HP3000-L Archives

September 2004, Week 3

HP3000-L@RAVEN.UTC.EDU

Subject:
From:
James Hofmeister <[log in to unmask]>
Reply To:
James Hofmeister <[log in to unmask]>
Date:
Wed, 15 Sep 2004 10:51:17 -0400
Content-Type:
text/plain
Parts/Attachments:
text/plain (123 lines)
Hello Tony,

> Also recently added (7.0 ?) to the FTP server is the option to enforce the
> user/account passwords to be entered.

This option was available in 1993 on MPE/iX 4.0 as a run parameter in the
JFTPSTRT.arpa.sys job as FTPMON;INFO="PASSWORD".  This feature was broken
when the INETD/FTPSRVR was implemented.  This function was re-introduced as
an option in 6.0 in the SETPARMS.arpa.sys in patches FTPFDY9 6.0, FTPGD01
6.5, FTPGD49 7.0, and included in 7.5.

*******************************************************FTPDOC.ARPA.SYS**
The "PASSWORD = ON" SETPARMS.ARPA.SYS configuration option is a security
enhancement added to the FTP Server "FTPSRVR" to support the ability to
restrict the establishment of FTP connections to MPE USER.ACCOUNTs
where at least "one" password (a "USER" password or an "ACCOUNT"
password) must exist.

The system default for this enhancement is "PASSWORD = OFF".  This
option can be enabled by adding the line "PASSWORD = ON" to the file
SETPARMS.ARPA.SYS with a supported text EDITOR.

When the SETPARMS.ARPA.SYS file is configured with the "PASSWORD = ON"
option, the FTP Server "FTPSRVR" will reject any attempt to establish
an inbound FTP client connection to the HP e3000 for MPE USER.ACCOUNTs
which do not have at least one MPE logon password.

The FTP Client will see the following error message:

  530 User log on unsuccessful

If FTP Console Logging is enabled, the FTP Server will generate the
following error message to the console:

0:40/#J93/62/FTP INVALID PASSWORD For: "USER.ACCOUNT,PUB" IP=127.0.0.1
*******************************************************FTPDOC.ARPA.SYS**

> In earlier versions of MPE, FTP used
> to be nicely integrated with security/3000 so you could have session based
> password security on your FTP sessions.

As far as I know as per my communications with other customers,
security/3000 is *still* interfaced to FTP/iX.  The VESOFT security product
*broke* when FTPMON and the server creation with RPMCREATE was eliminated
and replaced by INETD forking FTPSRVR with calls to AIFCHANGELOGON.

2 changes needed to be made...

1) VESOFT had to hook into new INETD and FTPSRVR code which did a fork and
AIFCHANGELOGON of FTPSRVR from INETD rather than the old RPMCREATE from
FTPMON.

2) VESOFT was relying on a feature whereby a session-id password (which
does not exist in MPE) would be ignored in the parsing of the hello logon
string by RPMCREATE, but found out that it was not ignored by the new call
to AIFCHANGELOGON.
In the logon string:
   "sessid/sesspass,manager/mgrpass.sys/syspass,group"
...VESOFT was relying on the command parser not catching a password being
added to the sessid.  RPMCREATE did not catch this, but with INETD and the
fork of FTPSRVR we perform an AIFCHANGELOGON to assure the correct file
system access.  At this point AIFCHANGELOGON did catch this non-existent
field in the logon string and fail the logon.

Syntax of valid MPE logon:
[session,]user[/userpass].account[/acctpass][,group[/grppass]]

Note:  MPE logon sequence does not allow for a session password.

This required a fix to FTP/iX to strip the "sesspass" from the logon string
prior to our call to AIFCHANGELOGON and a second associated repair.
  5003458612 fixed in FTPFDH3 6.0; fixed in 6.5 and beyond.
  8606109983 fixed in FTPFDP3 6.0, FTPFDP2 6.5; fixed in 7.0 and beyond.

These fixes were implemented in patches in 2000 and this solution also
required a VESOFT SECURITY patch be installed.

The current General Release patches for FTP are:

FTPHD75 for C.75.00
FTPHD67 for C.70.00
FTPHD74 for C.65.00
FTPGDN1 for C.60.00

Don't forget:  The file FTPDOC.arpa.sys (on your system) is the bible to
features of FTP/iX which are beyond the FTP RFC specification (features are
documented here which are not present in the reference manual set).  I
recommend that you install the above noted General Release patch and then
look at the updated FTPDOC.arpa.sys file for new features.

I hope this helps.

Regards,

James Hofmeister
Email: <first>.<last>@hp.com
Hewlett Packard - Global Solutions Engineering (WTEC)
P.S. My ideals are my own, not necessarily my employer's.


----- Original Message -----
From: "Tony Summers" <[log in to unmask]>
To: <[log in to unmask]>
Sent: Tuesday, September 14, 2004 4:54 AM
Subject: Re: [HP3000-L] FTP to HP3k and security


> There are at least two ways to protect in-bound FTP requests to the HP.
>
> You can add allow and deny statements to the INETDSEC file so that only
> certain IP addresses can initiate an FTP session.
>
> Also recently added (7.0 ?) to the FTP server is the option to enforce the
> user/account passwords to be entered.   In earlier versions of MPE, FTP used
> to be nicely integrated with security/3000 so you could have session based
> password security on your FTP sessions.    Go to docs.hp for details on the
> switch you have to send to FTP to turn on user based passwords.
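The two behaviours James describes (the "sessid/sesspass" field that RPMCREATE ignored but AIFCHANGELOGON rejects, and the FTP/iX fix that strips it first, plus the FTPDOC "PASSWORD = ON" rule) are easier to reason about with a parser in hand. The following is an added example written for this archive page, not HP's FTP/iX or VESOFT code: it parses the MPE logon syntax quoted in the message, offers a "reject" and a "strip" mode for a session password, and then applies the at-least-one-password rule against a small constructed directory. The name rule (1-8 alphanumerics starting with a letter), the sample USER.ACCOUNTs and passwords, and the "230 User logged on" success text are assumptions; only "530 User log on unsuccessful" is quoted from the post.

```python
"""Parse an MPE/iX logon string as an FTP front end must, then apply the
FTPDOC "PASSWORD = ON" rule.  Added example, not HP's FTP/iX code.

Syntax quoted in the post:
    [session,]user[/userpass].account[/acctpass][,group[/grppass]]
"""
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Assumption: MPE names are 1-8 alphanumerics beginning with a letter, case-insensitive.
NAME = re.compile(r"^[A-Z][A-Z0-9]{0,7}$")
REJECT = "530 User log on unsuccessful"   # reply text quoted in the post
ACCEPT = "230 User logged on"             # assumed success text


class LogonError(ValueError):
    """Raised where the server would answer with REJECT."""


@dataclass
class Logon:
    user: str
    account: str
    session: Optional[str] = None
    group: Optional[str] = None
    user_pass: Optional[str] = None
    acct_pass: Optional[str] = None
    group_pass: Optional[str] = None


def _name_and_pass(field: str) -> Tuple[str, Optional[str]]:
    """'name/pass' -> ('NAME', 'PASS');  'name' -> ('NAME', None)."""
    name, slash, pw = field.strip().partition("/")
    name = name.upper()
    if not NAME.match(name):
        raise LogonError(f"bad MPE name {name!r}")
    return name, (pw.strip().upper() if slash else None)


def parse_logon(text: str, session_password: str = "reject") -> Logon:
    """session_password='reject' mimics the AIFCHANGELOGON path in the post
    (a sessid/sesspass field fails the logon); 'strip' mimics the FTP/iX fix,
    which drops sesspass before making that call."""
    if session_password not in ("reject", "strip"):
        raise ValueError("session_password must be 'reject' or 'strip'")
    parts = text.split(",")
    if len(parts) == 1:
        sess_f, ua_f, grp_f = None, parts[0], None
    elif len(parts) == 2:
        # user.account is the only field carrying a '.', which disambiguates
        # "session,user.acct" from "user.acct,group".
        if "." in parts[0]:
            sess_f, ua_f, grp_f = None, parts[0], parts[1]
        else:
            sess_f, ua_f, grp_f = parts[0], parts[1], None
    elif len(parts) == 3:
        sess_f, ua_f, grp_f = parts
    else:
        raise LogonError("too many comma-separated fields")

    if ua_f.count(".") != 1:
        raise LogonError("user.account is required")
    user_f, acct_f = ua_f.split(".")
    user, user_pass = _name_and_pass(user_f)
    account, acct_pass = _name_and_pass(acct_f)
    logon = Logon(user, account, user_pass=user_pass, acct_pass=acct_pass)

    if sess_f is not None:
        logon.session, sess_pass = _name_and_pass(sess_f)
        if sess_pass is not None and session_password == "reject":
            raise LogonError("MPE has no session password; sessid/sesspass rejected")
        # in 'strip' mode sess_pass is simply discarded here
    if grp_f is not None:
        logon.group, logon.group_pass = _name_and_pass(grp_f)
    return logon


def accepted_by(text: str, session_password: str) -> bool:
    """True if parse_logon accepts text under the given session-password mode."""
    try:
        parse_logon(text, session_password)
        return True
    except LogonError:
        return False


# Constructed sample directory: stored (user password, account password);
# None means that password is not set on the system.
DIRECTORY: Dict[Tuple[str, str], Tuple[Optional[str], Optional[str]]] = {
    ("MANAGER", "SYS"): ("MGRPASS", "SYSPASS"),
    ("TONY", "DEV"): (None, "DEVPASS"),       # account password only
    ("GUEST", "FTPTEST"): (None, None),       # no logon password at all
}


def ftp_logon(text: str, password_required: bool, directory=DIRECTORY) -> str:
    """Return the FTP reply for a logon string.  password_required mirrors
    the SETPARMS.ARPA.SYS 'PASSWORD = ON' option described in FTPDOC."""
    try:
        lg = parse_logon(text, session_password="strip")   # behave like the fixed FTP/iX
    except LogonError:
        return REJECT
    stored = directory.get((lg.user, lg.account))
    if stored is None:
        return REJECT
    stored_user_pw, stored_acct_pw = stored
    # PASSWORD = ON: refuse USER.ACCOUNTs with neither a user nor an account password.
    if password_required and stored_user_pw is None and stored_acct_pw is None:
        return REJECT
    # Every password that is set must be supplied in the logon string and match.
    for stored_pw, given_pw in ((stored_user_pw, lg.user_pass), (stored_acct_pw, lg.acct_pass)):
        if stored_pw is not None and given_pw != stored_pw:
            return REJECT
    return ACCEPT
```

Run against the string from the message, "sessid/sesspass,manager/mgrpass.sys/syspass,group" is refused in "reject" mode and parsed with session SESSID in "strip" mode, while "guest.ftptest" is refused only when `password_required` is true, which is the whole effect of "PASSWORD = ON".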

* To join/leave the list, search archives, change list settings, *
* etc., please visit http://raven.utc.edu/archives/hp3000-l.html *
