[Info-vax] How to prevent an account from being marked as an intruder?
Stephen Hoffman
seaohveh at hoffmanlabs.invalid
Thu May 16 18:26:37 EDT 2019

On 2019-05-16 17:59:35 +0000, Bob said:
> Is there any way I can flag one specific VMS account to NEVER be
> blocked as an intruder?
>
> We have devices that auto log in. An occasional glitch will cause them
> to keep trying with an incorrect username or password, locking them
> out. Any way to prevent this from the VMS side?
>
> Alpha 7.3-2

TL;DR:
nope.

Long answer:
This OpenVMS Alpha V7.3-2 configuration is badly down-revision, and
with known security vulnerabilities.

I'm here going to infer that this configuration follows the usual
pattern of many similar requests, and involves a network using telnet,
or maybe DECnet CTERM, or maybe LAT connections for these remote
clients. If this follows the usual path, there's little reason to be
concerned about intrusions and little reason to even enable break-in
evasion and related. There's no reason to even set and use passwords
here. Any passwords here are a polite fiction at best as this system is
probably using wide-open telnet or maybe DECnet CTERM or LAT for
logins. This configuration might bamboozle
less-than-technically-knowledgeable management folks, and might fool a
cursory audit. But it's insecure.

Turn it all off. All of the security. Passwords, etc. Turn it off.
Seriously. Document that for the folks in management certainly, but
documenting the various security holes that exist here is a good idea
regardless. Management will certainly push back here and as they
should, which then gives you the opportunity to suggest a supported
OpenVMS version and supported and secure network connections. This all
to make management "own" the configuration, and to make sure you don't
"own" the fallout should this all go sideways.

You're apparently affiliated with an organization that is familiar with
cloud-based security, with APTs, and with mobile and IoT security, so
exactly none of the above should even be remotely surprising to you.

As for the question and for any efforts toward pretend-security here or
if this configuration is VPN'd and otherwise isolated and locked down
(as is certainly possible, but also fairly rare among the folks posting
similar questions), no, there is no per-user intrusion-disable setting
available within OpenVMS. That knob is either enabled or disabled.

Some folks will run periodic DELETE /INTRUSION commands to clean up the
mess. Potential alternatives to this current (inferred) design include
using the automatic login facility ALF and SYSALF file (SYSMAN> ALF
ADD, etc). That effectively establishes a proxy. Or use ssh and
certificates, assuming the clients support ssh—though OpenVMS Alpha
V7.3-2 can't make secure ssh connections, and that'll cause
compatibility problems when interoperating with newer clients. Maybe
use Kerberos with telnet, on the off chance that the clients support
that. Kerberos will reduce the cleartext-password chatter typical of
telnet, CTERM, or LAT connections. Yes, OpenVMS does have Kerberized
telnet available, though that's fairly rarely used. And the version of
Kerberos is unsurprisingly old.

http://h30266.www3.hpe.com/odl/i64os/opsys/vmsos84/BA554_90008/ch02s06.html

Or fix whatever causes the (presumed) storm of login failures, of
course.

VSI OpenVMS V8.4-2L1 or—if EV6 or later—V8.4-2L2, is the upgrade path
here, on the way to x86-64. As is ssh, and/or TLS connections from
and/or to the clients.

Lots of work updating this configuration pending too, if there's not a
migration else-platform planned or underway.

--
Pure Personal Opinion | HoffmanLabs LLC
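
The periodic DELETE /INTRUSION cleanup mentioned in the message above, sketched as a self-resubmitting DCL batch procedure. This is an added example, not code from the original post or from its author. The file name, the source string LTA101:, the 15-minute interval and the log location are hypothetical placeholders. It clears the record for one known device source only and leaves every other intrusion record in place.

```dcl
$! CLEAR_DEVICE_INTRUSION.COM -- added example, not from the original post.
$! Clears the break-in record for ONE known device source, then resubmits
$! itself. All other intrusion records are left for break-in evasion to act on.
$!
$! Assumptions (hypothetical, adjust for the site):
$!   device_source  the Source string exactly as SHOW INTRUSION displays it
$!   interval       delta time between runs
$!
$ SET NOON                          ! a missing record must not abort the job
$ device_source = "LTA101:"         ! constructed placeholder
$ interval      = "+00:15:00"
$!
$! DELETE/INTRUSION_RECORD needs SECURITY and CMKRNL; stop if they are absent.
$ IF .NOT. F$PRIVILEGE("SECURITY,CMKRNL")
$ THEN
$     WRITE SYS$OUTPUT "SECURITY and CMKRNL privileges are required"
$     EXIT
$ ENDIF
$!
$! Record the whole intrusion database in the batch log before touching it,
$! so the log shows what was cleared and what was left in place.
$ WRITE SYS$OUTPUT "Run at ", F$TIME(), " for source ", device_source
$ SHOW INTRUSION
$ DELETE /INTRUSION_RECORD 'device_source'
$!
$! Resubmit this procedure; /NOPRINT keeps each run's batch log on disk.
$ self = F$ELEMENT(0, ";", F$ENVIRONMENT("PROCEDURE"))
$ SUBMIT /AFTER="''interval'" /NOPRINT -
      /LOG_FILE=SYS$MANAGER:CLEAR_DEVICE_INTRUSION.LOG 'self'
$ EXIT
```

Because SHOW INTRUSION runs before the delete, each batch log version shows how often the device's record reappears, which helps track down the login glitch itself.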