Operating System - OpenVMS
limiting interactive logins

 
CHRIS KRALL
Occasional Contributor

limiting interactive logins

I wish to limit interactive access to a VMS node to certain persons. In the past the UAF flag

Local: ----- No access ------

could be set as such, which prevented interactive logins; this remains true over DECnet.

Username: jdoe
Password:

You are not authorized to login from this source

SSH appears to ignore this flag. I have also tried various lexical functions (getjpi) to no avail.

Anyone have any success limiting interactive logins to specific persons when the person is accessing via ssh?

7 REPLIES
marsh_1
Honored Contributor

Re: limiting interactive logins

hi,

in the sshd2_config file there are the allowusers/denyusers/allowgroups/denygroups options to use.


HTH

Robert Gezelter
Honored Contributor

Re: limiting interactive logins

Chris,

Yes. The LOCAL setting is a rather crude bludgeon.

The OP does not mention which IP stack or which version of OpenVMS is involved.

Personally, what I have done in several cases is to make a change to either SYS$MANAGER:SYLOGIN.COM (or a group login file invoked by SYLOGIN.COM) to check the device name against a Rights List Identifier.

If the user holds the Identifier, the login is permitted; if not, output the appropriate message and LOGOUT.

Using this approach, it is important to disable CTRL-Y etc. by default (else an enterprising user could just keep hitting the keys to bypass the check).

- Bob Gezelter, http://www.rlgsc.com
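As an added example of the SYLOGIN.COM approach Bob outlines (illustrative code written for this thread, not from any poster or HP product): a DCL fragment that ends an interactive SSH session unless the process holds a site rights identifier. It assumes an identifier named SSH_INTERACTIVE has been created and granted in AUTHORIZE, that SSH sessions appear on FTAnnn: pseudo-terminals, and that the F$GETJPI RIGHTSLIST item is available on the version in use; all three are assumptions to verify locally.

```dcl
$! Added example, not from the thread: SYLOGIN.COM fragment enforcing
$! a rights identifier (assumed name: SSH_INTERACTIVE) for SSH logins.
$! Assumes SSH sessions arrive on FTAnnn: pseudo-terminals; check the
$! device prefix used by the TCP/IP stack actually installed.
$ SET NOCONTROL=Y           ! block CTRL-Y so the check cannot be skipped
$ SET NOON                  ! a DCL error here must not fall through to a prompt
$ IF F$MODE() .NES. "INTERACTIVE" THEN GOTO done
$!
$! Leave a way in for the system manager: a mistake in the identifier
$! grants should not lock out accounts that hold SETPRV.
$ IF F$PRIVILEGE("SETPRV") THEN GOTO done
$!
$! Only apply the rule to the SSH pseudo-terminals.
$ term = F$GETJPI("", "TERMINAL")
$ IF F$EXTRACT(0, 3, term) .NES. "FTA" THEN GOTO done
$!
$! RIGHTSLIST is a comma-separated list of identifiers the process holds
$! (assumed F$GETJPI item). Wrap it in commas so F$LOCATE matches whole
$! names only and SSH_INTERACTIVE_X cannot satisfy the test.
$ rights = "," + F$GETJPI("", "RIGHTSLIST") + ","
$ IF F$LOCATE(",SSH_INTERACTIVE,", rights) .NE. F$LENGTH(rights) THEN GOTO done
$!
$! Not authorized: print the same message LOGINOUT uses for the LOCAL
$! access flag, give the terminal a moment to display it, then log out.
$ WRITE SYS$OUTPUT "You are not authorized to login from this source"
$ WAIT 00:00:02
$ LOGOUT/BRIEF
$!
$ done:
$ SET CONTROL=Y             ! restore CTRL-Y for the rest of the session
```

The session still leaves a normal login and logout record in the operator and audit logs, so refused attempts remain visible to the system manager.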
CHRIS KRALL
Occasional Contributor

Re: limiting interactive logins

Mark,

would this rule apply to sftp as well?
marsh_1
Honored Contributor

Re: limiting interactive logins

hi,


yes, it uses ssh as well.
marsh_1
Honored Contributor

Re: limiting interactive logins

sorry, should have said: the file is in the directory sys$sysdevice:[tcpip$ssh.ssh2], and disable/enable the ssh service when you've done your change (assuming VMS TCPIP)

hth

Hoff
Honored Contributor

Re: limiting interactive logins

That the sshd isn't (fully) checking the authorization database looks like a bug in the implementation.

If you have a support contract, send along a bug report to HP.
Kees L.
Advisor

Re: limiting interactive logins

If you modify the user record with:
$ uaf modify user /nonetwork
then login through ssh will be disabled.
Also (s)ftp and similar by the way.