HP might want to consider finishing SSH for MPE

SOX is already having an impact that is leaking through the 3000’s security. Is it hopeless to think that HP won’t finish up the SSH security tool that could help thousands of HP 3000 shops? Donna Garverick, who’s on the OpenMPE board of directors, wishes it weren’t so obvious that HP won’t fix a hole in the 3000’s Internet capability. “If this were a different time, I’d be pushing HP real hard to fully support SSH on MPE,” she said. “Thanks to Sarbanes-Oxley, a lot of us are running into this. Clearly, we’ve got a security issue on MPE.” SSH has limited support on the 3000, but it hasn’t made it into HP’s standard release of MPE/iX — it’s a freeware add-on.

Garverick said that FTP on the 3000 really doesn’t fill the security gap with its current feature set, either. “The topic has come up for FTP,” she said. “For us, the preferred solution is to do secure FTP... but anonymous FTP is (barely) acceptable. The problem with MPE’s anonymous FTP is that it’s really meant for pick-up only. (I’ll put a file somewhere in /FTPguest/ for you to come pick up.) However, if you put a file into /FTPguest/, unless I am user.FTPguest (unlikely) or an SM user (not), I’ll not have access to this file. In a multi-server, multi-OS environment, non-privileged production users have to be able to get these files.”

Garverick, who works with 3000s at Long’s Drugs’ California HQ, has opened a Service Request with HP requesting ‘site chmod’ support in FTP, which could serve as a workaround for SSH. The number is SR/jagaf55353. “If you’re in a similar situation, please call HP and let them know you want ‘site chmod’ support,” she said.