[Info-vax] VMS - Virtual Terminals - A security risk way back yonder OR was that an Old Wives Tale ?
John E. Malmberg
wb8tyw at qsl.network
Thu Feb 11 08:56:43 EST 2016
On 2/11/2016 5:33 AM, IanD wrote:
>
> I was curious, as in, wondering, contemplating, dreaming about past
> times if there was actually an inherent security flaw in their design
> and that's what caused them to fall out of favour or at least in the
> site I went to all those years ago
Virtual terminals are not available for SSH or DecTerm sessions.
Other than that, the only security risk I am aware of is the same as for
DECNET/LAT/TELNET which was used to connect to them. Someone with a
network sniffer can capture login credentials.
Virtual terminals are not used by the VMS Batch queue facility.
Virtual terminals can expose bugs in applications in ways that are
harmful for performance.
One creative programmer decided to put an "Are you sure you want to
Exit?" query in an exit handler, and if anything other than success with
data indicating "yes" was returned, unwound the exit handler.
When a disconnected session timeout, the sys$qiow() for the query
returned an error. The program unwound the exit handler, and the VMS
would try to immediately kill the process, sending it into the exit
handler. Repeat forever.
For users running that application, I had to disable the virtual terminals.
Regards,
-John
More information about the Info-vax
mailing list