HP OpenVMS Guide to System Security: OpenVMS Version 8.4 > Chapter 3 Using the System ResponsiblyTypes of Logins and Login ClassesLogins can be either interactive or noninteractive. When you log in interactively, you enter an OpenVMS user name and a password. In noninteractive logins, the system performs the identification and authentication for you; you are not prompted for a user name and password. (The term interactive, as used here, differs from an interactive mode process defined by the DCL lexical function F$MODE(). For a description of the F$MODE function, see the HP OpenVMS DCL Dictionary.) In addition to interactive and noninteractive logins, the OpenVMS operating system recognizes different classes of logins. How you log in to the system determines the login class to which you belong. Based on your login class, as well as the time of day or day of the week, the system manager controls your access to the system. Interactive logins include the following login classes:
If you are an externally authenticated user, you log in by entering your external user ID and password at the OpenVMS login prompts. Your external user ID may or may not be the same as your OpenVMS user name. See “Enabling External Authentication” for more information on logging in with external authentication enabled on your system. When you log in from a terminal that is directly connected to a computer, the OpenVMS system displays informational system messages. “Local Login Messages” illustrates most of these messages. Example 3-1 Local Login Messages
The preceding example illustrates the following:
A security administrator can suppress the announcement and welcome messages, which include node names and operating system identification. Because login procedures differ from system to system, it is more difficult to log in without this information. The last login success and failure messages are optional. Your security administrator can enable or disable them as a group. Sites with medium-level or high-level security needs display these messages because they can indicate break-in attempts. In addition, by showing that the system is monitoring logins, these messages can be a deterrent to potential illegal users. Each time you log in, the system resets the values for the last successful login and the number of login failures. If you access your account interactively and do not specify an incorrect password in your login attempts, you may not see the last successful noninteractive login and login failure messages. Noninteractive logins include network logins and batch logins. The system performs a network login when you start a network task on a remote node, such as displaying the contents of a directory or copying files stored in a directory on another node. Both your current system and the remote system must be nodes in the same network. In the file specification, you identify the target node and provide an access control string, which includes your user name and password for the remote node. For example, a network login occurs when user Greg, who has an account on remote node PARIS, enters the following command:
This command displays a listing of all the files in the public directory on disk WORK2. It also reveals the password 8G4FR93A. A more secure way to perform the same task would be to use a proxy account on node PARIS. For an example of a proxy login, see “Using Proxy Login Accounts to Protect Passwords”. The system performs a batch login when a batch job that you submitted runs. Authorization to build the job is determined at the time the job is submitted. When the system prepares to execute the job, the job controller creates a noninteractive process that logs in to your account. No password is required when the job logs in. |