Reply To: Genute, A Thomas
Date: Thu, 9 Mar 2000 21:34:17 -0500
Content-Type: text/plain
James,

A valid MPE logon is required for FTP logons in MPE/iX 6.0, but it does not
execute logon UDCs and an FTP logon does not display on a SHOWJOB like the
previous versions of FTP and programmatic logons from DSCOPY.

I've tested an FTP user ID with a UDC set at the user level to verify this.
In addition, the system UDC executes VESOFT security LOGON. The FTP ID I
set up cannot logon interactively because there is no security profile set
up, but I can logon with FTP.

Patch FTPFDH3 must do more than relax syntax.

Tom Genute
Phone: (212) 437-1744
-----Original Message-----
From: James Hofmeister [mailto:[log in to unmask]]
Sent: Thursday, March 09, 2000 2:55 PM
To: [log in to unmask]
Subject: Creating an "FTP only" user
Hello Friends,

RE: Creating an "FTP only" user

----------------------------------------Costas Anastassiades writes--

I wanted to set up a user just for FTP. The user will have a password
but since all FTP clients will logon using this user, the password
won't be the best kept one. So I didn't want the user to be able to
access the system prompt or execute any other command should someone
get clever and actually logon as a normal session.

This is what I came up with.

-create a new user with SF, IA and a specific HOME group
-assign him a UDC which has OPTION LOGON and NOBREAK and which PAUSES
 for say 5 minutes (more than enough FTP time for my needs) and then
 issues a BYE

----------------------------------------Costas Anastassiades writes--

Yes, this works without the pause... I never cease to be amazed by
the creative solutions and tricks I learn out here on 3000-L //:+)

--------------------------------------------------Tom Genute writes--

Note that I don't think this method will work with MPE/IX 6.0. FTP
doesn't create a session under 6.0 and can't even be trapped by
VESOFT's Security/3000. This has created a big security hole. The
only way to find out who is logged on to the FTP server is:

    LISTFILE FTPSRVR.ARPA.SYS,8 (or ,9)

--------------------------------------------------Tom Genute writes--

Yes, this "UDC OPTION LOGON / BYE" method does work on MPE/iX 6.0 &
6.5. You still have to have a valid MPE logon user.account for
FTP/iX on 6.0 & 6.5. I tested and verified it works on my machines.

Another note: VESOFT was relying on an invalid MPE logon syntax that
supported their ability to "hook" into FTP on MPE/iX 5.5 and
previous. This stopped working when FTP/iX on 6.0 performed greater
syntax checking. The FTP/iX syntax checking has since been "relaxed"
on MPE/iX 6.0 to once again allow VESOFT the ability to hook their
security product into FTP. This change was the ability to specify a
PASSWORD on the SESSION name in a logon. Example:

    Hello YOURNAME/password,MANAGER.SYS
                  *********

This is invalid Syntax to MPE, but was the hook that VESOFT was using
on MPE/iX 5.5 and prior to pass a password into their FTP security
software.

This "relaxed" syntax checking is available in patch:

    SR: 5003-458612
    FROM: FTPFDH3 6.0 GENERAL RELEASE
    Enhancement to USER command to allow session passwords for VESOFT.

I hope this helps.

Regards,

James Hofmeister
Hewlett Packard
Worldwide Technology Network Expert Center
P.S. My Ideals are my own, not necessarily my employers.