Operating System - OpenVMS

Re: Restrict set host login to remote node.

 
shiva27
Frequent Advisor

Restrict set host login to remote node.

Hi,

We don't want to log in to remote servers through set ho "remote server name".
Our environment uses:
1. Telnet is disabled on both servers (local & remote).
2. DECnet over IP configured - Don't want to disturb this setting.
3. Local & Bind database host entry - Don't want to disturb.


I verified the configuration and found that the remote server entry is available in the decnet_register database.

Can you please suggest, if I remove this entry, then we will not be able to login via "set ho" to the remote server.

Are there any other things we have to verify to accomplish this?

OVMS : V8.3

Thomas Ritter
Respected Contributor

Re: Restrict set host login to remote node.

You could disable remote access using NCP.
$ MC NCP show exec char

Look for this line.
Default access = incoming and outgoing

NCP>help set exec default
Hakan Zanderau ( Anders
Trusted Contributor

Re: Restrict set host login to remote node.

If you remove an entry from the local namespace, don't forget to flush the cache.

$ mc ncl flush session control naming cache entry "*"

Why is it important to restrict the outgoing selection of a node/host ?
If you have access to a node (username/password), you could easily use SYLOGIN.COM to refuse users from a specific source to continue a login.

Hakan
Don't make it worse by guessing.........
Jan van den Ende
Honored Contributor

Re: Restrict set host login to remote node.

Shiva,

to specifically block incoming sethost sessions, add this command to SYS$SYLOGIN (needs write access, eg SYSPRV to modify this file):

.
.
.
$ if f$extract(0,2,F$GETJPI("","TERMINAL")) .eqs. "RT"
$ then
$ ! maybe some message here..
$ logout/brief
$ endif
.
.
.


Proost.

Have one on me.

jpe
Don't rust yours pelled jacker to fine doll missed aches.
Jan van den Ende
Honored Contributor

Re: Restrict set host login to remote node.

shiva,

from your Forum Profile:


I have assigned points to 0 of 118 responses to my questions.


Maybe you can find some time to do some assigning?

http://forums1.itrc.hp.com/service/forums/helptips.do?#33

Mind, I do NOT say you necessarily need to give lots of points. It is fully up to _YOU_ to decide how many. If you consider an answer is not deserving any points, you can also assign 0 ( = zero ) points, and then that answer will no longer be counted as unassigned.
Consider, that every poster took at least the trouble of posting for you!

To easily find your streams with unassigned points, click your own name somewhere.
This will bring up your profile.
Near the bottom of that page, under the caption "My Question(s)" you will find "questions or topics with unassigned points " Clicking that will give all, and only, your questions that still have unassigned postings.

Thanks on behalf of your Forum colleagues.

PS. nothing personal in this. I try to post it to everyone with this kind of assignment ratio in this forum. If you have received a posting like this before please do not take offence none is intended!

PPS. Zero points for THIS entry, please.

Proost.

Have one on me.

jpe
Don't rust yours pelled jacker to fine doll missed aches.
Hakan Zanderau ( Anders
Trusted Contributor

Re: Restrict set host login to remote node.

Jan,

or having a look at the job-logicals SYS$REM_*
would be a better way of determining the source and protocol.

Hakan
Don't make it worse by guessing.........
Robert Gezelter
Honored Contributor

Re: Restrict set host login to remote node.

Shiva,

First, for the sake of clarity, and the benefit of others who may be following this thread, now or in the future, we should refer to the command without any abbreviations. This is particularly important for the sake of those whose fluency in English is limited.

The abbreviated command is: SET HOST

There are several ways that the ability to login using SET HOST can be restricted.

The most obvious way, and the one with the least global impact is the use of restrictions on REMOTE login. This is administered from within the AUTHORIZE utility. This restricts the logins on an individual account basis to certain hours of the day.

If this is not an absolute ban, but a ban on certain nodes or from certain nodes, code can be inserted into the system-wide login file (generally SYS$MANAGER:SYLOGIN.COM) to check at each login. This can include checks against:

- which node the connection originates from (as was mentioned using the SYS$REM* logical names),
- the particular node is authorized for that account (e.g., does the user hold a certain rights identifier)
- or other criteria

One could also probably remove the process (REMACP) from the DECnet configuration. I would not recommend this as it affects all users, not just individual users.

- Bob Gezelter, http://www.rlgsc.com
shiva27
Frequent Advisor

Re: Restrict set host login to remote node.

Is there any simple way to stop SET HOST login on the remote node? Or, say, if we defined something on the remote node so that incoming login requests from "SET HOST" will be restricted like Telnet (assuming the telnet service is disabled).
Jeremy Begg
Trusted Contributor

Re: Restrict set host login to remote node.

Hello,

It's not entirely clear if you want to stop the SET HOST command from working, or if (instead) you want to block incoming SET HOST requests.

Assuming you want to block incoming SET HOST requests, here are a few suggestions, in decreasing order of severity.

1. Delete (or rename) SYS$SYSTEM:REMACP.EXE. This is the program which receives incoming SET HOST connections.

Or ...

2. Edit SYS$MANAGER:RTTLOAD.COM to exit immediately. This procedure runs the REMACP program.

Or ...

3. Set the SYSGEN parameter RJOBLIM to 0. This parameter limits the number of concurrent incoming SET HOST connections.

Note that if you do 1 or 2, the system will continue to accept SET HOST logins until the next reboot. You can delete the REMACP process to prevent them.

Less drastic than all the above is to modify the system-wide SYLOGIN.COM procedure to force a logout if the user's terminal is an RT device. For example:

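$! Name of the terminal this process is logged in on (e.g. RTA1: for SET HOST)
$ term = f$getjpi("","TERMINAL")
$ if f$locate("RTA",term) .lt. f$length(term)
$ then
$ logout
$! Fallback in case LOGOUT did not end the process
$ stop/id=0
$ endif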


Regards,
Jeremy Begg
Joseph Huber_1
Honored Contributor

Re: Restrict set host login to remote node.

shiva, could You tell us what the principal target of the restriction is:
No remote access at all ?
Just not telnet and decnet set host, but SET HOST/LAT is allowed ?
Only SSH as the remote access method ?
If the latter, then
AUTHORIZE MODIFY user/NOREMOTE
will forbid all remote login but SSH for the specified user. Do this for all users once.
Do it also for user DEFAULT, then it is automatically for new users as well.
Through authorize You can e.g. let a door open for system management users in case SSH stops working.
http://www.mpp.mpg.de/~huber
Joseph Huber_1
Honored Contributor

Re: Restrict set host login to remote node.

Aah sorry, also Telnet is in the same class as SSH, not seen as REMOTE class login.
So my above suggestion is not perfect, but still with Telnet (and RSH) server disabled, it allows SSH login, without manipulating xxACP setup.
http://www.mpp.mpg.de/~huber
shiva27
Frequent Advisor

Re: Restrict set host login to remote node.

Joseph,

Before upgradation, it was not allowing to login from testing server to production server by "SET HOST".

Now once we are logged into the testing server and try to login to production as
test>SET HOST LONDON
username:xyz
pass:****

PROD>

So, I don't want to allow the user to login from test server to PROD server. Telnet is already disabled.

Note: Same user profile copied from V7.3-2 to V8.3.
Hakan Zanderau ( Anders
Trusted Contributor

Re: Restrict set host login to remote node.

Wouldn't the EASIEST way be to edit SYLOGIN.COM
in node LONDON to refuse login from the testnode ??

That would survive another upgrade of node LONDON.

Hakan
Don't make it worse by guessing.........
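
Added example, not part of any post in this thread: a SYLOGIN.COM fragment for the production node that combines the RT-terminal test with the SYS$REM_NODE job logical and a rights-identifier exemption, as suggested in the replies above. The node name TESTND and the identifier SETHOST_OK are hypothetical placeholders, and the exact form of SYS$REM_NODE under DECnet over IP is an assumption to confirm with SHOW LOGICAL SYS$REM_NODE in a test session.

```dcl
$! Added example for the system-wide SYLOGIN.COM on the production node.
$! TESTND and SETHOST_OK are hypothetical names, not taken from the thread.
$!
$! Remember which control characters were enabled, then disable Ctrl/Y so
$! the check cannot be interrupted. Restoring only the saved state avoids
$! turning Ctrl/Y on for accounts that log in with it disabled (DISCTLY).
$ saved_ctl = f$environment("CONTROL")
$ set nocontrol=y
$!
$ if f$mode() .nes. "INTERACTIVE" then goto rem_check_done
$ term = f$getjpi("","TERMINAL")
$ if f$extract(0,2,term) .nes. "RT" then goto rem_check_done   ! not an RTAn: session
$!
$! SYS$REM_NODE is a job logical defined for the incoming session.
$! Normalise it: upper case, no blanks, trailing "::" removed.
$ rem_node = f$edit(f$trnlnm("SYS$REM_NODE"),"UPCASE,COLLAPSE") - "::"
$!
$! Accounts holding the exemption identifier may still use SET HOST.
$ rights = "," + f$getjpi("","PROCESS_RIGHTS") + ","
$ if f$locate(",SETHOST_OK,",rights) .lt. f$length(rights) then goto rem_check_done
$!
$! Comma-delimited list of source nodes to refuse; extend as needed.
$ blocked = ",TESTND,"
$ if f$locate(","+rem_node+",",blocked) .eq. f$length(blocked) then goto rem_check_done
$!
$ write sys$output "SET HOST logins from ''rem_node' are not permitted on this node."
$ logout/brief
$ stop/id=0                                ! fallback if LOGOUT did not end the process
$!
$rem_check_done:
$ if f$locate("Y",saved_ctl) .lt. f$length(saved_ctl) then set control=y
```

As written, an RT session whose SYS$REM_NODE is undefined is let through; to fail closed instead, add TESTND-style handling for an empty rem_node before the list check.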
Joseph Huber_1
Honored Contributor

Re: Restrict set host login to remote node.

shiva27,
Yes, therefore I was asking these questions, if You want to inhibit all but SSH:
removing REMACP still lets SET HOST/LAT open.
Modifying users /NOREMOTE inhibits all remote logins without manipulating processes.
http://www.mpp.mpg.de/~huber
shiva27
Frequent Advisor

Re: Restrict set host login to remote node.

Hi All,

Thanks for your help, I'm checking sylogin.com file to restrict SET HOST use from test server.

I've tried "account/noremote" option but this will not work in our environment.

Can you please suggest how can assign the points to you guys for your better support to fix this issues.
Jeremy Begg
Trusted Contributor

Re: Restrict set host login to remote node.

Give everyone 10 points :-)
shiva27
Frequent Advisor

Re: Restrict set host login to remote node.

Thx again for gr8 help.
Jon Pinkley
Honored Contributor

Re: Restrict set host login to remote node.

RE:"Can you please suggest how can assign the points to you guys for your better support to fix this issues."

See Jan's comment dated May 22, 2009 07:14:28 GMT in this thread, where he references

http://forums.itrc.hp.com/service/forums/helptips.do?#33

This is an excerpt:

How many points should I assign to replies?
Every response to your question is eligible to earn between 1-10 points. No need to worry about running out of points - when a truly awesome reply rolls in that deserves a 10, you will be able to assign it a 10! However, be careful to assign points based on the value that a reply truly provides. Use the following scale as a guideline:



o N/A: The answer was simply a point of clarification to my original question

o 1-3: The answer didn't really help answer my question, but thanks for your assistance!

o 4- 7: The answer helped with a portion of my question, but I still need some additional help!

o 8-10: The answer has solved my problem completely! Now I'm a happy camper!


Although assigning points is not mandatory, it is a key component of a strong, interactive community, and it is STRONGLY ENCOURAGED. Others have taken time to help you, so please take a moment to give them credit for their assistance!
it depends
comarow
Trusted Contributor

Re: Restrict set host login to remote node.

A simple solution is to lock users onto your system, don't give them NETMBX privilege.
Jan van den Ende
Honored Contributor

Re: Restrict set host login to remote node.

Shiva,

I may risk insulting you, but

>>>
Can you please suggest how can assign the points to you guys for your better support to fix this issues.
<<<

Does this mean you do not know the mechanics of the process?

Here we go.

Choose a question you asked which has unrewarded answers.

In the header of each answer, you see a timestamp, and EITHER the assigned points (which are UNchangeable) OR a pull-down menu.
In the latter case, YOU decide on a value for that answer.

If you are finished with assigning, scroll down to the end of the question, and choose
to assign the points (and only THEN they do get registered).

hth

Proost.

Have one on me.

jpe
Don't rust yours pelled jacker to fine doll missed aches.