HP3000-L Archives

March 2000, Week 2

HP3000-L@RAVEN.UTC.EDU

From: James Hofmeister
Date: Thu, 9 Mar 2000 14:54:57 -0500

Hello Friends,

RE: Creating an "FTP only" user

----------------------------------------Costas Anastassiades writes--
I wanted to set up a user just for FTP. The user will have a password
but since all FTP clients will logon using this user, the password
won't be the best kept one. So I didn't want the user to be able to
access the system prompt or execute any other command should someone
get clever and actually logon as a normal session.

This is what I came up with.
-create a new user with SF, IA and a specific HOME group
-assign him a UDC which has OPTION LOGON and NOBREAK and which PAUSES
for say 5 minutes (more than enough FTP time for my needs) and then
issues a BYE
----------------------------------------Costas Anastassiades writes--

Yes, this works without the pause... I never cease to be amazed by
the creative solutions and tricks I learn out here on 3000-L //:+)


--------------------------------------------------Tom Genute writes--
Note that I don't think this method will work with MPE/IX 6.0.   FTP
doesn't create a session under 6.0 and can't even be trapped by
VESOFT's Security/3000.   This has created a big security hole.   The
only way to find out who is logged on to the FTP server is: LISTFILE
FTPSRVR.ARPA.SYS,8  (or ,9)
--------------------------------------------------Tom Genute writes--

Yes, this "UDC OPTION LOGON / BYE" method does work on MPE/iX 6.0 &
6.5.  You still have to have a valid MPE logon user.account for
FTP/iX on 6.0 & 6.5. I tested and verified it works on my machines.

Another note:  VESOFT was relying on an invalid MPE logon syntax that
supported their ability to "hook" into FTP on MPE/iX 5.5 and
previous.   This stopped working when FTP/iX on 6.0 performed greater
syntax checking.  The FTP/iX syntax checking has since been "relaxed"
on MPE/iX 6.0 to once again allow VESOFT the ability to hook their
security product into FTP.  This change was the ability to specify a
PASSWORD on the SESSION name in a logon.  Example:

  Hello YOURNAME/password,MANAGER.SYS
                *********
                This is invalid Syntax to MPE, but was the hook that
                VESOFT was using on MPE/iX 5.5 and prior to pass a
                password into their FTP security software.

This "relaxed" syntax checking is available in patch:

  SR: 5003-458612
FROM: FTPFDH3 6.0 GENERAL RELEASE

Enhancement to USER command to allow session passwords for VESOFT.

I hope this helps.

Regards,

James Hofmeister
Hewlett Packard
Worldwide Technology Network Expert Center
P.S. My Ideals are my own, not necessarily my employer's.
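
Added example (not part of the original message, and not HP or VESOFT code): a Python check that parses an MPE logon string and flags the session-name password form that the message describes as invalid to MPE but accepted by the relaxed FTP/iX syntax check. It covers the whole logon string rather than only the example line; the grammar, the 8-character name rule, and the function names are assumptions, and the sample strings are constructed.

```python
import re

# Assumption: an MPE name is 1-8 alphanumerics starting with a letter.
NAME = r"[A-Za-z][A-Za-z0-9]{0,7}"


def _field(label):
    # One "name[/password]" element, captured under named groups.
    return rf"(?P<{label}>{NAME})(?:/(?P<{label}_pass>{NAME}))?"


# Assumed grammar: [session,]user[/pass].account[/pass][,group[/pass]]
# A password on the session name is the relaxed form described above.
LOGON = re.compile(
    rf"^(?:{_field('session')},)?{_field('user')}\.{_field('account')}"
    rf"(?:,{_field('group')})?$"
)


def parse_logon(text):
    """Parse the argument of a HELLO or FTP USER command.

    Returns a dict of the fields present plus 'strict_mpe', which is
    False when a password is attached to the session name. Returns
    None when the string does not fit the assumed grammar.
    """
    text = text.strip()
    if text[:6].upper() == "HELLO ":  # accept the full command too
        text = text[6:].strip()
    m = LOGON.match(text)
    if m is None:
        return None
    fields = {k: v for k, v in m.groupdict().items() if v is not None}
    fields["strict_mpe"] = "session_pass" not in fields
    return fields


def needs_relaxed_check(logons):
    """Return the logon strings that only the relaxed check accepts."""
    parsed = ((s, parse_logon(s)) for s in logons)
    return [s for s, p in parsed if p is not None and not p["strict_mpe"]]


# Constructed sample inputs; the first is the form quoted in the message.
SAMPLES = [
    "Hello YOURNAME/password,MANAGER.SYS",
    "MANAGER.SYS,PUB",
    "JOHN,MANAGER/secret.SYS,PUB/grppw",
]
```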
