An adventure in hacking, sort of...

[altivo]

The VMS operating system was designed for secure corporate environments with many users and network connections to a central machine. I acknowledge this. Unfortunately, it was later promoted and distributed as a workstation environment to run on MicroVAX and later Alpha hardware. I have two Alpha machines, one at home and one at work, that now operate as workstations. The one at home runs OpenVMS.

The default security policies of VMS are draconian. Users are forced to change passwords every 30 days. Passwords may not be dictionary words. Worse, passwords cannot be the same as one previously used, and by default the system remembers the last 60 passwords you have had. That one is nasty for a casual user. As it happens, my VMS system runs without a login for weeks on end. So nearly every time I log in, it makes me change the password to a new nonsense word, and tries to dictate what passwords I can use by offering me a choice of six or so. If I don't like those, it will offer six more, and so on, until I accept one from the list.

This stuff can be disabled, and I thought I had finally disabled it. Nope. Today it made me change my password to a new nonsense word. "No problem," I thought, "I'll just log in as the system admin account and change it back." Under UNIX or Linux that works, because the admin account can assign any password without reference to all those rules.

Wrong again. First of all, when I tried to log in as "SYSTEM" it made me change that password too. Oh good, now I have two meaningless passwords. Determined to fix both, I used admin privileges to override and set the passwords back to my preferred words for both accounts. "Aha," I thought, "I'll just lock these so the user can't change them. That will foil the system from making me change them." Boy, was that wrong.

Log out. Can't log back in on either account. It seems that when I set the passwords, the system automatically set them to "expired" status to force the users to pick new, secure passwords. Only now the users aren't allowed to choose their own passwords. Catch-22. Any attempt to login fails. Now what?

Well, there's usually a way to recover if you lose the master password, right? And that's also the case with VMS, though it involves standing on your head while booting the system, tugging at your right earlobe at just the right moment, and then inserting your left toe someplace unmentionable all in the right sequence. Do it right, and you end up logged into a command prompt on the system console, with admin privileges, and with all other terminals and logins disabled. What we call a "standalone" boot in UNIX or Linux. I had never had to do this, ever, but I eventually found the right sequence of incantations, and made it to the $ prompt. What they don't tell you is that if you make any novice errors at that prompt, you get logged out and have to start all over again. It took me four or five tries before I managed to reset those passwords and really disable the security features (I hope) so that this won't happen again. Not allowing dictionary words as passwords is OK, but I swear that dictionary must be huge because it was disallowing words in Russian, Greek, and Anglo-Saxon as well as English. It didn't like "leetified" words either (changing O to zero and I to one, for instance.)

So a simple task, reboot the Alpha, ended up taking me 90 minutes. The VMS manuals I have are old, and didn't have all the current details I needed. It was fortunate that I had another machine with access to the web, or might still be puzzling over this. Or worse, formatting a hard disk and reinstalling OpenVMS.


On another but similar topic, could someone please explain to me why FA thinks it has to somehow translate PDF or DOC files into HTML in order to "display" them, and since it doesn't know how, it makes you "download" them instead? Every other website in the world just sends a PDF or DOC or RTF file to the user when clicked, after affixing the proper mime type to it. Most browsers know how to use a plug in or internal interpreter to display PDF or RTF right in the browser window. But on FA, they say "Sorry, we aren't able to display that file" and then make you download it to disk and start up a separate application to view it.

I happened to mention this in a forum discussion there. Bad move. Now I've got one of their coders insisting that they are doing it right and I'm wrong. Only I'm not wrong. My browser will display DOC, RTF, and PDF files right in the browser window as long as the correct mime type is passed with the file. Works everywhere else, guys.

Comments

[aerofox.livejournal.com]

Wow, I wish I had your knowledge of VMS.

I do have a DEC Alpha workstation (430 i think) which needs OpenVMS installed on it.
We use OpenVMS to run the facility at work. If I knew more about the system, it might make me more valuable.

I probably talked to you about this before, but I forget....

[altivo.livejournal.com]

Oooh, something I might be able to really help you with.

Here's the trick. You need a license to run OpenVMS, but the license is free to hobbyists. Getting a license and a copy of the installation CD involves another one of those "stand on one foot and put your tongue up your nose" routines, but you can do it. You need to join Encompass US, the HP/Compaq/DEC user group, and if you join as an "associate" it's free. They don't let you vote, but who cares. Then you take your Encompass membership number and your system serial number over to the OpenVMS hobbyist web site, and you can get your free licenses to run just about all the VMS software that still exists. They'll sell you the installation CD for $30.

OpenVMS licenses run for a year at a time, so you have to get a renewal license (also free) each time you are about to expire, and import the license keys into your Alpha. Your Encompass membership stays valid as long as you keep a valid e-mail address on file with them, I think, so renewing your licenses is just a trip to the hobbyist web site and putting in your membership and serial numbers again. They e-mail the license keys to you within a day or so.

The installation and basic configuration I can help with. I can even bring my own installation CD to install from (unfortunately, I can't copy it because I don't have a CD writer on the Alpha... or can I? Maybe I can just treat it as a raw device file on Linux, have to try that...)

[aerofox.livejournal.com]

One guy at work gave me some disks which one should be an install disk. I played around with it briefly, but I wasn't able to figure out how to get it setup to install.

Maybe we can poke it with a stick when you and Casey come down?

[altivo.livejournal.com]

We can give it a try, sure. Probably what's hanging you up is the console commands, which are a language unto themselves. If you check the model number then I may be able to scare up the console reference for it.

Take a look at your installation media and see if there's a version number on it too. If it's older than 7.1 you'd do just as well to start with current stuff. The current version for Alpha is 8.3. You'll still need license keys. I'll look up the URLs where you can register for those and send you an e-mail with them tomorrow.

[bariki.livejournal.com]

Who's laughing now? Every *NIX user on the planet, that's who. At least, those with distributions made after 1994. :P

Please forgive my cruelty. Windows Server 2008 locked me out of my virgin installation this afternoon for no good reason after I reset my password to a 'strong' one (one uppercase + one numeric + at least six other chars). Of course, I just booted from a BartPE CD and replaced the SAM part of the Registry to get around it quickly. Eep. Security: what security?

Are people still actively developing OpenVMS? I thought that it had had a bullet in its head after the DEC/Compaq/HP buyout?

Yep, FA fails at plug-in detection. Perhaps because that might involve writing some code? *shock*

[altivo.livejournal.com]

Well, I'm not sure why UNIX users would laugh at OpenVMS. The OS did what it's supposed to do, I'm the one who goofed up, and even then there was in fact a way out of it. As with nearly anything, if you can physically touch the master console you can get in. The trick is far from obvious, but it's rational nonetheless. You just wouldn't think of using the tools involved in quite that way.

As for FA, I don't think they even need to detect plug-ins. Just send the file with the correct mime type, and the plug-in will activate if present. If not present, the browser will ask the user what to do, and download to disk is one of the standard options it offers. It comes down to the same thing that has always been FA's problem, I think. Inexperienced teenagers doing all the design and coding...

[altivo.livejournal.com]

Oh, I should mention the fact that one of the commands needed to pull off that takeover trick at the console is my very favorite but rarely used VMS command: "spawn" ;p

[altivo.livejournal.com]

Oh, I meant to say. OpenVMS is still chugging along. Version 8.3 (Alpha and IA64 only, no more VAX support) was released just last year. HP is still supporting it actively, though the Alpha is now an extinct platform and I've heard the IA64 isn't long for this world. Hearsay, I don't know that for a fact.

Of course there's active development still going on with MVS 3.8, too. Not at IBM, but there are two "living" branches. One is busily converting all the MVS source into CVS on Sourceforge, I think. The other is trying to achieve 32 bit addressing that will duplicate what IBM did in its systems that are still proprietary, so that object code will execute directly on either OS.

[rustitobuck.livejournal.com]

Let's see if I remember.

> BOOT/R5:1
SYSGEN> SET UAFALTERNATE 1
SYSGEN> ^Z

Username: SYSTEM
Password: MANAGER

$ MC SYSUAF
UAF> MOD SYSTEM/PASSWORD=NEWPASSWORD/NOPWDEXP

close enough?

Anybody that doesn't have hardware can get SIMH. I've run Ultrix on a simulated VAX, and Unix V6 and V7 on simulated PDP-11.

[bariki.livejournal.com]

Epic ^)^

[bariki.livejournal.com]

Hmm, just for the fact that it is OpenVMS is probably enough. It might be just me, but whenever I think of it, I'm reminded of "The VAX Cluster Bomb" - Google it and see. :P

Of course, that makes more sense.

[bariki.livejournal.com]

IA64 - the (T)Itanic processor family - has not had a bullet to the head.. yet. In 2005 the Itanium Solutions Alliance was formed - a club of big players in the Itanium sphere - and they have promised to throw $10bn at Itanium development and adoption by 2010. Last year Intel churned out the Montvale Itanium 2 processor, the second to use its 90nm fabrication process.

However, the end of this much-criticised processor may be in sight. Tukwila, the code-name for the next generation of Itanium processors, is due out later this year, and Intel has already admitted that it has socket compatibility with Xeon, Intel's premier server processors, so its not inconceivable that Intel will merge Itanium into Xeon - speculation, of course, but not too far-fetched. There's already an interface for Itanium 2 on Xeon-based kit, called Intel QuickPath Interconnect, that allows Xeon and Itanium 2 processors to share a common chipset.

So much for old dogs and new tricks. Wonder if this branch's efforts to bring 32-bit addressing will be successful? A useful thing if it works out, but will the enthusiasm be sustained?

[altivo.livejournal.com]

I think that's right for a VAX. ;D

On the AlphaStation with the current OpenVMS you'd have a problem though, because DECWindows would intrude and still try to enforce password management. At least, that's what happened here.

>>>boot -flags 0,1 dka0

SYSBOOT>set/startup opa0:
SYSBOOT>set uafalternate 1
SYSBOOT>set window_manager 0
SYSBOOT>continue

$ spawn
$ @sys$system:startup

$ set def sys$system

At this point, you use sysman to restore the normal boot parameters, then authorize to correct the password situation. Reboot and all should be well.

Or, as I mentioned, if you screw up in sysman or authorize, it logs you off and you get to start all over again after killing the power to make the system reboot. ;p

SIMH is pretty cool. I ran it here before I lucked into the Alpha hardware.

[altivo.livejournal.com]

Heh. I managed VMS and RSX systems back when you were a toddler, son. Ain't nothing wrong with the OS, just the hardware got dated. And I was an MVS system programmer before you were born. So there.

The Alphas run Linux too, and very well. Debian and Gentoo both have Alpha distributions. The one I have here at home is set up for dual boot. OpenVMS is better at number crunching, though. It's optimized to take advantage of the Alpha's capabilities, while Linux still seems to do things the lowest common denominator way.

As far as I know, the native Tru64 UNIX is no longer available by any legitimate means unless you already had a license. Too bad, that.

[altivo.livejournal.com]

I'm not sure how useful these MVS development efforts are. The internecine squabbling is likely to keep them from being productive.

To my perception, it's a folly. MVS 3.8 works just fine in its 24-bit address space. The reason it originally had to expand back in the 80s was not because the program code was getting that huge. It was to handle more volume. More tasks at once, more large I/O buffers. Now that most non-commercial MVS processing runs on multiple small processors under emulation, it's easy to just add another CPU or two.

The issue seems to be the desire of some people to run gcc generated code, which is incredibly bulky and inefficient with memory. It's MVS, folks. It isn't supposed to support a dense graphical environment or anything like that. It's supposed to crunch batch jobs or do forms-based database operations. XD

It's sorta like saying "Hey, we could add a windows-based user environment to CP/M. We just need to expand the address space to 64 Meg, add support for parallel processors, and build S-100 style video hardware." Well, yeah, you could. But why? o.O

[bariki.livejournal.com]

Mm, back in the day. Gotta admit, at least code was slimmer then, not like the bloat squatting on some machines today. I assume that there was not graphical development environment for you to use back then? >;)

I haven't seen Tru64 since my school days. My early school days, at that! Of course, back then I had no idea what it was nor what it was used for. Ahh, ignorance was bliss. :P

[bariki.livejournal.com]

But how are we supposed to get Gnome to run on it without gcc and X?

I know just about bugger all about MVS, but I do know that it wasn't intended to provide a rich user interface. What exactly is the aim of these improvements? Who's gonna use them?

[altivo.livejournal.com]

The Xerox PARC folks hadn't even dreamed of their Star system yet. No one knew what a "graphical development environment" was. We had editors, debuggers, and batch queues. Plush environments had enough memory to let you do interactive debugging. After five years on the job they gave me a color terminal that was capable of displaying graphs for statistical analysis of system activity and efficiency. That was as graphical as it got. That 3279 terminal was so big and heavy it took up half my desk and couldn't be moved without another person to help. The keyboard alone weighed five pounds.

[altivo.livejournal.com]

There's a large community of MVS users still. Most are non-commercial, hobbyists and ex-programmers. The Hercules emulator is so mature and complete it will run any IBM 370 class operating system right up to the present zOS on a typical desktop PC. It's an impressive piece of work, that. You can even hook up real IBM peripherals, hulking line printers and hundred pound terminals, and none of them can tell that it isn't real mainframe iron.

Due to various legal blunders or whatever, several IBM mainframe operating systems from the 1980s have been officially placed in the public domain by IBM itself. MVS 3.8j, the one I first used as a trainee back in 1980, is among them. It's spooky and amusing to start the thing up and have the operator's console, multiple terminals, and printer outputs each appear in their own window and all of them working exactly as they always did.

The installation I worked on had more than 700 user terminals, and a disk and tape farm that occupied two floors of a high rise building. All of it could be duplicated and actually run at full bore on a modern dual core machine with a couple of big drives. It really makes you appreciate how much bloat and waste there is in the typical "modern" desktop OS.

Yeah, some of these guys are thinking in terms of Gnome and KDE, which is kinda silly, because the Hercules emulation already has a Linux implementation if that's what they want. The Linux for IBM 390 systems runs on it just fine. In fact, people have put VM 370 on Hercules, and then run Linux under it as a guest, and then another Hercules host under the Linux, and MVS on that Hercules. This sounds absurd but back when hardware was expensive (like millions of dollars) that was the kind of testing environment we used to get.

However, others have practical goals in mind. IBM mainframes are still out there, though the current editions are about the size of a small file cabinet and ten times more capable than they were 20 years ago. Why use resources on your production box for testing if you can run multiple instances of Hercules on cheap PC hardware to duplicate the production environment for testing purposes?

[cabcat.livejournal.com]

*just stares his eyes glazed over*
Is this trouble worth it o.O

An adventure in hacking, sort of...

[squayle.livejournal.com]

You should check out the VMS FAQ at http://www.hoffmanlabs.com Has the "lost password" script in all its detail.

If you want to run VMS as a hobby, the VMS Hobbyist program can get you licenses and install media: http://www.openvmshobbyist.org

You might also enjoy the VMS watering hole: http://www.openvms.org

You can download a free Alpha emulator at http://www.personalalpha.com

And, if you have a commercial ($$) need, you can get a full-function VAX or Alpha emulator on my web page (http://www.stanq.com/charon-vax.html). [Shameless Plug Alert (tm) - I am a CHARON reseller]

Re: An adventure in hacking, sort of...

[altivo.livejournal.com]

Thanks. It was in fact Steve Hoffman's site that provided the clues I needed, and I have previously used his resources at some length so he was already bookmarked. The instructions that came from the HP documentation site were incomplete, and Hoffman's worked as given. I'm on the OpenVMS hobbyist site, and have hobbyist licenses for both the Alpha and the VAX, in fact.

No commercial needs here, fortunately. My interest in VMS is largely nostalgic, as I ran VAX systems during a previous life back in the 80s. I consider it to be an amazingly well-designed system, but not as easily adapted to today's environments as Linux or FreeBSD variants. I run Linux (Debian) on both my Alphas, exclusively on one and dual boot with OpenVMS on the other.

[altivo.livejournal.com]

For me it's just amusement. ;p Some people play games on computers, I play operating systems.