HPE Community
Operating System - OpenVMS
1752777 Members
6364 Online
108789 Solutions
New Discussion юеВ

Re: limiting interactive logins

 
CHRIS KRALL
Occasional Contributor

тАО02-27-2009 10:28 AM

тАО02-27-2009 10:28 AM

limiting interactive logins

I wish to limit interactive access to a VMS node to certain persons. In the past the UAF flag

Local: ----- No access ------

could be set a such which prevented interactive logins, which remains true over decnet.

Username: jdoe
Password:

You are not authorized to login from this source

SSH appears to ignore this flag. I have also tried various lexical functions (getjpi) to no avail.

Anyone have any success limiting interactive logins to specific persons when the person is accessing via ssh?

0 Kudos
Reply
7 REPLIES 7
marsh_1
Honored Contributor

тАО02-27-2009 10:56 AM

тАО02-27-2009 10:56 AM

Re: limiting interactive logins

hi,

in the sshd2_config file there is the allowusers/denyusers/allowgroups/denygroups options to use.


HTH

0 Kudos
Reply
Robert Gezelter
Honored Contributor

тАО02-27-2009 11:03 AM

тАО02-27-2009 11:03 AM

Re: limiting interactive logins

Chris,

Yes. The LOCAL setting is a rather crude bludgeon.

The OP does not mention which IP stack or which version of OpenVMS is involved.

Personally, what I have done in several cases is to make a change to either SYS$MANAGER:SYLOGIN.COM (or a group login file invoked by SYLOGIN.COM) to check the device name against a Rights List Identifier.

If the user holds the Identifier, the login is permitted, if not, output the appropriate message and LOGOUT.

Using this approach, it is important to disable CNTRL-Y etc by default (else an enterprising user could just keep hitting the keys to bypass the check).

- Bob Gezelter, http://www.rlgsc.com
0 Kudos
Reply
CHRIS KRALL
Occasional Contributor

тАО02-27-2009 11:51 AM

тАО02-27-2009 11:51 AM

Re: limiting interactive logins

Mark

this rule would apply for sftp as well?
0 Kudos
Reply
marsh_1
Honored Contributor

тАО02-27-2009 12:22 PM

тАО02-27-2009 12:22 PM

Re: limiting interactive logins

hi,


yes, it uses ssh as well.
0 Kudos
Reply
marsh_1
Honored Contributor

тАО02-27-2009 12:33 PM

тАО02-27-2009 12:33 PM

Re: limiting interactive logins

sorry should have said file is in dir sys$sysdevice:[tcpip$ssh.ssh2] and disable/enable ssh service when you've done your change (assuming vms tcpip)

hth

0 Kudos
Reply
Hoff
Honored Contributor

тАО02-27-2009 02:04 PM

тАО02-27-2009 02:04 PM

Re: limiting interactive logins

That the sshd isn't (fully) checking the authorization database looks like a bug in the implementation.

If you have a support contract, send along a bug report to HP.
0 Kudos
Reply
Kees L.
Advisor

тАО03-01-2009 11:40 PM

тАО03-01-2009 11:40 PM

Re: limiting interactive logins

If you modify the userrecord with:
$ uaf modify user /nonetwork
then login through ssh will be disabled.
Also (s)ftp and similar by the way.
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.