HP OpenVMS Systems: Ask the Wizard
The Question is: I have a modem connected to the first serial port on my machine and would like to restrict dial-in access to one specific user. This user is mobile so dial-back is not appropriate. Is this possible through some trick or will it be necessary to run "IF"s in the SYLOGIN.COM to check the port then another to check the username. I am quite new to VMS and as much help as possible would be appreciated. Thanks in advance.
The Answer is:
No tricks, just straight DCL or OpenVMS security features -- take your pick.
You can determine a port name using the F$GETDVI lexical function. The item
code "TT_PHYDEVNAM" will return the physical device name. Use the logical
name "TT" or SYS$COMMAND to refer to the terminal. You should also check
for an interactive login (though your SYLOGIN.COM procedure should already
be coded to distinguish the different login modes).
Suppose the terminal name is _TTA0:; the relevant fragments of SYLOGIN.COM
are as follows:
$ Set NoOn
$ VERIFY = F$VERIFY(F$TRNLNM("SYLOGIN_VERIFY"))
$ Goto MODE_'F$MODE()'
...
$MODE_INTERACTIVE:
...
$ IF F$GETDVI("TT","TT_PHYDEVNAM").EQS."_TTA0:"
$ THEN
$! login is on TTA0
$!
$ ENDIF
To check the username, use the lexical function F$GETJPI:
user=F$GETJPI("","USERNAME")
though you should note that this value is space filled to 12 characters,
so it's probably better to remove the blanks with F$EDIT to simplify
comparisons:
user=F$EDIT(F$GETJPI("","USERNAME"),"COLLAPSE")
So, you can test for specific username(s) and take appropriate action.
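Putting the port and username checks together, here is an added SYLOGIN.COM fragment (not from the original answer) that lets only one named account log in interactively on the dial-in port and terminates any other session on that port. The port name _TTA0: is taken from the text; the account name FIELDUSER is a placeholder you would replace.

```dcl
$! Added example, not part of the original Ask the Wizard answer.
$! Restrict interactive logins on the dial-in port _TTA0: to one account.
$! FIELDUSER is a placeholder account name; substitute your own.
$ SET NOON
$ SET NOCONTROL=Y                      ! stop the user interrupting the check with Ctrl/Y
$ DIALIN_PORT  = "_TTA0:"
$ ALLOWED_USER = "FIELDUSER"           ! placeholder
$!
$! Only interactive logins are subject to the check; batch and network
$! jobs have no dial-in terminal and fall through to DONE.
$ IF F$MODE() .NES. "INTERACTIVE" THEN GOTO DONE
$!
$! Physical device name of the login terminal, e.g. "_TTA0:"
$ PORT = F$GETDVI("TT","TT_PHYDEVNAM")
$ IF PORT .NES. DIALIN_PORT THEN GOTO DONE
$!
$! USERNAME comes back space filled to 12 characters; COLLAPSE removes the blanks
$ USER = F$EDIT(F$GETJPI("","USERNAME"),"COLLAPSE")
$ IF USER .EQS. ALLOWED_USER THEN GOTO DONE
$!
$! Any other account on the dial-in port: tell the user and end the session.
$ WRITE SYS$OUTPUT "Dial-in access on ''PORT' is not permitted for ''USER'"
$ LOGOUT/BRIEF
$!
$DONE:
$ SET CONTROL=Y
```

The rest of SYLOGIN.COM (the MODE_ dispatch shown above and the site's normal setup) follows the DONE label as before.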
The problem with this scheme is that it doesn't scale very well. Adding
extra dial-in ports and/or users is very cumbersome. A better way to handle
the issue is to use the built-in VMS features to restrict different types
of access. First you need to declare the terminal as "DIALUP". Place the
following in your SYSTARTUP_VMS.COM procedure:
$ SET TERMINAL/PERMANENT/DIALUP TTA0:
Any user who logs in on this terminal, or on any other with the DIALUP
characteristic, will hold the DIALUP identifier. You can use an ACL to
grant or deny access to objects for users connected through such a port. For
example:
$ SET SECURITY/ACL=(IDENTIFIER=DIALUP,ACCESS=NONE) filespec
The UAF can also be used to restrict dialup access to particular times
of the day, or deny access altogether. For example, to deny all DIALUP
access for a particular user:
UAF> MODIFY user/NODIALUP
If this user attempts to log in at the DIALUP port, they will get the error
message "You are not authorized to login from this source".
The benefits of using the UAF are that you don't need any code in SYLOGIN.COM,
you can add as many dialup modems as you like (a properly configured
terminal server will also be recognised as a DIALUP port), you have
much greater control over who can dial in and when they can dial in (see the
UAF documentation for details on specifying date and time windows), you
can selectively protect resources from access by people when dialed in,
and you can configure the AUDIT journal to record dialup logins and
resource access independently from local accesses.
See the OpenVMS Guide to System Security, Chapter 3, for a discussion of how to
use dialup access in a secure manner.