Limit VMS account access to a predefined set of IP addresses
06-14-2007 02:22 AM
06-14-2007 02:31 AM
Re: Limit VMS account access to a predefined set of IP addresses
regards Kalle
06-14-2007 02:32 AM
Re: Limit VMS account access to a predefined set of IP addresses
Check that Telnet logs by IP address and not by name ( $ tcpip sh service telnet /fu), or adapt your tests (test for an IP address/range or test for node name in a list).
06-14-2007 02:34 AM
Re: Limit VMS account access to a predefined set of IP addresses
There's not enough information in the connection to allow a firewall to detect the login request and filter it; firewalls don't have a way to peek into the OpenVMS login sequence and snag the target username.
This can usually be done within SYLOGIN (using DCL) by looking back at the incoming address (via translation of the available IP logical names, or via $getdvi TT_ACCPORNAM, depending on details), or (somewhat more work, more integrated, more elegant) by creating a customized LGI callout module for use within LOGINOUT (see the LGI materials in the manual set). In either case, if the login source and the username don't match requirements, the login process is punted.
A more advanced approach might involve using digital certificates and ssh; users would automatically log in, and the connection could be tied to various attributes such as the source PC. I'd be tempted to move this way, and you can use your own locally-issued certificates for this.
There are various other options.
Stephen Hoffman
HoffmanLabs
06-14-2007 06:00 AM
Re: Limit VMS account access to a predefined set of IP addresses
Purely Personal Opinion
06-14-2007 12:29 PM
Re: Limit VMS account access to a predefined set of IP addresses
If you can't get the other suggestions to work...
A big blunt instrument to block all but a select set of IP addresses. Define host routes for the allowed addresses, then point your default route to a non-existent address. Other nodes may be able to reach your node, but you won't respond to them.
06-15-2007 02:17 AM
Re: Limit VMS account access to a predefined set of IP addresses
Personally, I would use a combination of modifications to SYS$MANAGER:SYLOGIN.COM, an entry in the Group logical name table (in EXECUTIVE_MODE for security) and a Rights Identifier to control:
- whether the person is permitted to log in via TCP
- what address block(s) are permitted to log in
This allows the capability to be controlled with a high degree of precision.
- Bob Gezelter, http://www.rlgsc.com
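Here, as an added example that is not Bob Gezelter's code and not anything shipped with OpenVMS or TCP/IP Services, is a SYS$MANAGER:SYLOGIN.COM fragment that puts the three controls above together. The identifier name NET_LOGIN, the group logical name TELNET_NETS and the log file name are assumptions chosen for the illustration; the "Host: address  Port: nnnn" layout of TT_ACCPORNAM is the one the script later in this thread relies on.

```dcl
$! Added example (not Bob Gezelter's code, not an HPE-supplied file):
$! SYLOGIN.COM fragment implementing the three controls described above.
$! Assumed (hypothetical) names: the rights identifier NET_LOGIN marks the
$! accounts allowed to log in over TCP, and the group logical TELNET_NETS,
$! defined in executive mode by a suitably privileged account, holds the
$! permitted address prefixes as a search list, e.g.
$!   $ DEFINE/TABLE=LNM$GROUP/EXECUTIVE_MODE TELNET_NETS "10.10.1.","10.10.2."
$!
$ set noon
$ username = f$edit(f$getjpi("","username"),"trim")
$ terminal = f$getjpi("","terminal")
$ if terminal .eqs. "" then goto done        ! not an interactive login
$ accpornam = f$getdvi(terminal,"tt_accpornam")
$!
$! Only network (TCP) logins carry a "Host: ..." access port name;
$! local and LAT terminals are not subject to these checks.
$ if f$locate("HOST:",f$edit(accpornam,"upcase")) .ge. f$length(accpornam) then goto done
$!
$! Extract the source address: drop "Host: " and keep the first
$! blank-delimited word (the remainder is "Port: nnnn").
$ source = f$edit(f$element(0," ",accpornam - "Host: "),"trim")
$!
$! Control 1: the account must hold the NET_LOGIN identifier.
$ rights = "," + f$edit(f$getjpi("","process_rights"),"upcase,collapse") + ","
$ if f$locate(",NET_LOGIN,",rights) .ge. f$length(rights)
$ then
$     reason = "account not authorized for TCP login"
$     goto refuse
$ endif
$!
$! Control 2: the address must start with one of the TELNET_NETS prefixes.
$! Only executive-mode translations are accepted, so a supervisor-mode
$! definition of the same name cannot be substituted for the real list.
$ idx = 0
$ net_loop:
$     prefix = f$trnlnm("TELNET_NETS","LNM$GROUP",idx,"EXECUTIVE")
$     if prefix .eqs. "" then goto no_match
$     if f$extract(0,f$length(prefix),source) .eqs. prefix then goto done
$     idx = idx + 1
$     goto net_loop
$ no_match:
$ reason = "source ''source' not in TELNET_NETS"
$!
$! Record the refusal (the log file must already exist), then log out.
$ refuse:
$ open/append/error=logout faillog sys$manager:tcp_login_refused.log
$ write faillog f$fao("!24AS !16AS !AS ",f$time(),username,source) + reason
$ close faillog
$ logout:
$ logout/brief
$!
$ done:
$ exit
```

The DEFINE in the comment has to come from a privileged context such as a startup procedure, not from the user's own login. The prefix comparison is textual, so list prefixes with their trailing dot ("10.10.1." rather than "10.10.1"); without it, "10.10.1" would also admit 10.10.10.x and 10.10.100.x.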
06-15-2007 03:25 AM
Solution
10.10.1
foobar.com
(etc.)
The first entry says that any login with an IP of 10.10.1.* gets in. I also have a TELNET_BLACKLIST.DAT file. I use that mainly to block SYSTEM from telneting in. Both files can have usernames as well. The DCL keeps a log of login failures. Here's the DCL:
$!******************************************************************************
$!*
$!* SYS$MANAGER:INTERNET_CHECK.COM
$!*
$!******************************************************************************
$!
$ username = f$edit(f$getjpi("","username"),"trim")
$!
$ numbers = "0123456789"
$!
$ my_term = f$getjpi("","terminal")
$ my_server_and_port_name = f$getdvi(my_term,"tt_accpornam")
$ my_server_and_port_name = f$edit(my_server_and_port_name,"upcase,trim")
$ my_server_and_port_name_length = f$length(my_server_and_port_name)
$!
$! The symbol IP_ADDRESS can be either the number or the name
$! (ie: 198.31.44.4 vs. sierra.sierracollege.edu)
$! Also, the IP address can be 10.999.999.999 where 10 is a number private
$! to Sierra College
$!
$ ip_address = my_server_and_port_name - "Host: "
$ ip_address = f$element(0," ",ip_address)
$ ip_address = f$edit(ip_address,"upcase,trim")
$!
$ ip_address_length = f$length(ip_address)
$ ip_address_1 = f$extract(0,1,ip_address)
$!
$ if f$locate(ip_address_1,numbers) .lt. 10 ! 1st character is a number
$ then
$ class_a_address = f$element(0,".",ip_address)
$ class_b_address = class_a_address + "." + f$element(1,".",ip_address)
$ class_c_address = class_b_address + "." + f$element(2,".",ip_address)
$ domain = " "
$ else
$! 1st character is a name - strip the host name
$ domain = ip_address - f$element(0,".",ip_address) - "."
$ domain = f$edit(domain,"upcase,trim")
$ class_a_address = " "
$ class_b_address = " "
$ class_c_address = " "
$ endif
$!
$! Check if the IP address is from a SLIP connection
$! The SLIP address is in the form "slip-99-999-999-99.yada.yada.yada.etc"
$! and the numbers vary
$ if (f$extract(0,4,ip_address) .eqs. "slip") -
.or. (f$extract(0,4,ip_address) .eqs. "SLIP")
$ then
$ ip_address = ip_address - f$element(0,".",ip_address) - "."
$ class_c_address = f$element(0,".",ip_address)
$ endif
$!
$ on error then goto logout
$!
$! Logout if the IP address, 'network' address or username
$! is in TELNET_BLACKLIST.DAT
$ open/read/share=write blacklist sys$manager:telnet_blacklist.dat
$!
$BLACKLIST_LOOP:
$ read/end=check_whitelist blacklist blacklist_record
$ blacklist_record = f$edit(blacklist_record,"upcase,trim")
$!
$ if username .eqs. blacklist_record
$ then
$ close blacklist
$ login_failure_reason = "**** Username is in TELNET_BLACKLIST.DAT ****"
$ goto logout
$ endif
$!
$ if ip_address .eqs. blacklist_record
$ then
$ close blacklist
$ login_failure_reason = "**** IP address is in TELNET_BLACKLIST.DAT ****"
$ goto logout
$ endif
$!
$ if class_a_address .eqs. blacklist_record
$ then
$ close blacklist
$ login_failure_reason = -
"**** 'Class A' address is in TELNET_BLACKLIST.DAT ****"
$ goto logout
$ endif
$!
$ if class_b_address .eqs. blacklist_record
$ then
$ close blacklist
$ login_failure_reason = -
"**** 'Class B' address is in TELNET_BLACKLIST.DAT ****"
$ goto logout
$ endif
$!
$ if class_c_address .eqs. blacklist_record
$ then
$ close blacklist
$ login_failure_reason = -
"**** 'Class C' address is in TELNET_BLACKLIST.DAT ****"
$ goto logout
$ endif
$!
$ if domain .eqs. blacklist_record
$ then
$ close blacklist
$ login_failure_reason = -
"**** 'Domain' address is in TELNET_BLACKLIST.DAT ****"
$ goto logout
$ endif
$!
$ goto blacklist_loop
$!
$CHECK_WHITELIST:
$! Logout if the IP address, "network" address or username is NOT
$! in TELNET_WHITELIST.DAT
$ close blacklist
$ open/read/share=write whitelist sys$manager:telnet_whitelist.dat
$!
$WHITELIST_LOOP:
$ read/end=whitelist_failure whitelist whitelist_record
$!
$ if f$extract(0,1,whitelist_record) .eqs. "!" then goto whitelist_loop
$!
$ whitelist_record = f$element(0,"!",whitelist_record)
$ whitelist_record = f$edit(whitelist_record,"upcase,trim")
$ whitelist_record_length = f$length(whitelist_record)
$! Skip blank records: f$locate of an empty string matches everything
$ if whitelist_record_length .eq. 0 then goto whitelist_loop
$!
$! f$locate returns the full length when the substring is absent, so
$! .lt. means the record occurs somewhere in "Host: ... Port: ..."
$ if f$locate(whitelist_record,my_server_and_port_name) -
.lt. my_server_and_port_name_length
$ then
$ close whitelist
$ goto bye
$ endif
$!
$ if (ip_address .eqs. whitelist_record) -
.or. (domain .eqs. whitelist_record) -
.or. (class_a_address .eqs. whitelist_record) -
.or. (class_b_address .eqs. whitelist_record) -
.or. (class_c_address .eqs. whitelist_record) -
.or. (username .eqs. whitelist_record)
$ then
$ close whitelist
$ goto bye
$ else
$ goto whitelist_loop
$ endif
$!
$WHITELIST_FAILURE:
$ close whitelist
$ login_failure_reason = -
"**** Username, IP address or 'network' address not in TELNET_WHITELIST.DAT ****"
$!
$LOGOUT:
$ on error then logout/brief
$ open/append login_failures sys$common:[sysmgr]telnet_login_failures.log
$ datetime = f$time()
$ write login_failures -
f$fao("!13AS!30AS!24AS!70AS",username,ip_address,datetime,login_failure_reason)
$ close login_failures
$ logout/brief
$!
$BYE:
$ exit
Good luck!
06-15-2007 04:59 AM
Re: Limit VMS account access to a predefined set of IP addresses
Maybe I'm being dense here, but I'm not certain I entirely understand your question. Are you asking if you can restrict which PCs will be allowed to host a login session to the VMS system, or are you looking for a way to specify that specific users can only log in from specific hosts?
In the case of the former, it is relatively easy to allow telnet to only allow logins from specific hosts (since you're running HP's TCP/IP Services, documentation is available via $ TCPIP HELP SET SERVICE /ACCEPT and $ TCPIP HELP SET SERVICE /REJECT). Simply set the telnet service to reject all connections by default, and then accept only those hosts you would like to allow in.
If you're using SSH (also supported by Reflection v14 and TCP/IP Services v5.4, preferably with ECO6), the same effective settings can be managed via the TCPIP$SSH_DEVICE:[TCPIP$SSH.SSH2]SSHD2_CONFIG. file, using the AllowHosts and DenyHosts entries.
If you want to restrict certain users to log in from only specific hosts, this will need to be done in the login command processing, preferably in the SyLogin.com file. As others have mentioned before, it will require a data file that correlates users to hosts, and then the process to check one against the other. SMOP, but there are good starting points listed above.
HTH!
06-15-2007 05:10 AM
Re: Limit VMS account access to a predefined set of IP addresses
There are VMS-supplied logicals for the remote id and system, e.g. from a SET HOST from FOOBAR:
"SYS$REM_ID" = "MCGORRILL"
"SYS$REM_NODE" = "FOOBAR::"
They used to be only in global cells, which I'd examine until they gave us logicals. (I'm not sure how a TCP/IP connect fills these logicals.)