HP3000-L Archives

April 1996, Week 3

HP3000-L@RAVEN.UTC.EDU

From: Tom Emerson <[log in to unmask]>
Date: Fri, 19 Apr 1996 12:02:00 +0000
> From: Chris Bartram
> Subject: Re[2]: Internet HP3000 security issues
> Date: Friday, April 19, 1996 12:57PM
>
>  In <[log in to unmask]> [log in to unmask] writes:
>
> > > But without an "auto-logon" firewall proxy of some kind, you are stuck
> > > with a user doing "MPE iX: HELLO JOE.PUBLIC".
> >
> > I agree!  I'm so *NOT* thrilled about this (say that phrase like
> > Chandler from "Friends") that until I need inbound telnet to this HP, I
> > think we will continue to use nqTlnet.
>
> I seem to recall that there is an AIF call that can intercept a logon;
> doesn't VESoft do something like this to intercept ftp (or some other
> service) logons?
 
Indeed there is!  VESOFT's security software includes a Procedure Exit
(AIF:PE) "trap" into the system at logon time for full processing by
Security/3000, regardless of the state of the "parm -1" logon flag.  AIF:PE
allows programmers to trap nearly every callable "procedure" in the system,
either before or after (or both!) the call actually occurs (i.e., on the way
"in" and "out" of the call).  The VESOFT module works by evaluating the
logon string, looking for embedded passwords (including the SESSION
password!), and if the logon fails, blanks the "hello" string making it an
invalid command/logon attempt (in other words, it never happens...)
 
> Might allow you some possibilities; albeit requiring some potentially
> fancy s/w...
 
Yes.  Since the routine will turn an otherwise valid MPE logon (but failed
Security/3000 logon) into a non-logon string, other "translations" can be
included as well (such as removing "parm=-1" from the logon string on
pre-5.0 systems!)  Another side-effect of this is that MPE/iX boxes can now
benefit from "unix style" logons -- simply the user name and their password
(when prompted) without clarifying words like "hello" or specifics like MPE
user name, account, or group; options like "term=10" or "info='run
my.favorite.program'", and so on.
 
Tom Emerson
Former VESOFT technical support manager (hence, the lack of /PLUGing this --
as the Rolling Stones' song goes, "I can't get no..." (compensation))
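The logon-string "trap" Tom describes, modelled as an added example (written for this archive page; it is not VESOFT's or MPE's code). It assumes the MPE logon syntax `HELLO [session,]user[/upass].account[/apass][,group[/gpass]][;option...]`; the user directory, the credential table and the `verify` callback are constructed stand-ins for whatever store a real hook would consult. Given a logon line, `logon_hook` returns what MPE should see: the line unchanged, a rewritten line (parm=-1 dropped on a pre-5.0 box, a bare unix-style name expanded to user.account), or an empty string when the check fails, so the refused attempt never reaches MPE.

```python
"""Model of a pre-logon procedure-exit (AIF:PE-style) policy hook for MPE HELLO lines.

Added illustration, not VESOFT's or MPE's code.  Assumed MPE logon syntax:
    HELLO [session,]user[/upass].account[/apass][,group[/gpass]][;option;...]
The hook sees the logon line before MPE does and hands back what MPE should
process: the line unchanged, a rewritten line, or "" (a blank line is not a
logon, so a refused attempt simply never happens).
"""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class Logon:
    user: str
    account: str
    group: Optional[str]
    session: Optional[str]
    passwords: Dict[str, str]   # field name -> password embedded in the line
    options: List[str]          # raw ';' options, e.g. ["parm=-1", "info='run x'"]


def _split_options(text: str) -> List[str]:
    """Split on ';' outside single quotes so INFO='a;b' stays one option."""
    parts, cur, quoted = [], [], False
    for ch in text:
        if ch == "'":
            quoted = not quoted
        if ch == ';' and not quoted:
            parts.append(''.join(cur))
            cur = []
        else:
            cur.append(ch)
    parts.append(''.join(cur))
    return [p.strip() for p in parts]


def _strip_pw(fld: str, key: str, passwords: Dict[str, str]) -> str:
    """'name/pw' -> 'NAME', recording the password under key if one was given."""
    name, sep, pw = fld.partition('/')
    if sep:
        passwords[key] = pw.strip()
    return name.strip().upper()


def parse_hello(line: str) -> Optional[Logon]:
    """Parse a HELLO command; None when the line is not a well-formed logon."""
    m = re.match(r'^\s*hello\s+(.+)$', line, re.IGNORECASE | re.DOTALL)
    if not m:
        return None
    ident, *options = _split_options(m.group(1))
    pieces = [p.strip() for p in ident.split(',')]
    passwords: Dict[str, str] = {}
    session = None
    if len(pieces) > 1 and '.' not in pieces[0]:   # leading piece without '.' is a session name
        session = pieces.pop(0).upper()
    if not 1 <= len(pieces) <= 2 or '.' not in pieces[0]:
        return None
    user_f, acct_f = pieces[0].split('.', 1)
    user = _strip_pw(user_f, 'user', passwords)
    account = _strip_pw(acct_f, 'account', passwords)
    group = _strip_pw(pieces[1], 'group', passwords) if len(pieces) == 2 else None
    return Logon(user, account, group, session, passwords, [o for o in options if o])


def render(logon: Logon) -> str:
    """Rebuild the HELLO line, re-attaching any passwords that were on it."""
    def f(name: str, key: str) -> str:
        return name + ('/' + logon.passwords[key] if key in logon.passwords else '')
    ident = (logon.session + ',' if logon.session else '')
    ident += f(logon.user, 'user') + '.' + f(logon.account, 'account')
    if logon.group:
        ident += ',' + f(logon.group, 'group')
    return 'HELLO ' + ident + ''.join(';' + o for o in logon.options)


# Constructed demo data; a real hook would consult the security product's own store.
DEMO_DIRECTORY: Dict[str, Tuple[str, str]] = {'joe': ('JOE', 'PUBLIC')}
DEMO_CREDENTIALS = {('JOE', 'PUBLIC'): {'user': 'secret1', 'account': 'acctpw'}}


def demo_verify(logon: Logon) -> bool:
    """Every password embedded in the line must match; MPE prompts for any omitted ones."""
    expected = DEMO_CREDENTIALS.get((logon.user, logon.account))
    if expected is None:
        return False
    return all(expected.get(k) == v for k, v in logon.passwords.items())


def logon_hook(line: str, directory: Dict[str, Tuple[str, str]],
               verify: Callable[[Logon], bool], pre_50: bool = False) -> str:
    """Pre-call policy on the logon path; returns the string MPE will process."""
    logon = parse_hello(line)
    if logon is None:
        name = line.strip().lower()
        if name in directory:                  # unix-style: bare user name only
            user, account = directory[name]
            return render(Logon(user, account, None, None, {}, []))  # MPE prompts for the password
        return line                            # not a logon we understand; pass through
    if not verify(logon):
        return ''                              # refused: blank it, no logon attempt reaches MPE
    if pre_50:                                 # drop the parm=-1 flag on pre-5.0 releases
        logon.options = [o for o in logon.options
                         if not re.fullmatch(r'parm\s*=\s*-1', o, re.IGNORECASE)]
    return render(logon)
```

The quote-aware option splitter matters because an `info='...'` value can legitimately contain semicolons; a naive split would mangle the line and, worse, could move text into or out of the password-bearing identifier part that the policy is meant to inspect.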
