
Re: Navigating the manuals - LGI_CALLOUT

 
Richard W Hunt
Valued Contributor

Navigating the manuals - LGI_CALLOUT

Running OpenVMS for Alpha v 7.3-2, patched at least through mid-Nov. 2007. Using the OVMS documentation disk that came with the install kit.

I have been searching the manuals on my CD and I've done at least some web searching, but I'm having trouble finding documentation on how to write a login callout routine.

We have some DoD requirements to display a specific warning and ask a specific question BEFORE the user presents a username and password. While I disagree with this concept (because it means I don't yet know to whom I am speaking and therefore cannot truly audit a refusal to agree to usage terms), that is what the requirement says. You know what they say: "The right way, the wrong way, and the Navy way." Two guesses as to which way this isn't. Anyway, I thought a login callout might help me do this per exact requirements.

Considering the headache I had with the PASSWORD_POLICY module, I know I'm asking for trouble with a login callout. But I have to at least give management a risk/reward analysis. Without knowing what is involved, I don't know how to properly evaluate the risk. Or the cost in man-hours to make it work.

Where would I find more on implementing a LGI_CALLOUT routine?

BTW I have also searched SYS$EXAMPLES source code for references to the word CALLOUT and the parameter LGI_CALLOUT. I've also searched the .PDF docs on my "OpenVMS documentation for Windows" disks. And I've searched the forum for LGI_CALLOUT and login policy. So far, no joy for OVMS, though I did hit a couple of UNIX articles I might have to read later.
Sr. Systems Janitor
13 REPLIES
Jan van den Ende
Honored Contributor

Re: Navigating the manuals - LGI_CALLOUT

Richard,

>>>
requirements to display a specific warning and ask a specific question BEFORE the user presents a username and password.
<<<

Well, more or less the same (in a police setting).

We use SYS$ANNOUNCE for that.
It displays a message before the Username: prompt.
Some wording like "<...> Continuing implies acceptance of the above terms."

Of course, your wording will have to follow your rules, but the concept will be clear.

Note that you can put in and leave out anything in SYS$ANNOUNCE.

hth

Proost.

Have one on me.

jpe
Don't rust yours pelled jacker to fine doll missed aches.
Jim_McKinney
Honored Contributor

Re: Navigating the manuals - LGI_CALLOUT

The LGI callouts are documented in the VMS Utility Routines Manual - online, one place to find it is http://www.openvms-rocks.com/docs/OPSYS/VMSOS731/vmsos731/4493/4493pro_032.html#4493_lginout_chap .
Richard Whalen
Honored Contributor

Re: Navigating the manuals - LGI_CALLOUT

There is also the system password, but from looking at the LOGINOUT sources it looks like the system password is requested before SYS$ANNOUNCE is displayed, and from your description the request is for SYS$ANNOUNCE then system password.

SET

  TERMINAL

    /SYSPASSWORD

      /SYSPASSWORD
      /NOSYSPASSWORD (default)

Requires LOG_IO (logical I/O) privilege.

Determines whether the terminal requires that a system password
be entered before the Username: prompt.
Richard W Hunt
Valued Contributor

Re: Navigating the manuals - LGI_CALLOUT

The specific requirement is not satisfied by use of the SYS$ANNOUNCE features.

Right now I am "close" to the requirement by putting something in the SYLOGIN.COM file to ask the "do you agree to the terms and conditions etc etc etc" question that is the requirement. But the exact requirement is that I must ask that question BEFORE the username and password are presented. While I deeply disagree with the security implications of running more code than minimally necessary in the context, the requirement is out there for all USA DoD systems. So if I CAN reach compliance, I need to do so or tell the government managers why I can't. And can you say "Pointy-haired bosses" Mr. Dilbert?
Sr. Systems Janitor
Robert Gezelter
Honored Contributor

Re: Navigating the manuals - LGI_CALLOUT

Richard,

I would concur that the LGI_ callouts are not needed, at least to implement that requirement. SYS$ANNOUNCE (and its after login validation, SYS$WELCOME).

Note that the logicals need to be defined in the SYSTEM logical name table (ASSIGN/SYSTEM). To read the text string(s) from a file, the "@" must be the first character, to wit:

$ ASSIGN/SYSTEM "@SYS$MANAGER:WARNINGBANNER.TXT" SYS$ANNOUNCE

Should cause the referenced file to appear on the terminal before the Username prompt.

- Bob Gezelter, http://www.rlgsc.com
Robert Gezelter
Honored Contributor

Re: Navigating the manuals - LGI_CALLOUT

Richard,

The LGI$ callouts are documented in the Utility Routines Reference manual available online from the OpenVMS www site at http://www.hp.com/go/openvms

There is a related, but probably not relevant section of the System Services Reference Manual relating to the $ACME Credentials Management system service.

- Bob Gezelter, http://www.rlgsc.com
Jim_McKinney
Honored Contributor

Re: Navigating the manuals - LGI_CALLOUT

Since your requirement involves interaction prior to LOGINOUT's password authentication you'll most likely want to take a look at the LGI$ICR_IACT_START and LGI$ICR_AUTHENTICATE LGI_CALLOUTs in the doc. The doc does have example code that could help you get started.
Richard W Hunt
Valued Contributor

Re: Navigating the manuals - LGI_CALLOUT

I've looked into the ACME stuff. Doesn't seem to apply.

Once I found out where to look, I was indeed looking more closely at the IACT_INIT segment as a possible candidate for this requirement.

Thanks to all for the directions. The documentation I needed wasn't where I expected it and navigating the documentation CD is trickier than it looks if you are thinking in the wrong direction. Since this is a security-related action, I was looking all over the security stuff. But of course it wasn't there, was it?

In any case, I'll leave the thread open another day or two but I think I know enough to at least have a clue. USUALLY I'm clueless - but sometimes I get lucky.

Sr. Systems Janitor
Jess Goodman
Esteemed Contributor
Solution

Re: Navigating the manuals - LGI_CALLOUT

I made a quick modification to our loginout callout code to give you an example of how you could do this. See attachment.

After installing this code as a loginout callout image on a system, initiating login results in:

$ TELNET HOME
%TELNET-I-TRYING, Trying ... 127.0.0.1
%TELNET-I-SESSION, Session 01, host 127.0.0.1, port 23
-TELNET-I-ESCAPE, Escape character is ^]
Are you a spy? YES

%TELNET-S-REMCLOSED, Remote connection closed
-TELNET-I-SESSION, Session 01, host 127.0.0.1, port 23


$ TELNET HOME
%TELNET-I-TRYING, Trying ... 127.0.0.1
%TELNET-I-SESSION, Session 01, host 127.0.0.1, port 23
-TELNET-I-ESCAPE, Escape character is ^]
Are you a spy? NO

Username: barnold
Password:
I have one, but it's personal.
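
The activation steps behind "installing this code as a loginout callout image", as an added sketch that is not part of the original thread or of the attachment. The image name SITE_LGI_CALLOUT and its location in SYS$SHARE are hypothetical; the build of the image itself is not shown.

```dcl
$! Added example: enabling a LOGINOUT callout image (names are hypothetical).
$! Keep a privileged session logged in on another terminal for the whole
$! procedure: once LGI_CALLOUT is nonzero, every new login goes through the
$! callout image, so a missing or faulty image can lock everyone out.
$!
$! LOGINOUT runs as an installed, privileged image, so the shareable image
$! it activates must itself be installed.
$ INSTALL ADD SYS$SHARE:SITE_LGI_CALLOUT.EXE
$!
$! LOGINOUT finds the callout image(s) through this logical name, which
$! must be a system-table, executive-mode logical.
$ DEFINE/SYSTEM/EXECUTIVE_MODE LGI$LOGINOUT_CALLOUTS SITE_LGI_CALLOUT
$!
$! LGI_CALLOUT holds the number of callout images to invoke; 0 disables them.
$ RUN SYS$SYSTEM:SYSGEN
USE ACTIVE
SET LGI_CALLOUT 1
WRITE ACTIVE
EXIT
$!
$! Test a fresh login from a second terminal now. To back out, use the
$! session that is still logged in:
$!   RUN SYS$SYSTEM:SYSGEN  /  USE ACTIVE  /  SET LGI_CALLOUT 0  /  WRITE ACTIVE
```

WRITE ACTIVE changes only the running system; the logical name and the INSTALL command also have to be repeated in the site startup procedures before the parameter is made permanent, otherwise the next reboot comes up with LGI_CALLOUT set and no image to call.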