Solved New to OpenVMS, TELNET restrictions?

November 14, 2011 at 11:44:42
Specs: Alpha OpenVMS
Hi, I have a DEC Alpha server running OpenVMS at work and I was recently tasked with fixing a problem. Basically we had a guy across the country manage the server completely but it was no longer feasible to do so due to budget restrictions and newer software.

The problem I need to fix: he had set up some kind of filtering on TELNET where a user could only connect through a valid IP address. I would like to completely remove that restriction but I have no idea where to look. I tried using SEARCH to find any IP addresses in his files but no luck.

The restriction seems to just log me out the second I am authenticated and the log that is printed to the terminal doesn't provide any information.

Thanks!


See More: New to OpenVMS, TELNET restrictions?

Report •


#1
November 15, 2011 at 00:30:48
✔ Best Answer
A bit more information is required:
is only a certain user affected or all all users ?
what is the TCPIP software on the system ? TCPIP services for VMS or Multinet (check with the commands UCX or TCPIP SHOW VERSION,
MULTINET SHOW/VERSION.

I assume UCX or TCPIP, the software I have running:
If the restriction is for all users, then it could be through ACCEPT or REJECT settings in TCPIP SERVICE TELNET.
Does the command TCPIP SHOW SERVICE TELNET/FULL list IP addresses unhder ACCEPT or REJECT headings ?
If yes, read TCPIP> HELP SET SERVICE /ACCEPT
how to change the list.

If the TELNET service is not restricted this way, there could be a reject after login through the system wide SYS$MANGER:SYLOGIN.COM
(or the commandfile defined by the logical name SYS$SYLOGIN) : look for code handling Telnet logins.
If the restriction is for an individual user, then the location could be in the users LOGIN command file, usually LOGIN.COM (or whatever the user athorization file entry for LGICMD defines).
Search in these command files for commands dealing with "TN" terminal devices, and "TT_Accpornam" used to get the login source IP address.

Joseph Huber
http://www.huber-joseph.de


Report •

#2
November 15, 2011 at 08:21:58
Hi Joseph, thanks for the reply.

As far as I know, every user is only allowed to log in through TELNET if they are doing so from the IP address that the previous administrator put into the whitelist. I personally was unable to TELNET in using the SYSTEM account and the user account of the previous administrator.

I'm headed back up there today so I will try your suggestions and post an update in a few hours.

Thanks again


Report •

#3
November 15, 2011 at 11:07:26
The SYLOGIN.COM file appears to hold the key to this, but I can't quite figure out what to change to make it work. There are a few lines which say:

$ defi/user ccs$sy05$from0 "010.000.000.001" !allow this IP range
$ def/user ccs$sy05$to0 "010.001.000.254" !allow this IP range
$ defi/user ccs$sy05$do0 "7" !telnet, any, and ftp
$ run ccsall:sy05

Don't know if that means anything to you, I can't tell what is specific to his software or not.

EDIT: I think sy05 is a script or something, it might be the software that he wrote for the office to use. I added an "if accountname .nes. SYSTEM" before that block and now I can get it. I just need to find where in his software he restricts the IP addresses


Report •

Related Solutions

#4
November 16, 2011 at 02:27:08
$ run ccsall:sy05

No, sys05 is not a 'script', it is an executable (binary) program, located in the directory defined by the logical name CCSALL.

You have to look into the program source (or docu ?) to see if it does something more (important) than just disable/enable telnet access.
If You can't find the source, then maybe just add more of the address ranges to the list defined by "defi/user ccs$sy05$from0 ".

And, if You have a sufficiently new VMS/TCPIP version, consider to enable SSH access instead of Telnet: no more plain text passwords sent over the net.

Joseph Huber
http://www.huber-joseph.de


Report •

Ask Question