Multics Technical Bulletin                                MTB-680
Operator Login

To:       Distribution

From:     Benson I. Margulies

Date:     11/12/84

Subject:  Identification and Authentication of Operators


     The B2 criteria require us to identify and authenticate
     system operators.  This MTB describes changes to system
     control  and  the message  coordinator to  provide this
     feature.  Readers should be familiar with MTB694, since
     this design presupposes that one.

Comments should be sent to the author:

via Multics Mail:
   Margulies at either System-M, MIT, or CISL-SERVICE.

via Forum:
   >udd>m>mtgs>B2 on System-M

via telephone:
   (HVN) 261-9333, or
   (617) 492-9333


Multics  project  internal  working  documentation.   Not  to  be
reproduced or distributed outside the Multics project without the
consent of the author or the author's management.

MTB-680                                Multics Technical Bulletin
                                                   Operator Login


This MTB discusses the handling of commands entered by operators:
"system  control"  commands.   As   explained  in  MTB694,  these
commands  are processed  by the  system control  subsystem, which
receives  them from  communications channels  (usually terminals)
under control  of the message coordinator,  the (bootload) system
console, and the send_admin_command interface.

The B2 criteria require that all persons who are connected to the
system be identified and authenticated by user name and password.
It   is  especially   important  to   identify  and  authenticate
operators, since they have access to privileged functions.

send_admin_command  commands  are  sent  by users  who  have been
identified  and  authenticated  by the  normal  Answering Service
mechanisms.  System control, on the  other hand, does not require
any authentication of persons  entering commands via the bootload
console  or  message coordinator  terminals.  This  MTB describes
identification  and authentication  of persons  entering commands
via these devices.


Given the basic initialization architecture of Multics, it is not
practical to guarantee that  the system demand identification and
authentication at all times.

     Multics  will demand  identification and authentication
     of   operators  from   the  successful   completion  of
     Answering   Service   initialization   (the   "multics"
     command)  until  shutdown.   Multics  will  NOT  demand
     authentication in the  Bootload Command environment, in
     the   ring  1   initializer  environment,   or  in  the
     pre-Answering Service ring 4 initializer environment.

This restriction  has a limited  impact on system  assurance.  In
the environments where identifications  and authentication is not
required, all  commands must be  entered via the  single bootload
console, physically  located in the machine  room, where physical
security can be used.

The restriction might  be removed, in part, by  storing some kind
of minimal authentication database in  the hardcore, read in from
the bootload  tape.  This mechanism would  be difficult to secure
and maintain, and is therefore not included at this time.

Multics Technical Bulletin                                MTB-680
Operator Login


The  identification   and  authentication  of   persons  entering
commands  on  message  coortinator  terminals  and  the  bootload
console is  referred to as "operator  login."  Since the commands
"login"  and  logout"  are  already  in  use  in  the initializer
environment for daemon login and  logout, the terms "sign_on" and
"sign_off" are used in the command names and documentation.


Operator identification and authentication ("operator login" from
here on) will be enabled  by a switch in installation parameters.
If the switch is off, then operators are not required to sign in.

Operators will  login via the initializer  command "sign_on," and
log out via the initializer command "sign_off."

Operators  will  give  a  Multics  personid  and  password.   The
standard  system PNT  will be used  to validate  the personid and

A new PNT attribute, "operator", will be required for a person to
login as an operator.

If  an  operator enters  a  command before  entering  the sign_on
command, the sign_on command will  be run for them, prompting for
name and password.

An  installation  parameter will  specify an  optional inactivity
timeout  for  operators.  If  no  command is  entered  within the
timeout   period,   the   next   command   will   demand   a  new

The system  control ready message  will be changed  from a simple
"R" to
 "(Operator_Name) Ready".


As  noted  in MTB694,  the program  sc_execute_command_line_ will
enforce  operator login.   First, it  checks to  see if  login is
required.  Prior to Answering  Service initialization, or after a
cripple   command,   sc_stat_$no_operator_login  will   be  "1"b,
disabling operator login.

MTB-680                                Multics Technical Bulletin
                                                   Operator Login

Once that test  passes, the next question is  whether the site is
requiring             operator             login.              If
installation_parms.operator_login_required is "0"b, then they are

Next, the  command may have  come from a source  that requires no
authentication.      In    that     case    (send_admin_command),
sc_subsystem_info.no_real_tty will be "1"b.

If all these tests have  passed, then operator login is required.
If  mc_ate.signed_on  is  "0"b,  then  noone  is  logged  in.  If
mc_ate.signed_on  is  "1"b,  then  the  last_command_time  in the
mc_ate              is               checked              against
installation_parms.operator_inactivity_limit.  If  the inactivity
limit has passed, then the signed_on bit is cleared.

If noone is signed on,  then ssu_$execute_line is called with the
command  line "sign_on".   The operator may  sign_on by answering
the questions.  If the operator  fails to sign on, then execution
of the original command is aborted.

If the sign_on succeeded, or the  operator was signed on to begin
with, then command execution  proceeds, and the last_command_time
is updated.


Multics Technical Bulletin                                MTB-680
Operator Login

--------------                                    --------------
sign_on                                           sign_on
--------------                                    --------------

Names:  sign_on, signon

Syntax As A Command

   sign_on {User Name}

Use this command  to sign on as the  operator responsable for the
terminal on which  you enter it.  This tells  the system that you
are responsable for all the commands entered until you type enter
or someone else enters sign_on.


User Name
   is the operators  Multics user name.  If you  don't give this,
   you are prompted for it.


The  sign_on command  prompts for  the Multics  password.  If you
decide  that  you  don't  want to  sign_on,  enter  "quit"  for a

The sign_on command prints the following message:

    sign_on:   USER_NAME   signed  on  as   operator  on  channel

If someone  else is signed  on when the sign_on  command is give,
the messages are:

    sign_on:  OLD_USER_NAME signed off.
    sign_on:   USER_NAME   signed  on  as   operator  on  channel

MTB-680                                Multics Technical Bulletin
                                                   Operator Login

----------------                        ----------------
sign_off                                sign_off
----------------                        ----------------

Names:  sign_off, signoff

Syntax As A Command


Use this command to sign off  as the operator responsable for the
terminal on which you entry it.  If your site requires signing on
and off, you or someone else will have to use the sign_on command
to  sign  on  as  responsable operator  for  the  terminal before
entering any other commands.