[Info-vax] VMS - Virtual Terminals - A security risk way back yonder OR was that an Old Wives Tale ?
Stephen Hoffman
seaohveh at hoffmanlabs.invalid
Thu Feb 11 09:12:52 EST 2016
On 2016-02-11 11:33:48 +0000, IanD said:
> On Thursday, February 11, 2016 at 7:16:22 PM UTC+11, Johnny Billquist wrote:
>
> <snip>
>
>> Are you talking about some application that allowed you to keep
>> sessions around, similar to screen and other tools in Unix today?
>>
>> Because otherwise I don't understand your text. Virtual terminals
>> exist in VMS. They are devices. I believe subsystems like BATCH
>> depend on them existing for things to work, so I have a hard time
>> believing that you are talking about the virtual terminal device... Or
>> that it was "removed".
>
> Here's a great description of what I am meaning by virtual terminals
>
> http://labs.hoffmanlabs.com/node/1109
>
> These were terminal devices that stayed alive if you disconnected,
> allowing you to reconnect later and resume
>
> They used to be good when you dialed up systems and the phone line
> would drop out on you
>
> I have not used them in a long long time, not even sure if they are
> still supported
>
> I was curious, as in, wondering, contemplating, dreaming about past
> times if there was actually an inherent security flaw in their design
> and that's what caused them to fall out of favour or at least in the
> site I went to all those years ago

So you'd like folks to comment on decades-old memories of possible
problems with a system you know little about? Okay, then.

GNU screen and tmux are rather different from what OpenVMS calls
virtual terminals, and virtual terminals are sometimes associated with
a rather different sort of terminal server than what Windows refers to
as a terminal server, and virtual terminals are rather different from
what pseudo-terminals provide, too.

Virtual terminals are and always have been authenticated via loginout,
so there's no way to get another session short of everybody sharing
passwords, and that's going to cause other and bigger issues. Outside
of overlapping access credentials, if there were sessions of other
users being offered by loginout upon reconnection, that would be a
security bug in OpenVMS.

Virtual terminals have a defined timeout value, established by system
parameter. After that timeout, the user is assumed to have been
permanently disconnected and the session is quit to release its
resources.

Virtual terminals did cause problems with some applications;
applications that weren't dealing appropriately with the associated
condition status values returned from the disconnected session.

Virtual terminals are not viable with an encrypted transport using
forward security, short of placing a console concentrator closer to the
servers and encrypting the connection to that. In antiquity, that
system might have been the VAXcluster Console System (VCS) or one of
the various third-party products — some of which are still around — or
an open-source package such as minicom, or even screen or tmux.

Virtual terminals were a great idea when everybody was on flaky links.
The closest analog now would be connections from mobile devices, and —
though some of us do — those devices aren't commonly used for command
line access, as the command line is a rather specialized user
interface. Such users can also VPN or otherwise connect into a
concentrator of some sort, and establish the serial connections from
there.

Batch has zilch to do with virtual terminals, pseudo-terminals, screen,
tmux, Windows terminal server or the price of tea in China.

Virtual terminals have not been removed. Virtual terminals are still
supported for local serial connections, telnet and LAT access. Actual
crap has not been removed from OpenVMS, for reasons of compatibility.

In this era, virtual terminals are also rather less useful than screen
or tmux, or of the simple expedient of multiple parallel sessions from
a workstation (even my phone can deal with multiple parallel ssh
sessions), or of the various tools that can push out commands for
multiple hosts that are used in production environments.

--
Pure Personal Opinion | HoffmanLabs LLC