[Info-vax] OpenVMS and Distributed Security (was: Re: ISS$_RIGHTS)

[Stephen Hoffman]

On 2019-05-01 15:06:05 +0000, Tim Lovern said:

> ...need to make a service impersonate the user executing it 
> remotely....  Any help would be great!

Yeah, I saw that you found $find_held and related.  That's one part of 
the puzzle, and will lead you to other parts on the path you're 
currently on.

Beware: binary identifier values don't map across systems, nor across 
clusters.  That detail is obvious in some contexts, but I've seen it 
bite folks in other contexts.

Now some details to ponder...

The OpenVMS hack-around for this approach has been the proxy database, 
and there are proxy databases for both IP and DECnet.   System services 
here include $DISPLAY_PROXY, among others.

This proxying is effectively what you're re-implementing here too, 
though apparently you're rolling your own and with mapping specific 
identifiers.  What you're doing can work, too.

LDAP and Kerberos would probably be the typical approach used here 
elsewhere.  This though OpenVMS is effectively not integrated with 
that; not with LDAP beyond passwords, and Kerberos integration is very 
old and very limited.  Probably also insecure too, but I've not checked 
the version of Kerberos against the CVE listings lately.  OpenVMS does 
have some LDAP calls available, but they're very rarely used, and the 
APIs are most aligned with to C, C++, Bliss and Macro32 calls.  See the 
Utility Routines Reference Manual for details on the LDAP calls, and 
see the Open Source Security Manuals for details on what documentation 
is available for Kerberos.

Another common approach for these delegations is certificate pairs 
either with ssh or SSL and possibly a certificate chain, and that also 
ties into authenticating and encrypting the connections, though 
connection authentication and encryption is still fairly rare among 
apps on OpenVMS, and OpenVMS itself.  OpenVMS lacks mechanisms for 
managing and storing certificates and passwords, beyond apps and 
OpenVMS itself dumping that data in various uncoordinated files 
scattered around.  Certificates can be used to avoid the obvious risks 
of proxying unauthenticated connections.

It's a little sad, watching somebody else also having to re-invent what 
are fundamental and basic security features of modern platforms, and 
this on "the most secure operating system on the planet".  And I've 
previously mentioned the problems with (lack of?) documentation around 
writing secure apps on OpenVMS, too.  Here we are again.  These sorts 
of apps can be quite subtle, and mistakes and vulnerabilities here can 
be nasty.


-- 
Pure Personal Opinion | HoffmanLabs LLC