ADSM-L

Re: client schedule security question

1997-04-03 15:01:17
Subject: Re: client schedule security question
From: "Paul L. Bradshaw" <paulb AT DATATOOLS DOT COM>
Date: Thu, 3 Apr 1997 12:01:17 -0800
At client "signon" to the server, ADSM will create a session key (pulls it
out of the hat) and use the current password to encrypt this a few
different ways.  If after multiple exchanges between the client and the
server they can both decrypt and encrypt the messages correctly, they
become mutually authenticated to each other, and a session key is agreed to
that is only good for this session.  At the signon exchange the password
never flows over the wire, either in clear text or encrypted form (this is
for ADSM....if you're telnetting, etc., then that part of the wire is out of
ADSM's control!).  This holds true for backup/archive clients, admin
clients, etc.  You may wish to look at some of the Kerberos documentation
for similar mutual authentication or suspicion methods.

Now when passwords are changed (or created from an admin perspective), that
new password is always encrypted with the session key before it is sent
over the wire.  Since the session key never flows over the wire in clear
text this becomes very hard (never impossible) to corrupt.  Admin
datastreams are also encrypted in this way.

So, ADSM protects its sessions quite well, but other network connection
methods may not (telnet, X-sessions, remote logins, etc., all have control
info flowing over the wire, so beware!  Turn these facilities off if you
don't want them to be used!).  ADSM explains this in their customer
education material if you have attended a session in the past.

Paul L. Bradshaw                phone: (415) 842-9125
DataTools, Inc.                   fax: (415)-842-9162
3340 Hillview Ave.             mailto:paulb AT datatools DOT com
Palo Alto, CA 94304              http://www.datatools.com



----------
> From: Steven P Roder <tkssteve AT ACSU.BUFFALO DOT EDU>
> To: ADSM-L AT VM.MARIST DOT EDU
> Subject: Re: client schedule security question
> Date: Thursday, April 03, 1997 10:59 AM
>
> On Thu, 3 Apr 1997, Tom Denier wrote:
> >
> > If the person running dsmadmc is using telnet or an X terminal to
> > connect to the system where dsmadmc actually runs, the password will
> > probably go from the desk top to dsmadmc in clear text (there are
> > telnet implementations with encryption, but they are still relatively
> > uncommon). The password will be encrypted when it travels from dsmadmc
> > to the ADSM server.
>
> I think you are mistaken.  The clear text password never leaves the server
> or the client.  Perhaps someone from ADSM development can jump in here and
> clearly explain how the negotiation works.
>
> Steve (unVMix Systems Programmer/Dude) Roder
> (tkssteve AT ubvm.cc.buffalo DOT edu | tkssteve AT acsu.buffalo DOT edu |
> (716)645-3564 | http://ubvm.cc.buffalo.edu/~tkssteve)