Completely locked out of OpenVMS 8.4 system

[cyb2600]

Hi,

I fired up my Itanium box after about a year of it collecting dust and unfortunately I had forgotten the system password. I tried every password I usually use and after about 35 tries I gave up and decided to just reset the password. I followed the instructions I found online and successfully reset the password but I still can't log in. I tried creating a new account with adduser.com and I can't log in with that account either.

Is this because I used the wrong password so many times? Did I enable some sort of break-in defense that needs to be disabled?

This is what I did to reset the password
fs0:\efi\vms\vms_loader.efi -flags 0,1
SET/STARTUP OPA0:
SET WINDOW_SYSTEM 0
SET WRITESYSPARAMS 0
CONTINUE
spawn @SYS$SYSTEM:STARTUP
SET DEFAULT SYS$SYSTEM:
RUN SYS$SYSTEM:AUTHORIZE
MODIFY SYSTEM /PASSWORD=newsystempassword
quit

[volkerhalle]

Try $ SHOW INTRUSION

and if there is an intrusion record, you could probably remove it with

$ DELETE/INTRUSION ...

Volker.

[sms]

Code: Select all

> [...] I had forgotten the system password. [...]

   3M sells a product which, used properly, can help with that:

      https://www.post-it.com/

> [...] I still can't log in. [...]

   A detailed description of what you did, and what happened when you
did it, is usually more helpful than a vague description of what you
"can't" do.

   Are you doing all this stuff at some kind of serial console terminal,
or what, exactly?

> MODIFY SYSTEM /PASSWORD=newsystempassword

   Possibly helpful: Add /NOPWDEXPIRED to that command.  As the
AUTHORIZE HELP says:

     When you modify a password, the new password expires
     automatically; it is valid only once (unless you specify
     /NOPWDEXPIRED). On login, the user is forced to change the
     password (unless you specify /FLAGS=DISFORCE_PWD_CHANGE).


> Try $ SHOW INTRUSION [...]

   Sounds good to me.

[cyb2600]

Welcome to VMS Software, Inc. OpenVMS (TM) IA64 Operating System, V8.4-2L3

Username: system
Password:
User authorization failure

Added in 4 minutes 16 seconds:

Try $ SHOW INTRUSION

and if there is an intrusion record, you could probably remove it with

$ DELETE/INTRUSION ...

Volker.

Doesn't look like there are any...

$ SHOW INTRUSION
%SHOW-F-NOINTRUDERS, no intrusion records match specification

[sms]

Code: Select all

> Doesn't look like there are any...

   And the right/new password still fails?  For all users?

   Hmmm.  I may be out of clever ideas, but...

> spawn @SYS$SYSTEM:STARTUP

   I believe that that was supposed to be two commands.  The idea behind
the SPAWN was that if you then made some fatal error, you'd be kicked
out of the (newly created) subprocess, not the whole job.

   The only other thing I've thought of was that you might be working
with the wrong SYSUAF.DAT.  I wouldn't expect this, but if you normally
define the logical name SYSUAF to point to someplace other than the
default location (SYS$SYSTEM:SYSUAF.DAT), then your interactive
AUTHORIZE would be modifying the wrong one.

> fs0:\efi\vms\vms_loader.efi -flags 0,1

   You have only one disk, and/or fs0: is the right one?

   Check the date+times of SYSUAF.DAT?  (DIRE /FULL whatever)

   Try the whole procedure one more time?

[volkerhalle]

How - exactly - do you connect to the console ?

If using some kind of terminal emulator, check whether it might be set to send <CR><LF> when typing <RETURN>

This has caused similar problems for some people during installations of VSI OpenVMS x86-64, when trying to set the system password during installation.

Volker.

[cyb2600]

I'm using Teraterm, I think when I installed the system I used Putty. Maybe that's my issue...

[martinv]

The only other thing I've thought of was that you might be working
with the wrong SYSUAF.DAT. I wouldn't expect this, but if you normally
define the logical name SYSUAF to point to someplace other than the
default location (SYS$SYSTEM:SYSUAF.DAT), then your interactive
AUTHORIZE would be modifying the wrong one.

A command sequence that will always work: instead of "SET DEFAULT SYS$SYSTEM:" use

Code: Select all

$ DEFINE/USER SYSUAF 'F$PARSE("SYSUAF", "SYS$SYSTEM:.DAT")

immediately preceeding the "RUN SYS$SYSTEM:AUTHORIZE".

HTH,
Martin

[cyb2600]

I confirmed I'm booting from the right disk and I tried $ DEFINE/USER SYSUAF 'F$PARSE("SYSUAF", "SYS$SYSTEM:.DAT"), I still can't log in.

UAF> show system

Username: SYSTEM Owner: SYSTEM MANAGER
Account: SYSTEM UIC: [1,4] ([SYSTEM])
CLI: DCL Tables: DCLTABLES
Default: SYS$SYSROOT:[SYSMGR]
LGICMD:
Flags:
Primary days: Mon Tue Wed Thu Fri
Secondary days: Sat Sun
No access restrictions
Expiration: (none) Pwdminimum: 15 Login Fails: 55
Pwdlifetime: 30 00:00 Pwdchange: (pre-expired)
Last Login: 3-FEB-2023 06:54 (interactive), 16-SEP-2022 09:19 (non-interactive)

Maxjobs: 0 Fillm: 200 Bytlm: 256000
Maxacctjobs: 0 Shrfillm: 0 Pbytlm: 0
Maxdetach: 0 BIOlm: 150 JTquota: 4096
Prclm: 10 DIOlm: 150 WSdef: 4096
Prio: 4 ASTlm: 300 WSquo: 8192
Queprio: 0 TQElm: 100 WSextent: 16384
CPU: (none) Enqlm: 4000 Pgflquo: 700000
Authorized Privileges:
ACNT ALLSPOOL ALTPRI AUDIT BUGCHK BYPASS
CMEXEC CMKRNL DIAGNOSE DOWNGRADE EXQUOTA GROUP
GRPNAM GRPPRV IMPERSONATE IMPORT LOG_IO MOUNT
NETMBX OPER PFNMAP PHY_IO PRMCEB PRMGBL
PRMMBX PSWAPM READALL SECURITY SETPRV SHARE
SHMEM SYSGBL SYSLCK SYSNAM SYSPRV TMPMBX
UPGRADE VOLPRO WORLD
Default Privileges:
ACNT ALLSPOOL ALTPRI AUDIT BUGCHK BYPASS
CMEXEC CMKRNL DIAGNOSE DOWNGRADE EXQUOTA GROUP
GRPNAM GRPPRV IMPERSONATE IMPORT LOG_IO MOUNT
NETMBX OPER PFNMAP PHY_IO PRMCEB PRMGBL
PRMMBX PSWAPM READALL SECURITY SETPRV SHARE
SHMEM SYSGBL SYSLCK SYSNAM SYSPRV TMPMBX
UPGRADE VOLPRO WORLD
Identifier Value Attributes
NET$MANAGE %X91F50002

[sms]

Code: Select all

> A command sequence that will always work: [...]

   For some values of "always"?


> [...] Pwdminimum: 15 [...]

   Just for the convenience of less typing, I'd set that lower, at least
until the real problem is solved.

> [...]  Pwdchange: (pre-expired)

   I've already suggested changing that when setting the new password.

> I'm using Teraterm, I think when I installed the system I used Putty.
> Maybe that's my issue...

   Did you run that experiment?

>    Are you doing all this stuff at some kind of serial console terminal,
> or what, exactly?

   Still wondering.