>Debbie Blumenthal Wrote...
>A question for all you experts...
>We've been discussing certain security aspects here, specifically
>for the HP3000. There are (at least) two goals:
>- specify a number of sign-ons (preferably allowed to set number by
>Userid), after which the user is prompted for a new password.
>- limit number of concurrent sign-ons under same Userid, if possible,
>by time of day (i.e. limit of 10 "USERX" 9am - 4pm)

----------------REPLY SEPARATOR--------------------------------------

At S&C, we have used a "FREE" method to accomplish the problem of multi
logons by the use of a system wide logon UDC and with the use of a couple
of command files. The method is cheap, the results are good, and I will
try to summarize the implementation as follows:

SYSUDC.GROUP.SYS
----------------------
STARTMENU
OPTION LOGON,NOBREAK,NOLIST,NOHELP
SETVAR HPAUTOCONT TRUE   <--Don't get hung on errors used for checking
SETVAR ESC CHR(27)       <---/-- Used to easily allow editing of CMD files
SETVAR BELL CHR(7)       <--/
IF HPINTERACTIVE THEN
  IF NOT FINFO('!["!HPUSER"+".MLOGON.ACCT"]','EXISTS') THEN
    IF NOT FINFO('!["!HPACCOUNT"+".MLOGON.ACCT"]','EXISTS') THEN
      SETVAR HPMSGFENCE 1      ^--\Checks for existence of a file
      ERRCLEAR                     \by user name then account name
      TELL !HPUSER.!HPACCOUNT; MULTI LOGON ON !HPLDEVIN
      IF CIERROR<>1619 AND CIERROR<>1620 THEN   <-- (if User logged
        SETVAR HPMSGFENCE 0                          on already)
        XEQ MLOGON.CMD.ACCT
        IF "!SCMULTI"<>"YES" THEN
          BYE
        ENDIF
      ENDIF
      SETVAR HPMSGFENCE 0
    ENDIF
  ENDIF
  . . . .
ENDIF
----------------------------------

MLOGON.CMD.ACCT

OPTION nobreak,nohelp,nolist
ECHO ![ESC]H![ESC]J      <---Homes and Clears screen
ECHO *****************************************************
ECHO *****************************************************
ECHO **                                                 **
ECHO **                                                 **
ECHO **          Y O U   A R E   A L R E A D Y          **
ECHO **          L O G G E D   O N   O N C E .          **
ECHO **                                                 **
ECHO **                                                 **
ECHO ** CONTACT OPERATIONS FOR A MULTI ACCESS CODE OR   **
ECHO ** TYPE BYE TO RELEASE THE TERMINAL.               **
ECHO **                                                 **
ECHO **    PAGER: 81-34                                 **
ECHO **    PHONE: OPERATIONS Extn 999                   **
ECHO **           TONY - Extn 999                       **
ECHO *****************************************************
ECHO *****************************************************
ECHO
ECHO
SETVAR SCMULTI "YES"
SETVAR SCCODE 0
CONTINUE
SETVAR HPMSGFENCE 2
CONTINUE
WHILE "!SCCODE"<>"![!HPMONTH*!HPHOUR*(!HPMINUTE/2+1)*!HPDAY*!HPDATE*11]"
  CONTINUE
  INPUT SCCODE;PROMPT="INPUT CODE FROM OPERATIONS OR BYE?";WAIT=90
  CONTINUE
  IF "!SCCODE"="BYE" OR "!SCCODE"="0" THEN
    CONTINUE
    SETVAR SCMULTI "NO"
    CONTINUE
    SETVAR SCCODE "![!HPMONTH*!HPHOUR*(!HPMINUTE/2+1)*!HPDAY*!HPDATE*11]"
  ENDIF
ENDWHILE
SETVAR HPMSGFENCE 0

The code inside the WHILE loop locks the user's screen until they input a
code from Operations, or type BYE to sign off. The code is an algorithm
which changes every 2 minutes. Varying the constant (11) will drastically
change the resultant number ranges.

Operations uses the following cmd file to issue a release code for the
user which will allow a multi logon on a one time basis.

:Help Relcode
USER DEFINED COMMAND FILE: RELCODE.CMD.ACCT

ECHO THE RELEASE CODE FOR FREEING A TERMINAL IS:
ECHO ![!HPMONTH*!HPHOUR*(!HPMINUTE/2+1)*!HPDAY*!HPDATE*11]
ECHO ------------
------------------------------------

:LISTF @.MLOGON.COM,2
ACCOUNT=  ACCT        GROUP=  MLOGON

FILENAME  CODE  ------------LOGICAL RECORD-----------  ----SPACE----
                  SIZE  TYP        EOF      LIMIT R/B  SECTORS #X MX

PROG               72B  FA           1          4   3       16  1  1
GEORGE             72B  FA           1          4   3       16  1  1
MANAGER            72B  FA           1          4   3       16  1  1
MGR                72B  FA           1          4   3       16  1  1
TECHOP             72B  FA           1          4   3       16  1  1

If a file exists with a user name or an account name in this group, that
user will be automatically allowed multiple log on capability. PROG and
TECHOP are accounts, the rest are users. Contents of one of the files is
shown below.

:PRINT MGR.MLOGON.ACCT
ALLOW USER MULTI LOG ON CAPABILITY
  ^-- Actual contents of file is not important, only that the file exists.

This method is somewhat crude, but is FREE and handles all the situations
we have encountered. It does not interfere with our programmers having
multiple sessions and it allows operations to let someone log on twice if
there is a good reason on a one time basis, or by creating a file in the
MLOGON group, on a more permanent basis.

Tony Peters
Project Manager - New Technology
S&C Electric Canada Ltd
90 Belfield Rd
Toronto ON M9W 1G4
Ph 416 249-9171
Fax 416 249-3193
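
The release-code expression used in MLOGON and RELCODE above, modelled in Python as an added example (not part of the original post) so that a site adopting the method can check how the code behaves over a day: when a code issued by Operations still matches, and in which two-minute windows the product is 0, the value SCCODE is initialised to. Assumptions: HPDAY is the day of the week with 1 = Sunday, HPDATE is the day of the month, "/" is integer division, and the sample date is constructed.

```python
from datetime import datetime, timedelta

CONSTANT = 11  # multiplier used in the posted MLOGON and RELCODE files


def hp_day(dt):
    """Day of week as assumed for HPDAY: 1 = Sunday ... 7 = Saturday."""
    return dt.isoweekday() % 7 + 1


def release_code(dt, constant=CONSTANT):
    """HPMONTH*HPHOUR*(HPMINUTE/2+1)*HPDAY*HPDATE*constant, integer division."""
    return (dt.month * dt.hour * (dt.minute // 2 + 1)
            * hp_day(dt) * dt.day * constant)


def code_still_matches(issued_at, entered_at, constant=CONSTANT):
    """True if the value RELCODE printed at issued_at equals the value
    MLOGON computes when the user types it at entered_at."""
    return release_code(issued_at, constant) == release_code(entered_at, constant)


def day_windows(day, constant=CONSTANT):
    """(window start, code) for each of the 720 two-minute windows of a day."""
    midnight = datetime(day.year, day.month, day.day)
    starts = (midnight + timedelta(minutes=2 * i) for i in range(720))
    return [(t, release_code(t, constant)) for t in starts]


def zero_code_windows(day, constant=CONSTANT):
    """Window starts where the product is 0, the value SCCODE starts at."""
    return [t for t, code in day_windows(day, constant) if code == 0]


if __name__ == "__main__":
    issued = datetime(1996, 3, 14, 10, 30)  # constructed sample time
    print("code issued at 10:30:", release_code(issued))
    for delta in (1, 2):
        entered = issued + timedelta(minutes=delta)
        print(f"entered +{delta} min, matches:", code_still_matches(issued, entered))
    zeros = zero_code_windows(issued)
    print("windows with code 0:", len(zeros),
          "from", zeros[0].time(), "to", zeros[-1].time())
    print("distinct codes that day:", len({c for _, c in day_windows(issued)}))
```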