Multics Technical Bulletin MTB-680
Operator Login
To: Distribution
From: Benson I. Margulies
Date: 11/12/84
Subject: Identification and Authentication of Operators
1 ABSTRACT
The B2 criteria require us to identify and authenticate
system operators. This MTB describes changes to system
control and the message coordinator to provide this
feature. Readers should be familiar with MTB694, since
this design presupposes that one.
Comments should be sent to the author:
via Multics Mail:
Margulies at either System-M, MIT, or CISL-SERVICE.
via Forum:
>udd>m>mtgs>B2 on System-M
via telephone:
(HVN) 261-9333, or
(617) 492-9333
_________________________________________________________________
Multics project internal working documentation. Not to be
reproduced or distributed outside the Multics project without the
consent of the author or the author's management.
2 INTRODUCTION
This MTB discusses the handling of commands entered by operators:
"system control" commands. As explained in MTB694, these
commands are processed by the system control subsystem, which
receives them from communications channels (usually terminals)
under control of the message coordinator, the (bootload) system
console, and the send_admin_command interface.
The B2 criteria require that all persons who are connected to the
system be identified and authenticated by user name and password.
It is especially important to identify and authenticate
operators, since they have access to privileged functions.
send_admin_command commands are sent by users who have been
identified and authenticated by the normal Answering Service
mechanisms. System control, on the other hand, does not require
any authentication of persons entering commands via the bootload
console or message coordinator terminals. This MTB describes
identification and authentication of persons entering commands
via these devices.
3 IMPORTANT LIMITATIONS
Given the basic initialization architecture of Multics, it is not
practical to guarantee that the system demand identification and
authentication at all times.
Multics will demand identification and authentication
of operators from the successful completion of
Answering Service initialization (the "multics"
command) until shutdown. Multics will NOT demand
authentication in the Bootload Command environment, in
the ring 1 initializer environment, or in the
pre-Answering Service ring 4 initializer environment.
This restriction has a limited impact on system assurance. In
the environments where identification and authentication are not
required, all commands must be entered via the single bootload
console, physically located in the machine room, where physical
security can be used.
The restriction might be removed, in part, by storing some kind
of minimal authentication database in the hardcore, read in from
the bootload tape. This mechanism would be difficult to secure
and maintain, and is therefore not included at this time.
4 NAMES AND TERMS
The identification and authentication of persons entering
commands on message coordinator terminals and the bootload
console is referred to as "operator login." Since the commands
"login" and "logout" are already in use in the initializer
environment for daemon login and logout, the terms "sign_on" and
"sign_off" are used in the command names and documentation.
5 DESIGN OVERVIEW
Operator identification and authentication ("operator login" from
here on) will be enabled by a switch in installation parameters.
If the switch is off, then operators are not required to sign in.
Operators will log in via the initializer command "sign_on," and
log out via the initializer command "sign_off."
Operators will give a Multics personid and password. The
standard system PNT will be used to validate the personid and
password.
A new PNT attribute, "operator", will be required for a person to
log in as an operator.
If an operator enters a command before entering the sign_on
command, the sign_on command will be run for them, prompting for
name and password.
An installation parameter will specify an optional inactivity
timeout for operators. If no command is entered within the
timeout period, the next command will demand a new
authentication.
The system control ready message will be changed from a simple
"R" to
"(Operator_Name) Ready".
6 IMPLEMENTATION DETAILS
As noted in MTB694, the program sc_execute_command_line_ will
enforce operator login. First, it checks to see if login is
required. Prior to Answering Service initialization, or after a
cripple command, sc_stat_$no_operator_login will be "1"b,
disabling operator login.
Once that test passes, the next question is whether the site
requires operator login. If
installation_parms.operator_login_required is "0"b, then it does
not.
Next, the command may have come from a source that requires no
authentication. In that case (send_admin_command),
sc_subsystem_info.no_real_tty will be "1"b.
If all these tests have passed, then operator login is required.
If mc_ate.signed_on is "0"b, then no one is logged in. If
mc_ate.signed_on is "1"b, then the last_command_time in the
mc_ate is checked against
installation_parms.operator_inactivity_limit. If the inactivity
limit has passed, then the signed_on bit is cleared.
If no one is signed on, then ssu_$execute_line is called with the
command line "sign_on". The operator may sign_on by answering
the questions. If the operator fails to sign on, then execution
of the original command is aborted.
If the sign_on succeeded, or the operator was signed on to begin
with, then command execution proceeds, and the last_command_time
is updated.
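The decision sequence above, modelled in Python as an added example (not code from this MTB or from Multics itself). The PNT dictionary, the SHA-256 stand-in for password checking, the treatment of a zero limit as "no timeout" and the `answers` parameter are assumptions made for illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass

def _h(pw):  # stand-in password transform; not how the real PNT stores passwords
    return hashlib.sha256(pw.encode()).hexdigest()

# Constructed stand-in for the PNT: personid -> (password hash, attributes)
PNT = {"Jones": (_h("tape-rack"), {"operator"}), "Smith": (_h("hunter2"), set())}

@dataclass
class McAte:                       # the mc_ate fields the MTB names
    signed_on: bool = False
    last_command_time: float = 0.0
    operator: str = ""

@dataclass
class State:
    no_operator_login: bool = False        # sc_stat_$no_operator_login
    operator_login_required: bool = True   # installation_parms field
    operator_inactivity_limit: float = 0   # seconds; 0 = no timeout (assumption)

def sign_on(personid, password):
    """Return the personid if it may sign on as operator, else None."""
    if password == "quit":                 # operator declined to sign on
        return None
    stored, attrs = PNT.get(personid, (_h(""), set()))
    ok = hmac.compare_digest(stored, _h(password))
    return personid if ok and "operator" in attrs else None

def execute_command_line(st, ate, line, now, no_real_tty=False, answers=None):
    """Return True if `line` may execute, False if it is aborted."""
    if st.no_operator_login or not st.operator_login_required or no_real_tty:
        return True                        # login not enforced for this command
    limit = st.operator_inactivity_limit
    if ate.signed_on and limit and now - ate.last_command_time > limit:
        ate.signed_on = False              # inactivity limit passed
    if not ate.signed_on:
        who = sign_on(*answers) if answers else None   # implicit "sign_on"
        if who is None:
            return False                   # original command is aborted
        ate.signed_on, ate.operator = True, who
    ate.last_command_time = now
    return True
```

Note that a valid password alone is not enough: a personid without the "operator" attribute is refused, and an expired session forces a fresh sign_on before the next command runs.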
7 COMMAND DESCRIPTIONS
-------------- --------------
sign_on sign_on
-------------- --------------
Names: sign_on, signon
Syntax As A Command
sign_on {User Name}
Use this command to sign on as the operator responsible for the
terminal on which you enter it. This tells the system that you
are responsible for all the commands entered until you type enter
or someone else enters sign_on.
Arguments:
User Name
is the operator's Multics user name. If you don't give this,
you are prompted for it.
Notes:
The sign_on command prompts for the Multics password. If you
decide that you don't want to sign_on, enter "quit" for a
password.
The sign_on command prints the following message:
sign_on: USER_NAME signed on as operator on channel
CHANNEL_NAME.
If someone else is signed on when the sign_on command is given,
the messages are:
sign_on: OLD_USER_NAME signed off.
sign_on: USER_NAME signed on as operator on channel
CHANNEL_NAME.
---------------- ----------------
sign_off sign_off
---------------- ----------------
Names: sign_off, signoff
Syntax As A Command
sign_off
Use this command to sign off as the operator responsible for the
terminal on which you enter it. If your site requires signing on
and off, you or someone else will have to use the sign_on command
to sign on as responsible operator for the terminal before
entering any other commands.