https://community.hpe.com/t5/operating-system-openvms/limiting-interactive-logins/m-p/4368554#M93570 Chris,<BR /><BR />Yes. The LOCAL setting is a rather crude bludgeon. <BR /><BR />The OP does not mention which IP stack or which version of OpenVMS is involved.<BR /><BR />Personally, what I have done in several cases is to make a change to either SYS$MANAGER:SYLOGIN.COM (or a group login file invoked by SYLOGIN.COM) to check the device name against a Rights List Identifier.<BR /><BR />If the user holds the Identifier, the login is permitted, if not, output the appropriate message and LOGOUT.<BR /><BR />Using this approach, it is important to disable CNTRL-Y etc by default (else an enterprising user could just keep hitting the keys to bypass the check).<BR /><BR />- Bob Gezelter, <A href="http://www.rlgsc.com" target="_blank">http://www.rlgsc.com</A> Fri, 27 Feb 2009 19:03:10 GMT Robert Gezelter 2009-02-27T19:03:10Z https://community.hpe.com/t5/operating-system-openvms/limiting-interactive-logins/m-p/4368552#M93568 I wish to limit interactive access to a VMS node to certain persons. In the past the UAF flag<BR /><BR />Local: ----- No access ------ <BR /><BR />could be set a such which prevented interactive logins, which remains true over decnet.<BR /><BR />Username: jdoe<BR />Password:<BR /><BR />You are not authorized to login from this source<BR /><BR />SSH appears to ignore this flag. I have also tried various lexical functions (getjpi) to no avail. <BR /><BR />Anyone have any success limiting interactive logins to specific persons when the person is accessing via ssh?<BR /><BR /> Fri, 27 Feb 2009 18:28:22 GMT https://community.hpe.com/t5/operating-system-openvms/limiting-interactive-logins/m-p/4368552#M93568 CHRIS KRALL 2009-02-27T18:28:22Z https://community.hpe.com/t5/operating-system-openvms/limiting-interactive-logins/m-p/4368553#M93569 hi,<BR /><BR /> in the sshd2_config file there is the allowusers/denyusers/allowgroups/denygroups options to use.<BR /><BR /><BR />HTH<BR /><BR /> Fri, 27 Feb 2009 18:56:45 GMT https://community.hpe.com/t5/operating-system-openvms/limiting-interactive-logins/m-p/4368553#M93569 marsh_1 2009-02-27T18:56:45Z https://community.hpe.com/t5/operating-system-openvms/limiting-interactive-logins/m-p/4368554#M93570 Chris,<BR /><BR />Yes. The LOCAL setting is a rather crude bludgeon. <BR /><BR />The OP does not mention which IP stack or which version of OpenVMS is involved.<BR /><BR />Personally, what I have done in several cases is to make a change to either SYS$MANAGER:SYLOGIN.COM (or a group login file invoked by SYLOGIN.COM) to check the device name against a Rights List Identifier.<BR /><BR />If the user holds the Identifier, the login is permitted, if not, output the appropriate message and LOGOUT.<BR /><BR />Using this approach, it is important to disable CNTRL-Y etc by default (else an enterprising user could just keep hitting the keys to bypass the check).<BR /><BR />- Bob Gezelter, <A href="http://www.rlgsc.com" target="_blank">http://www.rlgsc.com</A> Fri, 27 Feb 2009 19:03:10 GMT https://community.hpe.com/t5/operating-system-openvms/limiting-interactive-logins/m-p/4368554#M93570 Robert Gezelter 2009-02-27T19:03:10Z https://community.hpe.com/t5/operating-system-openvms/limiting-interactive-logins/m-p/4368555#M93571 Mark<BR /><BR />this rule would apply for sftp as well? Fri, 27 Feb 2009 19:51:39 GMT https://community.hpe.com/t5/operating-system-openvms/limiting-interactive-logins/m-p/4368555#M93571 CHRIS KRALL 2009-02-27T19:51:39Z https://community.hpe.com/t5/operating-system-openvms/limiting-interactive-logins/m-p/4368556#M93572 hi,<BR /><BR /><BR /> yes, it uses ssh as well. Fri, 27 Feb 2009 20:22:21 GMT https://community.hpe.com/t5/operating-system-openvms/limiting-interactive-logins/m-p/4368556#M93572 marsh_1 2009-02-27T20:22:21Z https://community.hpe.com/t5/operating-system-openvms/limiting-interactive-logins/m-p/4368557#M93573 sorry should have said file is in dir sys$sysdevice:[tcpip$ssh.ssh2] and disable/enable ssh service when you've done your change (assuming vms tcpip)<BR /><BR />hth<BR /><BR /> Fri, 27 Feb 2009 20:33:14 GMT https://community.hpe.com/t5/operating-system-openvms/limiting-interactive-logins/m-p/4368557#M93573 marsh_1 2009-02-27T20:33:14Z https://community.hpe.com/t5/operating-system-openvms/limiting-interactive-logins/m-p/4368558#M93574 That the sshd isn't (fully) checking the authorization database looks like a bug in the implementation. <BR /><BR />If you have a support contract, send along a bug report to HP. Fri, 27 Feb 2009 22:04:09 GMT https://community.hpe.com/t5/operating-system-openvms/limiting-interactive-logins/m-p/4368558#M93574 Hoff 2009-02-27T22:04:09Z https://community.hpe.com/t5/operating-system-openvms/limiting-interactive-logins/m-p/4368559#M93575 If you modify the userrecord with:<BR />$ uaf modify user /nonetwork<BR />then login through ssh will be disabled.<BR />Also (s)ftp and similar by the way. Mon, 02 Mar 2009 07:40:19 GMT https://community.hpe.com/t5/operating-system-openvms/limiting-interactive-logins/m-p/4368559#M93575 Kees L. 2009-03-02T07:40:19Z