ftp proxy on VMS 8.3 coming from Windows 2K3 SERVER monitoring box

Patrick Soehl
Occasional Visitor

I am using an ftp proxy (in tcpip, add proxy)
This goes through the tcpip$rsh object (?)

The idea is to have a set of perl scripts on a given windows 2k3 server node ONLY that invokes a perl script which displays monitoring choices , such as
show acms waiting tasks, for example.

This worked very well for a few years, then VMS 8.3 broke it, and my sysadmin group decided the use of that VMS account was no longer supported by them.

I am going through an internal security team to get it approved, the username that is, but I want to get it clamped down as much as possible.

it seems to me that there is/was a lexical or two, or predefined symbols that would pass to a login.com what commands were passed to it.

From within a Perl script on Windows, I'm executing something very like the following.

rsh -l monadmin $servername \@a:check_links.com

I want to lock this down to only a group of preapproved com files. And allow NO DCL commands at all.

Do any of you know how to detect what command is being passed to the VMS system

thanks in advance for any help,

Pat
Hoff
Honored Contributor

Re: ftp proxy on VMS 8.3 coming from Windows 2K3 SERVER monitoring box

What particular problem or application or requirements are you looking to address here with this use of an ftp and a proxy and Microsoft Windows Server? I'm having some difficulty discerning your particular requirements here. (I think I know what you're planning, but I'd rather confirm it.)

I'm mildly surprised that a security team is willing to allow ftp and rsh here; insecure protocols are usually eliminated from consideration.

Does this Windows Server box have security capabilities via ssh and related tools?

If this is a server monitoring and/or application and ACMS monitoring task, are you automating that mechanism here, or are you looking for interactive viewing into the server? (That goes to what sort of interface might be useful here.)

If OpenVMS has Apache (or can have Apache loaded) would a web interface address your requirements?



Patrick Soehl
Occasional Visitor

Re: ftp proxy on VMS 8.3 coming from Windows 2K3 SERVER monitoring box

Hi,

I very much appreciate people's willingness to back up and try to see what problem I'm trying to solve.

But what I'd really appreciate is a simple "here's how you do it", or "there's no way to do it", and leave it at that.

I will NOT be allowed to put Apache on these VMS systems, that is NOT an option. Please, trust me.

Is there a way to use a lex function or something on the remote node.

And yes, even in this environment, there are gaping holes. You would NOT believe. Good thing we're trustworthy.

I would still be doing the rsh from my w2k3 windows monitoring box if VMS 8.3 hadn't broken something.

John Gillings
Honored Contributor

Re: ftp proxy on VMS 8.3 coming from Windows 2K3 SERVER monitoring box

Pat,

Rather than try to parse arbitrary incoming RSH commands, turn the problem on its head. You can hijack the incoming RSH request, and instead of executing the incoming string as a command, execute your own procedure, using the string as a parameter.

Make a copy of SYS$SYSTEM:TCPIP$RSH_RUN.COM in the SYS$LOGIN of your monadmin user. Call it MY_RSH_RUN.COM

In your F$MODE().EQS."OTHER" branch of LOGIN.COM, detect the RSH process by process name:

$ rshproc="TCPIP$R_"
$ IF F$EXTRACT(0,F$LENGTH(rshproc),F$GETJPI("","PRCNAM")).EQS.rshproc THEN @MY_RSH_RUN/OUTPUT=MY_RSH_RUN.LOG

Modify MY_RSH_RUN.COM, replacing "EXIT 1" with LOGOUT.

You now have full control over all RSH commands sent to that username.

The command is in symbol 'RSHD$COMMAND' with which you can do what you like.

Simplest way to limit execution to a specific set of command procedures is to eliminate the "@" from your source RSH command. So your example becomes:

rsh -l monadmin #servername check_links

Now, in your MY_RSH_RUN command:

$ target=F$SEARCH(F$PARSE("PERMITTED_COMS:.COM;",RSHD$COMMAND))
$ IF target.NES."" THEN @'target'

where the logical name PERMITTED_COMS points to a directory containing your preapproved command procedures.

A crucible of informative mistakes
John Gillings
Honored Contributor

Re: ftp proxy on VMS 8.3 coming from Windows 2K3 SERVER monitoring box

Pat,

Something your security team will like...

You can also log all requests, source IP address, commands, whatever you like. If you wanted to you could send an alert message on an "illegal" request.

Answering your specific question:

>Do any of you know how to detect what
>command is being passed to the VMS system

The command string is part of logical name SYS$NET. It's the remainder of the string after the first dollar sign "$". The initial part of the string gives the socket names for SYS$INPUT, SYS$OUTPUT and SYS$ERROR.

For example:

"SYS$NET" = "_BG3305:_BG3305:$show time" (LNM$PROCESS_TABLE)

Be especially careful of attempting to parse and identify commands, especially if you intend to execute any resulting string. There are many pitfalls and tricky ways to get DCL to execute commands. I recommend you stick with procedure names as described in my previous response.
A crucible of informative mistakes
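The two replies above (hijack the RSH request, resolve a bare procedure name under PERMITTED_COMS, and log what arrived via SYS$NET) put together as one DCL procedure. This is an added example, not code from the thread or from the TCPIP$RSH_RUN.COM shipped with TCP/IP Services; it assumes it is invoked from the MY_RSH_RUN.COM copy after the symbol RSHD$COMMAND has been set, that the logical name PERMITTED_COMS points at the approved directory, and that RSH_AUDIT_LOG (an assumed name) points at the audit file. It goes a little beyond the reply by refusing anything that is not a plain name (no device, directory, type, version or wildcard), since "*" would otherwise match any approved file.

```dcl
$! RSH_GATE.COM (assumed name): validate and log one incoming RSH command.
$! Added example, not code from the thread. Assumes RSHD$COMMAND is already
$! set by the calling copy of TCPIP$RSH_RUN.COM, that PERMITTED_COMS names
$! the directory of approved procedures, and that RSH_AUDIT_LOG (assumed)
$! names the audit file.
$ SET NOON
$ verdict = "DENIED"
$ cmd = F$EDIT(RSHD$COMMAND, "TRIM,UPCASE,COMPRESS")
$!
$! Only a bare procedure name is acceptable. The NAME field of a
$! syntax-only parse must be the whole string, which rejects any node,
$! device, directory, type, version or embedded space, and "*" / "%"
$! are refused separately because F$SEARCH would expand them.
$ name = F$PARSE(cmd,,,"NAME","SYNTAX_ONLY")
$ IF name .EQS. "" .OR. name .NES. cmd THEN GOTO FINISH
$ IF F$LOCATE("*", cmd) .NE. F$LENGTH(cmd) THEN GOTO FINISH
$ IF F$LOCATE("%", cmd) .NE. F$LENGTH(cmd) THEN GOTO FINISH
$!
$! The name must resolve to an existing .COM in the approved directory;
$! F$SEARCH returns the highest version or "" when nothing matches.
$ target = F$SEARCH("PERMITTED_COMS:" + name + ".COM")
$ IF target .EQS. "" THEN GOTO FINISH
$ verdict = "ALLOWED"
$!
$FINISH:
$! Record every request before acting on it. SYS$NET carries the socket
$! names followed by "$" and the raw command string.
$ IF F$SEARCH("RSH_AUDIT_LOG") .EQS. ""
$ THEN
$     OPEN/WRITE/ERROR=NOLOG audit RSH_AUDIT_LOG
$ ELSE
$     OPEN/APPEND/ERROR=NOLOG audit RSH_AUDIT_LOG
$ ENDIF
$ WRITE audit F$TIME(), " ", F$EDIT(F$GETJPI("","USERNAME"),"TRIM"), -
        " ", F$GETJPI("","PRCNAM"), " ", verdict, " ", F$TRNLNM("SYS$NET")
$ CLOSE audit
$NOLOG:
$! Run the approved procedure only; anything else just ends the session.
$ IF verdict .EQS. "ALLOWED" THEN @'target'
$ LOGOUT
```

With this in place the Windows side sends only the name, as in "rsh -l monadmin servername check_links", and a request carrying "@", a directory, or a DCL verb is logged as DENIED and the process logs out without executing anything.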
Patrick Soehl
Occasional Visitor

Re: ftp proxy on VMS 8.3 coming from Windows 2K3 SERVER monitoring box

THANKS VERY MUCH! That's what I was looking for. My intention is to NOT ALLOW ANY DCL commands.