LOGCTL command: Modifying user ID entries in the password table

From m204wiki

Summary

Privileges: System manager
Function: Adds, deletes, or changes login user ID entries in the password table

Syntax

LOGCTL [{NP | P} CMS] | [{A | D | C} userid [NOEXPIRE]]

Where:

  • NP CMS specifies that Model 204 bypass password prompts for z/VM users. P CMS reinstitutes password prompts for z/VM users. Refer to Bypassing password prompts for information on the automatic login facility under z/VM.
  • A, D, or C specifies to add, delete, or change, respectively, a login user ID.
  • userid is the name, one to ten characters long, of the login user ID to be added, deleted, or changed.
  • NOEXPIRE allows the specified userid a password that does not expire, regardless of the settings of the security parameters, PWDEXP and PWDWARN.

    Note: If you issue a LOGCTL C command and do not change the password, the expiration status is unchanged. If the password is changed, it will expire unless NOEXPIRE is specified. The NOEXPIRE option is an attribute associated with a specific password.

Usage notes

The system manager can change any of the following specifications in a login user ID entry:

  • Password
  • User privileges
  • Priority
  • Terminal list

When a login user ID entry is being changed, all responses are optional.

Changing a user ID entry

The LOGCTL command adds, deletes, or changes login user ID entries in the password table. If add (A) or change (C) is specified, Model 204 prompts for information as shown in the following dialog:

LOGCTL A USER1
*** M204.0374: ENTER PASSWORD,PRIVILEGES,PRIORITY
password,X'pp',priority
*** M204.2633: RE-ENTER NEW PASSWORD
password
*** M204.0379: ENTER TERMINAL LIST, ALL, NONE, ADD, DEL OR RETURN
ALL
USER1 X'FF' HIGH ALL
*** M204.0376: PARAMETERS ACCEPTED
*** M204.0345: CCASTAT UPDATED

Syntax for command dialog

  • In response to the M204.0374 prompt (see example above):

    password [,X'pp'] [,priority]

    Note: If the system manager omits an entry (comma retained to denote an omitted entry), the system does not supply the default but preserves the corresponding entry in the password table. For example:

    LOGCTL C USER1 newpw,,HIGH

    If the privilege byte is X'01' in the password table for USER1, and if a privilege byte is not specified in the command (denoted by comma placement), Model 204 preserves the privilege byte of X'01' and does not replace it with the default of X'00'. This is true also for password and priority.

    Additional valid examples of omitted entries follow:

    ,X'01',HIGH
    newpw,X'01',
    newpw,X'01'
    ,,HIGH

  • In response to the M204.0379 terminal list prompt (see example above):

    {terminal [,terminal...] | ALL | NONE | ADD terminal [,terminal...] | DEL terminal [,terminal...]}

Arguments for the responses to the command prompts

password The user's password:
  • May contain one to eight characters (Model 204 version 7.6 or earlier).
  • May contain one to 127 characters (Model 204 version 7.7 or later).
  • May not contain commas. However, commas are allowed when the password is changed with the LOGONCP command or the $Sir_Login function.
  • May contain blanks and special characters. However, leading and trailing blanks are stripped.

If the Password Expiration feature is installed, the user's password must:

  • Not be the same as the USERID value, the current password, or the previous password.
  • Be six, seven, or eight characters long (Model 204 version 7.6 or earlier), or be at least six characters long and up to a maximum of 127 characters (Model 204 version 7.7 or later).
  • Begin with an alphabetic character.
  • Include at least one numeric character.

If the Password Expiration feature has been installed at your site, the following message is issued to confirm your password:

M204.2633: RE-ENTER NEW PASSWORD

pp A one-byte representation of the user's privileges. The default privileges are X'00'. The privilege byte can be any combination of the settings (in hexadecimal) shown in the following table.
    Setting   User is allowed to...
    X'80'     Create a file with the CREATE command (Superuser privileges).
    X'40'     Issue certain privileged commands (System administrator privileges). Such commands include LOGWHO, MONITOR, PRIORITY, WARN, and so on.
    X'20'     Change the file password when it is used to open a file.
    X'10'     Change the login password when logging into the system.
    X'08'     Issue certain privileged commands such as LOGCTL, DUMPG, and IFAMDRAIN (System manager privileges).
    X'04'     Override record security.
priority One of the following:
  • NONE (the default)
  • LOW
  • STANDARD
  • HIGH
terminal The number of a terminal from which a user can issue a LOGIN command for this user ID.
  • If the system manager presses <Return> in response to the TERMINAL LIST prompt, Model 204 assumes a default of ALL terminals.
  • If an installation does not use terminal security features, the system manager must enter ALL or allow Model 204 to supply the default terminal setting.
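As an added example (not code from m204wiki or from Model 204 itself), the following Python models the reply syntax for the M204.0374 prompt, the rule that an omitted entry (comma kept in place) preserves the stored value instead of taking the default, the privilege byte table above, and the checks the page lists for sites with the Password Expiration feature. The version threshold and the exact-string reuse comparison are assumptions, as are all function names.

```python
import re

PRIORITIES = ("NONE", "LOW", "STANDARD", "HIGH")
PRIV_BITS = {  # settings of the privilege byte, from the table on this page
    0x80: "create files with CREATE (Superuser)",
    0x40: "privileged commands such as LOGWHO, MONITOR (System administrator)",
    0x20: "change the file password when opening a file",
    0x10: "change the login password when logging in",
    0x08: "LOGCTL, DUMPG, IFAMDRAIN (System manager)",
    0x04: "override record security",
}

def parse_response(text):
    """Split a reply to M204.0374 into (password, priv_byte, priority). An omitted
    entry (comma kept in place) comes back as None, meaning 'keep the current value'."""
    fields = [f.strip() for f in text.split(",")]  # passwords here cannot contain commas
    if len(fields) > 3:
        raise ValueError("at most three entries: password,X'pp',priority")
    pw, priv, prio = fields + [""] * (3 - len(fields))
    m = re.fullmatch(r"X'([0-9A-Fa-f]{2})'", priv) if priv else None
    if priv and not m:
        raise ValueError("privileges must be written as X'pp'")
    if prio and prio.upper() not in PRIORITIES:
        raise ValueError("priority must be one of " + ", ".join(PRIORITIES))
    return (pw or None, int(m.group(1), 16) if m else None, prio.upper() or None)

def apply_change(entry, response):
    """LOGCTL C semantics: only entries actually supplied replace the stored ones."""
    new = dict(entry)
    for key, val in zip(("password", "priv", "priority"), parse_response(response)):
        if val is not None:
            new[key] = val
    return new

def privileges(priv_byte):
    """Decode a privilege byte into the capabilities the table grants for each bit."""
    return [desc for bit, desc in PRIV_BITS.items() if priv_byte & bit]

def expiring_password_problems(pw, userid, current=None, previous=None, version=7.7):
    """Rules this page lists for sites with the Password Expiration feature installed.
    Reuse is checked by exact comparison (an assumption; the page states no case rule)."""
    max_len = 127 if version >= 7.7 else 8  # 6..8 up to 7.6, 6..127 from 7.7
    checks = [
        (6 <= len(pw) <= max_len, "length must be 6 to %d characters" % max_len),
        (pw not in (userid, current, previous), "same as userid, current or previous password"),
        (pw[:1].isalpha(), "must begin with an alphabetic character"),
        (any(c.isdigit() for c in pw), "must include a numeric character"),
    ]
    return [msg for ok, msg in checks if not ok]
```

Note that a stored privilege byte of X'00' is still an explicit value: apply_change only keeps the old entry when the field is omitted, not when X'00' is typed.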

Mixed-case passwords

Mixed-case passwords improve login security. They are supported for:

  • Logins via the RACF, ACF2, and TOP SECRET interfaces
  • Logins using CCASTAT passwords

To enable mixed-case login password support, set the CUSTOM parameter in CCAIN.

To store a mixed-case login password in CCASTAT, specify the *LOWER command before any LOGCTL command that adds or changes a login password.

CCASTAT passwords can never be displayed, so if a user's password is rejected, use the LOGCTL command to change that user's password and try again.

Note: Mixed-case passwords are not supported for files. Lowercase passwords stored in CCASTAT for files can never be used to open a file or file group.

Example of adding a logon ID with lowercase password

To use passwords containing lowercase characters, the Online environment must have a CUSTOM=11 parameter setting in the CCAIN parameter stream:

//CCAIN DD *
LOGADD=200,CUSTOM=11

Note: With this setting in place, automatic translation of password strings into uppercase is disabled. Any existing passwords that were saved in uppercase would need to be entered in uppercase.

To add a login ID (always translated to upper case) and a password with lowercase characters, issue the following:

LOGIN SYSADMIN password
*********************************************************
* Ensure CUSTOM=11 is set and caps lock is off
*********************************************************
* Add new login id and password with lowercase characters
*********************************************************
LOGCTL A NEWID
*** M204.0374: ENTER PASSWORD,PRIVILEGES,PRIORITY
MiXCaSe,X'10',STANDARD
*** M204.0379: ENTER TERMINAL LIST, ALL, NONE, ADD, DEL, OR RETURN
ALL
NEWID X'10' STANDARD ALL
*** M204.0376: PARAMETERS ACCEPTED
*** M204.0345: CCASTAT UPDATED
*********************************************************
* Login with new Login ID
*********************************************************
LOGIN NEWID MiXCaSe

Using the NOEXPIRE parameter

If after running the ZCTLTAB utility you want to maintain some user IDs with passwords that do not expire, you must include the NOEXPIRE parameter in every LOGCTL command that makes any other change to that user ID. Otherwise, the user ID and password become subject to expiring like all other accounts.

The corollary action is also true: if you want to reset a user ID so that the password is subject to expiring, simply execute a LOGCTL command for that user ID omitting the NOEXPIRE parameter.

Understanding the password creation date

The password creation date is the basis for calculating the warning, expiration, and purge periods. If you issue a LOGCTL C command against a user ID and do not change the password, the password creation date is not changed.

The exception to this rule is when the NOEXPIRE keyword is specified; the date calculations are then irrelevant.

Handling expired passwords

When a user ID is suspended because the password expired or too many successive incorrect passwords were entered, the system manager may reactivate the user ID by issuing the LOGCTL command to change the password for the user ID.

A password is required when changing a login entry that has been revoked or has expired. If the system manager attempts to change another login user ID option without entering a password, the following message is issued and the command is rejected:

M204.2641: A NEW PASSWORD MUST BE ENTERED: THE CURRENT ONE {HAS EXPIRED | WAS REVOKED}