Operating System - OpenVMS
Turn off SET HOST for DECnet

 
Thomas A. Williams
Regular Advisor

Turn off SET HOST for DECnet

Here's what I'm looking to do:

Restrict DECnet access to task-to-task communications only. No SET HOST capability.

Someone mentioned to me there may be a logical OR SYSGEN param (or maybe even an NCL setting?) that would allow this.

Has anyone heard of this?

Thanks.
John Abbott_2
Esteemed Contributor

Re: Turn off SET HOST for DECnet

Would using the UAF mod usr/NOREMOTE suffice? (prohibits SET HOST whilst allowing TASK (network) logins).

Regards
John.
Don't do what Donny Dont does
Jan van den Ende
Honored Contributor

Re: Turn off SET HOST for DECnet

Thomas,

if you really want to totally remove the functionality from your system, you can modify the definition for the SET command to no longer contain the HOST syntax.

Use VERB SET to get the current definition, and remove the SET HOST paragraph.
Then SET COMMAND

Be careful NOT to accidentally change any other paragraphs, because that could change the behavior of other SET commands.

hth,

Cheers.

Have one on me.

jpe
Don't rust yours pelled jacker to fine doll missed aches.
Thomas A. Williams
Regular Advisor

Re: Turn off SET HOST for DECnet

1) The UAF /noremote option actually worked. Too bad there's no way to do it on a systemwide basis...

2) I'm not familiar with the VERB SET command. Can you expand on how to do that? It's not the same as SET COMMAND, is it?
EdgarZamora_1
Respected Contributor

Re: Turn off SET HOST for DECnet


Modifying the SET command makes me shudder.

Not foolproof, but simple... why not just add some code in SYLOGIN.COM to check for RT terminal and log out if it's RT?

John Abbott_2
Esteemed Contributor

Re: Turn off SET HOST for DECnet

> 1) The UAF /noremote option actually worked. Too bad there's no way to do it on a systemwide basis...

UAF> MOD */NOREMOTE

:-)
J.
Don't do what Donny Dont does
Thomas A. Williams
Regular Advisor

Re: Turn off SET HOST for DECnet

Hey Edgar - This is actually Jeff Lanka. Small world.

The SYLOGIN mod actually sounds like a decent idea too. Thanks
Jan van den Ende
Honored Contributor

Re: Turn off SET HOST for DECnet

Thomas,

from John's response and your answer I conclude that I probably misunderstood your question.

Setting accounts to /NOREMOTE disables _INCOMING_ connections, while removing SET HOST disables _OUTGOING_ connections.

And AFAIK (not tested though, can anyone confirm or dismiss this?) /NOREMOTE also disables incoming TELNET.

_IF_ however /NOREMOTE looks like what you need, do _one_ AUTHORIZE MOD */NOREMOTE, and you are done. (this also modifies the DEFAULT account, so accounts created in the future will also have that setting).
As a bonus: it can be re-enabled at will on a per-account basis.

---

VERB [] is a (partial) reverse of SET COMMAND -- it extracts (for ) the CLD into a file, in CLD syntax, so it is available for SET COMMAND.

- just remembered, VERB is not standard VMS, it's DECUS-ware, I think now available on the freeware CD.

hth

Cheers.

Have one on me.

jpe
Don't rust yours pelled jacker to fine doll missed aches.
EdgarZamora_1
Respected Contributor

Re: Turn off SET HOST for DECnet


Hey Jeff... long time! I'm down in Naples, Florida now!

Regarding UAF /NOREMOTE... sounds great, too bad there's not the same switch for telnet.
Thomas A. Williams
Regular Advisor

Re: Turn off SET HOST for DECnet

ewwww.... DECUSware - we're not allowed to use that here, oh well...

Actually restricting TELNET would be OK, seeing as how we're striving for SSH only, TELNET is being shut down too. I think /noremote might be our best bet.
EdgarZamora_1
Respected Contributor

Re: Turn off SET HOST for DECnet



>And AFAIK (not tested though, can anyone confirm or dismiss this?) /NOREMOTE also disables incoming TELNET.


Just tested it and it disables incoming telnet too!
Thomas A. Williams
Regular Advisor

Re: Turn off SET HOST for DECnet

>Hey Jeff... long time! I'm down in Naples, Florida now!

>Regarding UAF /NOREMOTE... sounds great, too bad there's not the same switch for telnet.

Naples - have you watched the swamp buggy races yet?

I'll tell Maria hello for you... I'm at 55 Water St. these days...

AFA TELNET, we've just disabled that service.
Ian Miller.
Honored Contributor

Re: Turn off SET HOST for DECnet

You could set an ACL on RTPAD.EXE preventing access to all. This will stop non-priv users.
____________________
Purely Personal Opinion
Karl Rohwedder
Honored Contributor

Re: Turn off SET HOST for DECnet

Another way to prevent users from using SET HOST would be to disable access to the RTPAD image, either with /PROTE or by setting ACLs.

Changing the VERB definition does not help, because a user may reset the commands for his current process only at his own will.

regards Kalle
Jan van den Ende
Honored Contributor

Re: Turn off SET HOST for DECnet

Edgar wrote:

>>>
Just tested it and it disables incoming telnet too!
<<<
and Thomas wrote:
>>>
seeing as how we're striving for SSH
<<<

Then be aware, and test first: I would expect /NOREMOTE to disallow SSH as well!

SYLOGIN testing to disallow RT and TN terminal name are probably your better option; pretty good match between "need" & "gain".
As an aside: How about FTP? The command mode of ftp also allows for many "pretty" accesses!

Cheers.

Have one on me.

jpe
Don't rust yours pelled jacker to fine doll missed aches.
Thomas A. Williams
Regular Advisor

Re: Turn off SET HOST for DECnet

/NOREMOTE allows SSH.
EdgarZamora_1
Respected Contributor

Re: Turn off SET HOST for DECnet

Hmmm... I just discovered that on a 7.3-1 system, the /NOREMOTE prevented me from using telnet too, but on my 7.3-2 system, the /NOREMOTE only prevented SET HOST and not telnet. I don't have the time to test SSH right now.
Thomas A. Williams
Regular Advisor

Re: Turn off SET HOST for DECnet

I tested on 7.3-2, and /NOREMOTE did NOT allow TELNET
EdgarZamora_1
Respected Contributor

Re: Turn off SET HOST for DECnet

Well that's really strange. Maybe it has something to do with the version of TCPIP? Here's a log of my test...

CLCC1>
CLCC1> SHOW SYS/NOPROC
OpenVMS V7.3-2 on node CLCC1 5-JAN-2007 10:15:17.09 Uptime 54 01:56:32
CLCC1> TCPIP SHO VER

HP TCP/IP Services for OpenVMS Alpha Version V5.4 - ECO 4
on a AlphaServer 4100 5/533 4MB running OpenVMS V7.3-2

CLCC1> AUTH :== $SYS$SYSTEM:AUTHORIZE
CLCC1>
CLCC1> AUTH MOD EZAMORA /NOREMOTE
%UAF-I-MDFYMSG, user record(s) updated
CLCC1>
CLCC1> SET HOST 0

CLCC1 - Test System

Username: EZAMORA
Password:
You are not authorized to login from this source
%REM-S-END, control returned to node CLCC1::
CLCC1> TELNET CLCC1
%TELNET-I-TRYING, Trying ... 10.10.200.5
%TELNET-I-SESSION, Session 01, host clcc1, port 23
-TELNET-I-ESCAPE, Escape character is ^]

CLCC1 - Test System

Username: EZAMORA
Password:



Last interactive login on Friday, 5-JAN-2007 10:03:10.37
Last non-interactive login on Thursday, 4-JAN-2007 12:41:46.22


///////// //
#########/ ##/
#########/ ##/
##/ ##/
##/ ##/
##/ ##/
##/ ##/
##/////// ##///////
#########/ #########/
#########/ #########/
TEST SYSTEM
TEST SYSTEM
///////// /////////
#########/ #########/
#########/ #########/
##/ ##/
##/ ##/
##/ ##/
##/ ##/
##/////// ##///////
#########/ #########/
#########/ #########/
CLCC1> LO
EZAMORA logged out at 5-JAN-2007 10:16:55.41
%TELNET-S-REMCLOSED, Remote connection closed
Thomas A. Williams
Regular Advisor

Re: Turn off SET HOST for DECnet

re: Version of TCPIP

could be - we're running ECO6
Anton van Ruitenbeek
Trusted Contributor

Re: Turn off SET HOST for DECnet

By modifying the security on RTPAD you get nasty errors. These things are not what you want to give to users. It's not Micro$oft, where people accept errors as a good thing .....
The best thing looks like modifying SET (doable, but think about OpenVMS upgrades) or modifying RTPAD.EXE (install another for it with a beautiful message).
Modifying the SYLOGIN.COM only gives you control over the incoming DECnet, but actually you want control over outgoing DECnet. But if you are in control of all the machines reachable by DECnet, modifying SYLOGIN is also a neat thing to do.

AvR
NL: Meten is weten, maar je moet weten hoe te meten! - UK: Measurement is knowledge, but you need to know how to measure!
Jim_McKinney
Honored Contributor

Re: Turn off SET HOST for DECnet

> or modify RTPAD.EXE (install another for it with a beautiful message)

This is simplistic and can be circumvented by the user either deassigning or redefining the logical name; but it should give you some idea of what is possible.

$ create sethost.mar
.psect DATA ,noexe,nowrt,page

message: .ascid /%SYSTEM-I-NOSETHOST, SET HOST currently unavailable/

.psect CODE ,exe,nowrt,page
.entry SETHOST ,^m<>


pushal message
calls #1,g^lib$put_output
$exit_s r0

.end SETHOST
$ macro sethost
$ link sethost
$ define rtpad sys$disk:[]sethost
$ set host 0
%SYSTEM-I-NOSETHOST, SET HOST currently unavailable
Hein van den Heuvel
Honored Contributor

Re: Turn off SET HOST for DECnet

Anton> or modify RTPAD.EXE (install another for it with a beautiful message)


How about this one...

$ create my_rtpad.mar
.entry start ,^m<>
movl #13861156, R0
ret
.end start
$ macro my_rtpad
$ link my_rtpad
$ def rtpad sys$login:my_rtpad.exe
$ set host ...

:^)

Hein.

(Hi there, Anton! Best wishes for the new year!)

$
Jan van den Ende
Honored Contributor

Re: Turn off SET HOST for DECnet

Anton, Jim, Hein,

On modifying RTPAD, INSTALLing or DEFINing another version, and users defying that:

For authorisation purposes, DEFINE/EXEC in one of the tables in the SYS$SYSTEM searchlist. For preventing users overriding the define, add /NOALIAS (see HELP DEFINE).

And I also prefer some nice, informative message to the user over a message that may be technically true, but sounds (looks) like an error while it just should inform about a policy.

Cheers.

Have one on me.

jpe
Don't rust yours pelled jacker to fine doll missed aches.
Robert Gezelter
Honored Contributor

Re: Turn off SET HOST for DECnet

Thomas,

Modifying or restricting access to RTPAD will not achieve the result. A user could easily bring over their own copy of RTPAD (although RTPAD appears to be installed with the TMPMBX privilege).

While I do not have the time to try it at the moment, relying on access control or removing the command from the default DCL tables is not much of a prevention. A user could just obtain a copy of the image elsewhere and use it instead of the standard RTPAD. This would likely remain undetected (except for the remote login at the destination).

The modifications to SYLOGIN are more useful: you can prevent the access by checking the name of the device and the originating node using the F$GETDVI lexical function.

You could also block incoming connections by removing the listener that RTPAD connects with, but that would have the effect of preventing ALL use of RTPAD, which can be operationally a problem.

On several occasions, I have limited RTPAD (and TELNET) access by creating and granting an identifier specific to that purpose, and checking it in either SYLOGIN, or in a GROUP login that is automatically (and unavoidably) invoked by SYLOGIN.

- Bob Gezelter, http://www.rlgsc.com
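Several replies above (Edgar's SYLOGIN.COM suggestion, Jan's "disallow RT and TN terminal names", and Bob's F$GETDVI and identifier-based check) describe the same control without showing it. The fragment below is an added example written for this page; it is not code from any of the posters. It refuses interactive logins that arrive over DECnet SET HOST (RTAn: devices) or Telnet (TNAn: devices) unless the account holds an identifier, so task-to-task (network mode) jobs, batch jobs, local terminals and SSH sessions are unaffected. The identifier name REMOTE_LOGIN_OK is an assumption for this example; create it with AUTHORIZE ADD/IDENTIFIER and hand it out with GRANT/IDENTIFIER to the accounts that need the exception. As the thread points out, this only controls logins arriving at this node, not users on this node doing SET HOST outward.

```dcl
$!  SYLOGIN.COM fragment (added example, not from the thread).
$!  Refuse interactive RTAn:/TNAn: logins unless the process holds the
$!  identifier REMOTE_LOGIN_OK (name assumed for this example).
$ SET NOCONTROL=Y                              ! users must not Ctrl-Y out of the check
$ ON WARNING THEN GOTO REFUSE                  ! fail closed if any lexical below errors
$ IF F$MODE() .NES. "INTERACTIVE" THEN GOTO ALLOW   ! batch and network (task-to-task) jobs pass
$ TERM = F$GETDVI("TT", "DEVNAM") - "_"        ! e.g. "RTA3:" (SET HOST) or "TNA12:" (Telnet)
$ TYPE = F$EXTRACT(0, 2, F$EDIT(TERM, "UPCASE"))
$ IF TYPE .NES. "RT" .AND. TYPE .NES. "TN" THEN GOTO ALLOW  ! local, LAT, SSH etc. pass
$!
$! PROCESS_RIGHTS is a comma-separated list of the identifiers this process holds.
$! Pad it with commas so the search cannot match a longer identifier name.
$ RIGHTS = "," + F$GETJPI("", "PROCESS_RIGHTS") + ","
$ IF F$LOCATE(",REMOTE_LOGIN_OK,", RIGHTS) .NE. F$LENGTH(RIGHTS) THEN GOTO ALLOW
$!
$REFUSE:
$ ORIGIN = F$GETDVI("TT", "TT_ACCPORNAM")      ! originating DECnet node, or "Host: a.b.c.d Port: n" for Telnet
$ WRITE SYS$OUTPUT ""
$ WRITE SYS$OUTPUT "Interactive logins over DECnet SET HOST and Telnet are not permitted"
$ WRITE SYS$OUTPUT "on this system (connection from ''ORIGIN'). Please use SSH, or contact"
$ WRITE SYS$OUTPUT "the system manager if your account needs an exception."
$ LOGOUT/BRIEF
$!
$ALLOW:
$ SET CONTROL=Y
```

Two design points: the check is placed at the top of SYLOGIN.COM, before anything the user could influence, and it fails closed (ON WARNING branches to REFUSE) so a broken lexical does not silently turn into an allow. Test it first with an account that holds the identifier and one that does not, over both SET HOST 0 and a Telnet session to the same node, and confirm that a DECnet task-to-task job (F$MODE() = "NETWORK") still runs.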