Discussion: locking down a generic account
James P. Byrne
2007-09-28 03:55:21 UTC
I would like to lock down a generic account by only allowing access to
that account via DECnet (set host 0) and was wondering if there was a
way to disable secure shell for a particular account. Disabling
network/remote access in the UAF record doesn't seem to do what I want.
I would imagine that I could write some DCL code for that account's
login.com and determine whether the terminal type is FTA or RTA, and if
FTA then logout, but if there is a simpler way in Multinet to just
disable SSH for an account, that would be better since there are ways
around executing login.com.

Thanks.

Jim
Ken Connelly
2007-09-28 12:51:43 UTC
Use the DenyUsers directive in the sshd2 config file
(ssh2_dir:sshd2_config) and then restart the ssh daemon.

-ken
Post by James P. Byrne
I would like to lock down a generic account by only allowing access to
that account via DECnet (set host 0) and was wondering if there was a
way to disable secure shell for a particular account. Disabling
network/remote access in the UAF record doesn't seem to do what I
want. I would imagine that I could write some DCL code for that
account's login.com and determine whether the terminal type is FTA or
RTA, and if FTA then logout, but if there is a simpler way in Multinet
to just disable SSH for an account, that would be better since there
are ways around executing login.com.
Thanks.
Jim
--
- Ken
=================================================================
Ken Connelly Associate Director, Security and Systems
ITS Network Services University of Northern Iowa
email: ***@uni.edu p: (319) 273-5850 f: (319) 273-7373
James P. Byrne
2007-09-28 13:05:34 UTC
Perfect! Thank you.

Jim
Post by Ken Connelly
Use the DenyUsers directive in the sshd2 config file
(ssh2_dir:sshd2_config) and then restart the ssh daemon.
-ken
Post by James P. Byrne
I would like to lock down a generic account by only allowing access
to that account via DECnet (set host 0) and was wondering if there
was a way to disable secure shell for a particular account.
Disabling network/remote access in the UAF record doesn't seem to do
what I want. I would imagine that I could write some DCL code for
that account's login.com and determine whether the terminal type is
FTA or RTA, and if FTA then logout, but if there is a simpler way in
Multinet to just disable SSH for an account, that would be better
since there are ways around executing login.com.
Thanks.
Jim
James Byrne
2007-09-28 15:43:52 UTC
Ken,

If I use the DenyUsers directive, will that generic account still be
able to secure copy data outbound?

Jim
Post by Ken Connelly
Use the DenyUsers directive in the sshd2 config file
(ssh2_dir:sshd2_config) and then restart the ssh daemon.
-ken
Post by James P. Byrne
I would like to lock down a generic account by only allowing access
to that account via DECnet (set host 0) and was wondering if there
was a way to disable secure shell for a particular account.
Disabling network/remote access in the UAF record doesn't seem to do
what I want. I would imagine that I could write some DCL code for
that account's login.com and determine whether the terminal type is
FTA or RTA, and if FTA then logout, but if there is a simpler way in
Multinet to just disable SSH for an account, that would be better
since there are ways around executing login.com.
Thanks.
Jim
Ken Connelly
2007-09-28 16:31:22 UTC
Probably yes, since that uses client software on the machine. DenyUsers
would prevent that user from coming *in* to the machine via the ssh
daemon (ssh, scp, sftp, etc.), but I don't believe it would affect
outbound connections since that uses the client program(s), not the server.

-ken
Post by James Byrne
Ken,
If I use the DenyUsers directive, will that generic account still be
able to secure copy data outbound?
Jim
Post by Ken Connelly
Use the DenyUsers directive in the sshd2 config file
(ssh2_dir:sshd2_config) and then restart the ssh daemon.
-ken
Post by James P. Byrne
I would like to lock down a generic account by only allowing access
to that account via DECnet (set host 0) and was wondering if there
was a way to disable secure shell for a particular account.
Disabling network/remote access in the UAF record doesn't seem to do
what I want. I would imagine that I could write some DCL code for
that account's login.com and determine whether the terminal type is
FTA or RTA, and if FTA then logout, but if there is a simpler way in
Multinet to just disable SSH for an account, that would be better
since there are ways around executing login.com.
Thanks.
Jim
Bob Koehler
2007-09-28 12:56:30 UTC
Post by James P. Byrne
I would like to lock down a generic account by only allowing access to
that account via DECnet (set host 0) and was wondering if there was a
way to disable secure shell for a particular account. Disabling
network/remote access in the UAF record doesn't seem to do what I want.
I would imagine that I could write some DCL code for that account's
login.com and determine whether the terminal type is FTA or RTA, and if
FTA then logout, but if there is a simpler way in Multinet to just
disable SSH for an account, that would be better since there are ways
around executing login.com.
I'm not aware of anything in Multinet specifically for this, but
others may be. If it was my system I'd put the detection in sylogin
even though it's username specific and I'd have to add the check for
the username.

Assuming you keep your sylogin on the system disk, it's much harder
to skip. If you do want to keep the checks in the user's login.com
I'd do the following:

Set the UAF flag CAPTIVE or RESTRICTED, as appropriate.

Set the UAF location for the user's login.com to be somewhere on
the system disk, not in the account's login directory.

Make sure the user's login.com on the system disk is owned by SYSTEM
and read-only to the user.

Have the user's login.com on the system disk call (@) the normal
login.com in the user's directory so the user can make changes
as needed (unless that's not appropriate).
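As an added illustration of the check Jim and Bob describe (not code from the thread), here is a DCL fragment for SYLOGIN.COM that identifies the login device class and logs the named generic account out unless it arrived over DECnet CTERM (an RTA device). It goes a step beyond the FTA-only test in the thread by refusing every non-RTA device; the account name GENERIC is an assumed placeholder.

```dcl
$! Added example, not from the thread: refuse a named generic account
$! unless its login came in over DECnet (SET HOST), i.e. an RTAn: device.
$! SSH sessions under MultiNet appear as FTAn:, telnet as TNAn:.
$! GENERIC is a placeholder for the real username.
$ set noon
$! Batch and network (DECnet object) processes have no terminal; skip them.
$ if f$mode() .nes. "INTERACTIVE" then goto done
$! F$GETJPI pads USERNAME to 12 characters, so trim before comparing.
$ user = f$edit(f$getjpi("","USERNAME"),"TRIM,UPCASE")
$ if user .nes. "GENERIC" then goto done
$! Physical device name of the login terminal, e.g. "_FTA12:" or "_RTA3:".
$ devnam = f$edit(f$getdvi("TT:","DEVNAM"),"UPCASE")
$ if f$extract(0,1,devnam) .eqs. "_" then devnam = f$extract(1,255,devnam)
$ devclass = f$extract(0,3,devnam)
$! DECnet CTERM login: allow it and fall through to the normal login.
$ if devclass .eqs. "RTA" then goto done
$! Anything else (FTA = SSH, TNA = telnet, local TT/LT ports) is refused.
$ write sys$output "Account ''user' may only be used via DECnet (SET HOST)."
$ write sys$output "Login from device ''devnam' refused; logging out."
$ logout/brief
$done:
$ exit
```

Because SYLOGIN.COM runs before the per-user login.com and can be made mandatory via the account's flags, the check cannot be bypassed by the tricks that skip a user's own login.com.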
David J Dachtera
2007-09-29 21:24:51 UTC
Post by James P. Byrne
I would like to lock down a generic account by only allowing access to
that account via DECnet (set host 0)
Well, setting in UAF for /NOACCESS/REMOTE should allow the CTERM (SET HOST n)
login.

You may need to tweak a parameter or two in Multinet. I seem to recall that
TELNET sessions in Multinet were REMOTE access at one time, but that may have
changed. Not sure...
--
David J Dachtera
dba DJE Systems
http://www.djesys.com/

Unofficial OpenVMS Marketing Home Page
http://www.djesys.com/vms/market/

Unofficial Affordable OpenVMS Home Page:
http://www.djesys.com/vms/soho/

Unofficial OpenVMS-IA32 Home Page:
http://www.djesys.com/vms/ia32/

Unofficial OpenVMS Hobbyist Support Page:
http://www.djesys.com/vms/support/