HP3000-L Archives

October 1996, Week 2

HP3000-L@RAVEN.UTC.EDU

From: Tony Peters <[log in to unmask]>
Date: Wed, 9 Oct 1996 13:45:38 -0400

>Debbie Blumenthal Wrote...
>A question for all you experts...

>We've been discussing certain security aspects here, specifically
>for the HP3000.  There are (at least) two goals:

>- specify a number of sign-ons (preferably allowed to set number by
>Userid), after which the user is prompted for a new password.

>- limit number of concurrent sign-ons under same Userid, if possible,
>by time of day (i.e. limit of 10 "USERX" 9am - 4pm)
----------------REPLY SEPARATOR--------------------------------------
At S&C, we have used a "FREE" method to accomplish the problem of multi logons by
the use of a system wide logon UDC and with the use of a couple of command
files.

The method is cheap, the results are good, and I will try to summarize the
implementation as follows:

SYSUDC.GROUP.SYS
----------------------
STARTMENU
OPTION LOGON,NOBREAK,NOLIST,NOHELP
COMMENT Don't get hung on errors used for checking
SETVAR HPAUTOCONT TRUE
COMMENT ESC and BELL are used to easily allow editing of CMD files
SETVAR ESC CHR(27)
SETVAR BELL CHR(7)
IF HPINTERACTIVE THEN
  COMMENT Checks for existence of a file by user name, then account name
  IF NOT FINFO('!["!HPUSER"+".MLOGON.ACCT"]','EXISTS') THEN
    IF NOT FINFO('!["!HPACCOUNT"+".MLOGON.ACCT"]','EXISTS') THEN
      SETVAR HPMSGFENCE 1
      ERRCLEAR
      TELL !HPUSER.!HPACCOUNT; MULTI LOGON ON !HPLDEVIN
      COMMENT If user logged on already
      IF CIERROR<>1619 AND CIERROR<>1620 THEN
        SETVAR HPMSGFENCE 0
        XEQ MLOGON.CMD.ACCT
        IF "!SCMULTI"<>"YES" THEN
          BYE
        ENDIF
      ENDIF
      SETVAR HPMSGFENCE 0
    ENDIF
  ENDIF
  .
  .
  .
  .
ENDIF

----------------------------------
MLOGON.CMD.ACCT
OPTION nobreak,nohelp,nolist
COMMENT Homes and clears screen
ECHO ![ESC]H![ESC]J
ECHO *****************************************************
ECHO *****************************************************
ECHO **                                                 **
ECHO **                                                 **
ECHO **   Y  O  U      A  R  E     A  L  R  E  A  D  Y  **
ECHO **   L  O  G  G  E  D      O  N     O  N  C  E .   **
ECHO **                                                 **
ECHO **                                                 **
ECHO **  CONTACT OPERATIONS FOR A MULTI ACCESS CODE OR  **
ECHO **    TYPE   BYE  TO RELEASE THE TERMINAL.         **
ECHO **                                                 **
ECHO **            PAGER:  81-34                        **
ECHO **            PHONE:  OPERATIONS Extn 999          **
ECHO **                    TONY     - Extn 999          **
ECHO *****************************************************
ECHO *****************************************************
ECHO
ECHO
SETVAR SCMULTI "YES"
SETVAR SCCODE 0
CONTINUE
SETVAR HPMSGFENCE 2
CONTINUE
WHILE "!SCCODE"<>"![!HPMONTH*!HPHOUR*(!HPMINUTE/2+1)*!HPDAY*!HPDATE*11]"
 CONTINUE
 INPUT SCCODE;PROMPT="INPUT CODE FROM OPERATIONS OR BYE?";WAIT=90
 CONTINUE
 IF "!SCCODE"="BYE"  OR "!SCCODE"="0" THEN
  CONTINUE
  SETVAR SCMULTI "NO"
  CONTINUE
  SETVAR SCCODE "![!HPMONTH*!HPHOUR*(!HPMINUTE/2+1)*!HPDAY*!HPDATE*11]"
 ENDIF
ENDWHILE
SETVAR HPMSGFENCE 0

The code inside the While loop locks the user's screen until they
input a code from Operations, or type BYE to sign off.  The code is
an algorithm which changes every 2 minutes.  Varying the constant (11)
will drastically change the resultant number ranges.

Operations uses the following cmd file to issue a release code for
the user which will allow a multi logon on a one time basis.

:Help Relcode
USER DEFINED COMMAND FILE:  RELCODE.CMD.ACCT

ECHO THE RELEASE CODE FOR FREEING A TERMINAL IS:
ECHO          ![!HPMONTH*!HPHOUR*(!HPMINUTE/2+1)*!HPDAY*!HPDATE*11]
ECHO         ------------

------------------------------------
:LISTF @.MLOGON.COM,2
ACCOUNT=  ACCT        GROUP=  MLOGON
FILENAME  CODE  ------------LOGICAL RECORD-----------  ----SPACE----
                  SIZE  TYP        EOF      LIMIT R/B  SECTORS #X MX
PROG               72B  FA           1          4   3       16  1  1
GEORGE             72B  FA           1          4   3       16  1  1
MANAGER            72B  FA           1          4   3       16  1  1
MGR                72B  FA           1          4   3       16  1  1
TECHOP             72B  FA           1          4   3       16  1  1

If a file exists with a user name or an account name in this group,
that user will be automatically allowed multiple log on capability.
PROG and TECHOP are accounts, the rest are users.
Contents of one of the files is shown below.

:PRINT MGR.MLOGON.ACCT
ALLOW USER MULTI LOG ON CAPABILITY
^-- Actual contents of file is not important, only that the file
    exists.

This method is somewhat crude, but is FREE and handles all the
situations we have encountered.  It does not interfere with our
programmers having multiple sessions and it allows operations
to let someone log on twice if there is a good reason on a one
time basis, or by creating a file in the MLOGON group, on a
more permanent basis.


                                          Tony Peters
       _/_/_/_/_/           _/_/_/_/_/    Project Manager - New Technology
      _/            _/     _/      _/     S&C Electric Canada Ltd
     _/            _/     _/              90 Belfield Rd
    _/_/_/_/_/  _/_/_/   _/               Toronto ON  M9W 1G4
           _/    _/     _/                Ph  416 249-9171
          _/    _/     _/                 Fax 416 249-3193
 _/_/_/_/_/           _/_/_/_/_/          Email   [log in to unmask]
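
An audit of the release-code expression used in MLOGON.CMD.ACCT and RELCODE.CMD.ACCT, as an added example in Python that is not part of the original post or Tony Peters' code. It goes beyond the post by placing a keyed (HMAC) two-minute code, a swapped-in technique, beside the posted formula, which depends only on the system clock and the constant. Assumptions: `/` is integer division, HPHOUR runs 0-23, HPDATE is the day of the month and HPDAY the day of the week with 1 = Sunday; all function names and the sample secret are hypothetical.

```python
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

CONSTANT = 11  # the multiplier used in MLOGON.CMD.ACCT and RELCODE.CMD.ACCT


def release_code(now: datetime, constant: int = CONSTANT) -> int:
    """Model of the posted expression (assumed MPE semantics, see lead-in)."""
    hpday = now.isoweekday() % 7 + 1          # HPDAY: 1 = Sunday ... 7 = Saturday
    return (now.month * now.hour * (now.minute // 2 + 1)
            * hpday * now.day * constant)


def minutes_matching_initial_sccode(day: datetime) -> list[str]:
    """Minutes of `day` whose code equals SCCODE's initial value 0, so the
    WHILE test is already false and no prompt is shown."""
    start = day.replace(hour=0, minute=0, second=0, microsecond=0)
    return [t.strftime("%H:%M") for t in
            (start + timedelta(minutes=m) for m in range(24 * 60))
            if release_code(t) == 0]


def keyed_release_code(secret: bytes, user: str, now: datetime,
                       step_seconds: int = 120) -> str:
    """Hardened variant: HMAC over user and 2-minute window, 8 digits.
    `now` is treated as UTC so both sides derive the same window."""
    window = int(now.replace(tzinfo=timezone.utc).timestamp()) // step_seconds
    mac = hmac.new(secret, f"{user}:{window}".encode(), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 10**8:08d}"


if __name__ == "__main__":
    sent = datetime(1996, 10, 9, 13, 45)       # timestamp of the post
    print("posted formula:", release_code(sent))
    zero = minutes_matching_initial_sccode(sent)
    print("minutes with code 0:", len(zero), zero[0], "-", zero[-1])
    secret = b"constructed-demo-secret"        # constructed sample key
    print("keyed code:", keyed_release_code(secret, "MGR.ACCT", sent))
```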
