| Title: | DECmcc user notes file. Does not replace IPMT. |
| Notice: | Use IPMT for problems. Newsletter location in note 6187 |
| Moderator: | TAEC::BEROUD |
| Created: | Mon Aug 21 1989 |
| Last Modified: | Wed Jun 04 1997 |
| Last Successful Update: | Fri Jun 06 1997 |
| Number of topics: | 6497 |
| Total number of notes: | 27359 |
Hello,
I'm running DECmcc V1.1 (Official release) and having problems with
Access Control.
I found that when I just started up DECmcc with the FCL or Iconic_map
interface, Access control information supplied with by or Pull down
menu is not passed on.
Example:
$ mana/enter
DECmcc (V1.1.0)
MCC> show node4 rtdmsu all cha,by user="doolaard",by passw="password"
Node4 rtdmsu
AT 16-JUL-1991 10:00:42 Characteristics
Access control information invalid at Node
>>When I now open up RTDMSU so no access control information needs to be
>>supplied :
>>On node RTDMSU:
#adduser
Enter login name for new user (initials, first or last name): guest
Enter uid for new user [270]:
Enter full name for new user: guest
What login group should this user go into [users]:
Enter another group that 'guest' should be a member of
(<RETURN> only if none):
Enter parent directory for guest [/usr/users]:
The shells are:
/bin/sh /bin/csh /usr/bin/ksh /usr/bin/sh5
Enter the users login shell name [/bin/csh]:
Adding new user ...
Creating home directory...
Until the password is set for guest they will not be able to login.
Changing password for guest
Enter new password:
Verify:
#
>>Now I go into DECmcc :
$ mana/enter
DECmcc (V1.1.0)
MCC> show node4 rtdmsu all cha
Node4 63.12
AT 16-JUL-1991 10:21:47 Characteristics
Examination of Attributes shows:
Identification = "RTDMSU Rotterdam C.S."
Management Version = V4.2.0
Incoming Timer = 20 Seconds
Outgoing Timer = 30 Seconds
Incoming Proxy = Enable
Outgoing Proxy = Enable
NSP Version = V4.1.0
Maximum Links = 32 Links
Delay Factor = 64
Delay Weight = 3
Inactivity Timer = 30 Seconds
Retransmit Factor = 10
Routing Version = V2.1.0
Type = EndNodeIV
Maximum Circuits = 1
Segment Buffer Size = 576
MCC>
>>All works as expexted.
>>If I now remove the guest account on node RTDMSU and I STAY in DECmcc
>>Access control information is used properly.
MCC>show node4 rtdmsu all cha,by user="doolaard",by passw="password"
Node4 63.12
AT 16-JUL-1991 10:21:47 Characteristics
Examination of Attributes shows:
Identification = "RTDMSU Rotterdam C.S."
Management Version = V4.2.0
Incoming Timer = 20 Seconds
Outgoing Timer = 30 Seconds
Incoming Proxy = Enable
Outgoing Proxy = Enable
NSP Version = V4.1.0
Maximum Links = 32 Links
Delay Factor = 64
Delay Weight = 3
Inactivity Timer = 30 Seconds
Retransmit Factor = 10
Routing Version = V2.1.0
Type = EndNodeIV
Maximum Circuits = 1
Segment Buffer Size = 576
MCC>
>>As soon as I go out of DECmcc in in again,I get Access control
>>information invalid at Node
I Found this to be the case for Register and Show commands in either
FCL or Iconic_map.
It also means that before Access Control works on all nodes I have to
do a show command on all those nodes when there is no Acces control
needed (a vallid decnet account or nml object) then secure all these
nodes and never leave DECmcc.
Is there a solution for this problem?
Carlo Doolaard.
| T.R | Title | User | Personal Name | Date | Lines |
|---|---|---|---|---|---|
| 1249.1 | PMs always pass access control | TOOK::CALLANDER | Jill Callander DTN 226-5316 | Wed Jul 17 1991 11:57 | 5 |
the PMs are always passing it, the question is actually "what does the dna4 am require for access control to work?" I have passed this along to the project lead for decnet modules, he is just back from vacation so.... | |||||
| 1249.2 | help is on the way... | TOOK::D_BALL | Fri Jul 19 1991 18:21 | 11 | |
Hi -
I am one of the access module developers. I would like the address to
node rtdmsu. I will be trying a few tests on different ultrix notes
with and without a guest account.
- darryl
| |||||
| 1249.3 | Node number but.... | HOO78C::DOOLAARD | Which way.... | Mon Jul 22 1991 12:40 | 14 |
Darril,
RTDMSU is a node in a hidden area node number 63.12 in Holland
(Rotterdam).
But as far as I looked in to the problem I'have seen the same problem on
VMS nodes (hidden area and non hidden area's). I also expirienced this
problem on a customer side.
It seems that if NML or the guest account is closed,so you need to
supply access control info,this access control info is not used
correctly. Only if you unsecure the node,do a show,then secure the node
and DO NOT leave DECmcc all works O.K.
Carlo.
| |||||
| 1249.4 | Now We're REALLY getting confused | TOOK::CAREY | Tue Jul 23 1991 13:25 | 44 | |
Hi Carlo,
We wanted to bang on your node directly because we haven't had this
kind of problem at all. We're trying to figure out what is going on,
but for us, access control works just fine on VMS and Ultrix systems.
That is, when we don't expect access rights, we don't have 'em.
When we use explicit information to gain access rights, they work.
When we have guest privs, they work. When we need different access
rights (to SET attributes, for example), we use them explicitly, and
they work.
I don't have any doubt at all that you're having a problem. But we've
got no idea what is happening, or how to reproduce it.
Could you let me know what Operating Systems and versions you've been
unsuccessful in gaining access to? Any special setup that you know
about? As I remember it, you had to stand on your head and sing three
verses of some song to get logged into your systems from a remote site;
you must have a lot of special security associated with your systems.
I know that there are [at least] two ways to encode access information
in a NICE message. In ages past, some systems only liked one of them.
I haven't seen this in years, and don't expect it is your problem.
We have seen some strange side effects from maximum security on VMS
systems. Let's see if I remember it correctly:
- VMS system with proxy access to a captive, non-privileged
account.
- Attempt to login with explicit valid access information to
another account.
- You can't gain access to this more privileged account remotely.
I've only seen this on VMS, and still argue about whether this is a
security feature, or a nightmare. RTDMSU looks like an Ultrix node.
So, we haven't got a clue.
Any ideas are welcome.
-Jim Carey
| |||||
| 1249.5 | More info to add to the confusion?? | HOO78C::DOOLAARD | Which way.... | Wed Jul 24 1991 11:52 | 153 |
More info and this time both the DECmcc node as well as the target
node are in the same (nonhidden) area 50: (So Jim if you want to test
it on our systems here let me now,there is in real life a valid nml
user account on HLRG02 and thus I need to close it for testing...)
The node wich runs DECmcc (HLRG07 node nr:50.830) runs VMS Version V5.4
The node HLRG02 runs also VAX VMS V5.4.
The node wich I'm going to use in this example for wich I supply access
control is node HLRG02 (50.452)
I'll be showing DECmcc's behaviour with a valid user and password set up for
the NML object and without a valid user and password (so I need to supply
access control info).
I'm running DECmcc version:
MCC> show mcc 0 all cha
MCC 0
AT 24-JUL-1991 13:55:29 Characteristics
Examination of Attributes Shows:
Component Version = V1.1.0
Component Identification = "DECmcc"
Step 1: Node HLRG02 has an object nml with a valid user name and password
I startup DECmcc on node HLRG07:
$manage/enter
DECmcc (V1.1.0)
MCC> show node4 hlrg02
Using default ALL IDENTIFIERS
Node4 50.452
AT 24-JUL-1991 14:00:05 Identifiers
Examination of Attributes shows:
Address = 50.452
Name = HLRG02
MCC>
Works fine
I now supply username and password:
MCC>show node4 hlrg02, by user "doolaard" , by password "12345678"
Using default ALL IDENTIFIERS
Node4 50.452
AT 24-JUL-1991 14:02:05 Identifiers
Examination of Attributes shows:
Address = 50.452
Name = HLRG02
Works also fine
Step 2:
Now I put on the object nml on node hlrg02 a non existing username:
$mc ncp
NCP>sho obj nml
Object Volatile Summary as of 24-JUL-1990 14:03:16
Object Number File/PID User Id Password
NML 19 NML.EXE NML$SERVER password
NCP>set obj nml user xxx
NCP>
On node hlrg07 I still was in DECmcc and when I do :
MCC>show node4 hlrg02
Using default ALL IDENTIFIERS
Node4 50.452
AT 24-JUL-1991 14:08:29 Identifiers
access control information invalid at Node
MCC>
Just like I expexted.
When I now supply access control information:
MCC>show node4 hlrg02, by user "doolaard" , by password "12345678"
Using default ALL IDENTIFIERS
Node4 50.452
AT 24-JUL-1991 14:11:37 Identifiers
Examination of Attributes shows:
Address = 50.452
Name = HLRG02
MCC>
Again just as I expexted
Step 3:
When I now go out of DECmcc on node HLRG07 and back in again (Must go out
and back into DECmcc to get the problem).
MCC>exit
$mana/enter
DECmcc (V1.1.0)
MCC>show node4 hlrg02, by user "doolaard" , by password "12345678"
Using default ALL IDENTIFIERS
Node4 hlrg02
AT 24-JUL-1991 14:15:48 Identifiers
access control information invalid at Node
MCC>
This is NOT what I expected!!!!
Also the show command without access control fails (expexted)
Step 4:
When I now put a existing username on the object nml on node HLRG02 it works
fine again:
NCP>set obj nml user nml$server (on node hlrg02)
MCC>show node4 hlrg02, by user "doolaard" , by password "12345678" (on HLRG07)
Using default ALL IDENTIFIERS
Node4 50.452
AT 24-JUL-1991 14:19:47 Identifiers
Examination of Attributes shows:
Address = 50.452
Name = HLRG02
OR
MCC>show node4 hlrg02
Using default ALL IDENTIFIERS
Node4 50.452
AT 24-JUL-1991 14:21:28 Identifiers
Examination of Attributes shows:
Address = 50.452
Name = HLRG02
If I now again put a nonexisting username on nml access control keeps working until I exit DECmcc and go in DECmcc again.
Hope this will bring some light............
By the way there are no special security setups for HLRG02 (Although I must
admit that Jim was right about the things I had to do to log into my home
account from abroad but thats security.....)
Carlo.
| |||||