
Conference bulova::decw_jan-89_to_nov-90

Title: DECWINDOWS 26-JAN-89 to 29-NOV-90
Notice: See 1639.0 for VMS V5.3 kit; 2043.0 for 5.4 IFT kit
Moderator: STAR::VATNE
Created: Mon Oct 30 1989
Last Modified: Mon Dec 31 1990
Last Successful Update: Fri Jun 06 1997
Number of topics: 3726
Total number of notes: 19516

2083.0. "how do I start a remote login session ?" by HANNAH::OSMAN (see HANNAH::IGLOO$:[OSMAN]ERIC.VT240) Fri Jan 19 1990 11:44

I'm trying to produce a login box on server OSMAN, using node LEVEL as
the client.  So, I end my normal session on OSMAN, then from another terminal
I delete the LOGINOUT process.

Now the OSMAN  screen is just grey with a mouse.

Then, from LEVEL, I do this:

	$ set proc/priv=all
	$ set display/create/perm/node=osman
	$ run sys$system:decw$startlogin

This fails.  (Screen flashes, mouse moves to middle, but no login box).

As an experiment, I try this:

	$ set proc/priv=all
	$ set display/create/perm/node=osman
	$ run dwhetris

This produces some sort of "client is not authorized" message.  So now I've
got all these questions:

o	What is /PERM ?  Why isn't it mentioned under HELP SET DISPLAY ?

o	If I have to authorize LEVEL as a client, under whose security
	do I authorize that ?  I've already got "DECNET LEVEL *" under my
	personal security, but if no one's logged in yet, whose security
	is checked ?

confused, thanks...

/Eric


2083.1. by DECWIN::JMSYNGE (James M Synge, VMS Development) Fri Jan 19 1990 14:13 (6 lines)
    The default 'trusted host' list contains just "LOCAL 0 SYSTEM" (or
    something similar).  What you want to do is create a file,
    SYS$MANAGER:DECW$SERVER_ACCESS_ALLOWED.DAT, on your workstation with an
    entry such as "DECNET LEVEL OSMAN".
    
    James
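
Added example (not part of the original notes, and not DEC's code): a small model of the "transport node user" entries quoted in this thread, showing which list admits the client LEVEL when nobody is logged in on OSMAN. Assumptions: one entry per line, three whitespace-separated fields, case-insensitive comparison, and "*" matching any value in any field (the thread only shows it in the user field); the function names are hypothetical.

```python
# Model of DECwindows host-list entries as quoted in this thread.
# The parsing and matching rules below are assumptions, labelled in the lead-in.

def parse_access_list(text):
    """Return (transport, node, user) triples from host-list text."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) != 3:
            raise ValueError(f"malformed entry: {raw!r}")
        entries.append(tuple(f.upper() for f in fields))
    return entries

def is_authorized(entries, transport, node, user):
    """True if any entry matches the connecting client ('*' = any value)."""
    request = (transport.upper(), node.upper(), user.upper())
    return any(
        all(e == "*" or e == r for e, r in zip(entry, request))
        for entry in entries
    )

def wildcard_entries(entries):
    """Entries that admit more than one client; worth a second look."""
    return [e for e in entries if "*" in e]

# Constructed sample lists, built from the entries quoted in the notes.
DEFAULT_LIST = "LOCAL 0 SYSTEM\n"                       # default described in .1
SERVER_LIST = "LOCAL 0 SYSTEM\nDECNET LEVEL OSMAN\n"    # after adding the .1 entry
PERSONAL_LIST = "DECNET LEVEL *\n"                      # per-user entry from .0

if __name__ == "__main__":
    for name, text in [("default", DEFAULT_LIST), ("server file", SERVER_LIST)]:
        ok = is_authorized(parse_access_list(text), "DECNET", "LEVEL", "OSMAN")
        print(f"{name}: DECNET LEVEL OSMAN authorized = {ok}")
    print("wildcards in personal list:",
          wildcard_entries(parse_access_list(PERSONAL_LIST)))
```
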
2083.2. "which file should we modify for server access ?" by HANNAH::OSMAN (see HANNAH::IGLOO$:[OSMAN]ERIC.VT240) Tue Jan 23 1990 10:10 (8 lines)

	So when should we modify the ACCESS_ALLOWED file, and when should
	we modify the TRUSTED_ACCESS file ?

	How are they different ?
/Eric
2083.3. "..." by GSRC::WEST (Variables don't, Constants aren't) Tue Jan 23 1990 10:24 (11 lines)
  If I remember correctly the ACCESS_TRUSTED file allows those connections
to modify the host list, whereas the ACCESS_ALLOWED file does not.

  It has been my experience that pretty much all the connections should be
in the ACCESS_ALLOWED file only.  In fact you really don't need to have the
ACCESS_TRUSTED file unless a client needs to modify/maintain the host list
for other connections.

					-=> Jim <=-

2083.4. "can I start login box without DECW$STARTLOGIN?" by HANNAH::OSMAN (see HANNAH::IGLOO$:[OSMAN]ERIC.VT240) Tue Jan 23 1990 14:38 (24 lines)
    o.k. I've finally been able to start a login box on the server screen
    of my choice from the client of my choice BUT...
    
    I must have special privileges on the client, because apparently
    DECW$STARTLOGIN requires privileges.
    
    But I've heard a rumor that it's possible to do without special
    privileges. Something about sending the name of the WS device (the one
    you created with SET DISPLAY/CREATE) to the job controller's mailbox.
    
    My real goal here is to speed up our slow VS2000's in our lab by
    presenting the login box from our big fast machine, on the VS2000 which
    would just be the server.
    
    But I don't have special privileges on the big machine (just username
    and password is what I have).
    
    So, how can I get the mailbox name of the job controller ?  What
    exactly is the message I should send it to tell it the WS device name?
    Will this really succeed in working ?
    
    Thanks.
    
    /Eric
2083.5. by JAMMER::JACK (Marty Jack) Tue Jan 23 1990 15:00 (6 lines)
    The job controller mailbox is MBA1.  This string is the value of
    the symbol SYS$C_JOBCTLMB.  However, it is world no access; otherwise
    there would be a massive security hole.  For the record, the message
    is a word containing MSG$_TRMUNSOLIC, followed by the device name.
    There is some possibility that it is in ASCIC -- I don't remember for
    sure, and I can't get to the listings right now to check.
2083.6. "how can I create a login box from remote client?" by HANNAH::OSMAN (see HANNAH::IGLOO$:[OSMAN]ERIC.VT240) Wed Jan 24 1990 10:01 (14 lines)
    
    So the question remains:
    
    	Is there a way to fire up a login box from a client to a server
    	without having special privileges on the client ?
    
    	I'd like to log in on the client and type something that causes
    	the login box to appear on the server.
    
    	By the way, I DO have privs on the server.
    
    	Thanks.
    
    /Eric
2083.7. "possibly...?" by MINNIE::DOUG (just sing it like you feel it) Mon Jan 29 1990 11:16 (14 lines)
    this might be one way of avoiding the problem (it still probably
    involves the system manager to set a couple things up):
    
    shouldn't the startup of the remote session manager be part of the
    server's booting process?  in that case, couldn't you have decwindows
    start up (without a session manager) on the vs2000, then create a batch
    job in a queue which is accessible to the vs2000, but which runs on the
    big vax, which will run the loginout process with the display set as
    discussed in the previous replies?
    
    i am hoping to do something similar here (same configuration, same reason)
    after we have upgraded to vms 5.3, and ultrix 4.0.
    
    			--dd
2083.8. by BILBO::PIPER (Derrell Piper - VMS Security) Sat Feb 03 1990 10:55 (5 lines)
>    	Is there a way to fire up a login box from a client to a server
>    	without having special privileges on the client ?

No there is not.  You could install DECW$STARTLOGIN with privs and then put an
ACL on it to control access to those who need it.
2083.9. "why are privileges not needed in one place, needed in another" by HANNAH::OSMAN (see HANNAH::IGLOO$:[OSMAN]ERIC.VT240) Tue Feb 06 1990 10:55 (13 lines)
It's a bit incongruous.  A new product which I feel I better not name
here (we're not quite out yet) lets us say "create LAT X session...", which
causes the decnet node of your choice to send you a login box to your screen.

You don't need to be privileged to get this service.  So it seems over
restrictive that you need to be privileged to do it from a "regular"
workstation.

Thanks.

/Eric