HPE Community
Operating System - OpenVMS
1752681 Members
5644 Online
108789 Solutions
New Discussion юеВ

Re: Limit VMS account access to a predefined set of IP addresses

 
SOLVED
Go to solution
William Sederholm
New Member

тАО06-14-2007 02:22 AM

тАО06-14-2007 02:22 AM

Limit VMS account access to a predefined set of IP addresses

Can VMS logins be limited to only allow a specific set of IP addersses to connect? We have an environment where multiple users per shift are connecting to VMS using the same PCs which are running Attachmate Reflections 14. This is a 24X7 manufacturing environment so having individual accounts is not practical. The current environment is a 4 node ES45 VMSCluster running OpenVMS 7.3-2 and TCPIP Services for Openvms 5.4. It is a routed network environment that does not route DECnet.
0 Kudos
Reply
10 REPLIES 10
Karl Rohwedder
Honored Contributor

тАО06-14-2007 02:31 AM

тАО06-14-2007 02:31 AM

Re: Limit VMS account access to a predefined set of IP addresses

You may add some lines of DCL into your SYLOGIN.COM and check for the remote node (e.g. F$GETDVI("TT","TT_ACCPORNAM"), perhaps also in conjunction with username...

regards Kalle
Reply
labadie_1
Honored Contributor

тАО06-14-2007 02:32 AM

тАО06-14-2007 02:32 AM

Re: Limit VMS account access to a predefined set of IP addresses

Yes put a test in the sylogin or the login.com, and logout if condition not met.

Check that Telnet logs by IP address and not by name ( $ tcpip sh service telnet /fu), or adapt your tests (test for an IP address/range or test for node name in a list).

Reply
Hoff
Honored Contributor

тАО06-14-2007 02:34 AM

тАО06-14-2007 02:34 AM

Re: Limit VMS account access to a predefined set of IP addresses

So you want username FOO to be allowed access into the host only from IP 10.1.1.1 through 10.1.1.255 or such, or from a specific set of addresses?

There's not enough information in the connection to allow a firewall to detect the login request and filter it; firewalls don't have a way to peek into the OpenVMS login sequence and snag the target username.

This can usually be done within SYLOGIN (using DCL) by looking back at the incoming address (via translation of the available IP logical names, or via $getdvi TT_ACCPORNAM, depending on details), or (somewhat more work, more integrated, more elegant) by creating a customized LGI callout module for use within LOGINOUT (see the LGI materials in the manual set). In either case, if the login source and the username don't match requirements, the login process is punted.

A more advanced approach might involve using digital certificates and ssh; users would automatically log in, and the connection could be tied to various attributes such as the source PC. I'd be tempted to move this way, and you can use your own locally-issued certificates for this.

There are various other options.

Stephen Hoffman
HoffmanLabs
Reply
Ian Miller.
Honored Contributor

тАО06-14-2007 06:00 AM

тАО06-14-2007 06:00 AM

Re: Limit VMS account access to a predefined set of IP addresses

You use could use the /accept feature on the telnet service.
____________________
Purely Personal Opinion
0 Kudos
Reply
John Gillings
Honored Contributor

тАО06-14-2007 12:29 PM

тАО06-14-2007 12:29 PM

Re: Limit VMS account access to a predefined set of IP addresses

William,

If you can't get the other suggestions to work...

A big blunt instrument to block all but a select set of IP addresses. Define host routes for the allowed addresses, then point your default route to a non-existent address. Other nodes may be able to reach your node, but you won't respond to them.

A crucible of informative mistakes
0 Kudos
Reply
Robert Gezelter
Honored Contributor

тАО06-15-2007 02:17 AM

тАО06-15-2007 02:17 AM

Re: Limit VMS account access to a predefined set of IP addresses

Bill,

Personally, I would use a combination of modifications to SYS$MANAGER:SYLOGIN.COM, an entry in the Group logical name table (in EXECUTIVE_MODE for security) and a Rights Identifier to control:
- whether the person is permitted to login via TCP
- What address block(s) are permitted to login

This allows the capability to be controlled with a high degree of precision.

- Bob Gezelter, http://www.rlgsc.com
0 Kudos
Reply
Stephen Daddona
Frequent Advisor

тАО06-15-2007 03:25 AM

тАО06-15-2007 03:25 AM

Solution

Re: Limit VMS account access to a predefined set of IP addresses

I made a DCL procedure that's called from SYLOGIN.COM to check the login's IP against a file of approved IP addresses. The file is called TELNET_WHITELIST.DAT and would look like this:

10.10.1
foobar.com
(etc.)

The first entry says that any login with and IP of 10.10.1.* gets in. I also have a TELNET_BLACKLIST.DAT file. I use that to mainly block SYSTEM from telneting in. Both files can have usernames as well. The DCL keeps a log of login failures. Here's the DCL:


$!******************************************************************************
$!*
$!* SYS$MANAGER:INTERNET_CHECK.COM
$!*
$!******************************************************************************
$!
$ username = f$edit(f$getjpi("","username"),"trim")
$!
$ numbers = "0123456789"
$!
$ my_term = f$getjpi("","terminal")
$ my_server_and_port_name = f$getdvi(my_term,"tt_accpornam")
$ my_server_and_port_name = f$edit(my_server_and_port_name,"upcase,trim")
$ my_server_and_port_name_length = f$length(my_server_and_port_name)
$!
$! The symbol IP_ADDRESS can be either the number or the name
$! (ie: 198.31.44.4 vs. sierra.sierracollege.edu)
$! Also, the IP address can be 10.999.999.999 where 10 is a number private
$! to Sierra College
$!
$ ip_address = my_server_and_port_name - "Host: "
$ ip_address = f$element(0," ",ip_address)
$ ip_address = f$edit(ip_address,"upcase,trim")
$!
$ ip_address_length = f$length(ip_address)
$ ip_address_1 = f$extract(0,1,ip_address)
$!
$ if f$locate(ip_address_1,numbers) .lt. 10 ! 1st character is a number
$ then
$ class_a_address = f$element(0,".",ip_address)
$ class_b_address = class_a_address + "." + f$element(1,".",ip_address)
$ class_c_address = class_b_address + "." + f$element(2,".",ip_address)
$ domain = " "
$ else
$! 1st character is a name - strip the host name
$ domain = ip_address - f$element(0,".",ip_address) - "."
$ domain = f$edit(domain,"upcase,trim")
$ class_a_address = " "
$ class_b_address = " "
$ class_c_address = " "
$ endif
$!
$! Check if the IP address is from a SLIP connection
$! The SLIP address is in the form "slip-99-999-999-99.yada.yada.yada.etc"
$! and the numbers vary
$ if (f$extract(0,4,ip_address) .eqs. "slip") -
.or. (f$extract(0,4,ip_address) .eqs. "SLIP")
$ then
$ ip_address = ip_address - f$element(0,".",ip_address) - "."
$ class_c_address = f$element(0,".",ip_address)
$ endif
$!
$ on error then goto logout
$!
$! Logout if the IP address, 'network' address or username
$! is in TELNET_BLACKLIST.DAT
$ open/read/share=write blacklist sys$manager:telnet_blacklist.dat
$!
$BLACKLIST_LOOP:
$ read/end=check_whitelist blacklist blacklist_record
$ blacklist_record = f$edit(blacklist_record,"upcase,trim")
$!
$ if username .eqs. blacklist_record
$ then
$ close blacklist
$ login_failure_reason = "**** Username is in TELNET_BLACKLIST.DAT ****"
$ goto logout
$ endif
$!
$ if ip_address .eqs. blacklist_record
$ then
$ close blacklist
$ login_failure_reason = "**** IP address is in TELNET_BLACKLIST.DAT ****"
$ goto logout
$ endif
$!
$ if class_a_address .eqs. blacklist_record
$ then
$ close blacklist
$ login_failure_reason = -
"**** 'Class A' address is in TELNET_BLACKLIST.DAT ****"
$ goto logout
$ endif
$!
$ if class_b_address .eqs. blacklist_record
$ then
$ close blacklist
$ login_failure_reason = -
"**** 'Class B' address is in TELNET_BLACKLIST.DAT ****"
$ goto logout
$ endif
$!
$ if class_c_address .eqs. blacklist_record
$ then
$ close blacklist
$ login_failure_reason = -
"**** 'Class C' address is in TELNET_BLACKLIST.DAT ****"
$ goto logout
$ endif
$!
$ if domain .eqs. blacklist_record
$ then
$ close blacklist
$ login_failure_reason = -
"**** 'Domain' address is in TELNET_BLACKLIST.DAT ****"
$ goto logout
$ endif
$!
$ goto blacklist_loop
$!
$CHECK_WHITELIST:
$! Logout if the IP address, "network" address or username is NOT
$! in TELNET_WHITELIST.DAT
$ close blacklist
$ open/read/share=write whitelist sys$manager:telnet_whitelist.dat
$!
$WHITELIST_LOOP:
$ read/end=whitelist_failure whitelist whitelist_record
$!
$ if f$extract(0,1,whitelist_record) .eqs. "!" then goto whitelist_loop
$!
$ whitelist_record = f$element(0,"!",whitelist_record)
$ whitelist_record = f$edit(whitelist_record,"upcase,trim")
$ whitelist_record_length = f$length("whitelist_record")
$!
$ if f$locate(whitelist_record,my_server_and_port_name) -
.ge. my_server_and_port_name_length
$ then
$ close whitelist
$ goto bye
$ endif
$!
$ if (ip_address .eqs. whitelist_record) -
.or. (domain .eqs. whitelist_record) -
.or. (class_a_address .eqs. whitelist_record) -
.or. (class_b_address .eqs. whitelist_record) -
.or. (class_c_address .eqs. whitelist_record) -
.or. (username .eqs. whitelist_record)
$ then
$ close whitelist
$ goto bye
$ else
$ goto whitelist_loop
$ endif
$!
$WHITELIST_FAILURE:
$ close whitelist
$ login_failure_reason = -
"**** Username, IP address or 'network' address not in TELNET_WHITELIST.DAT ****
"
$!
$LOGOUT:
$ on error then logout/brief
$ open/append login_failures sys$common:[sysmgr]telnet_login_failures.log
$ datetime = f$time()
$ write login_failures -
f$fao("!13AS!30AS!24AS!70AS",username,ip_address,datetime,login_failure_reason)
$ close login_failures
$ logout/brief
$!
$BYE:
$ exit


Good luck!
Reply
Aaron Sakovich
Super Advisor

тАО06-15-2007 04:59 AM

тАО06-15-2007 04:59 AM

Re: Limit VMS account access to a predefined set of IP addresses

Hi William,

Maybe I'm being dense here, but I'm not certain I entirely understand your question. Are you asking if you can restrict which PCs will be allowed to host a login session to the VMS system, or are you looking for a way to specify that specific users can only login from specific hosts?

In the case of the former, it is relatively easy to allow telnet to only allow logins from specific hosts (since you're running HP's TCP/IP Services, docu is available via $ TCPIP HELP SET SERVICE /ACCEPT and $ TCPIP HELP SET SERVICE /REJECT). Simply set the telnet service to reject all connections by default, and then accept only those hosts you would like to allow in.

If you're using SSH (also supported by Reflection v14 and TCP/IP Service v5.4, preferably with ECO6), the same effective settings can be managed via the TCPIP$SSH_DEVICE:[TCPIP$SSH.SSH2]SSHD2_CONFIG. file, using the AllowHosts and DenyHosts entries.

If you want to restrict certain users to login from only specific hosts, this will need to be done in the login command processing, preferably in the SyLogin.com file. As others have mentioned before, it will require a data file that correlates users to hosts, and then the process to check one against the other. SMOP, but there are good starting points listed above.

HTH!
0 Kudos
Reply
Dean McGorrill
Valued Contributor

тАО06-15-2007 05:10 AM

тАО06-15-2007 05:10 AM

Re: Limit VMS account access to a predefined set of IP addresses

Hi William,
There are vms supplied logicals or remote id and system eg from a set host from
foobar..

"SYS$REM_ID" = "MCGORRILL"
"SYS$REM_NODE" = "FOOBAR::"

..They used to only be in global cells which
I'd examine until they gave us logicals. (I'm not sure how a tcpip connect fills these logicals.)
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.