
Max 5, or 4 logins from some, no limit from others

SOLVED
Willem Grooters
Honored Contributor

Max 5, or 4 logins from some, no limit from others

Anyone familiar with this problem:

My customer has a VMS machine:

* OpenVMS 7.3-1
* TCPIP 5.3-18
* assume all patches done
* Accessed via TELNET.

This machine is in a network that holds a number of PC's, and two Citrix servers.
From all these machines, people are able to login using Powerterm.

When trying to login from any PC (directly), the number of concurrent sessions (using different usernames) from any PC is not really limited - if required, the maximum number of TELNET sessions (so 50) could be started (eventually from 1 PC).
However, when logging in from any Citrix machine, it's not possible to have more than 4 or 5 sessions simultaneously (the limit is 5 when from one; when login is done from both servers, the number in total is limited to 8: 4 from each). This is apparently handled at login on VMS, since the message is "User authorization failure", but it's sure that the user exists.
One of the Citrix machines is now marked as INTRUDER (so access is completely blocked - if correct), the other one is SUSPECT.

What worries me is the difference in connecting using TELNET directly or via CITRIX.
I suspect something with CITRIX since the problem arises only from these machines.
Is there anything that could have been overlooked?
Willem Grooters
OpenVMS Developer & System Manager
10 REPLIES
Antoniov.
Honored Contributor

Re: Max 5, or 4 logins from some, no limit from others

Hi Willem,
I cannot help you, but I hope to give you a clue.
The number of sessions on a single PC, using Powerterm, is limited by the LAT protocol, while telnet is not limited.
You can find this limit in Network property, LAT protocol, Advanced, Max Session (usually 8).
So I think (but I could be mistaken) Citrix has a similar limitation in Network property or in a Network service parameter.

HTH
Antoniov
Antonio Maria Vigliotti
Martin P.J. Zinser
Honored Contributor

Re: Max 5, or 4 logins from some, no limit from others

Hello Willem,

to get the bases covered here:

a.) What is the MAXJOBS setting for the users in the UAF?

b.) What exactly does the intrusion record look like? Normally it should contain system/user, not only a system?

c.) PowerTerm can use various communications protocols (LAT, CTERM, TELNET, COM). Are you using the same on the PCs vs. the Citrix servers?

d.) Try a reply/enable and check the operator messages for further details why the logins are rejected.

e.) Very stupid but... Is it possible there is somewhere a mess-up between keyboard mappings, so users think they enter something else than the system actually sees? (If you know keyboards with German layout and look at my name you will know how I came to this idea ;-)

Greetings, Martin

P.S. Obviously dele/int is your friend to get this temporarily working

P.P.S. You are one ECO behind on UCX/TCPIP, but I do not think this is the problem here.
Willem Grooters
Honored Contributor

Re: Max 5, or 4 logins from some, no limit from others

Solution part 1:

They found out that when users connect to VMS via Citrix, all sessions carry the same IP address, and when users log in with the wrong username (including typing errors), this IP address is marked "INTRUDER".
It's quite obvious, definitely, but you just have to realise it. And it's quite likely to happen if you have a LOT of users with thick fingers (causing typos)!

So the system parameters for intrusions have been changed (allow more mistakes within a period) so it won't happen that easily any more. One thing that also will be done is close monitoring of the intrusion database and accounting, to filter out real intrusions from typos. It is understood this solution causes a loss in security, but to prevent this kind of problem, it seems to be a requirement.

Lesson learned: BEWARE when applying (remote) access via one access point. If this is marked "intruder", your system is inaccessible from that source!

Part 2 to come.
Willem Grooters
OpenVMS Developer & System Manager
John Gillings
Honored Contributor
Solution

Re: Max 5, or 4 logins from some, no limit from others

Willem,

This is expected, and documented behaviour. Under DECnet, the login attempt includes both the source node and source username, so any intrusion records can be qualified to a specific user/node pair. For telnet, the username is not available, so a decision has to be made as to how to log intrusion records. The default is to record an intrusion against the host, which means multiple login failures by multiple users add up and potentially block the entire host.

This is a classic security tradeoff between increased security and false alarms.

There are a number of things you can do.

1) If you can convince your users, use rlogin instead of telnet

2) Adjust LGI* parameters to loosen up intrusion detection. In particular LGI_BRK_TERM.

3) Define the system wide logical name TCPIP$TELNET_NO_REM_ID

Be aware that LGI_BRK_TERM or NO_REM_ID effectively bypasses intrusion detection for telnet sessions.
A crucible of informative mistakes
Willem Grooters
Honored Contributor

Re: Max 5, or 4 logins from some, no limit from others

John,

rlogin is no option, because it's supported by Powerterm (got that free with VMS).
The nice way is to have all users enter via Citrix and then you _could_ do with another product that supports rlogin. But even then, it would no doubt become quite costly with the number of concurrent users expected.
Loosening or even bypassing the intrusion rules _could_ be an option, when logging in to the Citrix machine or local network is considered safe enough (Is there a Radius or TACACS server for VMS....)
Willem Grooters
OpenVMS Developer & System Manager
Ian Miller.
Honored Contributor

Re: Max 5, or 4 logins from some, no limit from others

yes there is a RADIUS server for VMS. See http://www.radiusvms.com
____________________
Purely Personal Opinion
Martin P.J. Zinser
Honored Contributor

Re: Max 5, or 4 logins from some, no limit from others

I am pretty sure Willem is aware of this, but others might find a look at

http://www.decus.de:8080/www/eng/vms/qaa/ipadd.htmlx

useful if checking such events in the audit log, since the IP address is shown in a less than obvious format
Willem Grooters
Honored Contributor

Re: Max 5, or 4 logins from some, no limit from others

Martin,

I wasn't, but it makes sense when you know how VMS handles 32-bit integers - like an IP address. It's just one of those things you need to be aware of. (If at the time of auditing it's known to be an IP address, why not handle that appropriately? Saves "us" a lot of extra trouble. Something for 7.3-2?)
Willem Grooters
OpenVMS Developer & System Manager
Antoniov.
Honored Contributor

Re: Max 5, or 4 logins from some, no limit from others

Hi Martin,
why does the IP conversion fail?
An IP address is a 32-bit unsigned integer; is there a sign problem?
I'm curious.
Bye
Antoniov
Antonio Maria Vigliotti
Martin P.J. Zinser
Honored Contributor

Re: Max 5, or 4 logins from some, no limit from others

Hello Willem,

it is already a bit better in 7.3-1. If you have working hostname resolution, audit/anal will have the hostname in the output, but the address is still 'backwards'. And yes, there is nothing really complicated in the translation, but it nevertheless took me a while to figure it out when I first encountered it. Actually it only made 'click' when I remembered a report about a security flaw in MS IE, where entering an address just as a number gave that host the "local" security profile.

Greetings, Martin

P.S. Output of 7.3-1

Security Audit Analysis Utility

Security alarm (SECURITY) and security audit (SECURITY) on xxxxxx, system id: 29
Auditable event: Remote interactive login failure
Event time: 23-SEP-2003 17:19:12.08
PID: 32200511
Process name: _TNA42:
Username:
Terminal name: TNA42:, _TNA42:, Host: xxxxxx.deutsche-boerse.de Locn:
Remote nodename: xxxxxx.deutsche-
Remote node id: 3960345772 (5.172)
Remote username: TELNET_AC140EEC
Status: %LOGIN-F-NOSUCHUSER, no such user
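As an added example (not code from the thread, from OpenVMS or from the DECUS page), here is a Python decoder for the two address encodings in the audit record above; the decoding rules (little-endian longword for the node id, low 16 bits read as a DECnet area.node, hex octets in the TELNET_ username) are assumptions that reproduce the quoted values.

```python
"""Decode the 'Remote node id' and 'Remote username' fields that OpenVMS
AUDIT/ANALYZE prints for a failed TELNET login, as in the 7.3-1 output above.

Added example, not code from the thread or from VMS. Assumed encodings,
checked against the quoted record: the node id is the IPv4 address stored
little-endian in a 32-bit longword and printed as unsigned decimal; the
'(area.node)' value is the low 16 bits of that longword read as a DECnet
Phase IV address; the TELNET_ suffix is the address as hex octets in
network order."""
import re
import struct

# Constructed sample: the two lines of interest from the audit record above.
SAMPLE_AUDIT = """\
Remote node id: 3960345772 (5.172)
Remote username: TELNET_AC140EEC
"""

def node_id_to_ipv4(node_id: int) -> str:
    """3960345772 -> '172.20.14.236': the first octet sits in the least
    significant byte, so unpack little-endian and read bytes in memory order."""
    return ".".join(str(b) for b in struct.pack("<I", node_id))

def node_id_to_decnet(node_id: int) -> str:
    """Low 16 bits as DECnet area.node: area = top 6 bits, node = low 10 bits."""
    word = node_id & 0xFFFF
    return f"{word >> 10}.{word & 0x3FF}"

def telnet_username_to_ipv4(username: str) -> str:
    """'TELNET_AC140EEC' -> '172.20.14.236' (hex octets in network order)."""
    m = re.fullmatch(r"TELNET_([0-9A-Fa-f]{8})", username)
    if not m:
        raise ValueError(f"not a TELNET_xxxxxxxx remote username: {username!r}")
    return ".".join(str(b) for b in bytes.fromhex(m.group(1)))

def decode_audit_record(text: str) -> dict:
    """Extract both fields, decode them, and flag any mismatch between the
    two independent encodings of the source address."""
    node_id = int(re.search(r"Remote node id:\s*(\d+)", text).group(1))
    user = re.search(r"Remote username:\s*(\S+)", text).group(1)
    ip_from_id = node_id_to_ipv4(node_id)
    ip_from_user = telnet_username_to_ipv4(user)
    return {
        "ip": ip_from_id,
        "decnet_view": node_id_to_decnet(node_id),
        "consistent": ip_from_id == ip_from_user,
    }

if __name__ == "__main__":
    print(decode_audit_record(SAMPLE_AUDIT))  # {'ip': '172.20.14.236', 'decnet_view': '5.172', 'consistent': True}
```

Running it over a whole AUDIT/ANALYZE listing lets you group the failures by decoded source address, which is exactly the grouping the intrusion database uses for telnet and why one shared Citrix address accumulates everyone's typos.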