HP3000-L Archives

July 2001, Week 4

HP3000-L@RAVEN.UTC.EDU

From: Tom Emerson <[log in to unmask]>
Reply To: Tom Emerson <[log in to unmask]>
Date: Tue, 24 Jul 2001 18:15:38 -0400

>-----Original Message-----
>From: HP-3000 Systems Discussion [mailto:[log in to unmask]]On
>Behalf Of Newton, Ernie
>I turned off my personal password in MPEX using
>   SEC CHANGE ERNIE, @.@;NOPASS
>I then needed to do some testing things and happily created an account
>called TEST. I then tried to log into that account and MPEX asked me for my
>password again.  Problem is, it wouldn't take my password.
>
>Why did it do that?

On Tue, 24 Jul 2001 16:02:29 -0400, Jonathan M. Backus
<[log in to unmask]> wrote:
>The answer lies somewhere in your Security/3000 configuration file and/or
>within the security profiles defined.  I am being somewhat generalized on
>purpose.  Public discussion about how to cripple or remove security is
>typically not a good thing.

I'll second Jonathan's point on specific methods of circumvention, however
what follows here is information included in the Security/3000 manual, so
it is essentially public knowledge...

Security/3000 "profiles" go from the most specific (session,user.account)
to the most generic (@,@.@).  "ERNIE,@.@" is one step removed from the most
generic profile (well, two actually: "@.@" with a BLANK session name fits
between these two profiles).  Something like "@,@.TEST" or "@,MGR.TEST"
would be more specific than "ERNIE,@.@" and would take precedence.

That said, the way a SYSTEM MANAGER would determine what profiles are
active for a specific user/account/session/device combination is through
the use of the %SEC SHOW command.  (yes "device" -- you can attach
additional restrictions on dial-up connections for instance).  For example:

%sec show ERNIE,MGR.PROD
$VEPROFILE            SECURITY/3000 user profiles are ENFORCED
                        User is ERNIE,@.@
                        Real name is "Ernie Newton"
...
%sec show ERNIE,MGR.TEST
$VEPROFILE            SECURITY/3000 user profiles are ENFORCED
                        User is @,@.TEST
                        Real name is "Test User"
...

Another thing to consider is that Security/3000 profiles & passwords are
stored in a different location than the system tables (files).  So I
suspect that "some time in the past" your system had a TEST account, and a
profile was created for it, but the profile was never deleted when
the "testing" completed...

Tom

* To join/leave the list, search archives, change list settings, *
* etc., please visit http://raven.utc.edu/archives/hp3000-l.html *
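
An added example, not part of the original post and not Security/3000 code: a small Python model of the profile precedence described in the message, plus an audit for profiles whose account no longer exists. The ranking (account, then user, then session) is an assumption chosen to agree with the examples in the post; the function names, profile list and account list are constructed for illustration.

```python
WILD = "@"

def parse(spec):
    """Split 'session,user.account' into upper-cased fields.
    A spec with no comma ('user.account') has a blank session name."""
    session, _, rest = spec.rpartition(",")
    user, _, account = rest.partition(".")
    return tuple(f.strip().upper() for f in (session, user, account))

def matches(profile, logon):
    """A profile field matches if it is '@' or equals the logon's field."""
    return all(p == WILD or p == l for p, l in zip(parse(profile), parse(logon)))

def specificity(profile):
    """Assumed ranking: account outranks user, which outranks session.
    Session ranks: '@' = 0, blank = 1, named = 2."""
    session, user, account = parse(profile)
    session_rank = 0 if session == WILD else (1 if session == "" else 2)
    return (account != WILD, user != WILD, session_rank)

def effective(profiles, logon):
    """Return the most specific profile that matches the logon, or None."""
    hits = [p for p in profiles if matches(p, logon)]
    return max(hits, key=specificity) if hits else None

def stale(profiles, accounts):
    """Profiles that name an account absent from the system directory."""
    live = {a.upper() for a in accounts} | {WILD}
    return [p for p in profiles if parse(p)[2] not in live]

# Constructed sample data: a leftover TEST profile and no TEST account.
PROFILES = ["@,@.@", "@.@", "ERNIE,@.@", "@,@.TEST"]
ACCOUNTS = ["SYS", "PROD"]

if __name__ == "__main__":
    for logon in ("ERNIE,MGR.PROD", "ERNIE,MGR.TEST"):
        print(logon, "->", effective(PROFILES, logon))
    print("stale profiles:", stale(PROFILES, ACCOUNTS))
```

Running the stale check before an account name is reused shows which leftover profile would apply to the new account instead of the broader one the administrator expects.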
