LOGCTL command: Modifying user ID entries in the password table

From m204wiki
Revision as of 18:32, 19 April 2017 by JDamon (talk | contribs) (Provided a complete example of LOGCTL A USER1)

Summary

Privileges
System manager
Function
Adds, deletes, or changes login user ID entries in the password table

Syntax

LOGCTL [{NP | P} CMS] {A | D | C} userid [NOEXPIRE]

Where:

  • NP CMS specifies that Model 204 bypass password prompts for z/VM users. P CMS reinstitutes password prompts for z/VM users. Refer to Bypassing password prompts for information on the automatic login facility under z/VM.
  • A, D, or C specifies to add, delete, or change, respectively, a login userid.
  • userid is the name, one to ten characters long, of the login user ID to be added, deleted, or changed.
  • NOEXPIRE allows the specified userid a password that does not expire, regardless of the settings of the security parameters, PWDEXP and PWDWARN.

    Note: If a user issues a LOGCTL C command and does not change the password, the expiration status is unchanged. If the password is changed, then it will expire unless NOEXPIRE is specified. The NOEXPIRE option is an attribute associated with a specific password.

Usage notes

The system manager can change any of the following specifications in a login user ID entry:

  • Password

  • User privileges

  • Priority

  • Terminal list

When a login user ID entry is being changed, all responses are optional.

Changing a user ID entry

The LOGCTL command adds, deletes, or changes login user ID entries in the password table. If add (A) or change (C) is specified, Model 204 prompts for information as shown in the following dialog:

LOGCTL A USER1
*** M204.0374: ENTER PASSWORD,PRIVILEGES,PRIORITY
password,X'pp',priority
*** M204.2633: RE-ENTER NEW PASSWORD
password
*** M204.0379: ENTER TERMINAL LIST, ALL, NONE, ADD, DEL OR RETURN
ALL
USER1 X'FF' HIGH ALL
*** M204.0376: PARAMETERS ACCEPTED
*** M204.0345: CCASTAT UPDATED

Additional syntax

(in response to the M204.0379 message)

{terminal [,terminal...] | ALL | NONE | ADD terminal [,terminal...] | DEL terminal [,terminal...]}

Note:

If the system manager omits an entry (comma denotes an omitted entry), the system does not supply the default but preserves the corresponding entry in the password table. For example:

LOGCTL C USER1 newpw,,HIGH

If the privilege byte is X'01' in the password table for USER1, and if a privilege byte is not specified in the command (the comma denotes the absence of the privilege byte), Model 204 preserves the privilege byte of X'01' and does not replace it with the default of X'00'. The same is true for the password and the priority.

Where:

password

The user's password:

  • May contain one to eight characters (Model 204 version 7.6 or earlier)
  • May contain one to 127 characters (Model 204 version 7.7 or later)
  • May not contain commas. However, commas are allowed when the password is changed with the LOGONCP command or the $Sir_Login function.

If the Password Expiration feature has been installed, the user's password must:

  • Not be the same as the USERID, the current password, or the previous password.
  • Be six, seven, or eight characters long (Model 204 version 7.6 or earlier), or
    be at least six characters long and up to a maximum of 127 characters (Model 204 version 7.7 or later).
  • Begin with an alphabetic character.
  • Include at least one numeric character.
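As an added example (not from the m204wiki page), the following checker applies the password rules listed above before a system manager types a password at the LOGCTL prompt. The `version` and `expiration_installed` arguments, and the exact-string comparison against the stored passwords, are assumptions of this example.

```python
# Added example, not part of the Model 204 documentation: apply the LOGCTL
# login-password rules above. version is the Model 204 release (e.g. 7.6);
# expiration_installed says whether the Password Expiration feature is in use.

def check_login_password(pw, userid, current=None, previous=None,
                         version=7.7, expiration_installed=True):
    """Return a list of rule violations; an empty list means acceptable."""
    problems = []
    # 7.6 or earlier allows up to 8 characters, 7.7 or later up to 127
    max_len = 8 if version <= 7.6 else 127
    if "," in pw:
        # Commas are rejected at the LOGCTL prompt (LOGONCP/$Sir_Login differ)
        problems.append("contains a comma")
    if not 1 <= len(pw) <= max_len:
        problems.append(f"length must be 1..{max_len}")
    if expiration_installed:
        if len(pw) < 6:
            problems.append("Password Expiration: at least 6 characters")
        # Assumption: caller passes the stored form (CCASTAT upper-cases
        # passwords unless CUSTOM=11 and *LOWER are in effect)
        if pw in (userid, current, previous):
            problems.append("same as USERID, current or previous password")
        if not pw[:1].isalpha():
            problems.append("must begin with an alphabetic character")
        if not any(c.isdigit() for c in pw):
            problems.append("must include at least one numeric character")
    return problems
```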

If the Password Expiration feature has been installed at your site, the following message is issued to confirm your password:

M204.2633: RE-ENTER NEW PASSWORD

pp

A one-byte representation of the user's privileges. The default privileges are X'00'. The privilege byte can be any combination of the settings (in hexadecimal) shown in the following table.

Setting   User is allowed to...
X'80'     Create a file with the CREATE command (Superuser privileges).
X'40'     Issue certain privileged commands (System administrator privileges). Such commands include LOGWHO, MONITOR, PRIORITY, WARN, and so on.
X'20'     Change the file password when it is used to open a file.
X'10'     Change the login password when logging into the system.
X'08'     Issue certain privileged commands such as LOGCTL, DUMPG, and IFAMDRAIN (System manager privileges).
X'04'     Override record security.
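As an added example (not from the m204wiki page), this decoder turns the X'pp' privilege byte into the capabilities in the table above, so an auditor reviewing LOGCTL entries can see what a value such as the X'FF' in the dialog above actually grants. The function names and the reporting of bits the table does not describe (X'02', X'01') are this example's own.

```python
# Added example, not part of the Model 204 documentation: decode the LOGCTL
# privilege byte (the X'pp' field) into the capabilities from the table above.

PRIVILEGE_BITS = {
    0x80: "Create a file with the CREATE command (Superuser)",
    0x40: "Issue privileged commands such as LOGWHO, MONITOR, PRIORITY, WARN (System administrator)",
    0x20: "Change the file password when opening a file",
    0x10: "Change the login password when logging in",
    0x08: "Issue privileged commands such as LOGCTL, DUMPG, IFAMDRAIN (System manager)",
    0x04: "Override record security",
}

def parse_privilege_byte(text):
    """Accept X'pp' (as typed at the LOGCTL prompt) or a bare hex pair; return 0..255."""
    t = text.strip().upper()
    if t.startswith("X'") and t.endswith("'"):
        t = t[2:-1]
    if len(t) != 2:
        raise ValueError(f"privilege byte must be two hex digits: {text!r}")
    return int(t, 16)

def decode_privileges(text):
    """Return (granted, undocumented_bits): descriptions for the bits the table
    defines, plus any set bits (X'02', X'01') the table above does not describe."""
    value = parse_privilege_byte(text)
    granted = [name for bit, name in PRIVILEGE_BITS.items() if value & bit]
    undocumented = [bit for bit in (0x02, 0x01) if value & bit]
    return granted, undocumented

def is_system_manager(text):
    """True when the X'08' bit is set, i.e. the entry can itself run LOGCTL."""
    return bool(parse_privilege_byte(text) & 0x08)
```

An entry with X'FF', like the one in the dialog above, sets every bit, including the two the table does not define; X'08' is the one to watch, since it lets the user run LOGCTL and change other entries.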

priority

One of the following:

  • NONE (the default)
  • LOW
  • STANDARD
  • HIGH

terminal

The number of a terminal from which a user can issue a LOGIN command for this user ID.

  • If the system manager presses <Return> in response to the TERMINAL LIST prompt, Model 204 assumes a default of ALL terminals.
  • If an installation does not use terminal security features, the system manager must enter ALL or allow Model 204 to supply the default terminal setting.

Usage notes

Mixed-case passwords

Mixed-case passwords improve login security. They are supported for:

  • logins via the RACF, ACF2 and TOP SECRET interfaces, and

  • logins using CCASTAT passwords.

To enable mixed-case login password support, set the CUSTOM parameter in CCAIN. For more information, see CUSTOM: Using customized parameters.

To store a mixed-case login password in CCASTAT, specify the *LOWER command before any LOGCTL command that adds or changes a login password.

CCASTAT passwords can never be displayed, so if a user's password is rejected, use the LOGCTL command to change that user's password and try again.

Note: Mixed-case passwords are not supported for files. Lowercase passwords stored in CCASTAT for files can never be used to open a file or file group.

Example of lowercase login and password

To use passwords containing lowercase characters, the Online environment must have a CUSTOM parameter setting that includes '11' in the CCAIN parameter stream:

//CCAIN DD *
LOGADD=200,CUSTOM=11

Note: With this setting in place, automatic translation of password strings into uppercase is disabled. Any existing passwords that were saved in uppercase would need to be entered in uppercase.

To add a login id and a password with lowercase characters, issue the following:

LOGIN SYSADMIN MYLPSWD
*********************************************************
* Deactivate automatic translation of lowercase characters
* to uppercase characters
*********************************************************
*LOWER
*********************************************************
*** Add new login id and password with lowercase characters
*********************************************************
LOGCTL A NEWLID
*** M204.0374: ENTER PASSWORD,PRIVILEGES,PRIORITY
MiXCaSe,X'10',STANDARD
*** M204.0379: ENTER TERMINAL LIST, ALL, NONE, ADD, DEL, OR RETURN
ALL
*********************************************************
* Activate automatic translation of lowercase characters
* to uppercase characters
*********************************************************
*UPPER
*********************************************************
* Login with new Login ID
*********************************************************
LOGIN NEWLID MiXCaSe

Using the NOEXPIRE parameter

If after running the ZCTLTAB utility you want to maintain some user IDs with passwords that do not expire, you must include the NOEXPIRE parameter in every LOGCTL command that makes any other change to that user ID. Otherwise, the user ID and password become subject to expiring like all other accounts.

The corollary action is also true: if you want to reset a user ID so that the password is subject to expiring, simply execute a LOGCTL command for that user ID omitting the NOEXPIRE parameter.

Understanding the password creation date

The password creation date is the basis for calculating the warning, expiration, and purge periods. If you issue a LOGCTL C command against a user ID and do not change the password, the password creation date is not changed.

The exception to this rule is when the NOEXPIRE keyword is specified; the date calculations are then irrelevant.

Handling expired passwords

When a user ID is suspended because the password expired or too many successive incorrect passwords were entered, the system manager may reactivate the user ID by issuing the LOGCTL command to change the password for the user ID.

A password is required when changing a login entry that has been revoked or has expired. If the system manager attempts to change another login user ID option without entering a password, the following message is issued and the command is rejected:

M204.2641: A NEW PASSWORD MUST BE ENTERED: THE CURRENT ONE {HAS EXPIRED | WAS REVOKED}