
Conference irocz::terminal_servers

Title: Terminal Servers
Notice: See Note 2 for Directory of important notes. Please use keywords.
Moderator: LAVC::CAHILLON
Created: Tue May 14 1991
Last Modified: Fri Jun 06 1997
Last Successful Update: Fri Jun 06 1997
Number of topics: 3547
Total number of notes: 12300

3427.0. "Securing "reverse" Telnet??" by SUOBOS::SCHWIEZER () Thu Jan 30 1997 14:37

I've set up a DECserver 300 for "reverse Telnet".

	VAX-OPA0-Port-----P1ofDECserver<----Telnet-Interface

I have no problems connecting. My question is how to secure this
telnet listener port?

If you use LAT you can define a separate password-protected service for
each port. This password has to be entered at every connect request.

In the case of TELNET the port is secure as long as I have an active
connection, because no one else is able to establish a second session to the
same port. But if the TELNET session is broken there is the risk of someone
accessing a logged-in console from anywhere within the network.

Below you will find information regarding my environment.

Regards
Hermann

TSM_SVR_SI_TS484> show server char
 

DECserver 300 V2.0 BL16     LAT V5.1   ROM 1.0.6   Uptime:   0 02:45:41

Address:   08-00-2B-24-6F-B0   Name:   SI_TS484           Number:     0

Identification:  SI_TS484 520/1

Circuit Timer:            80           Password Limit:            3
Console Port:              1           Prompt:              Local> 
Inactivity Timer:         30           Queue Limit:             100
Keepalive Timer:          20           Retransmit Limit:          8
Multicast Timer:          30           Session Limit:            64
Node Limit:              200           Software:          SH1601ENG

Service Groups:  34

Enabled Characteristics:

Announcements,  Broadcast,  Dump,  Lock

TSM_SVR_SI_TS484> show port 1 char
 


Port  1:                               Server: SI_TS484

Character Size:            8           Input Speed:        9600
Flow Control:            XON           Output Speed:       9600
Parity:                 None           Modem Control:  Disabled

Access:               Remote           Local Switch:       None
Backwards Switch:       None           Name:              VCS01
Break:                Remote           Session Limit:         4
Forwards Switch:        None           Type:               Soft
Default Protocol:        LAT

Preferred Service: SITDV

Authorized Groups:  34
(Current)  Groups:  34

Enabled Characteristics:

Input Flow Control,  Loss Notification,  Message Codes,
Output Flow Control,  Verification

TSM_SVR_SI_TS484> show telnet list 2001 char


Listener TCP-port:  2001
Identification:     
Ports:              1
Connections:        Enabled 

TSM_SVR_SI_TS484> 

3427.1. "" by LAVC::CAHILL (Jim Cahill) Fri Jan 31 1997 13:08

Will enabling the REMOTE PASSWORD feature help?

3427.2. "" by IROCZ::D_NELSON (Dave Nelson LKG1-3/A11 226-5358) Fri Jan 31 1997 19:32

RE: .1

> Will enabling the REMOTE PASSWORD feature help?

Not on a DECserver 300.  That feature is only in DNAS.  We just discussed
this same problem recently in another note (which I can't seem to locate).

Regards,

Dave

3427.3. "solution urgently required!" by SUOBOS::SCHWIEZER () Mon Feb 03 1997 08:32

    Will it be possible to secure a reverse telnet connection like a
    password on a lat service?
    
    If no (hopefully not):
    
    Will it be possible to force the connection from the p1 port (where the
    vax is connected) via dedicated "ip service" to another port on which
    to connect via lat?
    If yes how?
    
    Regards 
    Hermann

3427.4. "" by IROCZ::D_NELSON (Dave Nelson LKG1-3/A11 226-5358) Mon Feb 03 1997 14:27

RE: .3

>    Will it be possible to secure a reverse telnet connection like a
>    password on a lat service?

We have no current plans to port this functionality from DNAS to the older
1MB DECserver software (e.g. for DECserver300).
    
>    Will it be possible to force the connection from the p1 port (where the
>    vax is connected) via dedicated "ip service" to another port on which
>    to connect via lat?
>    If yes how?
 
Uhhh...  Perhaps.  You could make a physical connection from port 1 to 
port 2.  Put the VAX console on port 3.  Make a telnet connection from
the management host to port 1.  Port 2 has a dedicated LAT connection to
port 3 (with a LAT password).  This ties up three ports instead of one,
but it's all I can think of at the moment.

Regards,

Dave

3427.5. "which server support this?" by SUOBOS::SCHWIEZER () Wed Feb 05 1997 08:19

    Dave,
    
    thanks for your help and information.
    
    I will implement a dedicated telnet service on the port where
    the console is connected. The dedicated telnet service points to
    another (server) port with telnet listener enabled.
    This port is hardwired to a third port which offers a password
    protected lat service. This works fine for the moment.
    
    It would be helpful to know which server/software combination
    supports a feature like
      > SET TELN LIST port PASSW "somewhat"
    
    Regards,
    Hermann

3427.6. "" by IROCZ::D_NELSON (Dave Nelson LKG1-3/A11 226-5358) Wed Feb 05 1997 14:27

RE: .5

>    It would be helpful to know which server/software combination
>    supports a feature like
>      > SET TELN LIST port PASSW "somewhat"
 
DNAS supports a "remote" password, like the "local" password (the # prompt).
It does not support separate passwords for each port/listener though -- just 
one remote password for the DECserver.

DNAS runs on DS90TL w/ 4MB, DS90M, DS700's w/ 4 MB, DS900's.

Regards,

Dave