using logical or symbol to access system via decnet

Everything related to the OpenVMS security model, system access, system and data protection, and security auditing.

using logical or symbol to access system via decnet

Post by willemgrooters » Wed Mar 30, 2022 3:23 pm

One of the problems I know of using DECnet for login to a system is the use of a (plaintext) password, like:

$ copy Node1"User1 Th1s1sAbadpwd"::disk:[dir]file.ext [] /log

In case of logging, you'd see:

%COPY-S-COPIED, Node1"User1 password"::disk:[dir]file.ext copied to (current location)

but when verification is on, you would see the full COPY line, including the password.

Years ago on a job where DECnet was used, there was a workaround using a logical or symbol containing the node, username and password, not normally visible in both command and result, but I do not recall how this was done. I tried both but both failed. Can anyone tell me how this could be done? (My systems have been set up for DECnet-Plus, using DOMAIN as namespace.)



Re: using logical or symbol to access system via decnet

Post by puder » Wed Mar 30, 2022 6:40 pm

I use this, which I call DEFPASS.COM

$! DEFPASS.COM - define a logical name to hold the node"user pass":: prefix,
$! so that later commands can use LOGNAM:file.ext without the password
$! appearing on the command line (and therefore in SET VERIFY output).
$!   P1 = logical name, P2 = node, P3 = username, P4 = password
$!   Any parameter left blank is prompted for; the password prompt has echo off.
$
$ lognam = p1
$ node = p2
$ user = p3
$ pass = p4
$ if lognam .eqs. "" then inquire lognam "logical name"
$ if node .eqs. "" then inquire node "node"
$! if user .eqs. "" then user = f$getjpi("","username")   ! alternative: default to the current user
$ if user .eqs. "" then inquire user "username"
$ if pass .eqs. ""
$ then
$  ! Read the password with terminal echo off; restore echo on Ctrl/Y or error
$  on control_y then goto fix_term
$  set noon
$  set terminal/noecho
$  ! inquire pass "password"
$  read sys$command pass /prompt="password: "
$  fix_term:
$  set terminal/echo
$  set on
$ endif
$ ! Do not define the logical with an empty password (e.g. after Ctrl/Y at the prompt)
$ if pass .eqs. "" then exit
$
$ node = f$edit(node,"collapse,lowercase")
$ user = f$edit(user,"collapse,lowercase")
$ ! pass = f$edit(pass,"collapse")
$
$ ! "" inside a quoted DCL string is a literal quote, so this yields  node"user pass"::
$ ! The logical lives in the process table and is readable with SHOW LOGICAL 'lognam'
$ define 'lognam' "''node'""''user' ''pass'""::"
$
$ exit
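
The following is an added example, not code from the thread or from the poster, showing why the logical approach works where a symbol does not: DCL performs symbol substitution before it echoes a verified command line, while a logical name is only translated by RMS when the file is opened, so SET VERIFY never sees the password. It drives the DEFPASS.COM procedure above; the node NODE1, user USER1, the password and the file path are placeholders. It also shows the caveat that matters: the logical is hidden from the command line, not protected.

```dcl
$! Added example (not part of the original post): use the logical defined by
$! DEFPASS.COM, then show what SET VERIFY and SHOW LOGICAL reveal.
$! Note: DCL uppercases unquoted parameters; quote P4 if the remote account
$! uses a mixed-case password.
$ @DEFPASS.COM REMSYS NODE1 USER1 Th1s1sAbadpwd
$ SET VERIFY
$ COPY REMSYS:DISK:[DIR]FILE.EXT [] /LOG
$!   Verify echoes the line as written above: the logical is translated by RMS,
$!   not substituted by DCL, so no password appears. The /LOG message shows the
$!   masked form NODE1"USER1 password"::DISK:[DIR]FILE.EXT, as in the first post.
$ SET NOVERIFY
$!
$! A symbol does NOT give the same protection: DCL substitutes it before the
$! verified line is displayed, so the password is echoed in SET VERIFY output.
$ REMSYM = "NODE1""USER1 Th1s1sAbadpwd""::"
$ SET VERIFY
$ COPY 'REMSYM'DISK:[DIR]FILE.EXT [] /LOG
$ SET NOVERIFY
$!
$! The logical itself is still readable inside the process (and by anything
$! that can inspect this process's logical name tables), so this is hiding,
$! not protection; a /JOB logical would also be inherited by subprocesses.
$ SHOW LOGICAL REMSYS
$ SHOW SYMBOL REMSYM
$!
$! Remove both as soon as the transfer is done.
$ DEASSIGN REMSYS
$ DELETE/SYMBOL REMSYM
```

If the password must not be recoverable from the process at all, a DECnet proxy (below in this thread) is the mechanism to use; the logical only keeps it out of verify output and command history.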



Re: using logical or symbol to access system via decnet

Post by sms » Wed Mar 30, 2022 9:56 pm

> One of the problems I know of using Decnet for login to a system is
> the use of a (plaintext) password, [...]

   Would "no visible password" be better?

> [...] Years ago on a job where Decnet was used, there was a workaround
> using a logical or symbol containing the node, username and password,
> [...]

   Depending on exactly what you want to do (or not do), one possibility
might be something other than a symbol or logical name -- A DECnet proxy
can give you DECnet access without your explicitly specifying a password
(or even a user name, if it's the same on the remote system).

   For example, around here, on node ITS, as user SYSTEM:

ITS $ dire slow_*.com;   ! Local.

Directory SYS$SYSROOT:[SYSMGR]

SLOW_ITS.COM;6      

Total of 1 file.

ITS $ dire rex::slow_*.com;   ! DECnet-remote.

Directory REX::SYS$SYSROOT:[SYSMGR]

SLOW_ALP.COM;32     slow_rex.com;3      

Total of 2 files.

   On node REX (the remote node):

REX $ set default sys$system
REX $ run sys$system:authorize
UAF> show /proxy its::*

 Default proxies are flagged with (D) 

LOCAL:.ITS::SYSTEM
    SYSTEM (D)
UAF> 


   On node ITS, for a different user, SMS, without such a proxy
registered on REX:

its $ dire rex::
%DIRECT-E-OPENIN, error opening REX::*.*;* as input
-RMS-E-FND, ACP file or directory lookup failed
-SYSTEM-F-INVLOGIN, login information invalid at remote node

   But then, on REX (in AUTHORIZE):

UAF> add /proxy its::sms sms /default
%UAF-I-NAFADDMSG, proxy from LOCAL:.ITS::SMS to SMS added

   Finally, back on ITS:

its $ dire rex::

Directory REX::REX$DKA0:[sms]

LOGIN.COM;234       NET$SERVER.LOG;1    

Total of 2 files.


   A proxy can also be defined with different user names on the two
nodes, if you want that.  For example, on node REX, add the cross-user
proxy:

UAF> add /proxy its::sms system
%UAF-I-NAFADDMSG, proxy from LOCAL:.ITS::SMS to SYSTEM added

   Note: No /DEFAULT option in this case, because I want the default for
SMS on any node to be SMS on any other node.  (_My_ preference.)

   Then, user SMS on node ITS can access files as user SYSTEM on node
REX, by specifying the other user name, but without specifying a
password:

its $ dire rex"system"::slow_*.com;

Directory REX"system"::SYS$SYSROOT:[SYSMGR]

SLOW_ALP.COM;32     slow_rex.com;3      

Total of 2 files.


   Is _that_ what you remember?
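
As an added example, not code from the thread or from the poster, here is the proxy setup from the post above gathered into one procedure, with the checks a practitioner would want around it. The node names ITS and REX and the user SMS follow the post; the search root under SYS$SYSDEVICE is a placeholder. Two caveats not stated above: updating the proxy database through AUTHORIZE needs SYSPRV on the remote node, and a proxy trusts the source node's assertion of the node name and username, so it is only as strong as your control over the nodes you register.

```dcl
$! Added example (not part of the original post): register DECnet proxies on
$! the remote node, verify them, and look for leftover embedded passwords.
$!
$! --- On the remote node (REX), from an account holding SYSPRV:
$ SET DEFAULT SYS$SYSTEM
$ RUN SYS$SYSTEM:AUTHORIZE
UAF> ADD /PROXY ITS::SMS SMS /DEFAULT      ! ITS::SMS arrives as SMS here, no password
UAF> ADD /PROXY ITS::SMS SYSTEM            ! optional second mapping, selected explicitly
UAF> SHOW /PROXY ITS::*                    ! confirm: exactly one entry flagged (D)
UAF> EXIT
$!
$! --- Back on the local node (ITS), as SMS. Nothing here carries a password:
$ DIRECTORY REX::                              ! default proxy, SMS on REX
$ DIRECTORY REX"SYSTEM"::SYS$SYSROOT:[SYSMGR]  ! non-default proxy, name only
$!
$! --- If the remote access fails with SYSTEM-F-INVLOGIN as in the post above,
$! --- compare the node spec stored on REX (LOCAL:.ITS in the SHOW /PROXY
$! --- output) with the one REX sees arriving; a proxy matches only when they agree.
$!
$! --- Housekeeping: find command procedures that still embed node"user password"::
$! --- ("""::" is how a literal "::  is written inside a DCL string)
$ SEARCH SYS$SYSDEVICE:[000000...]*.COM;* """::"
$!
$! --- When a user leaves or a node is decommissioned, remove the proxy rather
$! --- than leaving a passwordless path behind:
$ RUN SYS$SYSTEM:AUTHORIZE
UAF> REMOVE /PROXY ITS::SMS SYSTEM
UAF> SHOW /PROXY ITS::*
UAF> EXIT
```

The SEARCH will also hit access control strings of the `node"user"::` form, which carry no password but select a proxy; reviewing those is still worthwhile, since they show where remote access is being done and under which identity.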



Re: using logical or symbol to access system via decnet

Post by willemgrooters » Wed Sep 14, 2022 11:54 am

Sorry for the late reply: at the time, I didn't do anything on system management, I was 'just a novice programmer' :) and it was all set up outside my view, quite likely the way you described it. Thanks for the explanation.



Re: using logical or symbol to access system via decnet

Post by puder » Wed Sep 14, 2022 12:29 pm

I had forgotten about proxy settings. That is definitely the cleaner way to go, and I recall that it all seemed very natural using the set-up described by @sms. The same user has the same username on multiple systems with that as the /default proxy on each node from every other node in the same work group.