[HECnet] Disallow system from dz lines (OpenVMS/VAX 7.3)
Supratim Sanyal
supratim at riseup.net
Sun Dec 19 15:18:13 PST 2021
BTW Josh Dersch (I don’t know if he is here) posted this on Facebook. I logged in and couldn’t resist dropping a shell script to telnet to my DZ. That’s the driver for this sudden worry about security.
“It was getting cold here in the basement today so I fired up the 11/750, running 4.3bsd-quasijarus. If anyone wants to play around with it, ssh to vax750 at yahozna.dyndns.org (pw: vax750) and then login again as "guest"... tell your friends!”
---
Supratim Sanyal, W1XMT
QCOCAL::SANYAL via HECnet
> On Dec 19, 2021, at 6:07 PM, Johnny Billquist <bqt at softjar.se> wrote:
>
> And by the way, I would really just change what hours you are allowed to log in as local. I wouldn't start mucking about with the line attributes.
>
> Also, I'd create a second user with SETPRV, and then you can mess up SYSTEM as much as you want. Then it's easy to recover with your other user.
>
> Johnny
>
>> On 2021-12-20 00:05, Johnny Billquist wrote:
>> I think the console is *always* possible to log in on, no matter what else you do.
>> And beyond that, you can always also just break into the system at boot on the console, and change accounting information. So it's always recoverable.
>> Johnny
>>> On 2021-12-20 00:02, Supratim Sanyal wrote:
>>> Ok. A couple of things to try. Wanted a confidence boost to not lock myself out. Thanks.
>>>
>>>> On Dec 19, 2021, at 5:49 PM, Johnny Billquist <bqt at softjar.se> wrote:
>>>>
>>>> Yes, or /REMOTE... But, by default, a DZ line would be classified as local. If you set them as remote or dialup, it should also start playing with modem signalling...
>>>>
>>>> Johnny
>>>>
>>>>> On 2021-12-19 23:47, Keith Halewood wrote:
>>>>> Don’t you just set the line characteristics with
>>>>> SET TERM/DIALUP TT….. and that’s classed as non-local?
>>>>> K
>>>>>> On 19 Dec 2021, at 22:39, Johnny Billquist <bqt at softjar.se> wrote:
>>>>>>
>>>>>> Uh... You do understand what the line "local" means, right?
>>>>>> That's what your DZ lines normally would be classified as.
>>>>>>
>>>>>> Johnny
>>>>>>
>>>>>>> On 2021-12-19 23:23, Supratim Sanyal wrote:
>>>>>>> OpenVMS VAX 7.3: This stops remote logins to SYSTEM even if correct password is provided (works for set host and telnet with Digital TCP/IP, though my version of MULTINET does not honor it).
>>>>>>> Is there a way to deny SYSTEM account access when correct password is provided from DZ lines?
>>>>>>> Network:  -----  No access  ------    -----  No access  ------
>>>>>>> Batch:    ##### Full access ######    ##### Full access ######
>>>>>>> Local:    ##### Full access ######    ##### Full access ######
>>>>>>> Dialup:   -----  No access  ------    -----  No access  ------
>>>>>>> Remote:   -----  No access  ------    -----  No access  ------
>>>>>>> Thank you.
>>>>>>> Supratim
>>>>>>
>>>>>> --
>>>>>> Johnny Billquist || "I'm on a bus
>>>>>> || on a psychedelic trip
>>>>>> email: bqt at softjar.se || Reading murder books
>>>>>> pdp is alive! || tryin' to stay hip" - B. Idol
>
> --
> Johnny Billquist || "I'm on a bus
> || on a psychedelic trip
> email: bqt at softjar.se || Reading murder books
> pdp is alive! || tryin' to stay hip" - B. Idol
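
Added example, not part of the original thread: one way to carry out the advice above on OpenVMS, creating a second account with SETPRV before removing SYSTEM's local login hours in the UAF. The account name RESCUE, the UIC [200,1], the owner string and the password placeholder are assumptions; device and directory are assumed to come from the DEFAULT UAF record.

```dcl
$ ! Constructed session; account name, UIC and password are placeholders.
$ ! Run from a suitably privileged account.
$ SET DEFAULT SYS$SYSTEM                 ! SYSUAF.DAT is found here by default
$ UAF :== $SYS$SYSTEM:AUTHORIZE          ! foreign command, so each step is one DCL line
$ !
$ ! 1. Create the recovery account first, so a mistake on SYSTEM can be undone.
$ UAF ADD RESCUE /PASSWORD=<initial-password> /UIC=[200,1] -
      /PRIVILEGES=SETPRV /DEFPRIVILEGES=SETPRV /OWNER="Recovery account"
$ UAF SHOW RESCUE
$ !
$ ! 2. Log in as RESCUE from a second session and confirm it works
$ !    before changing SYSTEM.
$ !
$ ! 3. Remove local interactive access from SYSTEM. As noted in the thread,
$ !    DZ lines are classed as local by default, so this covers them, along
$ !    with every other terminal classed as local.
$ UAF MODIFY SYSTEM /NOLOCAL
$ !
$ ! 4. Verify: the Local row should now read "No access" in both columns.
$ UAF SHOW SYSTEM
$ !
$ ! To undo from the RESCUE account:
$ !    SET PROCESS/PRIVILEGES=ALL
$ !    UAF MODIFY SYSTEM /LOCAL
```

To allow a window instead of denying all local access, give /LOCAL an hour range, for example `/LOCAL=(PRIMARY,9-17)`.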