[Info-vax] VMS - Virtual Terminals - A security risk way back yonder OR was that an Old Wives Tale ?
Johnny Billquist
bqt at softjar.se
Thu Feb 11 09:21:57 EST 2016
On 2016-02-11 15:12, Stephen Hoffman wrote:
> On 2016-02-11 11:33:48 +0000, IanD said:
>
>> On Thursday, February 11, 2016 at 7:16:22 PM UTC+11, Johnny Billquist
>> wrote:
>>
>> <snip>
>>
>>> Are you talking about some application that allowed you to keep
>>> sessions around, similar to screen and other tools in Unix today?
>>>
>>> Because otherwise I don't understand your text. Virtual terminals
>>> exist in VMS. They are devices. I believe subsystems like BATCH
>>> depend on them existing for things to work, so I have a hard time
>>> believing that you are talking about the virtual terminal device...
>>> Or that it was "removed".
>>
>> Here's a great description of what I am meaning by virtual terminals
>>
>> http://labs.hoffmanlabs.com/node/1109
>>
>> These were terminal devices that stayed alive if you disconnected,
>> allowing you to reconnect later and resume
>>
>> They used to be good when you dialed up systems and the phone line
>> would drop out on you
>>
>> I have not used them in a long long time, not even sure if they are
>> still supported
>>
>> I was curious, as in, wondering, contemplating, dreaming about past
>> times if there was actually an inherent security flaw in their design
>> and that's what caused them to fall out of favour or at least in the
>> site I went to all those years ago
>
>
> So you'd like folks to comment on decades-old memories of possible
> problems with a system you know little about? Okay, then.
>
> GNU screen and tmux are rather different from what OpenVMS calls virtual
> terminals, and virtual terminals are sometimes associated with a rather
> different sort of terminal server than what Windows refers to as a
> terminal server, and virtual terminals are rather different from what
> pseudo-terminals provide, too.
>
> Virtual terminals are and always have been authenticated via loginout,
> so there's no way to get another session short of everybody sharing
> passwords, and that's going to cause other and bigger issues. Outside
> of overlapping access credentials, if there were sessions of other users
> being offered by loginout upon reconnection, that would be a security
> bug in OpenVMS.
>
> Virtual terminals have a defined timeout value, established by system
> parameter. After that timeout, the user is assumed to have been
> permanently disconnected and the session is quit to release its resources.
>
> Virtual terminals did cause problems with some applications;
> applications that weren't dealing appropriately with the associated
> condition status values returned from the disconnected session.
>
> Virtual terminals are not viable with an encrypted transport using
> forward security, short of placing a console concentrator closer to the
> servers and encrypting the connection to that. In antiquity, that
> system might have been the VAXcluster Console System (VCS) or one of the
> various third-party products — some of which are still around — or an
> open-source package such as minicom, or even screen or tmux.
>
> Virtual terminals were a great idea when everybody was on flaky links.
> The closest analog now would be connections from mobile devices, and —
> though some of us do — those devices aren't commonly used for command
> line access, as the command line is a rather specialized user
> interface. Such users can also VPN or otherwise connect into a
> concentrator of some sort, and establish the serial connections from there.
>
> Batch has zilch to do with virtual terminals, pseudo-terminals, screen,
> tmux, Windows terminal server or the price of tea in China.
>
> Virtual terminals have not been removed. Virtual terminals are still
> supported for local serial connections, telnet and LAT access. Actual
> crap has not been removed from OpenVMS, for reasons of compatibility.
>
> In this era, virtual terminals are also rather less useful than screen
> or tmux, or of the simple expedient of multiple parallel sessions from a
> workstation (even my phone can deal with multiple parallel ssh
> sessions), or of the various tools that can push out commands for
> multiple hosts that are used in production environments.

I obviously made the wrong connection here, and/or show my VMS
ignorance. Virtual terminals in RSX are used by the batch subsystem, so
I thought it was done the same in VMS.

Johnny

--
Johnny Billquist || "I'm on a bus
|| on a psychedelic trip
email: bqt at softjar.se || Reading murder books
pdp is alive! || tryin' to stay hip" - B. Idol