HP3000-L Archives

March 2001, Week 1

HP3000-L@RAVEN.UTC.EDU

Date: Fri, 2 Mar 2001 12:42:39 -0500

Tony Summers wrote:
> If password sensitivity is an issue for you I would recommend avoiding the
> JCL route.

and Joshua Johnson wrote:
> 6) You should consider putting username and password information in a
> secured place!

I had written:
> I write my ftps...
> with the user name and password in a netrc file, and the ftp
> commands in another file, is to secure them from prying eyes.

MPE's use of netrc is such a well-kept secret that I cannot even find it
documented at docs.hp.com. I can find it on an older LaserROM, in the
Software Release Bulletin for January 1993. But I am convinced that it is
worth knowing. It is standard on UNIXen. Even IBM's ftp clients support it.
Perl's Net::FTP can also use its equivalent. So, this knowledge is useful
on other systems, and those who use other systems could ask us about its use
on ours.

The LaserROM article has two points, and a note. The second point is merely
the format of the netrc file, which is
machine <string> login <string> password <string>
where "machine", "login", and "password" must be in lower-case, among some
other notes, which are likely available from several other sources, and
worth looking into if you wish to use netrc files. The first point and note
are:

------
1. The file resides in NETRC.<home-group>.  File equations are allowed,
   so if you were logged as JOE.SCHMOE and wanted to use a NETRC file
   residing elsewhere on the system, you could issue the file equation:
      file NETRC.<JOE's home group>=NETRC.<other-group>.<other-account>
------
I have to wonder if symbolic links could also work? But since I favored
BA-only ftp jobs, I created a logon UDC for this user that sets the
appropriate file equation, and similarly secured the UDC. I liked to keep my
netrc files (and you can have as many as you want or need, but I believe the
file equation limits us to one per user name) in their own group in SYS, so
even account managers cannot readily access them (if one is concerned that
an account manager could stream such a job under the BA-only ftp user to
help or print UDC, it is probably worth aliasing these commands in the BA
user's logon UDC). Oh, and while the file equation does need to be of the
form NETRC.<homegroup>, the target does NOT need to be named NETRC, and I
would recommend that it in fact not be so named, as that is an invitation to
the curious. Use inobvious names and all the tricks at your disposal to
secure these files! The note addresses securing these files:
--------
Note: unencrypted passwords stored in a file like this constitute a
      security risk.  If this is a problem, try the following command:
         :altsec netrc.<home-group>.<account>;access=(r,w,a,l,x:cr)
      If this is still a problem, don't use a NETRC file!  It is
      provided for usability, but its use is by no means required.
--------
I created them from manager.sys, and limit access to R and L for the
individual user, as that seems to be all that is actually necessary. I am
more concerned that someone read a known ftp job or grep for ftp strings,
than that someone will find a way to access a well-secured file. Should
someone compromise manager.sys, or get SM privileges, then I probably have
some other concerns in addition to my system becoming a jumping off point to
secure the system of someone else who had trusted me to access their system
via ftp.

Greg Stigers
http://www.cgiusa.com
I regret never getting the chance to discuss this with an auditor
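As an added example (not part of the original post or of MPE's ftp client), the following Python loader shows the two points the bulletin quoted above makes: the `machine <string> login <string> password <string>` format with lower-case keywords, and the rule that the file is only as safe as its access list. The POSIX mode check stands in for the `altsec` restriction; the hostnames and secrets in the sample are constructed placeholders.

```python
import os
import stat
import tempfile
from typing import Dict, NamedTuple, Optional

# Constructed sample in the format the post describes; hostnames and
# secrets are placeholders, not values from the original message.
SAMPLE_NETRC = """\
machine hp3000.example.com login ftpuser password placeholder-secret
machine mirror.example.net login anonymous password user@example.com
"""


class NetrcEntry(NamedTuple):
    login: Optional[str]
    password: Optional[str]


def parse_netrc(text: str) -> Dict[str, NetrcEntry]:
    """Parse netrc text into {machine: NetrcEntry}.

    Keywords must be lower-case, as the quoted bulletin states. A capitalised
    or unknown word in keyword position raises instead of being skipped, so a
    malformed file cannot silently pass as an empty one.
    """
    tokens = text.split()
    entries: Dict[str, NetrcEntry] = {}
    host: Optional[str] = None
    fields: Dict[str, str] = {}

    def value_after(i: int) -> str:
        if i + 1 >= len(tokens):
            raise ValueError(f"'{tokens[i]}' at end of file has no value")
        return tokens[i + 1]

    def flush() -> None:
        if host is not None:
            entries[host] = NetrcEntry(fields.get("login"), fields.get("password"))

    i = 0
    while i < len(tokens):
        kw = tokens[i]
        if kw == "machine":
            flush()
            host, fields = value_after(i), {}
        elif kw in ("login", "password"):
            if host is None:
                raise ValueError(f"'{kw}' appears before any 'machine' entry")
            fields[kw] = value_after(i)
        else:
            raise ValueError(f"unexpected token {kw!r}: keywords must be lower-case")
        i += 2
    flush()
    return entries


def is_valid_netrc(text: str) -> bool:
    """True if the text parses; False for bad keywords or a truncated file."""
    try:
        parse_netrc(text)
        return True
    except ValueError:
        return False


def check_owner_only(path: str) -> None:
    """Refuse a credential file that group or other users can access.

    POSIX counterpart of the altsec restriction the post quotes: the secret
    is only as safe as the file's access list.
    """
    st = os.stat(path)
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError(
            f"{path}: mode {stat.filemode(st.st_mode)} grants group/other access")
    if hasattr(os, "getuid") and st.st_uid != os.getuid():
        raise PermissionError(f"{path}: not owned by the current user")


def load_netrc(path: str) -> Dict[str, NetrcEntry]:
    """Check the file's mode before reading any credentials from it."""
    check_owner_only(path)
    with open(path, encoding="ascii") as fh:
        return parse_netrc(fh.read())


def demo() -> Dict[str, object]:
    """Write the sample twice (owner-only and world-readable) into a temporary
    directory and record which copy the loader accepts."""
    results: Dict[str, object] = {}
    with tempfile.TemporaryDirectory() as tmp:
        for name, mode in (("netrc-safe", 0o600), ("netrc-loose", 0o644)):
            path = os.path.join(tmp, name)
            with open(path, "w", encoding="ascii") as fh:
                fh.write(SAMPLE_NETRC)
            os.chmod(path, mode)
            try:
                results[name] = load_netrc(path)["hp3000.example.com"].login
            except PermissionError as exc:
                results[name] = f"rejected: {exc}"
    return results
```

Running `demo()` returns the login for the owner-only copy and a `rejected:` message for the world-readable one, which is the behaviour a loader should have before it ever transmits a stored password.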
