[HECnet] Disallow system from dz lines (OpenVMS/VAX 7.3)

Supratim Sanyal supratim at riseup.net
Sun Dec 19 15:18:13 PST 2021


BTW Josh Dersch (I don’t know if he is here) posted this on Facebook. I logged in and couldn’t resist dropping a shell script to telnet to my DZ. That’s the driver for this sudden worry about security.

“It was getting cold here in the basement today so I fired up the 11/750, running 4.3bsd-quasijarus. If anyone wants to play around with it, ssh to vax750 at yahozna.dyndns.org (pw: vax750) and then login again as "guest"... tell your friends!”


---
Supratim Sanyal, W1XMT
QCOCAL::SANYAL via HECnet


> On Dec 19, 2021, at 6:07 PM, Johnny Billquist <bqt at softjar.se> wrote:
> 
> And by the way, I would really just change what hours you are allowed to log in as local. I wouldn't start mucking about with the line attributes.
> 
> Also, I'd create a second user with SETPRV, and then you can mess up SYSTEM as much as you want. Then it's easy to recover with your other user.
> 
>  Johnny
> 
>> On 2021-12-20 00:05, Johnny Billquist wrote:
>> I think the console is *always* possible to log in on, no matter what else you do.
>> And beyond that, you can always also just break into the system at boot on the console, and change accounting information. So it's always recoverable.
>>   Johnny
>>> On 2021-12-20 00:02, Supratim Sanyal wrote:
>>> Ok. A couple of things to try. Wanted a confidence boost to not lock myself out. Thanks.
>>> 
>>>> On Dec 19, 2021, at 5:49 PM, Johnny Billquist <bqt at softjar.se> wrote:
>>>> 
>>>> Yes, or /REMOTE... But, by default, a DZ line would be classified as local. If you set them as remote or dialup, it should also start playing with modem signalling...
>>>> 
>>>>   Johnny
>>>> 
>>>>> On 2021-12-19 23:47, Keith Halewood wrote:
>>>>> Don’t you just set the line characteristics with
>>>>> SET TERM/DIALUP TT….. and that’s classed as non-local?
>>>>> K
>>>>>>> On 19 Dec 2021, at 22:39, Johnny Billquist <bqt at softjar.se> wrote:
>>>>>> 
>>>>>> Uh... You do understand what the line "local" means, right?
>>>>>> That's what your DZ lines normally would be classified as.
>>>>>> 
>>>>>>   Johnny
>>>>>> 
>>>>>>> On 2021-12-19 23:23, Supratim Sanyal wrote:
>>>>>>> OpenVMS VAX 7.3: This stops remote logins to SYSTEM even if correct password is provided (works for set host and telnet with Digital TCP/IP, though my version of MULTINET does not honor it).
>>>>>>> Is there a way to deny SYSTEM account access when correct password is provided from DZ lines?
>>>>>>> Network:  -----  No access  ------            -----  No access  ------
>>>>>>> Batch:    ##### Full access ######            ##### Full access ######
>>>>>>> Local:    ##### Full access ######            ##### Full access ######
>>>>>>> Dialup:   -----  No access  ------            -----  No access ------
>>>>>>> Remote:   -----  No access  ------            -----  No access ------
>>>>>>> Thank you.
>>>>>>> Supratim
>>>>>> 
>>>>>> -- 
>>>>>> Johnny Billquist                  || "I'm on a bus
>>>>>>                                   ||  on a psychedelic trip
>>>>>> email: bqt at softjar.se             ||  Reading murder books
>>>>>> pdp is alive!                     ||  tryin' to stay hip" - B. Idol