Operating System - OpenVMS
cancel
Showing results for 
Search instead for 
Did you mean: 

Restrict set host login to remote node.

 
shiva27
Frequent Advisor

Restrict set host login to remote node.

Hi,

We don't want to login to remote servers thru set ho "remote server name".
Our enviornment use,
1.Telnet is disable in both servers (local & remote).
2.Decnet over IP configured - Don't want to disturb this setting.
3.Local & Bind database host entry - Don't want to disturb.


I verified the configuration ,found remote server entry is available in Decnet_regirster database

Can you please suggest, if i remove this entry then we will not be able to login via "set ho" to remove server.

Is there any other things we've to verify to accomplish this?

OVMS : V8.3

19 REPLIES 19
Thomas Ritter
Respected Contributor

Re: Restrict set host login to remote node.

You could disable remote access using NCP.
$ MC NCP show exec char

Look for this line.
Default access = incoming and outgoing

NCP>help set exec default
Hakan Zanderau ( Anders
Trusted Contributor

Re: Restrict set host login to remote node.

If you remove an entry from the local namespace, don't forget to flush the cache.

$ mc ncl flush session control naming cache entry "*"

Why is it important to restrict the outgoing selection of a node/host ?
If you have access to a node (username/password), you could easily use SYLOGIN.COM to refuse users from a specific source to continue a login.

Hakan
Don't make it worse by guessing.........
Jan van den Ende
Honored Contributor

Re: Restrict set host login to remote node.

Shiva,

to specifically block incoming sethost sessions, add this command to SYS$SYLOGIN (needs write access, eg SYSPRV to modify this file):

.
.
.
$ if f$extract(0,2,F$GETJI("","terminal") .eqs. "RT"
$ then
$ ! maybe some message here..
$ logout/brief
$ endif
.
.
.


Proost.

Have one on me.

jpe
Don't rust yours pelled jacker to fine doll missed aches.
Jan van den Ende
Honored Contributor

Re: Restrict set host login to remote node.

shiva,

from your Forum Profile:


I have assigned points to 0 of 118 responses to my questions.


Maybe you can find some time to do some assigning?

http://forums1.itrc.hp.com/service/forums/helptips.do?#33

Mind, I do NOT say you necessarily need to give lots of points. It is fully up to _YOU_ to decide how many. If you consider an answer is not deserving any points, you can also assign 0 ( = zero ) points, and then that answer will no longer be counted as unassigned.
Consider, that every poster took at least the trouble of posting for you!

To easily find your streams with unassigned points, click your own name somewhere.
This will bring up your profile.
Near the bottom of that page, under the caption "My Question(s)" you will find "questions or topics with unassigned points " Clicking that will give all, and only, your questions that still have unassigned postings.

Thanks on behalf of your Forum colleagues.

PS. nothing personal in this. I try to post it to everyone with this kind of assignment ratio in this forum. If you have received a posting like this before please do not take offence none is intended!

PPS. Zero points for THIS entry, please.

Proost.

Have one on me.

jpe
Don't rust yours pelled jacker to fine doll missed aches.
Hakan Zanderau ( Anders
Trusted Contributor

Re: Restrict set host login to remote node.

Jan,

or having a look at the job-logicals SYS$REM_*
would be a better way of determing the source and protocol.

Hakan
Don't make it worse by guessing.........
Robert Gezelter
Honored Contributor

Re: Restrict set host login to remote node.

Shiva,

First, for the sake of clarity, and the benefit of others who may be following this thread, now or in the future, we should refer to the command without any abbreviations. This is particularly important for the sake of those whose fluency in English is limited.

The abbreviated command is: SET HOST

There are several ways that the ability to login using SET HOST can be restricted.

The most obvious way, and the one with the least global impact is the use of restrictions on REMOTE login. This is administered from within the AUTHORIZE utility. This restricts the logins on an individual account basis to certain hours of the day.

If this is not an absolute ban, but a ban on certain nodes or from certain nodes, code can be inserted into the system-wide login file (generally SYS$MANAGER:SYLOGIN.COM) to check at each login. This can include checks against:

- which node the connection originates from (as was mentioned using the SYS$REM* logical names),
- the particular node is authorized for that account (e.g., does the user hold a certain rights identifier)
- or other criteria

One could also probably remove the process (REMACP) from the DECnet configuration. I would not recommend this as it affects all users, not just individual users.

- Bob Gezelter, http://www.rlgsc.com
shiva27
Frequent Advisor

Re: Restrict set host login to remote node.

Is there any simple way to stop SET host login on remote node ? or say if we defined something on remote node so that incoming login request from "SET HOST" will restrict like Telnet ( Assumed telnet service disable).
Jeremy Begg
Trusted Contributor

Re: Restrict set host login to remote node.

Hello,

It's not entirely clear if you want to stop the SET HOST command from working, or if (instead) you want to block incoming SET HOST requests.

Assuming you want to block incoming SET HOST requests, here are few suggestions, in decreasing order of severity.

1. Delete (or rename) SYS$SYSTEM:REMACP.EXE. This is the program which receives incoming SET HOST connections.

Or ...

2. Edit SYS$MANAGER:RTTLOAD.COM to exit immediately. This procedure runs the REMACP program.

Or ...

3. Set the SYSGEN parameter RJOBLIM to 0. This parameter limits the number of concurrent incoming SET HOST connections.

Note that if you do 1 or 2, the system will continue to accept SET HOST logins until the next reboot. You can delete the REMACP process to prevent them.

Less drastic than all the above is to modify the system-wide SYLOGIN.COM procedure to force a logout if the user's terminal is an RT device. For example:

$ term = f$getdvi(0,"TERMINAL")
$ if f$locate("RTA",term) .lt. f$length(term)
$ then
$ logout
$ stop/id=0
$ endif


Regards,
Jeremy Begg
Joseph Huber_1
Honored Contributor

Re: Restrict set host login to remote node.

shiva, could You tell us what the principle target of the restriction is:
No remote access at all ?
Just not telnet and decnet set host, but SET HOST/LAT is allowed ?
Only SSH as the remote access method ?
If the latter, then
AUTORIZE MODIFY user/NOREMOTE
will forbid all remote login but SSH for the specified user. Do this for all users once.
Do it also for user DEFAULT, then it is automatically for new users as well.
Through authorize You can e.g. let a door open for system management users in case SSH stops working.
http://www.mpp.mpg.de/~huber