Using Proxy Logins definesthe concept of proxy logins. You can authorize proxy access whenyou encounter situations where users either on different nodes orin different groups want to share files on your system and you arereluctant to give out passwords or to set the directory and fileprotection to W:RWE. With proxy logins, there is no need to embedpasswords in commands to copy a file across the network. There isalso no need to allow world read access to a file for file transfers.The user enters the following form of the DCL command COPY to adefault proxy account: COPY remotenode::file-spec file-spec
To copy a file over the network using proxy access from anaccount other than the default, the user includes the name of theproxy account in the access control string of the DCL command, asfollows: COPY remotenode"proxyacct"::file-spec file-spec
Special SecurityMeasures with Proxy Access Proxy access is a selective merging of the authorization databasesof the affected systems. Therefore, the security is only as goodas the security of the least secure node.
Although proxy access eliminates passwords going over thenetwork, it is possible for a personal computer to bypass the proxylogin mechanism by impersonating one of the authorized nodes. Forthis reason, implement the following procedures:
Do not enable incoming proxy accessto sensitive data.
Set up nonprivileged proxy accounts. If an accountdoes need privilege, be sure those privileges cannot damage yoursystem. (This practice provides a shield between systems in a networkif one node is penetrated. The fact that proxy logins provide admittanceonly to nonprivileged accounts at other nodes may help contain theextent of damage if one system in the network is penetrated.) Ifyour site has high security requirements, do not grant network orremote access to privileged user names.
Extend proxy access only to nodes that are alwaysor almost always on the network. (It is easier for an intruder toimpersonate a node when it is off the network.) You must createa balance between using proxies and having access control stringswith passwords traveling over the network. A workstation or personalcomputer on the network that is capable of impersonating a nodeis also capable of monitoring network messages and thus capturingpasswords. Ultimately, you must ensure that all nodes connectedto your local network have some level of trustworthiness.
Exercise caution when authorizing users. Ideally,you should receive a formal authorization request from the securityadministrator at the remote site.
Examine any login command procedures for a proxyaccount. Make certain that they follow the recommendations in Guidelines for Captive Command Procedures for login commandprocedures in captive accounts. Login command procedures shouldreside in a well-protected directory owned by a user other thanthe owner of the proxy account. They should prohibit write accessfor those who use the account.
Setting Up a Proxy Database If a remote user's connection request does not contain accesscontrol information, the following conditions must be met for proxyaccess to be approved:
The proxy database on the target nodemust contain a source node's node synonym and source user name combinationthat matches the remote source node's node synonym and source username. In Sample Proxy Account, forexample, the security administrator adds a proxy for KMahogany.KMahogany must access the proxy accoun from node Birch.
The target node's user authorization file must containa source user name that matches the proxy database entry's targetsource user name. Sample Proxy Account assumesthat the SYSUAF.DAT file on node Birch has a user authorizationrecord for KMahogany.
Outgoing proxy must be enabled on the originatingnode for the node itself and for all applications that expect touse proxy.
You can control the use of proxy logins at the local node.Use AUTHORIZE to create and modify the permanent proxy database.
The default network proxy authorization file is NET$PROXY.DAT.However, AUTHORIZE maintains the file NETPROXY.DAT for compatibility,for support of many layered products, and for translation of DECnetfor OpenVMS (Phase IV) node names.
Each network proxy entry can map a single remote user to multipleproxy user names on the local node (one default proxy user nameand up to fifteen additional proxy user names). If you are goingto have access to more than one proxy account from the same nodeand login name, indicate which proxy account should be the default.The proxy database entry identifies the user in the form of nodename::username or nodename::[group,member].
For example, to create a proxy file at a local node and adda default proxy entry mapping user Martin on remote node Bostonto user Allen at the local node, enter the following commands:
$ SET DEFAULT SYS$SYSTEM$ RUN AUTHORIZEUAF> CREATE/PROXYUAF> ADD/PROXY BOSTON::MARTIN ALLEN/DEFAULTUAF> EXIT
Similarly, the system manager at a remote node can createand maintain a proxy database of network users having proxy accessto specific accounts on that node. AUTHORIZE Commands for Managing Network Proxy Access summarizes AUTHORIZE commands used to manage theproxy database.
Table 1 AUTHORIZE Commands for Managing Network Proxy Access
Command
Argument
Description
ADD/PROXY
node::remoteuserlocaluser[,...]
Adds proxy access for thespecified user.
CREATE/PROXY
Creates a network proxy authorizationfile.
LIST/PROXY
Creates a listing file ofall proxy accounts and all remote users with proxy access to theaccounts.
MODIFY/PROXY
node::remoteuser
Modifies proxy access forthe specified user.
REMOVE/PROXY
Deletes proxy access forthe specified user.
SHOW/PROXY
* node::remoteuser
Displays proxy access allowed for the specifieduser.
Enabling and Disabling Incoming Proxy Access You can control proxy access to your node and to particularapplications.
To accept proxy connections to your node, set the incomingproxy attribute in the executor database in the following way:
NCP>SET EXECUTOR INCOMING PROXY ENABLE
To deny proxy connections to your node, set the outgoing proxyattribute in the following way:
NCP>SET EXECUTOR INCOMING PROXY DISABLE
If proxy access to the node is disabled, the system ignoresany proxy connection request.
A comparable set of steps is necessary on the originatingnode so that proxy data is transmitted in the connect request message.Set proxy attributes for both the node and for all applicationsthat expect to use proxy, for example:
NCP>SET EXECUTOR OUTGOING PROXY ENABLENCP>SET OBJECT MAIL PROXY BOTHNCP>SET OBJECT MAIL PROXY INCOMINGNCP>SET OBJECT MAIL PROXY OUTGOING
In general, enabling outgoing proxy is a good idea, even ifthe target node does not enable proxy for the object, because enablingoutgoing proxy puts the originating user name in the connect message.Thus the user name is available for accounting and audit logs onthe target node. Be aware that a small number of DECnet applicationsdepend on the nonproxy form of the connect message (for example,some use the connect message space for application information ratherthan user names) and do not function if outgoing proxy is enabled.
To allow proxy access to a particular application, you mustenable the proxy access for both the node and the application. Inaddition, specify the name of the application in the SET OBJECTcommand. For example, the following enables proxy access to theapplication NML:
To disable proxy access to an application, identify the applicationin the SET OBJECT command, and set the incoming proxy attributeto disable. For example, the following disables proxy access tothe application FAL:
NCP>SET OBJECT FAL INCOMING PROXY DISABLE
If incoming proxy is enabled for the application but the proxyaccess for the node is disabled, the system in effect ignores anyproxy access request to the application.
Removing Proxy Access Removeproxy access to the system when it is no longer needed. Invoke AUTHORIZE,and enter the following command to remove proxy access:
UAF> REMOVE/PROXY BOSTON::MARTIN
Procedure for Creating a Proxy Account When you want to set up a proxy account on your node for useby one or more users at other nodes, you must perform the followingsteps. Refer to the security guidelines listed in Special Security Measures with Proxy Access as you createthe account.
Define the purposeof the account, its name, and which network users will be admitted.
Create the local account, if necessary, with AUTHORIZE;if the account already exists, make sure it is restricted and definedas /NOINTERACTIVE, /NOBATCH, /NETWORK.
Review the privileges on the account. Generallyavoid granting privileges to proxy login accounts.
Create the network proxy authorization file, ifnecessary, with the AUTHORIZE command CREATE/PROXY. (The systemusually creates it automatically.)
Allow as many remote users as necessary access tothe proxy account with the AUTHORIZE command ADD/PROXY.
Check the default protection on the directory, andcustomize it as necessary.
Examine any login command procedure specified bythe /LGICMD qualifier to the ADD command. In captive accounts, makecertain that the login command procedure follows the recommendationsin Guidelines for Captive Command Procedures. Itshould reside in a well-protected directory owned by a user otherthan the owner of the proxy account. It should prohibit write accessfor those who use the account.
Notify the security administrator at the remotenode about which users from that node have been authorized for accessto your node.
Example of a Proxy Account In Sample Proxy Account, thesecurity administrator at the node WALNUT wants to create a generalaccess account called GENACCESS. At the same time the administratorwants to take steps to allow proxy logins by three users from thenode BIRCH: KMahogany, PSumac, and WPine, as well as two users fromthe node WILLOW: RDogwood and WCherry. No network proxy authorizationfile currently exists.
Example 1 Sample Proxy Account
$ SET DEFAULT SYS$SYSTEM$ RUN AUTHORIZEUAF> ADD GENACCESS /PASSWORD=WHYNADGUM/UIC=[236,043] -_UAF> /DEVICE=STAFFDEV/DIRECTORY=[GENACCESS] -_UAF> /OWNER="Security Mgmt"/ACCOUNT=SEC -_UAF> /FLAGS=(DISWELCOME,DISNEWMAIL,GENPWD,DISMAIL) -_UAF> /NOBATCH/NOINTERACTIVE/MAXDETACH=8 -_UAF> /LGICMD=LOGIN/MAXACCTJOBS=10%UAF-I-ADDMSG, user record successfully added%UAF-I-RDBADDMSGU, identifier GENACCESS value [000236,000043]added to rights database%UAF-I-RDBADDMSGU, identifier SEC value [000236,177777] added torights databaseUAF> CREATE/PROXYUAF> ADD/PROXY BIRCH::KMAHOGANY GENACCESS/DEFAULT%UAF-I-NAFADDMSG, proxy from OMNI:.BOSTON.BIRCH::KMAHOGANY toGENACCESS addedUAF> ADD/PROXY BIRCH::PSUMAC GENACCESS/DEFAULT%UAF-I-NAFADDMSG, proxy from OMNI:.BOSTON.BIRCH::PSUMAC toGENACCESS addedUAF> ADD/PROXY BIRCH::WPINE GENACCESS/DEFAULT%UAF-I-NAFADDMSG, proxy from OMNI:.BOSTON.BIRCH::WPINE toGENACCESS addedUAF> ADD/PROXY WILLOW::RDOGWOOD GENACCESS/DEFAULT%UAF-I-NAFADDMSG, proxy from OMNI:.BOSTON.WILLOW::RDOGWOOD toGENACCESS addedUAF> ADD/PROXY WILLOW::WCHERRY GENACCESS/DEFAULT%UAF-I-NAFADDMSG, proxy from OMNI:.BOSTON.WILLOW::WCHERRY toGENACCESS addedUAF> SHOW/PROXY *::* Default proxies are flagged with a (D) OMNI:.BOSTON.BIRCH::KMAHOGANY GENACCESS (D) OMNI:.BOSTON.BIRCH ::PSUMAC GENACCESS (D) OMNI:.BOSTON.BIRCH ::WPINE GENACCESS (D) OMNI:.BOSTON.WILLOW ::RDOGWOOD GENACCESS (D) OMNI:.BOSTON.WILLOW ::WCHERRY GENACCESS (D) UAF> EXIT{messages}$ DIRECTORY/SECURITY SYS$STAFF:[000000]GENACCESS.DIR$ DIRECTORY/SECURITY SYS$STAFF:[GENACCESS]LOGIN.COM
HP OpenVMS Guide to System Security
Security for the System Administrator
