[Search for users]
[Overall Top Noters]
[List of all Conferences]
[Download this site]
| Title: | VAX and Alpha VMS |
| Notice: | This is a new VMSnotes, please read note 2.1 |
| Moderator: | VAXAXP::BERNARDO |
|
| Created: | Wed Jan 22 1997 |
| Last Modified: | Fri Jun 06 1997 |
| Last Successful Update: | Fri Jun 06 1997 |
| Number of topics: | 703 |
| Total number of notes: | 3722 |
660.0. "IPC-E-BCKTRNSFAIL and remote login failure" by PRSSOS::MENICACCI () Fri May 30 1997 05:16
Hi,
one of our customer reported us the following problem.
Node A running OpenVMS V7.1 + Decnet Plus.
Node B running Decnet Phase IV.
Node B is not registered (on node A databases).
This is intentionally done for security reasons in this customer site.
Then, a user in node B is doing a SUCCESSFULL remote login (set host) to node
A.
This results in the following error message "Failure on the back translate
address request".
But, what bothers the customer is that, on node A, two remote interactive logins
are registered by AUDIT_SERVER. One with username <login>, the other with the
username used in that connection. Both with status IPC-E-BCKTRNSFAIL.
This customer is analyzing very precisely the audit journal and thinks that
these two records are erroneous because the remote login is successfull.
We reproduced the problem. The customer wants to know if this a bug or an
intended behaviour. He also wants to know if there is a way not to have these
messages (of course, he absolutely doesn't want to register node B).
%%%%%%%%%%% OPCOM 29-MAY-1997 11:38:17.50 %%%%%%%%%%%
Message from user AUDIT$SERVER on PRSSOS
Security alarm (SECURITY) and security audit (SECURITY) on PRSSOS, system id:
48
219
Auditable event: Remote interactive login failure
Event time: 29-MAY-1997 11:38:17.48
PID: 33C00EEE
Process name: _RTA2:
Username: <login>
Process owner: [SYSTEM]
Terminal name: _RTA2:, 48251::ES_MAGENC
Image name: DSA101:[SYS10.SYSCOMMON.][SYSEXE]LOGINOUT.EXE
Status: %IPC-E-BCKTRNSFAIL, failure on the back translate
address request
%%%%%%%%%%% OPCOM 29-MAY-1997 11:38:25.70 %%%%%%%%%%%
Message from user AUDIT$SERVER on PRSSOS
Security alarm (SECURITY) and security audit (SECURITY) on PRSSOS, system id:
48
219
Auditable event: Remote interactive login failure
Event time: 29-MAY-1997 11:38:25.64
PID: 33C00EEE
Process name: _RTA2:
Username: MAGENC
Process owner: [GUESTS_P,MAGENC]
Terminal name: _RTA2:, 48251::ES_MAGENC
Image name: DSA101:[SYS10.SYSCOMMON.][SYSEXE]LOGINOUT.EXE
Status: %IPC-E-BCKTRNSFAIL, failure on the back translate
address request
Thanks for any input,
Maria.
| T.R | Title | User | Personal
Name | Date | Lines |
|---|
| 660.1 | I guess it depends on what you consider to be a security problem | TWICK::PETTENGILL | mulp | Fri May 30 1997 18:32 | 18 |
| Node A is trying to determine the source of this remote logon, and while
the user appears to be authorized, there is still some concern about the
validity of the user who has been allowed to login. In particular, the
source of the login does not appear to be valid since its address can not
be looked up in order to determine the registered computer information.
This might be caused by someone connecting an unauthorixed computer system
to the network and then watching the wire to find passwords, and then using
such a password to log into node A.
Therefore LOGINOUT is reporting an error.
There is a bug in that LOGINOUT or the AUDIT service or both are not
correctly reporting the fact that the user is actually allowed to login.
This might be a design error in the AUDIT system in that no one anticipated
that a potentially severe security problem would be frequently ignored
and considered benign. Inside of DEC we appear to have given up on keeping
the various distributed name services working correctly.
|