Google
 

Trailing-Edge - PDP-10 Archives - bb-l014w-bm_tops20_v7_0_atpch_23 - autopatch/security-enhancements.mem
There are no other files named security-enhancements.mem in the archive.

















                     Security Enhancements for TOPS-20

                             Michael Raspuzzi
                             Gregory A. Scott
                         LSBU Software Engineering

                         Creation date: 13-Feb-89
                         Last Revision: 16 Feb 89




     COPYRIGHT (c) DIGITAL EQUIPMENT CORPORATION 1989.
     ALL RIGHTS RESERVED.

     THIS SOFTWARE IS FURNISHED UNDER A LICENSE AND MAY BE USED AND  COPIED
     ONLY  IN  ACCORDANCE  WITH  THE  TERMS  OF  SUCH  LICENSE AND WITH THE
     INCLUSION OF THE ABOVE COPYRIGHT NOTICE.  THIS SOFTWARE OR  ANY  OTHER
     COPIES  THEREOF MAY NOT BE PROVIDED OR OTHERWISE MADE AVAILABLE TO ANY
     OTHER PERSON.  NO TITLE TO AND OWNERSHIP OF  THE  SOFTWARE  IS  HEREBY
     TRANSFERRED.

     THE INFORMATION IN THIS SOFTWARE IS SUBJECT TO CHANGE  WITHOUT  NOTICE
     AND  SHOULD  NOT  BE  CONSTRUED  AS  A COMMITMENT BY DIGITAL EQUIPMENT
     CORPORATION.

     DIGITAL ASSUMES NO RESPONSIBILITY FOR THE USE OR  RELIABILITY  OF  ITS
     SOFTWARE ON EQUIPMENT THAT IS NOT SUPPLIED BY DIGITAL.
Security Enhancements for TOPS-20                                    Page 2


                             TABLE OF CONTENTS


        1.0     Summary of Functional Change . . . . . . . . . . . . 3
        1.1       Problem Discussion and History . . . . . . . . . . 3
        1.2       Description and Goals  . . . . . . . . . . . . . . 3
        1.3       Limitations and Restrictions . . . . . . . . . . . 5
        2.0     Terminology  . . . . . . . . . . . . . . . . . . . . 6
        3.0     Functional Description . . . . . . . . . . . . . . . 7
        3.1       System ACJ . . . . . . . . . . . . . . . . . . . . 7
        3.2       Password Expiration  . . . . . . . . . . . . . . . 8
        3.3       Password Dictionary  . . . . . . . . . . . . . .  14
        3.4       System Wide Password Penalty Lock  . . . . . . .  16
        3.5       More GETOK Functions . . . . . . . . . . . . . .  16
        3.6       Secure Files . . . . . . . . . . . . . . . . . .  18
        3.7       Enhance GETOK Function for CRDIR%  . . . . . . .  20
        3.8       CTERM Access . . . . . . . . . . . . . . . . . .  21
        3.9       Connect Time . . . . . . . . . . . . . . . . . .  22
        3.10      Hangup on DETACH . . . . . . . . . . . . . . . .  23
        3.11      Default to REFUSE LINKS  . . . . . . . . . . . .  24
        3.12      New ACJ Program  . . . . . . . . . . . . . . . .  24
        4.0     Performance Expectations . . . . . . . . . . . . .  25
        5.0     Error Handling . . . . . . . . . . . . . . . . . .  26
Security Enhancements for TOPS-20                               Page 3


     1.0  Summary of Functional Change

     1.1  Problem Discussion and History

          It has been recognized  that  there  are  certain  areas  of  the
     TOPS-20  environment  that  need  stronger security measures.  It will
     never be possible to  make  TOPS-20  (or  any  operating  system)  one
     hundred  percent  secure from outside break-ins, trojan horses, worms,
     viruses, and so on.

          This document describes changes in  TOPS-20  that  were  made  to
     tighten  security.   These changes are in areas of password management
     and in new functions that help monitor security and  track  privileged
     operations.



     1.2  Description and Goals

          The goal of this project is to enhance known weak points  in  the
     TOPS-20  monitor  that can be penetrated by a skillful malicious user.
     A summary of the changes:

      o  System ACJ:  The ACJ fork can be run in system context in  such  a
         manner  so  that the ^ESPEAK command in the EXEC cannot be used to
         stop it.

      o  Password expiration:  Password expiration was started in  6.1  and
         never  completed.  A number of changes in the monitor and EXEC now
         track  the  date-time  of  both  interactive  and  non-interactive
         logins;   interactive  and  non-interactive  login  failures;  and
         password expiration.

      o  Password dictionary:  Any word in the password dictionary file  is
         not allowed as a username password.

      o  Password penalty lock:  Allow one fork at a time (per  system)  to
         execute  the password penalty code.  This slows down any malicious
         user guessing passwords by using multiple forks or jobs.

      o  More GETOK functions:  GETOK calls need to be  added  to  the  the
         following monitor calls:

          -  TTMSG% (used to send messages to terminals)

          -  SMON% (set monitor features)

          -  HSYS% (shutdown system)

          -  TLINK% (ADVISE and TALK commands)

          -  GETAB% (Get system information)

          -  SYSGT% (Get system information)
Security Enhancements for TOPS-20                               Page 4


          -  CRLNM% (system wide logical names)

          -  DTACH% (detach job)


      o  Secure Files:  A file  with  a  new  file  mode  bit  (FB%SEC)  is
         considered secure.  Attempts to access this file result in a GETOK
         function call for the ACJ.  Four new GETOK functions are added:

          -  OPENF% (secure file only)

          -  RNAMF% (secure file only)

          -  DELF%/DELNF% (secure file only)

          -  CHFDB% (only when changing FB%SEC bit)


      o  Enhance GETOK for CRDIR%:  The monitor currently asks the ACJ  for
         permission  to  perform a CRDIR% monitor call but there is no easy
         way for the ACJ to determine what directory parameters  are  being
         modified  by the user.  The monitor now returns the directory name
         and user argument block.

      o  CTERM access:  There is no way to tell  where  an  incoming  CTERM
         connection  is coming from.  When a CTERM connection is requested,
         the CTERM fork asks the ACJ for permission to accept or  deny  the
         connection.   The CTERM fork passes NODE::USER to the ACJ.  NTINF%
         now returns "NODE::USER" rather than just "NODE".

      o  Connect time:  GETJI% now returns a job's  connect  time  and  the
         EXEC displays the connect time.

      o  Hangup on DETACH:  When enabled this causes the monitor to drop  a
         terminal  line  when  a  job  is  detached  instead  of  remaining
         connected.

      o  Default to REFUSE LINKS:  REFUSE LINKS is now the  system  default
         for job startup.

      o  New ACJ Program:  An updated and supported ACJ is now  distributed
         that  implements  all GETOK functions and is constructed so that a
         local site  can  easily  modify  it.   (See  ACJFUN.MEM  for  more
         information.)


          Two other more general goals of this project are:

     1.  Each piece of this project has the ability to be controlled by the
         system manager.

     2.  Each piece of this project is turned off by  default  (except  the
         REFUSE LINKS part).  This is to maintain consistency for customers
         who do not wish to use the new features.
Security Enhancements for TOPS-20                               Page 5


     1.3  Limitations and Restrictions

          This project is attempting to increase a system manager's control
     over  certain  items  on  his  system  and  it  is  also attempting to
     strengthen weak areas in the monitor.   It  is  not  a  goal  of  this
     project  to  make  TOPS-20  a  secure  operating  system  such  that a
     government  rating  of   "B1"   could   be   issued.    However,   the
     implementation  of the above suggestions is a step towards meeting the
     standards required for a "B1" rating from the government.
Security Enhancements for TOPS-20                               Page 6


     2.0  Terminology

          It is assumed that the reader has  a  basic  knowledge  of  terms
     relating to TOPS-20's monitor calls and EXEC commands.

      o  ACJ - Access Control Job.  TOPS-20 allows a site to tailor  access
         to  various objects through the ACJ.  This allows a system manager
         to write special code to make a decision of whether or not a  user
         can perform certain tasks that ask permission from the ACJ first.

      o  CTERM  -  Corporate  protocol  that  implements  network  terminal
         support using DECnet.

      o  Directory page  0  -  The  first  page  of  a  directory  contains
         information  about  the  directory  itself rather than information
         about the files in the directory.

      o  FDB - File Descriptor Block.  Used in this document  to  refer  to
         the  block  used to describe the contents and characteristics of a
         file.

      o  GETOK - Action performed (usually by the monitor through the GTOKM
         macro)  to  ask  the  ACJ  for  permission  to  perform  a certain
         function.  The ACJ may allow or deny the request.

      o  GETOK function - A unique function code is assigned to each  GETOK
         that the monitor may perform.

      o  SYSTEM:  - When a file name is preceded by  the  SYSTEM:   logical
         name throughout this document, it is assumed that the logical name
         translation of SYSTEM:  is done for the system-wide definition not
         for the user's job wide definition.

      o  Trojan Horse - Software is modified so that when users run it  the
         malicious user gains access or information.

      o  Worm - Software that attempts to  gain  access  multiple  computer
         systems using network software to replicate itself.

      o  Virus - Software that attempts to infect and hide until some event
         occurs at which time it causes an unusual operation.
Security Enhancements for TOPS-20                               Page 7


     3.0  Functional Description

     3.1  System ACJ

          Currently, job 0 has a number of forks that are started  and  run
     during  the life of a system.  The ACJ fork is not one of them.  It is
     started apart  from  the  monitor.   It  is  usually  started  in  the
     x-SYSJOB.RUN command file.

     +-----------------------------------------------------------------------+
     |                           Job 0                                       |
     +-----------------------------------------------------------------------+
            |        |       |        |        |          |       |    
       +-------+ +------+ +------+ +------+ +--------+ +----+ +-------+
       | DDMP  | | CHKR | | ENQ  | |CLUDGR| |Internet| | CI | | SYSERR|
       | fork  | | fork | |forks | | fork | |  fork  | |fork| |  fork |
       +-------+ +------+ +------+ +------+ +--------+ +----+ +-------+

          The above diagram shows various forks that  are  started  by  the
     system during initialization.  Other forks may be started under SYSJOB
     after the system has booted.  This is done with a ^ESPEAK  command  at
     EXEC  level.  This is an example of how a system manager may choose to
     start his ACJ fork in the current TOPS-20 environment:

     @ENABLE
     $^ESPEAK
      [Please type SYSJOB commands - end with ^Z]
     RUN SYSTEM:ACJ.EXE
     ^Z
     $

          The above example produces  a  SYSJOB.COMMANDS  file  on  SYSTEM:
     which  gets  read in by SYSJOB and processed.  The effect of the above
     example is to start another fork under job 0 (mainly, the  ACJ  fork).
     However, the ACJ fork can then be killed by:

     @ENABLE
     $^ESPEAK
      [Please type SYSJOB commands - end with ^Z]
     KILL ACJ
     ^Z

          The ACJ may now be run under job 0.  The SMON% monitor  call  now
     has a new function (.SFACJ).

     Code         Symbol         Meaning
     102          .SFACJ         This function only takes a valid argument of
                                 0 in AC 2. This will start up an ACJ process
                                 in the monitor if one is not already running.
                                 The monitor will get the program to run from
                                 DEFAULT-ACJ:. If the DEFAULT-ACJ: logical name 
                                 does not exist, the system will try to get the
                                 file from SYSTEM:ACJ.EXE.

     New error code for SMON%:
Security Enhancements for TOPS-20                               Page 8


     SMONX5:   ACJ fork already running
     SMONX6:   Invalid request

          Also, the .SFACJ function is a part of the TMON% monitor call:

     Code         Symbol         Meaning
     102          .SFACJ         WHEEL or OPERATOR capability required to read
                                 the setting of this function.
                                 Returns:
                                   AC 2:  0 - ACJ is running, in monitor context
                                   AC 2:  1 - ACJ is running, not in monitor 
                                              context
                                   AC 2: -1 - ACJ is not running

          A new supporting command from the EXEC is:

     ^ESET SYSTEM-ACCESS-CONTROL-JOB

          This command attempts to start the ACJ fork from monitor  context
     if one is not already running somewhere.  There is be no corresponding
     ^ESET NO command because it is not desired to be able to kill the  ACJ
     fork easily.

          Similarly, there is a new SETSPD command that can be put into the
     x-CONFIG.CMD  file.   This  command acts like the EXEC's ^ESET command
     and looks like this:

     ENABLE SYSTEM-ACCESS-CONTROL-JOB



     3.2  Password Expiration

          During 6.0/6.1 development, it was felt that  TOPS-20  needed  to
     have a password expiration of some sort.  The work done in 6.0/6.1 was
     not completed.  Password expiration is a valuable security feature and
     now has been fully implemented.

          The following changes were performed to make password  expiration
     work:

     1.  The LOGIN% and  CRJOB%  monitor  calls  now  know  the  difference
         between  "interactive"  and "non-interactive" logins.  The current
         last login date-time word in directory page 0 and the JSB  is  now
         the  last  interactive login date-time.  New words have been added
         to directory page 0 and the JSB to store the last  non-interactive
         login date-time.

     2.  The EXEC now tells the user the last "interactive" login  and  the
         last  "non-interactive" login.  This information is be returned by
         the LOGIN% monitor call, and is available from GETJI%  for  logged
         in jobs.

     3.  The LOGIN% and CRJOB% monitor calls  have  been  changed  to  keep
         track   of   failed   login   attempts   (both   interactive   and
         non-interactive).  The  number  of  failures  are  in  a  word  in
Security Enhancements for TOPS-20                               Page 9


         directory  page  0  (half  of a word for the number of interactive
         slogin failures and  the  other  half  for  non-interactive  login
         failures).   The  LOGIN%  monitor  call  returns  the failures and
         clears them after each successful interactive login.

     4.  The number of interactive and non-interactive  login  failures  is
         displayed by the EXEC on each login.

     5.  The monitor allows the  user  login  interactive  once  after  the
         password has expired.  The EXEC then forces the user to change his
         password.

     6.  The EXEC gives a warning message  when  logging  in  interactively
         that  a  password  will  expire if the expiration time is within a
         week of the current time.

     7.  It is hoped that passwords are going to have to  be  changed  more
         often  because  of  these  changes.   Currently  the SET DIRECTORY
         PASSWORD PS:<user-name> is used to change the password.   As  this
         is  very  awkward, a new SET PASSWORD command has been implemented
         in the EXEC to make it easier for  users  to  change  their  login
         passwords.   Of  course,  this new command is identical to the old
         command except  the  PS:<user-name>  is  be  implied  in  the  SET
         PASSWORD command.

     8.  A new SMON% function has been added  to  set  password  expiration
         time.   If  the  system manager wants passwords to expire every 30
         days, then each time a password is changed, its expiration date is
         changes   by   the   number   of   days   specified.   The  ENABLE
         PASSWORD-EXPIRATION N command has been added to SETSPD, and  ^ESET
         PASSWORD-EXPIRATION command has been added to the EXEC.


          In order to support password expiration, the LOGIN% monitor  call
     must  be  changed.   Even though this dramatically changes the way the
     LOGIN% monitor call returns information to its caller, it is felt that
     this  cannot  cause  user  programs  in  the  field to break.  The two
     supported programs that use the LOGIN% monitor call are the  EXEC  and
     RMSFAL.   These  changes do not effect the RMSFAL program and the EXEC
     is changed to take  advantage  of  the  new  information  returned  by
     LOGIN%.

          The LOGIN% monitor call now returns information as follows:

     RETURNS:      +1:  Failure, error code in AC1
                   +2:  Success with:
                        AC1:  Date and time of last interactive login
                        AC2:  Date and time of last non-interactive login
                        AC3:  Password expiration date (0 if none, -1 of this
                              is the last time a user can login - i.e. the
                              password has expired)
                        AC4:  Number of interactive login failures,,number
                              of non-interactive login failures

     The LOGIN% monitor call will allow one and only one login after the user's
     password has expired (or the expiration date is set to zero).  It is the user's
Security Enhancements for TOPS-20                              Page 10


     responsibility to then change the password.

          The EXEC has code  to  change  the  user's  password  if  it  has
     expired.

          The CRDIR% monitor call now has its argument block enhanced:

     Code       Symbol        Meaning
     0          .CDLEN        <flag bits>,,<length of argblk>
                              B8(CD%SNI)  Set last non-interactive login date
                                          and time from argument block
                              B9(CD%SFC)  Set number of failed logins 
                                          (interactive and non-interactive)
                                          from argument block

     12         .CDLLD        Date and time of last interactive login
                              (Changed from date and time of last login)

     30         .CDNLD        Date and time of last non-interactive login

     31         .CDFPA        Count of failed interactive logins for this user
                              in the left half,,count of failed non-interactive
                              logins in the right half

     New error codes for CRDIR%:

     CRDI31:   Password expiration date is too far in the future
     CRDI32:   Password expiration is not enabled on this system

          The above error (CRDI31) occurs if the user attempts to  set  the
     password  expiration  date  past  a  certain  date.   That date is the
     current time plus the number of days the  system  password  expiration
     count has been set.

          Note that the above changes  for  the  CRDIR%  monitor  call  are
     reflected  in  the  GTDIR%  monitor  call  since  GTDIR% uses the same
     argument block that CRDIR% uses.

          The EXEC was changed to use the new information returned  by  the
     LOGIN% monitor call.  The EXEC currently displays the following when a
     user logs in:
Security Enhancements for TOPS-20                              Page 11



              Unauthorized Access is Prohibited

      Cloyd, no longer taking a dirt nap, TOPS-20 Monitor 7(21233)
     @LOG RASPUZZI (PASSWORD) 
      Job 202 on TTY241 31-Aug-88 14:33:41, Last Login 30-Aug-88 11:42:37
     @

          For this portion of the project, the EXEC has  been  modified  to
     display the following:

              Unauthorized Access is Prohibited

      Cloyd, no longer taking a dirt nap, TOPS-20 Monitor 7(21233)
     @LOG RASPUZZI (PASSWORD) 
      Job 214 on TTY243 GIDNEY::RASPUZZI(CTM) 31-Aug-88 14:36:47
       Last interactive login 31-Aug-88 14:36:38
       Last non-interactive login 31-Aug-88 14:36:38
     % 2 interactive login failures since last successful login     ***
     % 1 non-interactive login failure since last successful login  ***

       Warning: Your password expires on 31-Aug-88 22:33:33         ***

     ?Your password has expired.  Please change your password now.  ***

     Old password:                                                  ***
     New password:                                                  ***
     Retype new password:                                           ***

          The lines marked with *** in the above  example  are  items  that
     would not be displayed all the time.  For example, the number of login
     failures (either interactive or non-interactive) since the user's last
     successful  login would only appear if either count is 1 or more.  The
     warning about password expiration would be  displayed  at  login  time
     only  if  the  user's  password expires in seven days or less.  If the
     user's password had expired, and this is the first login attempt since
     the  password  expired,  then  the  EXEC forces the user to change his
     password.

          A new command is introduced in the EXEC to expedite changing  the
     user's password for his login directory.

     @SET PASSWORD (OF LOGIN DIRECTORY)
     Old password:
     New password:
     Retype new password:

          The above is an example  of  how  this  new  command  looks.   It
     defaults the directory being changed to PS:<username>.

          There is a new BUILD subcommand so  that  a  system  manager  may
     explicitly set the password expiration date.

     $BUILD PS:<BADUSER>
     $$EXPIRATION-OF-PASSWORD date-time
           or
Security Enhancements for TOPS-20                              Page 12


     $$[NO] EXPIRATION-OF-PASSWORD
           or
     $$EXPIRE (USER PASSWORD)
     $$

          Setting EXPIRATION-OF-PASSWORD "date-time" is  used  to  set  the
     expiration  of  the password to either the date and time or the number
     of  days  in  the  future  to  expire  the   password.    Setting   NO
     EXPIRATION-OF-PASSWORD  sets  the word to 0, which means that the user
     will only be able to login once and should set a new password at  that
     time.

          The EXPIRE subcommand sets the password expiration  date  to  -1.
     This  means that the user cannot to login to the account interactively
     because the account has been expired.

          If an existing system turns on password expiration  on  the  fly,
     all  users  will  have  a  password  expiration  date of 0.  This will
     immediately force all users to change their passwords  the  next  time
     they login.

          DLUSER has been modified to know  about  the  new  words  in  the
     directory (CRDIR% arguments) but there is no functional change to this
     program.  However, this leads to an incompatibility  between  the  new
     DLUSER  and  the  old  one.   The  new  DLUSER  will not work with old
     monitors.  The old DLUSER will still work with the  new  monitor  that
     will  contain  the changes for this project.  The new DLUSER will also
     be able to read old DLUSER output files.

          There are no visible effects of this project on CHECKD.  However,
     when  the  new directory words are defined in PROLOG, CHECKD has to be
     reassembled with the new PROLOG.UNV.

          The INFORMATION DIRECTORY command is enhanced  to  show  password
     expiration, last non-interactive login, and failure counts:

     $INFORMATION (ABOUT) DIRECTORY (DIRECTORY NAME) PS:<RASPUZZI>
      Name PUBLIC:<RASPUZZI>
      Working disk storage page limit 500
      Permanent disk storage page limit 500
      WHEEL
      IPCF
      ARPANET-WIZARD
      ABSOLUTE-ARPANET-SOCKETS
      ARPANET-ACCESS
      Number of directory 75
      Account default for LOGIN GARK
      Protection of directory 770000
      Maximum subdirectories allowed 5
     *Last interactive login 13-Sep-88 20:57:07
     *Last non-interactive login 12-Sep-88 15:22:48
     *Password expires on 18-Oct-88 07:01:00
     *Number of interactive login failures 1
     *Number of non-interactive login failures 2
      TOPS10 project-programmer number - none set
     $
Security Enhancements for TOPS-20                              Page 13


          The lines marked with  a  '*'  are  added  or  changed  for  this
     project.  This is the convention throughout the rest of the document.

          The INFORMATION SYSTEM command has a new line:

     $INFORMATION (ABOUT) SYSTEM-STATUS 
      Operator is in attendance
      Remote logins allowed
      Local logins allowed
      Pseudo-terminal logins allowed
      ARPANET terminal logins are not allowed
      DECnet terminal logins allowed
      LAT terminal logins allowed
      Console terminal login allowed
      Accounting is being done
      Account validation is enabled
      Working set preloading is disabled
      Sending of system level zero messages is enabled
      Sending of system level one messages is enabled
      Job zero CTY output is enabled
      Tape-drive allocation is enabled
      Automatic file-retrieval-waits allowed
      Maximum offline-expiration is 90 days
      Scheduler bias-control setting is 11
      Class scheduling is disabled, batch jobs being run on dregs queue
      Offline structures timeout interval is 0 minutes and 5 seconds
      Cluster information is enabled
      Cluster sendalls are enabled
      Minimum password length is 8 characters
     *Password expiration is 45 days
     $

          The SMON% monitor call has a new  function  added  to  enable  or
     disable  password  expiration  (a  corresponding  TMON% call reads the
     password expiration setting):

     Code      Symbol        Meaning
     103       .SFPEX        Controls password expiration
                                 AC2:    0 - Disable password expiration
                                     1-366 - Number of days a password 
                                             remains valid.

     New SMON% error code:

     SMONX6:  Password expiration day count must be between 1 and 366

          The .SFPEX function sets a system wide parameter that is used  to
     determine  the  expiration  date  and  time  when  a  user changes his
     password.  For example, if a password was set on May 6, 1988 at  14:03
     and  the  system had password expiration enabled for 10 days, then the
     password that was just set would expire on May 16, 1988 at 14:03.

          Two new commands for the x-CONFIG.CMD file for SETSPD are:

     ENABLE PASSWORD-EXPIRATION xxx
     DISABLE PASSWORD-EXPIRATION
Security Enhancements for TOPS-20                              Page 14


          Where xxx  is  the  number  of  days  to  be  used  for  password
     expiration and xxx must be between 1 and 366 (the default is 30).

          The EXEC has a similar command to control password expiration:

     ^ESET [NO] PASSWORD-EXPIRATION (TO) xxx

          Where xxx  is  the  number  of  days  to  be  used  for  password
     expiration and xxx must be between 1 and 366 (the default is 30).



     3.3  Password Dictionary

          TOPS-20 had no way to regulate the words utilized  by  users  for
     passwords.  A user can do a CRDIR% monitor call to change his password
     but the monitor simply changes the password after checking its  length
     but without checking to see if this password is reasonable.

          The  file  SYSTEM:PASSWORD.DICTIONARY  contains  all   words   in
     alphabetical  order that are to be disallowed as passwords.  The first
     time a user attempts to set a password, the monitor builds an index to
     this  file.   This  index  is  used  as  long  as  the  write  date of
     SYSTEM:PASSWORD.DICTIONARY does not change, and contains the point  at
     which  the  first letter in the dictionary word changes.  This is used
     to greatly speed up dictionary searches.

          With   this   feature   enabled,    the    monitor    looks    in
     SYSTEM:PASSWORD.DICTIONARY  each  time a password is changed to see if
     the password that  the  user  supplied  is  in  the  dictionary.   The
     password  dictionary  contains words that the system manager deems too
     easy to guess and therefore, any word in the PASSWORD.DICTIONARY  file
     is  not  useable  as  a  legal  password  on the system.  The supplied
     PASSWORD.DICTIONARY file is an actual dictionary of  several  thousand
     words.

          The   password   dictionary   is   turned   on   by   the   ^ESET
     PASSWORD-DICTIONARY EXEC command and ENABLE PASSWORD-DICTIONARY SETSPD
     command.  The SMON% monitor call has have a new  function  to  support
     the turning on and off of the password dictionary feature.  There is a
     corresponding TMON% function to  read  the  current  system's  setting
     (whether or not the password dictionary is enabled).  The new function
     is shown below:

     Code       Symbol       Meaning
     104        .SFPWD       Used to enable or disable the password
                             dictionary feature. If enabled, words listed
                             in SYSTEM:PASSWORD.DICTIONARY are not allowed
                             as valid passwords.
                                   AC2:  0 - Disable password dictionary
                                         1 - Enable password dictionary

          A new error code for the CRDIR% monitor call is also  introduced.
     it is:

     CRDI33:   Password found in system password dictionary
Security Enhancements for TOPS-20                              Page 15


          A new EXEC command is introduced to turn this feature on or off:

     ^ESET [NO] PASSWORD-DICTIONARY

          And supporting SETSPD commands are:

     ENABLE PASSWORD-DICTIONARY
     DISABLE PASSWORD-DICTIONARY

          The INFORMATION SYSTEM command has its display modified  slightly
     to show whether or not the password dictionary is enabled:

     @INFORMATION (ABOUT) SYSTEM-STATUS 
      Operator is in attendance
      Remote logins allowed
      Local logins allowed
      Pseudo-terminal logins allowed
      ARPANET terminal logins are not allowed
      DECnet terminal logins allowed
      LAT terminal logins allowed
      Console terminal login allowed
      Accounting is being done
      Account validation is enabled
      Working set preloading is disabled
      Sending of system level zero messages is enabled
      Sending of system level one messages is enabled
      Job zero CTY output is enabled
      Tape-drive allocation is enabled
      Automatic file-retrieval-waits allowed
      Maximum offline-expiration is 90 days
      Scheduler bias-control setting is 11
      Class scheduling is disabled, batch jobs being run on dregs queue
      Offline structures timeout interval is 0 minutes and 5 seconds
      Cluster information is enabled
      Cluster sendalls are enabled
      Minimum password length is 8 characters
      Password expiration is 45 days
     *Password dictionary is enabled

          The following examples are shown to help illustrate the format of
     the  password dictionary file.  The file is similar to the one used by
     the SPELL program.

     ABORT, S, ED, ING
     ABUSE, S, D, \ING
     ACQUIT, S, "ED, "ING
     ADMIRAL, S, 'S

          Each line in the above  example  demonstrates  something  special
     about the entries in the password dictionary file.

          The first line shows the word ABORT.  The entries  in  this  line
     separated  by  commas  indicates  suffixes  that  are  added to ABORT.
     Therefore, the first line contains the following words that cannot  be
     used as passwords:  ABORT, ABORTS, ABORTED, or ABORTING.
Security Enhancements for TOPS-20                              Page 16


          In the second example, the "\" character is seen in  one  of  the
     entries.   This character means that you take the base word and remove
     the last character and add the suffix.  The base word is ABUSE.  After
     removing  the  final "e" and adding ING the word ABUSING is formed and
     cannot be used as a password.

          The  third  line  shows  the  quote  character.   This  character
     indicates  that  you must duplicate the last letter of the word before
     adding the suffix;  ACQUIT becomes ACQUITTED and ACQUITTING.

          The final line shows the apostrophe.  This character is taken  as
     is.  Therefore, the base word ADMIRAL becomes ADMIRAL'S.



     3.4  System Wide Password Penalty Lock

          TOPS-20 has a password penalty lock which prevents more than  one
     attempt  at  a  bad  password each three seconds.  However a malicious
     user can write  a  program  that  attempts  to  guess  someone  else's
     password  by  using  the CFORK% JSYS to make many copies of a password
     guessing program.  Each guess would still get the  3  second  password
     penalty,  but  if  multiple forks are running, then each fork gets the
     penalty in parallel with the other forks.   Therefore,  the  malicious
     user's effectiveness in guessing passwords has increased by the number
     of forks he has running.

          The solution to this  problem  is  simple.   Since  the  password
     penalty is served in one routine in the monitor, this routine has been
     modified to get a system-wide lock before  serving  the  three  second
     password  penalty.   That way, only 1 fork per system is allowed to go
     through the password penalty code at a time.  This significantly slows
     down any attempts to guess a password in multiple forks or jobs, since
     only one password guess could happen each three seconds no matter  how
     many forks or jobs were trying to guess a password.



     3.5  More GETOK Functions

          The monitor already asks for ACJ's  permission  on  a  number  of
     monitor  calls.   There are a number of "dangerous" monitor calls that
     do not have ACJ controls.  The following new GETOK functions have been
     added, and are supported in the new ACJ program.

     Code      Symbol      Meaning

     27        .GOTTM      Allow use of TTMSG% monitor call

                           Argument block (user-specified):

                           Word    Symbol    Contents
                           0       .GEERB    Error block address
                           1       .GEDTY    AC1 as given to the TTMSG% JSYS

     30        .GOSMN      Allow system parameters to be set with SMON%
Security Enhancements for TOPS-20                              Page 17



                           Argument block (user-specified):

                           Word    Symbol    Contents
                           0       .GEERB    Error block address
                           1       .GESMF    SMON% function number
                           2       .GESMV    New value for function

     31        .GOHSY      Allow use of the HSYS% monitor call

                           Argument block (user-specified):

                           Word    Symbol    Contents
                           0       .GEERB    Error block address
                           1       .GESDT    Shutdown time (internal format)
                           2       .GERES    System resume time (internal
                                             format)

     32        .GOSGT      Allow access of information via SYSGT%

                           Argument block (user-specified):

                           Word    Symbol    Contents
                           0       .GEERB    Error block address
                           1       .GETBN    SIXBIT table name

     33        .GOGTB      Allow access of information via GETAB%

                           Argument block (user-specified):

                           Word    Symbol    Contents
                           0       .GEERB    Error block address
                           1       .GETBN    Index into table,,table number

     37        .GOTLK      Allow use of the TLINK% monitor call

                           Argument block (user-specified):

                           Word    Symbol    Contents
                           0       .GEERB    Error block address
                           1       .GETTB    TLINK% flags,,object designator
                           2       .GERMT    Remote designator

     40        .GOCRL      Allow use of the .CLNS1, .CLNSA or .CLNSY
                           functions of the CRLNM% monitor call

                           Argument block (user-specified):

                           Word    Symbol    Contents
                           0       .GEERB    Error block address
                           1       .GECFN    CRLNM% function
                           2       .GELNM    Block of 16. words that contain
                                             the logical name for .CLNS1 and
                                             .CLNSY functions

     41        .GODTC      Inform access control job of DTACH%
Security Enhancements for TOPS-20                              Page 18



                           Argument block (user-specified):

                           Word    Symbol    Contents
                           0       .GEERB    Error block address





     3.6  Secure Files

          A feature that has been desired by  many  TOPS-20  customers  has
     been  the  ability  to  restrict  access to files based on the type of
     access and the user doing the accessing.  In order  to  avoid  calling
     the  ACJ  for  each  file  access, the notion of SECURE files has been
     implemented.

          The monitor only asks ACJ's permission on  marked  files.   These
     files  have  a  bit set in their FDB status word (FB%SEC) and this bit
     would be settable using the CHFDB% monitor call.   A  supporting  EXEC
     command  (SET  FILE  SECURE  filename) has been added to set the files
     [NO] SECURE.  A subcommand to the BUILD command and  a  SET  DIRECTORY
     command  has  been added to set a directory SECURE.  Any files created
     in a SECURE directory would be made SECURE by default.

          When accessing a SECURE file (at the time of the OPENF%,  RNAMF%,
     or  DELF%/DELNF%)  the monitor gets some freespace and pass that as an
     argument for the GTOKM macro.  The freespace contains the name of  the
     file  being  opened.   The type of access desired is provided with the
     GTOKM call.  When the ACJ does a RCVOK%, the monitor copies  the  name
     of  the  file  into  the ACJ's user address space out of the freespace
     indicated.

          The ACJ then does a GIVOK% JSYS to allow or deny  access  to  the
     file.   If  the  access is denied, the usual error code is returned to
     the user.  Since the policy implementation of secure files would be in
     the  ACJ,  documentation  of  the  policy  does not make sense in this
     document.

          The changes done to support SECURE  files  are  documented  here.
     There are four new GETOK functions having to do with SECURE files:

     Code      Symbol      Meaning

     34        .GOOPN      Allow opening a file that is set secure

                           Argument block (user-specified):

                           Word    Symbol    Contents
                           0       .GEERB    Error block address
                           1       .GEOAC    AC 2 of OPENF%
                           2       .GEFIL    226 (octal) words containing
                                             STR:<DIRECTORY>NAME.EXT.VER
                                             of file being opened
Security Enhancements for TOPS-20                              Page 19


     35        .GORNF      Allow renaming a file that is set secure

                           Argument block (user-specified):

                           Word    Symbol    Contents
                           0       .GEERB    Error block address
                           1       ------    Not used
                           2       .GEFIL    226 (octal) words containing
                                             STR:<DIRECTORY>NAME.EXT.VER
                                             of file being renamed

     36        .GODLF      Allow deleting a file that is set secure (either
                           through DELF% or DELNF% monitor calls)

                           Argument block (user-specified):

                           Word    Symbol    Contents
                           0       .GEERB    Error block address
                           1       .GEDAC    Bits selected in user's AC 1
                           2       .GEFIL    226 (octal) words containing
                                             STR:<DIRECTORY>NAME.EXT.VER
                                             of file being deleted

     42        .GOCFD      Allow CHFDB% to set or clear FB%SEC on a file

                           Argument block (user-specified):

                           Word    Symbol    Contents
                           0       .GEERB    Error block address
                           1       .GESFS    Contents of .FBCTL in file's FDB
                           2       .GEFIL    226 (octal) words containing
                                             STR:<DIRECTORY>NAME.EXT.VER
                                             of file being deleted


          A new command to the EXEC is needed to specify  which  files  are
     SECURE.  This command is:

     $SET FILE [NO] SECURE name.extension.version

          The SET FILE command marks the file as needing to be  checked  by
     the  ACJ the next time the file is opened.  This will also be the case
     if the file is to be renamed or deleted.

          The  SET  DIRECTORY  (or  BUILD)  command  sets  a  bit  in   the
     directory's  mode  word  (CD%SEC in .FBCTL) to indicate that any files
     created in this directory be set  SECURE  by  default.   This  bit  is
     defined  for  the  CRDIR%  monitor call so that a directory can be set
     secure.  The format of this command is:

     $SET DIRECTORY [NO] SECURE str:<directory>
                  or
     $BUILD str:<directory>
     $$[NO] SECURE
     $$
Security Enhancements for TOPS-20                              Page 20


          The INFORMATION DIRECTORY command looks like this  for  a  secure
     directory:

     $INFORMATION (ABOUT) DIRECTORY (DIRECTORY NAME) PS:<SYSTEM>
      Name PUBLIC:<SYSTEM>
      Working disk storage page limit +INF
      Permanent disk storage page limit +INF
      FILES-ONLY
     *SECURE
      Number of directory 2
      Default file protection 777752
      Account default for LOGIN - none set
      Protection of directory 777740
      Generations to keep 0
      TOPS10 project-programmer number 3,4
     $



     3.7  Enhance GETOK Function for CRDIR%

          As it stands now, when a user executes the CRDIR%  monitor  call,
     the  monitor  simply  asks  the ACJ whether or not the user can do the
     CRDIR%.  However, no additional information is passed to the  ACJ  and
     it  has  no  way  of  determining what the user wants to change in the
     directory and which directory is being changed.  The new data returned
     changes  the GETOK function from CRDIR%;  since additional information
     is being furnished, it does not disturb current configurations.  Those
     sites  that do not wish to change the way their ACJ currently works do
     not have to.

          The GETOK function block created by the CRDIR% monitor  call  now
     contains the following:

     Code     Symbol       Meaning
     11       .GOCRD       Allow directory creation

                           Argument block (user-specified):

                           Word    Symbol    Contents
                           0       .GEERB    Error block address
                           1       .GECFL    CRDIR% flags (this is the argument
                                             the user has passed into CRDIR%
                                             in AC 2)
                           2       .GEDIR    Block of 11. words containing
                                             STR:<DIRECTORY>
                           15      .GECAB    Block of 25. words containing
                                             the actual CRDIR% argument block.
                                             Note any byte pointers in the
                                             argument block are meaningless
                                             since they point to addresses in
                                             the user's own address space.
Security Enhancements for TOPS-20                              Page 21


     3.8  CTERM Access

          Previous to the  implementation  of  this  project,  the  monitor
     simply  accepts  all  incoming  CTERM  connections,  It is possible to
     prevent CTERM connections by disabling LOGINs over DECnet but this  is
     an  all or nothing case.  There is no way to check who is on the other
     end of the link.

          The solution is to make the CTERM fork perform a  GETOK  function
     when  it  is handling incoming CTERM requests.  The information passed
     to the ACJ is NODE::USER and the ACJ can choose to accept or deny  the
     connection  as well as make a log of who attempted the connection from
     the remote system.

          Note:  this solution is not one  hundred  percent  accurate.   It
     could be possible for someone to have compromised the remote system in
     such a manner that the incoming data of NODE::USER may be  inaccurate.
     However,  there  is  no way to prevent a remote system from giving the
     TOPS-20 system incorrect information.

          A new GETOK function is therefore added:

     Code        Symbol           Meaning
     26          .GOCTM           Allow incoming CTERM connection

                                  Argument block format (user-specified):

                                  Word   Symbol   Contents
                                  0      .GEERB   Error block address
                                  1      .GEWHO   13 (octal) words containing
                                                  the string NODE::USER who is
                                                  attempting the incoming CTERM
                                                  connection. If the username is
                                                  not easily determined, then the
                                                  string will simply be the node

          The NTINF% monitor call was also enhanced.  The  username  string
     from  the  remote  system  will  be  returned through NTINF%.  This is
     accomplished by changing a word in the NTINF% argument block:

                  Word      Symbol      Contents
                    3       .NWNNP      Destination designator; byte pointer
                                        to location for monitor to write the
                                        name and username if possible of the
                                        originating node in user address space.
                                        For CTERM terminals, the monitor will
                                        write NODE::USER.

          The .NWNNP word used to be a byte  pointer  for  the  monitor  to
     write the node name only.  It will be modified so that NODE::USER will
     be returned for CTERM terminals only.

          The new NTINF% feature will be taken advantage of by all programs
     using  the NTINF% JSYS.  All users of NTINF% to return the DECnet node
     name for the CTERM host will now also get the username as specified in
     the  CTERM  connection  data.   The DECnet node name will be separated
Security Enhancements for TOPS-20                              Page 22


     from the CTERM supplied user name by two colons.  Here is  an  example
     of  how the origin will be displayed for CTERM connections as shown by
     a SYSTAT command:

     @SYSTAT NO OPERATOR NO CONNECT
      Tue 13-Sep-88 13:15:28  Up 27:57:41
      7+6 Jobs   Load av (class 1)   0.25   0.17   0.25

      Job  Line Program  User              Origin
        6   DET  RMSFAL  Not logged in
        9   426  EXEC    GSCOTT            LAT1(LAT)
       10   427  EXEC    CONDOR            LAT394(LAT)
       11*  340  SYSTAT  RASPUZZI          TOPS20.DEC.COM(TCP)
       13   DET  RMSFAL  Not logged in
       16   314  EMACS   JROSSELL          THEP::JROSSELL(CTM)

          Note how the last line has NODE::USER(CTM) in the origin  column.
     If  the  remote  username  is  not  known by the local system, then no
     username  will  be  displayed.   The  old  display  simply   contained
     NODE(CTM) in the origin field.



     3.9  Connect Time

          There is no way for a system manager to easily obtain how long  a
     specific  user  has  been  connected to the system.  Adding a new word
     that is returned by the GETJI% monitor call will solve this problem.

          The connect time is stored in the job's JSB for system accounting
     purposes,  so  code  was added to retrieve this word and pass it on to
     the calling user.  The GETJI% monitor  call  was  modified  such  that
     another word will be returned in the argument block:

     Word     Symbol      Meaning
     34       .JICT       Job's connect time
     35       .JINLD      Job's last non-interactive login

          The new .JICT word returned by  GETJI%  implies  that  the  INFO%
     monitor  call  will  have  a  new word returned in the .INSYS argument
     block:

     Word     Symbol      Meaning
     15       .SYJCT      Job's connect time

          The SYSTAT  command  has  been  modified  to  take  advantage  of
     displaying  a user's connect time.  A new column appears in the SYSTAT
     display:

     @SYSTAT,
     @@CONNECT-TIME
     @@NO OPERATOR
     @@
      Tue 13-Sep-88 13:05:54  Up 303:54:45
      10+7 Jobs   Load av   0.08   0.10   0.09
Security Enhancements for TOPS-20                              Page 23


      Job  Line Program Connected  User              Origin
      199   436  EXEC     0:10:14  JBREWER           LAT73(LAT)
      200*  434  SYSTAT   0:11:12  RASPUZZI          GIDNEY::RASPUZZI(CTM)
      206   435  EXEC    20:00:51  GSCOTT            TOPS20.DEC.COM(TCP)
      207     3  EXEC     0:00:22  DUSSEAULT
      209   440  RONCO    1:15:26  JROSSELL          LAT71(LAT)
      210   441  SED      0:30:32  LOMARTIRE         LAT393(LAT)
      211   445  EXEC     1:21:45  MCCOLLUM          LAT32(LAT)
      212   443  OPR    113:23:44  WONG              LAT394(LAT)
      214   442  EXEC     0:00:02  WADDINGTON        LAT394(LAT)



     3.10  Hangup on DETACH

          When a user detaches from a DECSYSTEM-20, the  terminal  line  is
     not  hung  up.  This leaves a terminal line attached and in use by the
     physical  terminal  connected  to   the   DECSYSTEM-20   (or   virtual
     terminals).   This  is  a  small security problem and an annoyance for
     people who use DECSERVERs because you must then break  and  disconnect
     your session.

          The LGOUT% monitor  call  already  handles  a  hangup  on  logout
     through  a command implemented in SETSPD.  The DTACH% monitor call has
     been to hangup depending on a variable.  A new SETSPD command  (ENABLE
     HANGUP-ON-DETACH) is used to set this system-wide parameter.

          This feature is enabled or disabled  with  the  following  SETSPD
     commands:

     ENABLE HANGUP-ON-DETACH
     DISABLE HANGUP-ON-DETACH

          In turn, the SETSPD program uses a new SMON% function to set this
     feature.   The  TMON%  monitor  call uses the same function to allow a
     user to read the state of hangup  on  DETACH.   The  new  function  is
     defined below:

     Code      Symbol       Meaning
     105       .SFHDT       Used to enable or disable hanging up when a
                            user DETACHes a job.
                                 AC 2:  0 - Enable hangups on DETACH
                                        1 - Disable hangups on DETACH

          Note that the monitor defaults this function as disabled so  that
     it  is consistent with older versions of TOPS-20.  If a system manager
     wishes to use this feature, he must do something extra  to  enable  it
     (adding the SETSPD command to the x-CONFIG.CMD file).

          When a job  becomes  detached  because  carrier  has  dropped  or
     because of a network interruption, a 5 minute timer is started.  There
     is no easy way to change this 5 minute  limit.   In  particular,  five
     minutes  may not be enough for some sites.  Previously the monitor had
     to be patched to change this value.
Security Enhancements for TOPS-20                              Page 24


          Two new SETSPD commands and SMON%/TMON% functions  are  added  to
     control this interval.  The SETSPD commands are:

     DISABLE DETACH-CARRIER-OFF
     ENABLE DETACH-CARRIER-OFF xxx

          Where xxx is a number of minutes.  The DISABLE command  sets  the
     minutes  to  0 and this causes jobs to get logged out immediately upon
     carrier loss or network interruption.



     3.11  Default to REFUSE LINKS

          When a potential user connects to a TOPS-20 system, his  terminal
     is  set  to  RECEIVE LINKS by default.  Since there are naive users in
     the world it is possible for them  to  be  harassed  because  of  this
     feature.   One  would  hope that privileged users would want to REFUSE
     LINKS themselves but why leave it up to chance?

          All that needs to be changed is the state of  the  RECEIVE/REFUSE
     LINKS bit setting during job creation.  This is a simple change in the
     monitor.

          This change is  visible  to  the  user  because  when  a  job  is
     activated  on  a  terminal,  it  is be set to REFUSE LINKS rather than
     RECEIVE LINKS as in previous monitors.  All changes to  initiate  this
     are  internal  to  the  monitor  and  require  no monitor call or EXEC
     modifications.

          Like all pieces of this project, this feature  has  some  way  of
     turning this off.  If a system manager would rather have jobs with the
     RECEIVE LINKS as the default, the EXEC command RECEIVE  LINKS  can  be
     inserted  in  the  SYSTEM:LOGIN.CMD  file.   This file is always taken
     during job login.  Of course, this does not  make  this  part  of  the
     project one hundred percent turned off (not logged in jobs have REFUSE
     LINKS by default until they LOGIN, but RECEIVE LINKS  command  can  be
     entered at a not-logged-in job if desired).



     3.12  New ACJ Program

          Currently, customers are supplied with a template  to  show  them
     how an access control job might look.  This is a macro program that is
     distributed as ACJ.MEM.  However, this file has not been updated since
     release 5.0 was under development, so it is extremely outdated.

          A new ACJ is being distributed with the other software.  This new
     ACJ supports all of the new GETOK functions documented here as well as
     implementation of reasonable policy for each function.   This  support
     includes  controlled access to SECURE files.  Documentation is shipped
     with the ACJ as ACJFUN.MEM.
Security Enhancements for TOPS-20                              Page 25


     4.0  Performance Expectations

          It is expected that there are  certain  performance  degradations
     for some of the parts of this project.  There is not a big performance
     impact although there may be some noticeable delay in the  areas  that
     are affected by the changes introduced by this project.

      o  The ACJ fork should be slightly more responsive running under  job
         0  if  the  ^ESET  SYSTEM-ACCESS-CONTROL-JOB  is used.  Since most
         sites run the ACJ under SYSJOB, there will be  no  overall  system
         performance impact.

      o  There may be a noticeable delay when  changing  a  password  on  a
         directory  if  the system has the password dictionary enabled.  In
         particular it takes up to 10 CPU seconds the first time  that  the
         PASSWORD.DICTIONARY  file  is  read  to build the index entries to
         this file.  Successive password  checks  happen  in  less  than  2
         seconds   after   the  indexes  are  built.   Since  the  password
         dictionary file is not changed  often,  and  since  the  delay  in
         searching  the  password  dictionary  is  small,  there  is little
         impact.

      o  Opening, renaming, or deleting a SECURE file  may  take  a  little
         more  time  than  a  regular  open,  rename, or delete.  This only
         affects the files that have been set SECURE and  does  not  affect
         all file accesses.

      o  There is a severe performance decrease in programs that are run in
         multiple  forks  to  attempt to guess passwords.  However, this is
         the intended effect.
Security Enhancements for TOPS-20                              Page 26


     5.0  Error Handling

          All pieces of this project report any errors via the error return
     for the appropriate monitor call.

          If a system manager has decided to run his ACJ as a system  fork,
     and there happens to be a fatal error in the ACJ, the system gives its
     usual GIVTMR and RCVTMR BUGCHKs, and issues a ACJDIE BUGCHK.  This new
     BUGCHK is reported by CHKR when it notices that something has happened
     to the ACJ fork.  CHKR notices this when the software interrupt system
     issues  an  inferior  fork  termination  interrupt.   The  ACJ  is not
     restarted.  The system manager has to restart the ACJ by  hand  (^ESET
     SYSTEM-ACCESS-CONTROL-JOB).

          There is also the possibility that the  system  manager  has  not
     defined  DEFAULT-ACJ:  and the file SYSTEM:ACJ.EXE does not exist.  In
     this case, the system issues a NOACJF BUGCHK when attempting to  start
     the ACJ in monitor context and does nothing.

          There is also special consideration for the password  dictionary.
     If  the  system  manager  enables  this  feature  project  and  has no
     SYSTEM:PASSWORD.DICTIONARY file,  then  the  system  issues  a  NOPWDF
     BUGCHK.   This  occurs  any time the system attempts to do a GTJFN% on
     the password  dictionary  file  and  the  GTJFN%  fails.   The  CRDIR%
     proceeds and the password is not checked.
     [End of SECURITY-ENHANCEMENTS.MEM]