HP3000-L Archives

September 2004, Week 2

HP3000-L@RAVEN.UTC.EDU

From: donna garverick <[log in to unmask]>
Date: Mon, 13 Sep 2004 10:19:13 -0700

--- "Baker, Mike L." <[log in to unmask]> wrote:

> I have not had a chance to test any of this, but I thought I would
> ask the question first.  I'm sure someone else has had to deal with
> this.  We daily have a sun unix server ftp files to the hp.  There is
> no password setup on the group.accounts that ftp logs in to (we are
> talking more than one client [i.e. group.account] here).  As part of
> our sarbanes/oxley fun and games, we have to secure the hp.  When we
> do implement security on the hp, either all mpe security and/or with
> security/3000, I am assuming that ftp (into the hp) will get asked
> the password after the group.account is entered, if one has been
> implemented, correct?  I guess what I am getting at, is can ftp into
> the hp be allowed to not need to enter a password, even though a user
> logging into the hp with vt-mgr or serial would need to.

rather than worry about how to HARDCODE this into a process on your sun
box....do strongly consider using .netrc files.

if nothing else, when passwords get hardcoded into jobs (a bit of a
concept on unix boxes :-) they're nearly impossible to update when the
time comes to change passwords.  in a lot of cases, the only way to
flush them out is to see what fails after the passwords are changed!!
since password changing is a part of sar-ox....the more up-front
thought you give to this now, the happier you'll be in the future.

for folks that have used dscopy forever and ever...i'm willing to bet
that many of you encapsulated the logon into a stand-alone file.  you
may have even gone so far as to put this file into a secure group.  i
know we did/do and it's a clean and secure way of enabling different
production needs and yet keep passwords safe.

netrc files are essentially no different.  since it is unix you do need
to pay attention to the rwx on the file and directory.

fwiw, mpe's ftp uses netrc files as well.  they can be regular mpe
files (that is, they don't have to be named with a leading dot).  if
they're in a group other than the initiator's home group...all that you
need is a file equation that includes the home group on the left-hand
side.

one nice feature of netrc files is that they can include multiple
locations.  for example, i have a (mpe) netrc file named 'netrcall' that
includes logons for all the boxes that i need to go to.  real nice :-)

hth          - d

=====
Donna Garverick     Sr. System Programmer
dgarverick -at- longs -dot- com
925-210-6631        Longs Drug Stores

Come, my friends, 'Tis not too late to seek a newer world.
Tho' much is taken, much abides; and tho'
We are not now that strength which in old days
Moved earth and heaven, that which we are, we are.
"Ulysses", A. Tennyson

>>>MY opinions, not Longs Drug Stores'<<<
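
Added example, not part of the original message: a small Python audit for the unix side that checks the rwx bits on a netrc file and its directory and lists the machine entries without printing passwords. The host names, logins and passwords are constructed sample values, and the file name `netrcall` is borrowed from the message only as a label.

```python
import netrc
import os
import shutil
import stat
import tempfile

# Constructed sample: one file holding logons for several boxes.
SAMPLE = (
    "machine hp3000a.example login xfer.prod password constructed-pw-1\n"
    "machine hp3000b.example login xfer.test password constructed-pw-2\n"
)

def audit_netrc(path):
    """Return permission findings for a netrc file and its directory."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"file mode {mode:04o}: group/other can access the passwords")
    dmode = stat.S_IMODE(os.stat(os.path.dirname(os.path.abspath(path))).st_mode)
    if dmode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append(f"directory mode {dmode:04o}: group/other can replace the file")
    return findings

def list_logins(path):
    """Map each machine to its login name; passwords are never returned."""
    return {m: login for m, (login, _acct, _pw) in netrc.netrc(path).hosts.items()}

def demo():
    """Audit a loosely permissioned copy, tighten it, and audit again."""
    d = tempfile.mkdtemp()
    try:
        path = os.path.join(d, "netrcall")
        with open(path, "w") as fh:
            fh.write(SAMPLE)
        os.chmod(path, 0o644)   # world-readable file
        os.chmod(d, 0o777)      # world-writable directory
        before = audit_netrc(path)
        os.chmod(path, 0o600)   # owner read/write only
        os.chmod(d, 0o700)      # owner-only directory
        after = audit_netrc(path)
        return before, after, list_logins(path)
    finally:
        shutil.rmtree(d)

if __name__ == "__main__":
    print(demo())
```

Running `audit_netrc` over every netrc file a transfer job uses, before each password rotation, shows which ones still expose the logons to other accounts on the box.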


