Operating System - OpenVMS

Limit VMS account access to a predefined set of IP addresses

SOLVED
William Sederholm
Occasional Visitor


Can VMS logins be limited to only allow a specific set of IP addresses to connect? We have an environment where multiple users per shift are connecting to VMS using the same PCs which are running Attachmate Reflections 14. This is a 24x7 manufacturing environment, so having individual accounts is not practical. The current environment is a 4 node ES45 VMScluster running OpenVMS 7.3-2 and TCP/IP Services for OpenVMS 5.4. It is a routed network environment that does not route DECnet.
10 REPLIES
Karl Rohwedder
Honored Contributor

Re: Limit VMS account access to a predefined set of IP addresses

You may add some lines of DCL into your SYLOGIN.COM and check for the remote node (e.g. F$GETDVI("TT","TT_ACCPORNAM"), perhaps also in conjunction with username...

regards Kalle
labadie_1
Honored Contributor

Re: Limit VMS account access to a predefined set of IP addresses

Yes, put a test in SYLOGIN.COM or LOGIN.COM, and log out if the condition is not met.

Check that Telnet logs by IP address and not by name ( $ tcpip sh service telnet /fu), or adapt your tests (test for an IP address/range or test for node name in a list).

Hoff
Honored Contributor

Re: Limit VMS account access to a predefined set of IP addresses

So you want username FOO to be allowed access into the host only from IP 10.1.1.1 through 10.1.1.255 or such, or from a specific set of addresses?

There's not enough information in the connection to allow a firewall to detect the login request and filter it; firewalls don't have a way to peek into the OpenVMS login sequence and snag the target username.

This can usually be done within SYLOGIN (using DCL) by looking back at the incoming address (via translation of the available IP logical names, or via $getdvi TT_ACCPORNAM, depending on details), or (somewhat more work, more integrated, more elegant) by creating a customized LGI callout module for use within LOGINOUT (see the LGI materials in the manual set). In either case, if the login source and the username don't match requirements, the login process is punted.

A more advanced approach might involve using digital certificates and ssh; users would automatically log in, and the connection could be tied to various attributes such as the source PC. I'd be tempted to move this way, and you can use your own locally-issued certificates for this.

There are various other options.

Stephen Hoffman
HoffmanLabs
Ian Miller.
Honored Contributor

Re: Limit VMS account access to a predefined set of IP addresses

You could use the /ACCEPT feature on the telnet service.
____________________
Purely Personal Opinion
John Gillings
Honored Contributor

Re: Limit VMS account access to a predefined set of IP addresses

William,

If you can't get the other suggestions to work...

A big blunt instrument to block all but a select set of IP addresses. Define host routes for the allowed addresses, then point your default route to a non-existent address. Other nodes may be able to reach your node, but you won't respond to them.

A crucible of informative mistakes
Robert Gezelter
Honored Contributor

Re: Limit VMS account access to a predefined set of IP addresses

Bill,

Personally, I would use a combination of modifications to SYS$MANAGER:SYLOGIN.COM, an entry in the Group logical name table (in EXECUTIVE_MODE for security) and a Rights Identifier to control:
- whether the person is permitted to log in via TCP
- what address block(s) are permitted to log in

This allows the capability to be controlled with a high degree of precision.

- Bob Gezelter, http://www.rlgsc.com
Stephen Daddona
Frequent Advisor
Solution

Re: Limit VMS account access to a predefined set of IP addresses

I made a DCL procedure that's called from SYLOGIN.COM to check the login's IP against a file of approved IP addresses. The file is called TELNET_WHITELIST.DAT and would look like this:

10.10.1
foobar.com
(etc.)

The first entry says that any login with an IP of 10.10.1.* gets in. I also have a TELNET_BLACKLIST.DAT file. I use that mainly to block SYSTEM from telnetting in. Both files can have usernames as well. The DCL keeps a log of login failures. Here's the DCL:


$!******************************************************************************
$!*
$!* SYS$MANAGER:INTERNET_CHECK.COM
$!*
$!******************************************************************************
$!
$ username = f$edit(f$getjpi("","username"),"trim")
$!
$ numbers = "0123456789"
$!
$ my_term = f$getjpi("","terminal")
$ my_server_and_port_name = f$getdvi(my_term,"tt_accpornam")
$ my_server_and_port_name = f$edit(my_server_and_port_name,"upcase,trim")
$ my_server_and_port_name_length = f$length(my_server_and_port_name)
$!
$! The symbol IP_ADDRESS can be either the number or the name
$! (ie: 198.31.44.4 vs. sierra.sierracollege.edu)
$! Also, the IP address can be 10.999.999.999 where 10 is a number private
$! to Sierra College
$!
$ ip_address = my_server_and_port_name - "Host: "
$ ip_address = f$element(0," ",ip_address)
$ ip_address = f$edit(ip_address,"upcase,trim")
$!
$ ip_address_length = f$length(ip_address)
$ ip_address_1 = f$extract(0,1,ip_address)
$!
$ if f$locate(ip_address_1,numbers) .lt. 10 ! 1st character is a number
$ then
$ class_a_address = f$element(0,".",ip_address)
$ class_b_address = class_a_address + "." + f$element(1,".",ip_address)
$ class_c_address = class_b_address + "." + f$element(2,".",ip_address)
$ domain = " "
$ else
$! 1st character is a name - strip the host name
$ domain = ip_address - f$element(0,".",ip_address) - "."
$ domain = f$edit(domain,"upcase,trim")
$ class_a_address = " "
$ class_b_address = " "
$ class_c_address = " "
$ endif
$!
$! Check if the IP address is from a SLIP connection
$! The SLIP address is in the form "slip-99-999-999-99.yada.yada.yada.etc"
$! and the numbers vary
$ if (f$extract(0,4,ip_address) .eqs. "slip") -
.or. (f$extract(0,4,ip_address) .eqs. "SLIP")
$ then
$ ip_address = ip_address - f$element(0,".",ip_address) - "."
$ class_c_address = f$element(0,".",ip_address)
$ endif
$!
$! Default reason, so a failure before a reason is assigned is still logged
$ login_failure_reason = "**** Error in INTERNET_CHECK.COM ****"
$ on error then goto logout
$!
$! Logout if the IP address, 'network' address or username
$! is in TELNET_BLACKLIST.DAT
$ open/read/share=write blacklist sys$manager:telnet_blacklist.dat
$!
$BLACKLIST_LOOP:
$ read/end=check_whitelist blacklist blacklist_record
$ blacklist_record = f$edit(blacklist_record,"upcase,trim")
$!
$ if username .eqs. blacklist_record
$ then
$ close blacklist
$ login_failure_reason = "**** Username is in TELNET_BLACKLIST.DAT ****"
$ goto logout
$ endif
$!
$ if ip_address .eqs. blacklist_record
$ then
$ close blacklist
$ login_failure_reason = "**** IP address is in TELNET_BLACKLIST.DAT ****"
$ goto logout
$ endif
$!
$ if class_a_address .eqs. blacklist_record
$ then
$ close blacklist
$ login_failure_reason = -
"**** 'Class A' address is in TELNET_BLACKLIST.DAT ****"
$ goto logout
$ endif
$!
$ if class_b_address .eqs. blacklist_record
$ then
$ close blacklist
$ login_failure_reason = -
"**** 'Class B' address is in TELNET_BLACKLIST.DAT ****"
$ goto logout
$ endif
$!
$ if class_c_address .eqs. blacklist_record
$ then
$ close blacklist
$ login_failure_reason = -
"**** 'Class C' address is in TELNET_BLACKLIST.DAT ****"
$ goto logout
$ endif
$!
$ if domain .eqs. blacklist_record
$ then
$ close blacklist
$ login_failure_reason = -
"**** 'Domain' address is in TELNET_BLACKLIST.DAT ****"
$ goto logout
$ endif
$!
$ goto blacklist_loop
$!
$CHECK_WHITELIST:
$! Logout if the IP address, "network" address or username is NOT
$! in TELNET_WHITELIST.DAT
$ close blacklist
$ open/read/share=write whitelist sys$manager:telnet_whitelist.dat
$!
$WHITELIST_LOOP:
$ read/end=whitelist_failure whitelist whitelist_record
$!
$ if f$extract(0,1,whitelist_record) .eqs. "!" then goto whitelist_loop
$!
$ whitelist_record = f$element(0,"!",whitelist_record)
$ whitelist_record = f$edit(whitelist_record,"upcase,trim")
$ whitelist_record_length = f$length(whitelist_record)
$!
$! A record that occurs as a substring of the "Host: ... Port: ..." string
$! is accepted. f$locate returns the length of the searched string when
$! there is NO match, so the test must be .lt. (found), not .ge. (not found);
$! otherwise any login not matching the first record would be admitted.
$! Note this is a loose substring match: a record of 10.10.1 also matches
$! 110.10.1.5 (the exact comparisons below do not have this problem).
$ if f$locate(whitelist_record,my_server_and_port_name) -
.lt. my_server_and_port_name_length
$ then
$ close whitelist
$ goto bye
$ endif
$!
$ if (ip_address .eqs. whitelist_record) -
.or. (domain .eqs. whitelist_record) -
.or. (class_a_address .eqs. whitelist_record) -
.or. (class_b_address .eqs. whitelist_record) -
.or. (class_c_address .eqs. whitelist_record) -
.or. (username .eqs. whitelist_record)
$ then
$ close whitelist
$ goto bye
$ else
$ goto whitelist_loop
$ endif
$!
$WHITELIST_FAILURE:
$ close whitelist
$ login_failure_reason = -
"**** Username, IP address or 'network' address not in TELNET_WHITELIST.DAT ****"
$!
$LOGOUT:
$ on error then logout/brief
$ open/append login_failures sys$common:[sysmgr]telnet_login_failures.log
$ datetime = f$time()
$ write login_failures -
f$fao("!13AS!30AS!24AS!70AS",username,ip_address,datetime,login_failure_reason)
$ close login_failures
$ logout/brief
$!
$BYE:
$ exit


Good luck!
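To make the matching rules concrete, here is an added Python model of the same blacklist-then-whitelist decision (not Stephen's DCL and not from the thread), run on constructed TT_ACCPORNAM values. It matches entries on dotted-name boundaries rather than by substring search, so a network entry such as 10.10.1 cannot admit a source like 110.10.1.5.

```python
# Constructed sample lists (same conventions as the thread's .DAT files):
# a dotted network prefix, a domain name, and usernames.
WHITELIST = ["10.10.1", "foobar.com", "operator ! ops console account"]
BLACKLIST = ["SYSTEM"]


def source_from_accpornam(accpornam):
    """Extract the host part of a TT_ACCPORNAM value such as
    'Host: 10.10.1.37 Port: 3421', upper-cased like the DCL does."""
    return accpornam.replace("Host: ", "").split()[0].upper()


def candidates(source):
    """Keys a list entry may match for this source: the full address or
    name, every enclosing dotted prefix of a numeric address (the DCL's
    'class A/B/C' symbols), or the domain of a host name."""
    parts = source.split(".")
    keys = {source}
    if parts[0].isdigit():
        keys.update(".".join(parts[:n]) for n in range(1, len(parts)))
    else:
        keys.add(".".join(parts[1:]))
    return keys


def _entries(records):
    """Strip '!' comments and normalise case, skipping blank lines."""
    for rec in records:
        entry = rec.split("!")[0].strip().upper()
        if entry:
            yield entry


def decide(username, accpornam, whitelist=WHITELIST, blacklist=BLACKLIST):
    """Return (allowed, reason). Blacklist is consulted first, exactly as
    in INTERNET_CHECK.COM; a login is then allowed only if some whitelist
    entry matches the username, the source, one of its network prefixes
    or its domain."""
    keys = candidates(source_from_accpornam(accpornam))
    keys.add(username.strip().upper())
    for entry in _entries(blacklist):
        if entry in keys:
            return False, "%s is in TELNET_BLACKLIST.DAT" % entry
    for entry in _entries(whitelist):
        if entry in keys:
            return True, "matched %s" % entry
    return False, "not in TELNET_WHITELIST.DAT"
```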
Aaron Sakovich
Super Advisor

Re: Limit VMS account access to a predefined set of IP addresses

Hi William,

Maybe I'm being dense here, but I'm not certain I entirely understand your question. Are you asking if you can restrict which PCs will be allowed to host a login session to the VMS system, or are you looking for a way to specify that specific users can only login from specific hosts?

In the case of the former, it is relatively easy to allow telnet to only allow logins from specific hosts (since you're running HP's TCP/IP Services, docu is available via $ TCPIP HELP SET SERVICE /ACCEPT and $ TCPIP HELP SET SERVICE /REJECT). Simply set the telnet service to reject all connections by default, and then accept only those hosts you would like to allow in.

If you're using SSH (also supported by Reflection v14 and TCP/IP Services v5.4, preferably with ECO6), the same effective settings can be managed via the TCPIP$SSH_DEVICE:[TCPIP$SSH.SSH2]SSHD2_CONFIG. file, using the AllowHosts and DenyHosts entries.

If you want to restrict certain users to login from only specific hosts, this will need to be done in the login command processing, preferably in the SyLogin.com file. As others have mentioned before, it will require a data file that correlates users to hosts, and then the process to check one against the other. SMOP, but there are good starting points listed above.

HTH!
Dean McGorrill
Valued Contributor

Re: Limit VMS account access to a predefined set of IP addresses

Hi William,
There are VMS-supplied logicals for the remote id and system, e.g. from a SET HOST from foobar..

"SYS$REM_ID" = "MCGORRILL"
"SYS$REM_NODE" = "FOOBAR::"

..They used to be only in global cells, which I'd examine until they gave us logicals. (I'm not sure how a TCP/IP connect fills these logicals.)
Hoff
Honored Contributor

Re: Limit VMS account access to a predefined set of IP addresses

Typically, TCPIP$INET_HOST and TCPIP$INET_HOSTADDR would be the logical names of interest. AFAIK, these are present in both TCP/IP Services and in Multinet.