LISTSERV - HP3000-L Archives

HP3000-L Archives

February 1995, Week 2

HP3000-L@RAVEN.UTC.EDU

	LISTSERV Archives
	HP3000-L Home
	HP3000-L February 1995, Week 2

	Log In
	Register

	Subscribe or Unsubscribe

	Search Archives

Options:	Use Monospaced Font Show Text Part by Default Show All Mail Headers
Message:	[<< First] [< Prev] [Next >] [Last >>]
Topic:	[<< First] [< Prev] [Next >] [Last >>]
Author:	[<< First] [< Prev] [Next >] [Last >>]

Subject:	Re: How do I break MPE security?
From:	Paul Taffel <[log in to unmask]>
Reply To:	Paul Taffel <[log in to unmask]>
Date:	Mon, 13 Feb 1995 19:47:47 -0800
Content-Type:	text/plain
Parts/Attachments:	text/plain (54 lines)

>Michael Hensley ([log in to unmask]) wrote (2/9):
>
>> These jobs have not been up-to-date in *years*, and were removed
>> from the documentation (I removed them myself).  I *think* the
>> new version 2.5 of Security can provide a better solution through
>> Procedure Exits (you can apparently change the pro-logon prompt,
>> messages, even the syntax of the HELLO command) ...
>
>Procedure Exists, including those to 'hook' into the logon process
>were available as patches to MPE/XL releases 3.0 & 3.1 and then
>bundled into MPE/iX 4.0. ... Someone from Vesoft would have to respond as to
>the features of their new version.
>
>-- Jerry
 
Allow me to supply a few answers:
 
- VESOFT's SECURITY/3000 product continues to support MINLOGON and MAXLOGON,
  job streams that modify the System message catalog to remove all
  helpful hints that might be gleaned from the logon error messages.
  The help text for both is available online within MPEX by typing:
    %HELP MINLOGON    or   %HELP MAXLOGON
  If anyone knows of messages that we fail to intercept, please let us
  know, and we'll fix it.
 
- Version 25 of SECURITY/3000 makes use of AIF:PE (procedure exits) to
  add the ability to implement logon security for interactive Jobs and
  Sessions without relying on System-wide UDCs.  Jerry, I believe that
  when you started beta-testing version 25 last year this had not yet
  been released.  If you'd like to take a look, please ask VESOFT tech
  support to send you the latest version.
 
- Version 25 also uses AIF:PE to allow interception of logons that don't
  result in the CI being run in an interactive environment, such as
  auto-logon DSCOPYs, and FTP access.
 
- Version 25 also uses AIF:PE to allow the definition of synonyms for the
  HELLO command: you can define shorter alternatives ('HI'), you can remove
  the need for HELLO at all (I logon as 'PAUL', that's ALL I type).  You
  can also (more relevant for this discussion) define a replacement for
  the HELLO command, and prevent anyone logging on by typing HELLO anything.
 
One last (important) note to anyone considering using AIF:PE to implement
security enhancements: don't forget to (somehow) secure the PEUTIL program
that HP thoughtfully leave behind in PUB.SYS.  Using it, any user on the
system can disable ALL procedure exits, system-wide.  We had to use another
procedure exit to close this loophole, in such a way that the SM (only)
can disable AIF:PE in an emergency.
 
Paul Taffel
VESOFT Development Staff
 
[log in to unmask]           (310) 282 0420

ATOM RSS1 RSS2

RAVEN.UTC.EDU