HP3000-L Archives

March 2000, Week 2

HP3000-L@RAVEN.UTC.EDU

Subject:
From: James Hofmeister <[log in to unmask]>
Reply To:
Date: Thu, 9 Mar 2000 22:54:40 -0500
Content-Type: text/plain
Parts/Attachments: Creating (75 lines)

Hello Friends,

Re: Creating an "FTP only" user

---------------------------------------------------Tom Genute writes--
James, A valid MPE logon is required for FTP logons in MPE/iX 6.0, but
it does not execute logon UDCs and an FTP logon does not display on a
SHOWJOB like the previous versions of FTP and programmatic logons from
DSCOPY.

I've tested an FTP user ID with a UDC set at the user level to verify
this. In addition, the system UDC executes VESOFT security LOGON. The
FTP ID I set up cannot logon interactively because there is no
security profile set up, but I can logon with FTP.

Patch FTPFDH3 must do more than relax syntax.
---------------------------------------------------Tom Genute writes--

Tom, part of this is correct:
  1. Valid MPE logon is required for FTP on both 5.5 and past as well
     as 6.0 and beyond.
  2. FTP 6.0 and beyond does not display on a showjob like FTP 5.5
     and past or like programmatic logons from DSCOPY.

and part is incorrect...
  1. "but it does not execute logon UDCs ... like the previous
     versions of FTP".  This is not true because NO version of FTP
     has ever executed logon UDCs.
  2. "Patch FTPFDH3 must do more than relax syntax".  This is not
     true.

Here is my story:

FTP/iX Version "5.5 and past" accepts the logon string and does an
RPMCREATE to actually logon to the local 3000.  This logon can be
seen in ":showjob", but this logon does not execute logon UDCs.
Just as a side note, DSCOPY programmatic logons are the same: logon
UDCs are not executed.

FTP/iX Version "6.0 and beyond" accepts the logon string and does an
AIFCHANGELOGON, so we don't logon to the local 3000.  This connection
can be identified as an FTPSRVR.ARPA.SYS process under INETD.NET.SYS
in a ":showproc", and in fact it is a child process of INETD which
goes away if you perform an :abortjob of the INETD job.  As you
would expect, since we don't logon, we are not executing logon UDCs.

In all 3 cases, DSCOPY, FTP "5.5 and past" and FTP "6.0 and beyond",
UDCs are not executed, so the "OPTION LOGON, NOBREAK / BYE" trick
works great.  This is a really Kewl trick.

Now, your question is how does VESOFT security work if FTP and DSCOPY
are not executing the system-wide UDCs which start the VESOFT
security check?  The answer is VESOFT is MAGIC!  I think I just heard
a bunch of folks running out to buy some magic for their 3000.  Well,
I am not 100% sure it is magic; actually I am 95% sure the VESOFT
folks have debugged the code path for both FTP and DSCOPY and have
inserted "hook" routines within the system libraries which make
calls to their security product, and then once the logon security is
validated, their code returns to the FTP or DSCOPY code entry point
and these HP products then continue executing totally unaware of the
VESOFT security checking.  I am only 95% sure of this and I left a
margin of 5% for one of the VESOFT folks to prove me wrong.  I am not
aware of configuration options, etc. for the VESOFT security product,
so maybe I better leave a 10% margin of error.

This is my story and I am sticking to it (until somebody proves me
wrong).

Enjoy,

James Hofmeister
Hewlett Packard
Worldwide Technology Network Expert Center
P.S. My ideals are my own, not necessarily my employer's.
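The "OPTION LOGON, NOBREAK / BYE" trick the message refers to, written out as an added illustration (this is not code from the original post, and the UDC name FTPONLY, the catalog file name FTPUDC and the user name FTPUSER are assumptions). The idea is exactly what James describes: a logon UDC runs for interactive sessions, so ending the session from inside it shuts the interactive door, while FTP and DSCOPY logons never execute logon UDCs and so still get in.

```mpe
FTPONLY
OPTION LOGON, NOBREAK
COMMENT Hypothetical logon UDC for an "FTP only" user.
COMMENT It runs at every interactive logon and ends the session at once;
COMMENT NOBREAK keeps the user from interrupting it before BYE executes.
COMMENT FTP (any version) and DSCOPY do not execute logon UDCs, so the
COMMENT same user can still transfer files.
BYE
***
```

Assuming the UDC is saved in FTPUDC and cataloged for that one user (for example :SETCATALOG FTPUDC;USER=FTPUSER;APPEND, the user-level catalog Tom mentions), it applies only to that logon. The caveat a practitioner should keep in mind follows from the message itself: the restriction holds only for logon paths that execute logon UDCs, and the "6.0 and beyond" FTP connections it leaves open do not appear in :showjob, so they have to be looked for as FTPSRVR.ARPA.SYS processes under INETD.NET.SYS in :showproc rather than in the session list.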
