Ascend Archive

Re: (ASCEND) Secure TServ Access via Telnet?





On Thu, 7 Jan 1999, T. Burress wrote:

> We're running 7.0.1, and would like to set up a security profile (or some
> other mechanism) that would allow our support group to access a Max and
> use TServ commands like "show users" over a local telnet connection.
> 
> The trouble is that there doesn't seem to be a very secure way of limiting
> them to just these functions. Setting up a security profile with
> everything turned off except "Operations" and "Sys Diag" allows them to
> get at the terminal server, but they also have access to "Sys Reset" and
> "Upd Rem Cfg," which don't sound like very good ideas. They also get "Use
> MIF," and I have no idea what trouble that would allow them to get into.
> 
> So... is there another way to give only a selected group of people access
> to the TServ commands?
> 

I use expect scripts.  I make an expect script that opens a telnet session
to the box, logs in as a user with sufficient permissions and then
executes the desired command.  I then capture the output using a regular
expression and reformat it as required.

The trick to making this secure is to make the expect script owned by a
special user on my Unix machine [-rwx------], and then make a C wrapper
that calls the script (passing any arguments).  The C wrapper is then run
suid the special user.

This works nicely for technical support utilities, web-based utilities,
modem graphs, and the like.

If you would like a sample of some of these, send me e-mail and I'll send
you some.  You have to be running Unix with Tcl and expect to use them.
Even if you are not a Unix shop, you could get a Linux box for doing that
type of stuff...

					Mike Jackson
					TSCNet
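
A sketch of the kind of setuid C wrapper the message above describes, added here as an example and not taken from Mike Jackson's code. The binary and script paths, the `maxcmd` name, the argument order (host, then command) and the one-entry allowlist are assumptions; because the wrapper runs with the special user's rights, it checks its arguments and replaces the caller's environment before starting expect.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Assumed locations; the script is mode 0700 and owned by the special user. */
#define EXPECT_BIN  "/usr/bin/expect"
#define SCRIPT_PATH "/usr/local/lib/maxtools/tserv.exp"

/* TServ commands the support group may run; extend deliberately. */
static const char *const allowed_cmds[] = { "show users", NULL };

/* Return 1 only for an exact match against the allowlist. */
int command_allowed(const char *cmd)
{
    if (cmd == NULL)
        return 0;
    for (size_t i = 0; allowed_cmds[i] != NULL; i++)
        if (strcmp(cmd, allowed_cmds[i]) == 0)
            return 1;
    return 0;
}

/* Return 1 for a 1..63 character host name of letters, digits, '.' and '-'
   that does not begin with '-' (so it cannot be read as an option). */
int host_is_safe(const char *host)
{
    static const char ok[] = "abcdefghijklmnopqrstuvwxyz"
                             "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-";
    size_t n;
    if (host == NULL || host[0] == '-')
        return 0;
    n = strlen(host);
    return n >= 1 && n <= 63 && strspn(host, ok) == n;
}

int main(int argc, char *argv[])
{
    /* Fixed environment: nothing set by the caller reaches expect or Tcl. */
    char *const envp[] = { "PATH=/usr/bin:/bin", NULL };

    if (argc != 3 || !host_is_safe(argv[1]) || !command_allowed(argv[2])) {
        fprintf(stderr, "usage: maxcmd <host> \"show users\"\n");
        return 2;
    }
    /* No shell is involved; the arguments are passed as separate words. */
    char *const args[] = { EXPECT_BIN, "-f", SCRIPT_PATH, argv[1], argv[2], NULL };
    execve(EXPECT_BIN, args, envp);
    perror("execve");   /* reached only if the exec failed */
    return 1;
}
```

The compiled binary is installed owned by the special user with the setuid bit set, and made executable only by the support group, so the Max password inside the expect script is never readable by the people running the tool.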

