
Net.digest summarizes helpful technical discussions on the HP 3000 Internet newsgroup. Advice here is offered on a best-effort, Good Samaritan basis. Test these concepts for yourself before applying them to your HP 3000s.

It was a month of heavy traffic on the 3000-L Internet mailing list, traffic that felt even heavier as several posters felt compelled to pack messages with multi-megabyte attachments. Just the sort of behavior that makes people eager to avoid the Internet and find alternative summaries of it. As former net.digest editor John Burke noted after several T-shirt layouts jammed up hundreds of e-mail boxes and stalled the mail list server, don’t send attachments to mail lists. We’d go a step further and say don’t send any unrequested attachments in any e-mail. We think it’s like sending a beer truck and liquor set-ups to an AA meeting. Somebody might appreciate it, but it’s more gracious to check if that somebody is the recipient.

With that attachment deleted from our in-box, let’s take a quick peek at helpful messages. With fewer people getting a chance to go to shows like HP World, 3000 sites are rolling up sleeves to learn out on the Internet.

Tracking down users

It was a question born to be answered on the Internet. David Ross wanted to know how he could get a nodename from a given IP address to track down a user’s logon with only the IP address as a clue. SIGSYSMAN chair Donna Garverick warned that “if you can, do use DNS – preferably hosted off of some other Unix box. This gets you out of the IP/host name maintenance business, and lets you focus on keeping your 3000s happy. I’d not recommend using the hosts file unless you don’t have DNS available. Setting your 3000 up to use DNS isn’t that hard – shoot, even I figured it out.”

Neal Kazmi of Minisoft pointed out that “this can go one of two ways. Are you referring to the NSVT nodename, or the DNS/Internet nodename? The NSVT node name is sent by the emulator. The other node name is resolved by the DNS server or HOSTS file on a system.”

Internet wizard Chris Bartram explained how to use nslookup, the MPE/iX software for the job: “You can pick up the ported nslookup from www.3kassociates.com. Enable DNS (resolution; you don’t need to be running a nameserver on your 3000 to resolve names) by setting up RESLVCNF.NET.SYS (see example file RSLVSAMP.NET.SYS). Just type an IP address in nslookup and by default it’ll resolve the name of the node for you.”

Encrypting to satisfy auditors

Wilson Wong asked if there was a way to encrypt MPE logon passwords to keep his auditors satisfied that the HP 3000 was secure, “so that they cannot be easily read with the ;pass parameter (i.e. listuser xxx.yyy;pass).” The replies generated one of the longest threads of the month on the list.

After mention of HP’s Security Monitor/iX, a tool in scant use, discussion moved to the more popular security aids available from Vesoft (Security/3000) and Monterrey Software. Tracy Johnson offered an opinion that “the answer to your auditors is not in encrypting passwords. The answer lies in restricting AM and SM capability to only those key personnel who can use the “;pass” parameter within established policy. AM and SM capability also presumes the same capability to change another user’s password, and therefore also the ability to look it up.”

Chris Boggs reported in a virtual testimonial that “Our auditors were not satisfied by even limiting SM and AM capabilities to only two individuals (both in our department). Since we had Vesoft already, I changed our regular logon ID’s to use the Vesoft password which is encrypted. There are other features in Vesoft security which are handy when dealing with auditors such as password obsolescence, password “history,” minimum password standards, inactivity logouts, day/time restrictions, automatic deactivation of logonID’s after a certain number of failed logon attempts, and probably a few others.”

Bradmark’s Jerry Fochtman, who reported that he did a lot of security work on 3000s in the mid-80s, said some Interex Contributed Software Library routines can help: “I developed a routine to return the passwords for user/group/account (based upon caller’s capabilities) during this time. It also signaled if the password was encrypted, simply returning blanks in this case. There was another routine which given a password, would encrypt it based upon HP’s approach and tell the caller if the entered password matched the one in the system directory.”

Fochtman also took note of the Vesoft abilities and added his humble opinion on the security solution from Monterrey: “SAFE/3000 also utilizes one-way encryption for its passwords. And in terms of strictly security, is a better tool in several areas, such as network security.”

Michael Gueterman, whose company Easy Does It Technologies does pre-audits for 3000 sites, added notes on using only session-level passwords: “That’s fine for some things, but I still recommend keeping at least MPE Account passwords in place for all but the most “open” areas. For accounts with SM or PM, I also recommend MPE User passwords as well. Also, when at all possible, explicitly define what people are ALLOWED to access, instead of using generic wildcards. Wildcards make auditors unhappy, and an unhappy auditor is dangerous!”

He also noted that setting up either the Monterrey product or the Vesoft solution to be gatekeeper for logons has a prerequisite: “The one caveat I have for people using either SAFE/3000 or Security/3000 in this manner is to retain your MPE passwords on your SM/PM users regardless. That is because both packages must have a background job started prior to this “pre-logon” process to take effect. That means that if that job doesn’t get started for some reason, your system would be vulnerable without MPE passwords as a backup.”

“Both are great products, and each have their own strengths and weaknesses. SAFE/3000 (as the name applies “Security and Audit Facility”) allows you to restrict and audit access to the files once you’ve logged on, whereas Security/3000 brings the power of MPEX to a menuing system, and “smart” job streams.”

Interactive ABORTJOB development

Traffic on the 3000 news list often includes interactive development, sometimes from within HP’s labs. Last month CSY’s Jeff Vance developed a script to help in discovering “which job gets aborted when the “user.acct” form of the ABORTJOB command is used. The unfortunate answer is that it is not easily predictable and, worse, only the first matching job gets aborted. I wrote a simple script that fully supports wildcarded ABORTJOB’s (username, acctname and jobname can be wildcarded) and it also handles a list of candidate jobs to be aborted.”

John Burke offered some insightful online tuning of Vance’s script, noting that “applying ABORTJOB instead of NSCONTROL KILLSESS= can create a ghost session that cannot be removed any way other than with a reboot.”

Within a few days Vance had revised his script, adding “a ‘minus’ feature to the ABORTJ command file. The syntax is similar to the STORE/RESTORE commands. Any job/session matching a name to the right of the minus (dash) is skipped. The full ABORTJ syntax (all names can be wildcarded) is:
ABORTJ jobID... and/or userID... [- jobID... and/or [-] userID]
where:
jobID is [#]J|Snnnn
userID is @J or @S or @ or [jobname,]user[.acct]”
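To make the selection rules above concrete, here is an added Python model of how the ABORTJ syntax picks candidate jobs and skips the ones named after the minus, set beside the first-match behavior of plain ABORTJOB user.acct that Vance describes. It is not Vance’s command file (that is an MPE CI script) and it assumes a constructed SHOWJOB-style job table and that an omitted jobname or account matches anything.

```python
import re
from collections import namedtuple

# jobid is "#Jnnnn" for a job or "#Snnnn" for a session; jobname "" = unnamed.
Job = namedtuple("Job", "jobid jobname user acct")

# Constructed SHOWJOB-style listing used as sample input.
JOBS = [
    Job("#J101", "NIGHTLY", "MGR", "PAYROLL"),
    Job("#J102", "BACKUP", "OPERATOR", "SYS"),
    Job("#S201", "", "MGR", "PAYROLL"),
    Job("#J103", "REPORT", "MGR", "PAYROLL"),
    Job("#S202", "", "CLERK", "PAYROLL"),
]

def wild(pattern):
    """MPE wildcards: @ = any string, # = one digit, ? = one alphanumeric."""
    return re.compile("".join({"@": ".*", "#": "[0-9]", "?": "[A-Z0-9]"}
                              .get(c, re.escape(c)) for c in pattern.upper()))

def matches(job, spec):
    """Does one jobID or userID spec (syntax quoted above) select this job?"""
    spec = spec.upper()
    if spec in ("@", "@J", "@S"):             # everything / all jobs / all sessions
        return len(spec) == 1 or job.jobid[1] == spec[1]
    m = re.fullmatch(r"#?([JS])(\d+)", spec)  # [#]Jnnnn or [#]Snnnn
    if m:
        return job.jobid == f"#{m.group(1)}{int(m.group(2))}"
    jobname = "@"                             # assumption: omitted jobname = any
    if "," in spec:
        jobname, spec = spec.split(",", 1)
    user, _, acct = spec.partition(".")
    acct = acct or "@"                        # assumption: omitted account = any
    return all(wild(p).fullmatch(v) for p, v in
               ((jobname, job.jobname), (user, job.user), (acct, job.acct)))

def first_match(jobs, spec):
    """Plain ABORTJOB user.acct: only the first matching job is aborted."""
    return next((j.jobid for j in jobs if matches(j, spec)), None)

def select_jobs(jobs, args):
    """ABORTJ: every job matching a spec before '-' and no spec after it."""
    include, exclude, excluding = [], [], False
    for a in args:
        if a.startswith("-"):                 # bare "-" or "-name" starts the skips
            excluding, a = True, a[1:]
        if a:
            (exclude if excluding else include).append(a)
    return [j.jobid for j in jobs
            if any(matches(j, s) for s in include)
            and not any(matches(j, s) for s in exclude)]
```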

You can download Vance’s command file from CSY’s Jazz Web server at or send an e-mail to Vance at jvance@hp.com and he’ll mail you the script.


Copyright 1998, The 3000 NewsWire. All rights reserved.