF or DOC or RTF file to the user when clicked, after affixing the proper mime type to it. Most browsers know how to use a plug in or internal interpreter to display PDF or RTF right in the browser window. But on FA, they say "Sorry, we aren't able to display that file" and then make you download it to disk and start up a separate application to view it.
I happened to mention this in a forum discussion there. Bad move. Now I've got one of their coders insisting that they are doing it right and I'm wrong. Only I'm not wrong. My browser will display DOC, RTF, and PDF files right in the browser window as long as the correct mime type is passed with the file. Works everywhere else, guys.
The default security policies of VMS are draconian. Users are forced to change passwords every 30 days. Passwords may not be dictionary words. Worse, passwords cannot be the same as one previously used, and by default the system remembers the last 60 passwords you have had. That one is nasty for a casual user. As it happens, my VMS system runs without a login for weeks on end. So nearly every time I log in, it makes me change the password to a new nonsense word, and tries to dictate what passwords I can use by offering me a choice of six or so. If I don't like those, it will offer six more, and so on, until I accept one from the list.
This stuff can be disabled, and I thought I had finally disabled it. Nope. Today it made me change my password to a new nonsense word. "No problem," I thought, "I'll just log in as the system admin account and change it back." Under UNIX or Linux that works, because the admin account can assign any password without reference to all those rules.
Wrong again. First of all, when I tried to log in as "SYSTEM" it made me change that password too. Oh good, now I have two meaningless passwords. Determined to fix both, I used admin privileges to override and set the passwords back to my preferred words for both accounts. "Aha," I thought, "I'll just lock these so the user can't change them. That will foil the system from making me change them." Boy, was that wrong.
Log out. Can't log back in on either account. It seems that when I set the passwords, the system automatically set them to "expired" status to force the users to pick new, secure passwords. Only now the users aren't allowed to choose their own passwords. Catch-22. Any attempt to login fails. Now what?
Well, there's usually a way to recover if you lose the master password, right? And that's also the case with VMS, though it involves standing on your head while booting the system, tugging at your right earlobe at just the right moment, and then inserting your left toe someplace unmentionable all in the right sequence. Do it right, and you end up logged into a command prompt on the system console, with admin privileges, and with all other terminals and logins disabled. What we call a "standalone" boot in UNIX or Linux. I had never had to do this, ever, but I eventually found the right sequence of incantations, and made it to the $ prompt. What they don't tell you is that if you make any novice errors at that prompt, you get logged out and have to start all over again. It took me four or five tries before I managed to reset those passwords and really disable the security features (I hope) so that this won't happen again. Not allowing dictionary words as passwords is OK, but I swear that dictionary must be huge because it was disallowing words in Russian, Greek, and Anglo-Saxon as well as English. It didn't like "leetified" words either (changing O to zero and I to one, for instance.)
So a simple task, reboot the Alpha, ended up taking me 90 minutes. The VMS manuals I have are old, and didn't have all the current details I needed. It was fortunate that I had another machine with access to the web, or might still be puzzling over this. Or worse, formatting a hard disk and reinstalling OpenVMS.
On another but similar topic, could someone please explain to me why FA thinks it has to somehow translate PDF or DOC files into HTML in order to "display" them, and since it doesn't know how, it makes you "download" them instead? Every other website in the world just sends a PDF or DOC or RTF file to the user when clicked, after affixing the proper mime type to it. Most browsers know how to use a plug in or internal interpreter to display PDF or RTF right in the browser window. But on FA, they say "Sorry, we aren't able to display that file" and then make you download it to disk and start up a separate application to view it.
I happened to mention this in a forum discussion there. Bad move. Now I've got one of their coders insisting that they are doing it right and I'm wrong. Only I'm not wrong. My browser will display DOC, RTF, and PDF files right in the browser window as long as the correct mime type is passed with the file. Works everywhere else, guys.
![[identity profile]](https://www.dreamwidth.org/img/silk/identity/openid.png){kind=small}
no subject
Date: 2008-03-24 11:24 am (UTC)The Alphas run Linux too, and very well. Debian and Gentoo both have Alpha distributions. The one I have here at home is set up for dual boot. OpenVMS is better at number crunching, though. It's optimized to take advantage of the Alpha's capabilities, while Linux still seems to do things the lowest common denominator way.
As far as I know, the native Tru64 UNIX is no longer available by any legitimate means unless you already had a license. Too bad, that.
no subject
Date: 2008-03-25 08:38 am (UTC)I haven't seen Tru64 since my school days. My early school days, at that! Of course, back then I had no idea what it was nor what it was used for. Ahh, ignorance was bliss. :P
no subject
Date: 2008-03-25 10:51 am (UTC)