HP OpenVMS Systems

ask the wizard
Content starts here

Controlling remote (modem) access?

» close window

The Question is:

I have a modem connected to the first serial port on my machine and would like to restrict dial-in access to one specific user.  This user is mobile so dial-back is not appropriate.  Is this possible through some trick or will it be neccessary to run "IF"
s in the SYLOGIN.COM to check the port then another to check the username.  I am quite new to VMS and as much help as possible would be appreciated.
Thanks in advance

The Answer is :

 No tricks, just straight DCL or OpenVMS security features -- take your pick.
 You can determine a port name using the F$GETDVI lexical function.  The item
 code "TT_PHYDEVNAM" will return the physical device name. Use the logical
 name "TT" or SYS$COMMAND to refer to the terminal. You should also check
 for an interactive login (though your SYLOGIN.COM procedure should already
 be coded to distinguish the different login modes.
 Suppose the terminal name is _TTA0:,  the relevant fragments of SYLOGIN.COM
 are as follows:
$ Set NoOn
$ Goto MODE_'F$MODE()'
$!   login is on TTA0
  To check the username, use the lexical function F$GETJPI:
  though, you should note that this value is space filled to 12 characters,
  so it's probably better to remove blanks it with F$EDIT to simplify
  So, you can test for specific username(s) and take appropriate action.
  The problem with this scheme is that it doesn't scale very well. Adding
  extra dialin ports and/or users is very cumbersome. A better way to handle
  the issue is to use the built in VMS features to restrict different types
  of access. First you need to declare the terminal as "DIALUP". Place the
  following in your SYSTARTUP_VMS.COM procedure:
  Any user who logs in on this terminal, or any other with the DIALUP
  characteristic will have the DIALUP identifier. You can use ACL to
  grant or deny access to objects by users connected to that port. For
  The UAF can also be used to restrict dialup access to particular times
  of the day, or deny access altogether. For example, to deny all DIALUP
  access for a particular user:
  If this user attempts to login at the DIALUP port, they will get an error
  message "You are not authorized to login from this source".
  The benefits of using the UAF are you don't need any code in SYLOGIN.COM,
  you can add as many dialup modems as you like (a properly configured
  terminal server will also be recognised as a DIALUP port), you have
  much greater control over who can dialin and when they can dialin (see the
  UAF documentation for details on specifying date and time windows), you
  can selectively protect resources from access by people when dialed in,
  and you can configure the AUDIT journal to record dialup logins and
  resource access independently from local accesses.
  See OpenVMS Guide to System Security, Chapter 3 for discussion of how to
  usew dialup access in a secure manner.

answer written or last revised on ( 27-MAR-2000 )

» close window