HP3000/HP 3000 FAQ

Last Updated: Thursday, February 01, 2007 02:38 PM



File Transfer Protocol (FTP) and the HP3000

4.5.2. File Transfer Protocol (FTP)

For a long time FTP had to be purchased as part of the "Arpa Services/3000" package; but as of MPE/iX 5.0 both the client and server are bundled in the operating system. FTP allows you to send and receive files between systems over a network. HP3000's FTP has some extensions to allow the preservation of HP3000 file attributes, but it usually takes some manual specification on the client side.


4.5.2.1. Security issues related to FTP

CR2

There are some serious security issues with FTP (File Transfer Protocol) and the HP3000, especially for those who rely on Security/3000.

What is FTP?

FTP is a protocol defining how files are transferred from one computer to another. FTP is also the name of a program used to move files that uses the File Transfer Protocol. With the FTP program you can copy files from your PC to a HP3000 or from a HP3000 to a UNIX host. This is the same FTP you use on the Internet.

FTP facts:

1).  MPE/iX 5.0 gives you all the services needed to run FTP.
2).  Out-bound FTP can be run by executing the FTP program.
3).  In-bound FTP can be run only if a "monitor" job is running for FTP.
4).  A valid logon name (MGR.Pnnn, etc.) must be known.

In-bound (FTP'ing to a HP3000) Security Issues:

1). If in-bound FTP is enabled, any user on the Internet can access your system without entering passwords if you do not take precautions. In-bound FTP does not execute logon UDCs. Any user that does not have either an MPE user or account password (LISTUSER @.@;PASS) can be used to gain FTP access to the HP3000 without entering a password. Security/3000 passwords are not used since these are executed with a logon UDC. **See FTP PASSWORD=ON info below.

2). Once a user has gained FTP access, they can not only retrieve (get) files, they can also replace (put) files. They cannot retrieve or replace databases or KSAM files. They can replace some executable programs, UDCs and other files.

In-bound FTP precautions:

1). Don't enable in-bound FTP. In-bound FTP is not automatically enabled. It will only go into action if you enable it. (STREAMX JFTPSTRT.ARPA.SYS).

2). If you enable it, modify the job so that any in-bound FTP access will require an MPE user and/or account password. Modify line 37 of JFTPSTRT.ARPA.SYS to read:

RUN ftpmon;info="password"

You should also add SF capability to the user FTP.SYS

This obviously is more secure than no password, but by enabling in-bound FTP you still give the opportunity for someone to access your system by entering a correct password.

3). Enabling in-bound FTP is not necessary as you can use out-bound FTP and "get".

Minisoft's Network File Transfer

Security issues also exist with Minisoft's Network File Transfer (FTJOB.NFT.MINISOFT). If you are using this, any Minisoft NFT user can gain FTP access to your HP3000 without entering a password. It appears that regular FTP users cannot access your HP3000 as Minisoft's NFT is using a different port number. However, if they know to use this port number, they will have access.

Minisoft has not yet addressed the security issue with their NFT.

Do I need in-bound FTP?

No, you do not need in-bound FTP on your HP3000.

JH ***Updated information as of 09/2004***:

> Also recently added (7.0 ?) to the FTP server is the option to enforce the user/account passwords to be entered.

This option was available in 1993 on MPE/iX 4.0 as a run parameter in the JFTPSTRT.arpa.sys job as FTPMON;INFO="PASSWORD". This feature was broken when the INETD/FTPSRVR was implemented. This function was re-introduced as an option in 6.0 in the SETPARMS.arpa.sys in patches FTPFDY9 6.0, FTPGD01 6.5, FTPGD49 7.0 and included in 7.5.

*******************************************************FTPDOC.ARPA.SYS**

The "PASSWORD = ON" SETPARMS.ARPA.SYS configuration option is a security enhancement added to the FTP Server "FTPSRVR" to support the ability to restrict the establishment of FTP connections to MPE USER.ACCOUNT's where at least "one" password (a "USER" password or an "ACCOUNT" password) must exist.

The system default for this enhancement is "PASSWORD = OFF". This option can be enabled by adding the line "PASSWORD = ON" to the file SETPARMS.ARPA.SYS with a supported text EDITOR.

When the SETPARMS.ARPA.SYS file is configured with the "PASSWORD = ON" option, the FTP Server "FTPSRVR" will reject any attempt to establish an inbound FTP client connection to the HP e3000 for MPE USER.ACCOUNT's which do not have at least one MPE logon password.

The FTP Client will see the following error message:

530 User log on unsuccessful

If FTP Console Logging is enabled, the FTP Server will generate the following error message to the console:

0:40/#J93/62/FTP INVALID PASSWORD For: "USER.ACCOUNT,PUB" IP=127.0.0.1

*******************************************************FTPDOC.ARPA.SYS**

> In earlier versions of MPE, FTP used to be nicely integrated with security/3000 so you could have session based password security on your FTP sessions.

As far as I know, as per my communications with other customers, security/3000 is *still* interfaced to FTP/iX. The VESOFT security product *broke* when FTPMON and the server creation with RPMCREATE was eliminated and replaced by INETD forking FTPSRVR with calls to AIFCHANGELOGON.

2 changes needed to be made...

1) VESOFT had to hook into new INETD and FTPSRVR code which did a fork and AIFCHANGELOGON of FTPSRVR from INETD rather than the old RPMCREATE from FTPMON.

2) VESOFT was relying on a feature whereby a session-id password (a field that does not exist in MPE) would be ignored in the parsing of the hello logon string by RPMCREATE, but found out that it was not ignored by the new call to AIFCHANGELOGON. In the logon string:

"sessid/sesspass,manager/mgrpass.sys/syspass,group"

...VESOFT was relying on the command parser not catching a password being added to the sessid. RPMCREATE did not catch this, but with INETD and the fork of FTPSRVR we perform an AIFCHANGELOGON to assure the correct file system access. At this point AIFCHANGELOGON did catch this non-existent field in the logon string and failed the logon.

Syntax of valid MPE logon: [session,]user[/userpass].account[/acctpass][,group[/grppass]]

Note: MPE logon sequence does not allow for a session password.

This required a fix to FTP/iX to strip the "sesspass" from the logon string prior to our call to AIFCHANGELOGON and a second associated repair.

5003458612 fixed in FTPFDH3 6.0 fixed in 6.5 and beyond.

8606109983 fixed in FTPFDP3 6.0, FTPFDP2 6.5, fixed in 7.0 and beyond.

These fixes were implemented in patches in 2000 and this solution also required a VESOFT SECURITY patch be installed.

Don't forget: The file FTPDOC.arpa.sys (on your system) is the bible to features of FTP/iX which are beyond the FTP RFC specification (features are documented here which are not present in the reference manual set). I recommend that you install the above noted General Release patch and then look at the updated FTPDOC.arpa.sys file for new features.
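As an added worked example for this page (Python written here, not HP's FTP/iX, FTPDOC or VESOFT code), the following parses the MPE logon syntax quoted above, strips the session password exactly as the FTP/iX repair describes, and applies the FTPDOC "PASSWORD = ON" rule plus the LISTUSER @.@;PASS style review of unprotected logons; the password table and its shape are constructed assumptions.

```python
import re

# Constructed sample of which MPE users/accounts have passwords set
# (shape and values are this example's assumption, not a LISTUSER dump).
USER_HAS_PASSWORD = {("MGR", "SYS"): True, ("FTP", "SYS"): False, ("MGR", "P001"): False}
ACCOUNT_HAS_PASSWORD = {"SYS": True, "P001": False}

# Syntax quoted in the FAQ, plus the session password MPE does not define:
# [session[/sesspass],]user[/userpass].account[/acctpass][,group[/grppass]]
NAME, PW = r"[^,/.]+", r"[^,.]+"
LOGON_RE = re.compile(
    rf"^(?:(?P<session>{NAME})(?:/(?P<sesspass>{PW}))?,)?"
    rf"(?P<user>{NAME})(?:/(?P<userpass>{PW}))?"
    rf"\.(?P<account>{NAME})(?:/(?P<acctpass>{PW}))?"
    rf"(?:,(?P<group>{NAME})(?:/(?P<grppass>{PW}))?)?$"
)

def parse_logon(logon):
    """Split an MPE logon string into named fields (None where absent)."""
    m = LOGON_RE.match(logon.strip())
    if not m:
        raise ValueError(f"malformed MPE logon string: {logon!r}")
    return m.groupdict()

def strip_session_password(logon):
    """What the FTP/iX repair did: drop 'sesspass' before AIFCHANGELOGON,
    which (unlike RPMCREATE) refuses the field. Returns (logon, stripped)."""
    parts = parse_logon(logon)
    if parts["sesspass"] is None:
        return logon, False
    return re.sub(rf"^({NAME})/{PW},", r"\1,", logon), True

def ftp_logon_allowed(logon, password_on):
    """PASSWORD = ON policy: refuse a USER.ACCOUNT that has neither a user
    nor an account password, before any password value is examined."""
    p = parse_logon(logon)
    user, acct = p["user"].upper(), p["account"].upper()
    protected = (USER_HAS_PASSWORD.get((user, acct), False)
                 or ACCOUNT_HAS_PASSWORD.get(acct, False))
    if password_on and not protected:
        return False, "530 User log on unsuccessful"
    return True, "proceed to normal password check"

def unprotected_logons():
    """Logons PASSWORD = OFF would admit with no password at all
    (the LISTUSER @.@;PASS review the FAQ recommends)."""
    return sorted(f"{u}.{a}" for (u, a), has_pw in USER_HAS_PASSWORD.items()
                  if not has_pw and not ACCOUNT_HAS_PASSWORD.get(a, False))
```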



4.5.2.2. Changing default settings for FTP server

KS

The file BLDPARMS.ARPA.SYS contains the default parameters for inbound FTP transfers to the 3000. The first three lines of the file look like this (the file has more, but the rest is comment; only the first three lines are read). Note that the default for ASCII files is an 80-byte record like you are ending up with.

;REC=-80,,F,ASCII;DISC=204800
;REC=-256,,V,BINARY;DISC=204800
;REC=,,B;DISC=16384000

As long as you don't violate limits of the MPE BUILD command, you can change these defaults as you wish (at least I think the BUILD command limits are the only ones you have to be concerned about).

You can also make local copies of this file and point at that by doing:

FILE BLDPARMS.ARPA.SYS=myfile

HP3000-L FAQ Collection (c) 3k Associates, Inc. 1996-2006