[Top] [All Lists]

Re: DCE and Net View Security

To: nv-l@lists.tivoli.com
Subject: Re: DCE and Net View Security
From: Chris Cowan <chris.cowan@2ND-WAVE.COM>
Date: Mon, 21 Jun 1999 12:00:54 -0700
Comments: RFC822 error: <W> TO field duplicated. Last occurrence was retained.
Organization: 2nd Wave
Reply-to: Discussion of IBM NetView and POLYCENTER Manager on NetView <NV-L@UCSBVM.UCSB.EDU>
Sender: Discussion of IBM NetView and POLYCENTER Manager on NetView <NV-L@UCSBVM.UCSB.EDU>
"Bacon, Benjamin" wrote:
> Hi,
> I was wondering if anyone has implemented a DCE security environment with
> Net View?  I am looking for the capability to use the same user and password
> for the actual AIX login and for Net View Security.  I would like to know
> the NV requirements for implementing DCE? Is three any documentation that I
> could be referred to?  How much configuration and maintenance is required
> for the DCE/NV environment?
> Thanks
> Benjamin Bacon

We did at IBM Austin, when I worked there.  It was NV V4.0.  Actually,
we were also running V3.0 of the Tivoli Framework, too.   (Just for
completeness it was the AIX 4.1.3 days with DCE 2.1).  Actually, we had
a setup where all non-admin users were going to both AFS/Kerb4 and DCE.
If you enable the DCE login, NetView (or any other application) should
not be able to distinguish it from using /etc/passwd, since it's hooked
at the system call level.

However, there are some caveats:
- You do not get ticket or token passing without going out and getting
replacements for the things like rsh, or rexec, and similar
- If DFS is involved there's an additional set of complications.

But most importantly, alot of applications like telnet, ftp, dtlogin,
Windows in general, and even Web Servers in general (that aren't using
SSL) will not protect your Kerberos password from clear text
transmission.  The problem in general is that alot of these applications
compromise Kerberos in exactly the area it was supposed to protect
against.   Primarily because the link between the input devices and the
Kerberos client is NOT secure.

If you're using DCE for the Single Sign-on aspect, OK.  But be careful,
if you're assuming you're getting the normal security of Kerberos
without doing a lot of additional work.

Attachment: chris.cowan.vcf
Description: Card for Chris Cowan

<Prev in Thread] Current Thread [Next in Thread>

Archive operated by Skills 1st Ltd

See also: The NetView Web