LOGCTL command: Modifying user ID entries in the password table
Summary
- Privileges: System manager
- Function: Adds, deletes, or changes login user ID entries in the password table
Syntax
LOGCTL [{NP | P} CMS] | [{A | D | C} userid [NOEXPIRE]]
Where:
- NP CMS specifies that Model 204 bypass password prompts for z/VM users.
- P CMS reinstitutes password prompts for z/VM users. Refer to Bypassing password prompts for information on the automatic login facility under z/VM.
- A, D, or C specifies to add, delete, or change, respectively, a login user ID.
- userid is the name, one to ten characters long, of the login user ID to be added, deleted, or changed.
- NOEXPIRE allows the specified userid a password that does not expire, regardless of the settings of the security parameters, PWDEXP and PWDWARN.
Note: If you issue a LOGCTL C command and do not change the password, the expiration status is unchanged. If the password is changed, it will expire unless NOEXPIRE is specified. The NOEXPIRE option is an attribute associated with a specific password.
Usage notes
The system manager can change any of the following specifications in a login user ID entry:
- Password
- User privileges
- Priority
- Terminal list
When a login user ID entry is being changed, all responses are optional.
Changing a user ID entry
The LOGCTL command adds, deletes, or changes login user ID entries in the password table. If add (A) or change (C) is specified, Model 204 prompts for information as shown in the following dialog:
    LOGCTL A USER1
    *** M204.0374: ENTER PASSWORD,PRIVILEGES,PRIORITY
    password,X'pp',priority
    *** M204.2633: RE-ENTER NEW PASSWORD
    password
    *** M204.0379: ENTER TERMINAL LIST, ALL, NONE, ADD, DEL OR RETURN
    ALL
    USER1 X'FF' HIGH ALL
    *** M204.0376: PARAMETERS ACCEPTED
    *** M204.0345: CCASTAT UPDATED
Syntax for command dialog
- In response to the M204.0374 prompt (see example above):
password [,X'pp'] [,priority]
Note: If the system manager omits an entry (comma retained to denote an omitted entry), the system does not supply the default but preserves the corresponding entry in the password table. For example:
    LOGCTL C USER1
    newpw,,HIGH
If the privilege byte is X'01' in the password table for USER1, and if a privilege byte is not specified in the command (denoted by comma placement), Model 204 preserves the privilege byte of X'01' and does not replace it with the default of X'00'. This is true also for password and priority.
Additional valid examples of omitted entries follow:
    ,X'01',HIGH
    newpw,X'01',
    newpw,X'01'
    ,,HIGH
- In response to the M204.0379 terminal list prompt (see example above):
{terminal [,terminal...] | ALL | NONE | ADD terminal [,terminal...] | DEL terminal [,terminal...]}
Arguments for the responses to the command prompts
- password: The user's password may contain:
  If the Password Expiration feature is installed, the user's password must:
  If the Password Expiration feature has been installed at your site, the following message is issued to confirm your password: M204.2633: RE-ENTER NEW PASSWORD
- pp: A one-byte representation of the user's privileges. The default privileges are X'00'. The privilege byte can be any combination of the settings (in hexadecimal) shown in the following table.
- priority: One of the following:
- terminal: The number of a terminal from which a user can issue a LOGIN command for this user ID.
Mixed-case passwords
Mixed-case passwords improve login security. They are supported for:
- Logins via the RACF, ACF2, and TOP SECRET interfaces
- Logins using CCASTAT passwords
To enable mixed-case login password support, set the CUSTOM parameter in CCAIN.
To store a mixed-case-login password in CCASTAT, specify the *LOWER command before any LOGCTL command that adds or changes a login password.
CCASTAT passwords can never be displayed, so if a user's password is rejected, use the LOGCTL command to change that user's password and try again.
Note: Mixed-case passwords are not supported for files. Lowercase passwords stored in CCASTAT for files can never be used to open a file or file group.
Example of adding a logon ID with lowercase password
To use passwords containing lowercase characters, the Online environment must have a CUSTOM=11 parameter setting in the CCAIN parameter stream:
    //CCAIN DD *
    LOGADD=200,CUSTOM=11
Note: With this setting in place, automatic translation of password strings into uppercase is disabled. Any existing passwords that were saved in uppercase would need to be entered in uppercase.
To add a login ID (always translated to upper case) and a password with lowercase characters, issue the following:
    LOGIN SYSADMIN
    password
    *********************************************************
    * Ensure CUSTOM=11 is set and caps lock is off
    *********************************************************
    * Add new login id and password with lowercase characters
    *********************************************************
    LOGCTL A NEWID
    *** M204.0374: ENTER PASSWORD,PRIVILEGES,PRIORITY
    MiXCaSe,X'10',STANDARD
    *** M204.0379: ENTER TERMINAL LIST, ALL, NONE, ADD, DEL, OR RETURN
    ALL
    NEWID X'10' STANDARD ALL
    *** M204.0376: PARAMETERS ACCEPTED
    *** M204.0345: CCASTAT UPDATED
    *********************************************************
    * Login with new Login ID
    *********************************************************
    LOGIN NEWID
    MiXCaSe
Using the NOEXPIRE parameter
If after running the ZCTLTAB utility you want to maintain some user IDs with passwords that do not expire, you must include the NOEXPIRE parameter in every LOGCTL command that makes any other change to that user ID. Otherwise, the user ID and password become subject to expiring like all other accounts.
The corollary action is also true: if you want to reset a user ID so that the password is subject to expiring, simply execute a LOGCTL command for that user ID omitting the NOEXPIRE parameter.
Understanding the password creation date
The password creation date is the basis for calculating the warning, expiration, and purge periods. If you issue a LOGCTL C command against a user ID and do not change the password, the password creation date is not changed.
The exception to this rule is when the NOEXPIRE keyword is specified; in that case, the date calculations are irrelevant.
Handling expired passwords
When a user ID is suspended because the password expired or too many successive incorrect passwords were entered, the system manager may reactivate the user ID by issuing the LOGCTL command to change the password for the user ID.
A password is required when changing a login entry that has been revoked or has expired. If the system manager attempts to change another login user ID option without entering a password, the following message is issued and the command is rejected:
M204.2641: A NEW PASSWORD MUST BE ENTERED: THE CURRENT ONE {HAS EXPIRED | WAS REVOKED}
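The following Python pre-flight check is an added example, not part of the Model 204 documentation or product. It models three rules stated on this page for a planned LOGCTL command and its M204.0374 response: omitted comma-delimited entries keep their password-table value, NOEXPIRE must be repeated on every change to an ID that should stay non-expiring, and a suspended ID needs a new password. The names parse_response, merge, lint, keep_noexpire and suspended, the "<stored>" placeholder, and the assumption that fields contain no commas are all hypothetical.

```python
import re

# Command form from the Syntax section: LOGCTL {A | D | C} userid [NOEXPIRE]
CMD_RE = re.compile(r"^LOGCTL\s+([ADC])\s+(\S{1,10})(\s+NOEXPIRE)?\s*$", re.I)
PRIV_RE = re.compile(r"^X'[0-9A-Fa-f]{2}'$")

def parse_response(text):
    """Split the M204.0374 response; an empty field means the entry is omitted."""
    fields = [f.strip() or None for f in text.split(",")]
    if len(fields) > 3:
        raise ValueError("expected at most password,X'pp',priority")
    password, priv, priority = fields + [None] * (3 - len(fields))
    if priv is not None and not PRIV_RE.match(priv):
        raise ValueError(f"privilege byte must look like X'pp', got {priv!r}")
    return {"password": password, "privileges": priv, "priority": priority}

def merge(current, response):
    """Omitted fields keep the password-table value, not the default."""
    new = parse_response(response)
    return {k: current[k] if new[k] is None else new[k] for k in new}

def lint(command, response, keep_noexpire=(), suspended=()):
    """Warnings for one planned LOGCTL command plus its prompt response.

    keep_noexpire: IDs meant to keep non-expiring passwords (assumed input).
    suspended: IDs currently expired or revoked (assumed input).
    """
    m = CMD_RE.match(command.strip())
    if not m:
        return ["syntax: want LOGCTL {A|D|C} userid [NOEXPIRE], userid 1-10 chars"]
    action, userid, noexpire = m.group(1).upper(), m.group(2).upper(), bool(m.group(3))
    if action == "D":
        return []
    warnings = []
    changes_password = parse_response(response)["password"] is not None
    if userid in keep_noexpire and not noexpire:
        warnings.append(f"{userid}: NOEXPIRE omitted, ID becomes subject to expiry")
    if action == "C" and userid in suspended and not changes_password:
        warnings.append(f"{userid}: no new password, expect rejection with M204.2641")
    return warnings

# Constructed sample: a table entry for USER1 and the page's own response strings.
USER1 = {"password": "<stored>", "privileges": "X'01'", "priority": "STANDARD"}
if __name__ == "__main__":
    print(merge(USER1, "newpw,,HIGH"))
    print(lint("LOGCTL C USER1", ",,HIGH", keep_noexpire={"USER1"}, suspended={"USER1"}))
```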