Re: Restrict set host login to remote node.

shiva27 · ‎05-21-2009

Hi,

We don't want to login to remote servers thru set ho "remote server name".
Our enviornment use,
1.Telnet is disable in both servers (local & remote).
2.Decnet over IP configured - Don't want to disturb this setting.
3.Local & Bind database host entry - Don't want to disturb.

I verified the configuration ,found remote server entry is available in Decnet_regirster database

Can you please suggest, if i remove this entry then we will not be able to login via "set ho" to remove server.

Is there any other things we've to verify to accomplish this?

OVMS : V8.3

Thomas Ritter · ‎05-21-2009

You could disable remote access using NCP.
$ MC NCP show exec char

Look for this line.
Default access = incoming and outgoing

NCP>help set exec default

Hakan Zanderau ( Anders · ‎05-21-2009

If you remove an entry from the local namespace, don't forget to flush the cache.

$ mc ncl flush session control naming cache entry "*"

Why is it important to restrict the outgoing selection of a node/host ?
If you have access to a node (username/password), you could easily use SYLOGIN.COM to refuse users from a specific source to continue a login.

Hakan

Don't make it worse by guessing.........

Jan van den Ende · ‎05-21-2009

Shiva,

to specifically block incoming sethost sessions, add this command to SYS$SYLOGIN (needs write access, eg SYSPRV to modify this file):

.
.
.
$ if f$extract(0,2,F$GETJI("","terminal") .eqs. "RT"
$ then
$ ! maybe some message here..
$ logout/brief
$ endif
.
.
.

Proost.

Have one on me.

jpe

Don't rust yours pelled jacker to fine doll missed aches.

Jan van den Ende · ‎05-21-2009

shiva,

from your Forum Profile:

I have assigned points to 0 of 118 responses to my questions.

Maybe you can find some time to do some assigning?

http://forums1.itrc.hp.com/service/forums/helptips.do?#33

Mind, I do NOT say you necessarily need to give lots of points. It is fully up to _YOU_ to decide how many. If you consider an answer is not deserving any points, you can also assign 0 ( = zero ) points, and then that answer will no longer be counted as unassigned.
Consider, that every poster took at least the trouble of posting for you!

To easily find your streams with unassigned points, click your own name somewhere.
This will bring up your profile.
Near the bottom of that page, under the caption "My Question(s)" you will find "questions or topics with unassigned points " Clicking that will give all, and only, your questions that still have unassigned postings.

Thanks on behalf of your Forum colleagues.

PS. nothing personal in this. I try to post it to everyone with this kind of assignment ratio in this forum. If you have received a posting like this before please do not take offence none is intended!

PPS. Zero points for THIS entry, please.

Proost.

Have one on me.

jpe

Don't rust yours pelled jacker to fine doll missed aches.

Hakan Zanderau ( Anders · ‎05-22-2009

Jan,

or having a look at the job-logicals SYS$REM_*
would be a better way of determing the source and protocol.

Hakan

Don't make it worse by guessing.........

Robert Gezelter · ‎05-22-2009

Shiva,

First, for the sake of clarity, and the benefit of others who may be following this thread, now or in the future, we should refer to the command without any abbreviations. This is particularly important for the sake of those whose fluency in English is limited.

The abbreviated command is: SET HOST

There are several ways that the ability to login using SET HOST can be restricted.

The most obvious way, and the one with the least global impact is the use of restrictions on REMOTE login. This is administered from within the AUTHORIZE utility. This restricts the logins on an individual account basis to certain hours of the day.

If this is not an absolute ban, but a ban on certain nodes or from certain nodes, code can be inserted into the system-wide login file (generally SYS$MANAGER:SYLOGIN.COM) to check at each login. This can include checks against:

- which node the connection originates from (as was mentioned using the SYS$REM* logical names),
- the particular node is authorized for that account (e.g., does the user hold a certain rights identifier)
- or other criteria

One could also probably remove the process (REMACP) from the DECnet configuration. I would not recommend this as it affects all users, not just individual users.

- Bob Gezelter, http://www.rlgsc.com

shiva27 · ‎05-24-2009

Is there any simple way to stop SET host login on remote node ? or say if we defined something on remote node so that incoming login request from "SET HOST" will restrict like Telnet ( Assumed telnet service disable).

Jeremy Begg · ‎05-25-2009

Hello,

It's not entirely clear if you want to stop the SET HOST command from working, or if (instead) you want to block incoming SET HOST requests.

Assuming you want to block incoming SET HOST requests, here are few suggestions, in decreasing order of severity.

1. Delete (or rename) SYS$SYSTEM:REMACP.EXE. This is the program which receives incoming SET HOST connections.

Or ...

2. Edit SYS$MANAGER:RTTLOAD.COM to exit immediately. This procedure runs the REMACP program.

Or ...

3. Set the SYSGEN parameter RJOBLIM to 0. This parameter limits the number of concurrent incoming SET HOST connections.

Note that if you do 1 or 2, the system will continue to accept SET HOST logins until the next reboot. You can delete the REMACP process to prevent them.

Less drastic than all the above is to modify the system-wide SYLOGIN.COM procedure to force a logout if the user's terminal is an RT device. For example:

$ term = f$getdvi(0,"TERMINAL")
$ if f$locate("RTA",term) .lt. f$length(term)
$ then
$ logout
$ stop/id=0
$ endif

Regards,
Jeremy Begg

Joseph Huber_1 · ‎05-25-2009

shiva, could You tell us what the principle target of the restriction is:
No remote access at all ?
Just not telnet and decnet set host, but SET HOST/LAT is allowed ?
Only SSH as the remote access method ?
If the latter, then
AUTORIZE MODIFY user/NOREMOTE
will forbid all remote login but SSH for the specified user. Do this for all users once.
Do it also for user DEFAULT, then it is automatically for new users as well.
Through authorize You can e.g. let a door open for system management users in case SSH stops working.

http://www.mpp.mpg.de/~huber

Joseph Huber_1 · ‎05-25-2009

Aah sorry, also Telnet is in the same class as SSH, not seen as REMOTE class login.
So my above suggestion is not perfect, but still with Telnet (and RSH) server disabled, it allows SSH login, without manipulating xxACP setup.

http://www.mpp.mpg.de/~huber

shiva27 · ‎05-26-2009

Joseph,

Before upgradation,it was not allowing to login from testing server to production server by "SET HOST".

Now Once we logged into testing server and try to login production as
test>SET HOST LONDON
username:xyz
pass:****

PROD>

So, i dont want to allow the user to login from test server to PROD server , Telnet is already disable.

Note:Same user profile copied from V7.3-2 to V8.3.

Hakan Zanderau ( Anders · ‎05-26-2009

Wouldn't the EASIEST way be to edit SYLOGIN.COM
in node LONDON to refuse login from the testnode ??

That would survive another upgrade of node LONDON.

Hakan

Don't make it worse by guessing.........

Joseph Huber_1 · ‎05-26-2009

shiva27,
Yes, therefore I was asking these questions, if You want to inhibit all but SSH:
removing REMACP still lets SET HOST/LAT open.
Modifying users /NOREMOTE inhibits all remote logins without manipulating processes.

http://www.mpp.mpg.de/~huber

shiva27 · ‎05-26-2009

Hi All,

Thanks for your help, I'm checking sylogin.com file to restrict SET HOST use from test server.

I've tried "account/noremote" option but this will not work in our environment.

Can you please suggest how can assign the points to you guys for your better support to fix this issues.

Jeremy Begg · ‎05-26-2009

Give everyone 10 points :-)

shiva27 · ‎05-26-2009

Thx again for gr8 help.

Jon Pinkley · ‎05-29-2009

RE:"Can you please suggest how can assign the points to you guys for your better support to fix this issues."

See Jan's comment dated May 22, 2009 07:14:28 GMT in this thread, where he references

http://forums.itrc.hp.com/service/forums/helptips.do?#33

This is an excerpt:

How many points should I assign to replies?
Every response to your question is eligible to earn between 1-10 points. No need to worry about running out of points - when a truly awesome reply rolls in that deserves a 10, you will be able to assign it a 10! However, be careful to assign points based on the value that a reply truly provides. Use the following scale as a guideline:

o N/A: The answer was simply a point of clarification to my original question

o 1-3: The answer didn't really help answer my question, but thanks for your assistance!

o 4- 7: The answer helped with a portion of my question, but I still need some additional help!

o 8-10: The answer has solved my problem completely! Now I'm a happy camper!

Although assigning points is not mandatory, it is a key component of a strong, interactive community, and it is STRONGLY ENCOURAGED. Others have taken time to help you, so please take a moment to give them credit for their assistance!

it depends

comarow · ‎05-29-2009

A simple solution is to lock users onto your system, don't give them Netmbx privildge.

Jan van den Ende · ‎05-29-2009

Shiva,

I may risk insulting you, but

>>>
Can you please suggest how can assign the points to you guys for your better support to fix this issues.
<<<

Does this mean you do not know the mechanics of the process?

Here we go.

choose a question you asked which has unrewarded answers.

In the header of each answer, you see a timestamp, and EITHER the assigned point (which are UNchangeable) OR a pull-down menu.
In the latter case, YOU decide on a value for that answer.

If you are finished with assgning, scroll down to the and of the question, and choose
to assign the points (and only THEN they do get registrated.

hth

Proost.

Have one on me.

jpe

Don't rust yours pelled jacker to fine doll missed aches.

Categories

Company

Local Language

Forums

Discussions

Forums

Discussions

Forums

Discussions

Forums

Discussions

Forums

Discussions

Discussions

Forums

Forums

Discussions

Forums

Discussions

Forums

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Community

Resources

Other HPE Sites

Discussions

Forums

Blogs

Re: Restrict set host login to remote node.

Restrict set host login to remote node.