LOGCTL command: Modifying user ID entries in the password table
Summary
- Privileges: System manager
- Function: Adds, deletes, or changes login user ID entries in the password table
Syntax
LOGCTL {{NP | P} CMS | {A | D | C} userid [NOEXPIRE]}
Where:
- NP CMS specifies that Model 204 bypass password prompts for z/VM users.
- P CMS reinstitutes password prompts for z/VM users. Refer to Bypassing password prompts for information on the automatic login facility under z/VM.
- A, D, or C specifies to add, delete, or change, respectively, a login userid.
- userid is the name, one to ten characters long, of the login user ID to be added, deleted, or changed.
- NOEXPIRE allows the specified userid a password that does not expire, regardless of the settings of the security parameters, PWDEXP and PWDWARN.
Note: If a user issues a LOGCTL C command and does not change the password, the expiration status is unchanged. If the password is changed, then it will expire unless NOEXPIRE is specified. The NOEXPIRE option is an attribute associated with a specific password.
Usage notes
The system manager can change any of the following specifications in a login user ID entry:
- Password
- User privileges
- Priority
- Terminal list
When a login user ID entry is being changed, all responses are optional.
Changing a user ID entry
The LOGCTL command adds, deletes, or changes login user ID entries in the password table. If add (A) or change (C) is specified, Model 204 prompts for information as shown in the following dialog:
*** M204.0374: ENTER PASSWORD, PRIVILEGES, PRIORITY
password, X'pp', priority
*** M204.2633: RE-ENTER NEW PASSWORD
password
*** M204.0379: ENTER TERMINAL LIST, ALL, NONE, ADD, DEL OR RETURN
Additional syntax
{terminal [,terminal...] | ALL | NONE | ADD terminal [,terminal...] | DEL terminal [,terminal...]}
userid X'pp' priority terminal
*** M204.0376: PARAMETERS ACCEPTED
*** M204.0345: CCASTAT UPDATED
Where:
- password: The user's password may contain:
  If the Password Expiration feature has been installed, the user's password must:
  If the Password Expiration feature has been installed at your site, the following message is issued to confirm your password: M204.2633: RE-ENTER NEW PASSWORD
- pp: A one-byte representation of the user's privileges. The default privileges are X'00'. The privilege byte can be any combination of the settings (in hexadecimal) shown in the following table.
- priority: One of the following:
- terminal: The number of a terminal from which a user can issue a LOGIN command for this user ID.
Usage notes
Mixed-case passwords
Mixed-case passwords improve login security. They are supported for:
- logins via the RACF, ACF2 and TOP SECRET interfaces, and
- logins using CCASTAT passwords.
To enable mixed-case login password support, set the CUSTOM parameter in CCAIN. For more information, see CUSTOM: Using customized parameters.
To store a mixed-case login password in CCASTAT, specify the *LOWER command before any LOGCTL command that adds or changes a login password.
CCASTAT passwords can never be displayed, so if a user's password is rejected, use the LOGCTL command to change that user's password and try again.
Note: Mixed-case passwords are not supported for files. Lowercase passwords stored in CCASTAT for files can never be used to open a file or file group.
Example of lowercase login and password
To use passwords containing lowercase characters, the Online environment must have a CUSTOM parameter setting that includes '11' in the CCAIN parameter stream:
//CCAIN DD *
LOGADD=200,CUSTOM=11
Note: With this setting in place, automatic translation of password strings into uppercase is disabled. Any existing passwords that were saved in uppercase would need to be entered in uppercase.
To add a login id and a password with lowercase characters, issue the following:
LOGIN SYSADMIN
MYLPSWD
*********************************************************
* Deactivate automatic translation of lowercase characters
* to uppercase characters
*********************************************************
*LOWER
*********************************************************
*** Add new login id and password with lowercase characters
*********************************************************
LOGCTL A NEWLID
*** M204.0374: ENTER PASSWORD,PRIVILEGES,PRIORITY
MiXCaSe,X'10',STANDARD
*** M204.0379: ENTER TERMINAL LIST, ALL, NONE, ADD, DEL, OR RETURN
ALL
*********************************************************
* Activate automatic translation of lowercase characters
* to uppercase characters
*********************************************************
*UPPER
*********************************************************
* Login with new Login ID
*********************************************************
LOGIN NEWLID
MiXCaSe
Using the NOEXPIRE parameter
If after running the ZCTLTAB utility you want to maintain some user IDs with passwords that do not expire, you must include the NOEXPIRE parameter in every LOGCTL command that makes any other change to that user ID. Otherwise, the user ID and password become subject to expiring like all other accounts.
The converse is also true: if you want to reset a user ID so that the password is subject to expiring, simply execute a LOGCTL command for that user ID omitting the NOEXPIRE parameter.
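The following audit of a LOGCTL input stream checks for the two pitfalls described above: a mixed-case password entered without *LOWER in effect, and a NOEXPIRE user ID changed without repeating NOEXPIRE. It is an added example, not Model 204 code. The stream layout (operator input only, the password reply on the line after the command, an empty first field meaning no new password), the name audit_logctl, and all user IDs and passwords are constructed assumptions.

```python
import re

# Constructed input stream: operator input only, no M204 prompts or terminal replies.
SAMPLE_STREAM = """\
LOGCTL A SVCBATCH NOEXPIRE
S3CRET01,X'00',STANDARD
LOGCTL C SVCBATCH
,X'10'
*LOWER
LOGCTL A NEWLID
MiXCaSe,X'10',STANDARD
*UPPER
LOGCTL C JSMITH
NewPass9
LOGCTL C SVCBATCH
CHANGED02
LOGCTL D OLDUSER
"""

LOGCTL_RE = re.compile(r"^LOGCTL\s+([ADC])\s+(\S{1,10})(\s+NOEXPIRE)?\s*$")

def audit_logctl(stream):
    """Return (user IDs left with NOEXPIRE, list of (userid, finding))."""
    noexpire, findings, lower = set(), [], False
    lines = [l.strip() for l in stream.splitlines()] + [""]
    for i, line in enumerate(lines):
        if line in ("*LOWER", "*UPPER"):
            lower = line == "*LOWER"      # *LOWER stops folding input to uppercase
            continue
        m = LOGCTL_RE.match(line)
        if not m:
            continue
        action, userid, keep = m.group(1), m.group(2), bool(m.group(3))
        if action == "D":
            noexpire.discard(userid)
            continue
        # Assumption: next line answers M204.0374; empty first field = no new password.
        nxt = lines[i + 1]
        password = "" if nxt.startswith("*") or LOGCTL_RE.match(nxt) else nxt.split(",")[0]
        if password != password.upper() and not lower:
            findings.append((userid, "mixed-case password without *LOWER"))
        if keep:
            noexpire.add(userid)
        elif userid in noexpire and password:
            noexpire.discard(userid)      # new password without NOEXPIRE will expire
            findings.append((userid, "password changed without NOEXPIRE"))
        elif userid in noexpire:
            findings.append((userid, "changed without NOEXPIRE, verify status"))
    return noexpire, findings
```

The returned set is the inventory of user IDs still expected to hold non-expiring passwords; each finding names a user ID whose stored password or expiration status should be verified.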
Understanding the password creation date
The password creation date is the basis for calculating the warning, expiration, and purge periods. If you issue a LOGCTL C command against a user ID and do not change the password, the password creation date is not changed.
The exception to this rule is when the NOEXPIRE keyword is specified; the date calculations are then irrelevant.
Handling expired passwords
When a user ID is suspended because the password expired or too many successive incorrect passwords were entered, the system manager may reactivate the user ID by issuing the LOGCTL command to change the password for the user ID.
A password is required when changing a login entry that has been revoked or has expired. If the system manager attempts to change another login user ID option without entering a password, the following message is issued and the command is rejected:
M204.2641: A NEW PASSWORD MUST BE ENTERED: THE CURRENT ONE {HAS EXPIRED | WAS REVOKED}