[Info-vax] prevent user login during and after startup

Bob Gezelter gezelter at rlgsc.com
Tue Sep 16 15:33:55 EDT 2014


On Tuesday, September 16, 2014 2:33:54 PM UTC-4, bdho... at acm.org wrote:
> DEC TCP/IP 4.2 (UCX), VAX VMS 7.1, emulated VAX 4000-105A (Charon-VAX)
> 
> When VMS boots, the UCX services are enabled and running.  The users apparently are chomping at the bit to log in, and milliseconds after telnet is started, they are logging in.  Sometimes I have system stuff to do, so I enter a "ucx disable service telnet" ... then I get complaints about users being disconnected and losing work.
> 
> How can I boot the system so that users can't log in?
> 
> The system manager and operators (right now: me, myself, and I, the three stooges) use the operator console, serial ports, or DECnet to connect to the system; all users connect with telnet.
> 
> I tried "set logins/interactive=0" but some users have OPER privilege.  (Loud on-going discussion about users with privileges that they don't need, don't understand, but won't allow to be removed because it makes them feel important.  I'm considering severely beating my predecessors that "fixed" access problems by adding privs to user accounts ... anyone out there need a VMS system manager / programmer / analyst?)
> 
> I looked at disabling telnet at startup, but apparently UCX has only "set configuration enable service", there is no "set configuration disable service".  If telnet was disabled on startup, then I could do an "ucx enable service telnet" when needed.  Bugger!
> 
> The UCX command "set service/limit=0 telnet" or "set service/reject=hosts=* telnet" looked promising, but that changes the permanent database and apparently would have to be done and undone each startup.
> 
> I'd rather not totally disable the Ethernet connection or all UCX services as I want the NTP service to get the clock synced.  The clock (and the rest of the hardware) is emulated so it does not keep time when shutdown.  There are processes that use timestamps and the clock needs to get corrected quickly.
> 
> Ideally I don't want the users to have any window to log in before I'm ready for them to log in.  The system should be ready for the users and a simple command should open the floodgates.  Am I looking at this wrong and should try a different approach?  Is there a command I overlooked?  Is there shareware or DECUS tape utility that'll help?
> 
> I guess I could do a "show service telnet/full/permanent", record the results, delete the telnet service from the permanent database, then manually add the telnet service and options to the permanent database but not enable it.  Has anyone tried something like this?

First, I must note that I am offsite without my laptop, so I do not have access to check some things.

An approach that I have used in several similar situations is similar to what Dan has mentioned: code inserted into SYS$MANAGER:SYLOGIN.COM to check several conditions prior to allowing a login to continue.

In this case, that would work.

In any event, my recollection is that the code that actually does the startup of telnet is in SYS$STARTUP:TCPIP$STARTUP.COM. I would have to sit down with a listing (which I cannot do where I am at the moment), but it should be straightforward to suppress the starting of telnet from that point.

At a later point in the startup, when telnet use is acceptable, one can start telnet by invoking SYS$MANAGER:TCPIP$TELNET_STARTUP.COM.

- Bob Gezelter, http://www
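
A sketch of the SYLOGIN.COM gate described in the reply above, as an added example that is not code from the thread or from any poster. The logical name SITE$LOGINS_CLOSED, the SITE_ADMINS username list and the message text are hypothetical, and it assumes telnet sessions arrive on TNAn: pseudo-terminals.

```dcl
$! Added example. SITE$LOGINS_CLOSED and SITE_ADMINS are hypothetical names.
$!
$! --- Early in system startup, before the TCP/IP startup is invoked ---
$! DEFINE/SYSTEM/EXECUTIVE_MODE SITE$LOGINS_CLOSED "TRUE"
$!
$! --- At the top of SYS$MANAGER:SYLOGIN.COM ---
$ SET NOON                            ! an error must not skip the gate
$ ON CONTROL_Y THEN LOGOUT            ! Ctrl/Y must not drop to the DCL prompt
$!
$! Only interactive logins are gated; batch, network and detached pass.
$ IF F$MODE() .NES. "INTERACTIVE" THEN GOTO GATE_DONE
$!
$! Look only at an executive-mode name in the system table, so a
$! supervisor-mode DEFINE by a user cannot open or close the gate.
$ CLOSED = F$TRNLNM("SITE$LOGINS_CLOSED","LNM$SYSTEM_TABLE",,"EXECUTIVE")
$ IF CLOSED .EQS. "" THEN GOTO GATE_DONE
$!
$! Assumption: telnet sessions use TNAn: devices. Console, serial and
$! DECnet terminals have other device names and are let through.
$ TERM = F$GETDVI("TT","DEVNAM")
$ IF F$LOCATE("TNA",TERM) .EQ. F$LENGTH(TERM) THEN GOTO GATE_DONE
$!
$! Decide by username rather than by privilege, so accounts that hold
$! OPER are refused like everyone else while the gate is closed.
$ SITE_ADMINS = ",SYSTEM,"
$ USER = "," + F$EDIT(F$GETJPI("","USERNAME"),"TRIM") + ","
$ IF F$LOCATE(USER,SITE_ADMINS) .LT. F$LENGTH(SITE_ADMINS) THEN GOTO GATE_DONE
$!
$ WRITE SYS$OUTPUT "System startup in progress; logins are not yet open."
$ LOGOUT
$!
$GATE_DONE:
$! ... the rest of SYLOGIN.COM continues here ...
$!
$! --- Typed by the system manager once the system is ready ---
$! DEASSIGN/SYSTEM/EXECUTIVE_MODE SITE$LOGINS_CLOSED
```

The ON CONTROL_Y action stays in effect for the remainder of SYLOGIN.COM unless a later ON CONTROL_Y statement replaces it. Telnet itself keeps running, so NTP and the other services are unaffected and nobody already logged in is disconnected when the gate opens.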


