ADSM-L

Re: Why does dsm think I am root?

1997-01-02 13:01:52
Subject: Re: Why does dsm think I am root?
From: Dwight Cook <decook AT AMOCO DOT COM>
Date: Thu, 2 Jan 1997 12:01:52 -0600
     I've mentioned this before in great detail so I'll try to keep it
     short here....  I'm not sure about the how's & why's BUT adsm is doing
     more than we think... (and maybe more than IBM knows) security wise...
     In early rollout & testing I had a netframe node running netware 4.x
     with 2 fddi cards. Naturally these two cards had two different IP
     addresses... only one ip address had an associated name in the name
     server and was for user access to the box... the other was on a
     different subnet and mainly for backups (and faster access from a
     different area/campus/office/location than where the machine was
     located)... ANYWAY whatever we did in setting things up caused the
     server to know the node by the general public DNS entry name and IP
     address but the adsm code on the box would go out the 2nd less known
     card... when the first scheduled event kicked off it contacted the
     node, initial communications were performed and then the server
     REJECTED the connection... (over and over again) as weird as this
     sounds ALL I DID WAS DISCONNECT THE 10BaseT LINE that was used mainly
     for DNS access, and ADSM accepted the connection.  I never have gone
     back to investigate things and never heard back anything from this
     list or IBM when I told the initial story but ADSM is doing some
     remembering, checking, and rechecking...
     I'm just guessing that there is not much in the way of documentation
     because they don't want anyone hacking through what they do have for
     security.... I've had one other server act this way and to fix it I
     just deleted the entry and re-added it... then when the initial contact
     was made by the client everything worked out on the server... heck
     maybe it does something with the SR# in the communication card and if
     it changes it double checks/alternately checks IP addresses against
     name entries
     I DON'T KNOW... and never heard anything back when I was trying to
     find out.... all I know is GOOD LUCK getting info out of a server if
     you haven't given another node (like the server) access to your
     files...  well, wait, I take that back... I believe it could perform
     some operations but could not create any new backups... I guess
     protecting from other nodes trying to roll off good backups...
     GOD my brain isn't ready for this much thought process today....
     later
          Dwight



______________________________ Reply Separator _________________________________
Subject: Re: Why does dsm think I am root?
Author:  ADSM-L (ADSM-L AT VM.MARIST DOT EDU) at unix,mime
Date:    1/2/97 10:21 AM


Andy Raibeck wrote:
>
> I agree that it is not clear at all that you can use the SERVERNAME
> option to point to the same ADSM server, but with different settings
> (like NODENAME). And in general, the security issues associated with
> the ADSM UNIX clients need to be documented better, too. I will look
> into this.

The security issues raised by ADSM go beyond client operations as such.
There are a variety of concerns about hostile parties eavesdropping on
data in transit, altering data in transit, posing as a server to trick
client software into taking inappropriate actions, or posing as a client
to trick server software into taking inappropriate actions. I don't
think our ADSM installation could pass any sort of serious security
audit. I don't know whether its inability to pass such an audit is a
result of inadequate security or adequate but undocumented security.
The one piece of relevant information I have is not encouraging: IBM
doesn't think the matter important enough to warrant any discussion in
the ADSM manuals.