From: CRDGW2::CRDGW2::MRGATE::"SMTP::CRVAX.SRI.COM::RELAY-INFO-VAX" 2-NOV-1989 12:59
To: MRGATE::"ARISIA::EVERHART"
Subj: RE: 4 DECnet security questions

Received: From LBL.GOV by CRVAX.SRI.COM with TCP; Thu, 2 NOV 89 06:36:44 PDT
Received: from warner.hepnet by LBL.Gov with VMSmail ; Thu, 2 Nov 89 06:35:07 PST
Date: Thu, 2 Nov 89 06:35:08 PST
From: nagy%warner.hepnet@LBL.Gov (Frank J. Nagy:VAX Guru,Wizard&Loose Cannon)
Message-Id: <891102063508.26602b44@LBL.Gov>
Subject: RE: 4 DECnet security questions
To: Info-VAX@sri.com
X-St-Vmsmail-To: INFO_VAX

>>1) What good does it do to have a non-standard password on the decnet
>>nonprivileged account? Assuming the only access to the account is
>>NETWORK, I can't see that having a known password on DECNET lets you do
>>anything that you can't do without it, so long as there IS a nonpriv
>>decnet account that has a workable password (i.e., it's correct in ncp
>>exec database).

The DECNET account is set up to provide a default for network access to
your system by users who (a) do not specify a specific username and
password in their network access (see below) and (b) do not have proxy
access to your system. Accordingly, you want to control how and where the
DECNET account is used. We have a DECNET account but have given it a
nonstandard, nonpublished and (hopefully) secure password. It keeps the
hackers and worms out at least.

Since we use the TASK objects a lot, we have used NCP to enable incoming
and outgoing proxy access for TASK. To keep the worms away, we set the
username to DECNET on the TASK object BUT we set the password on the TASK
object to a string DIFFERENT from the real DECNET password. This lets our
users use TASK objects via their proxy accounts but fails all use of the
TASK object by the DECNET account.

>>2) How do you use a password on the TASK object? I can find no way of
>>specifying a password in the TYPE NODENAME::"TASK=x" syntax. I don't
>>mean an account password, I mean the password you set with NCP SET
>>OBJECT TASK PASSWORD. I figure there's a way with task-to-task
>>programming, but I'd like to require a password for the dcl command
>>above.

You can do something like

    TYPE NODENAME"user password"::"TASK=xxxx"

to use a specific username and password for the network access.

>>3) Is there a dcl syntax I can use, akin to NODENAME::"TASK=x", to
>>specify an arbitrary task that I have defined in ncp? Or are these
>>tasks only accessible with programming?

If you define an object of name X with number 0 using NCP and give that
object a FILE to execute (.COM file), then any user can access these
objects via "TASK=X". In this case a common .COM procedure is used by all
users. If a user references "TASK=Y" and there is no object Y in the
network object database, then the system will look for and execute Y.COM
in the login area of the account (DECNET account unless the user has a
proxy account; in this case it's in the login area of the proxy account).

= Dr. Frank J. Nagy "VAX Guru & Wizard"
= Fermilab Research Division/Electrical and Electronics Dept/Controls Group
= HEPnet/SPAN: WARNER::NAGY (43198::NAGY) or FNAL::NAGY (43009::NAGY)
= BitNet: NAGY@FNAL
= Internet: NAGY%WARNER.DNET@FNGATE.FNAL.GOV
= USnail: Fermilab POB 500 MS/220 Batavia, IL 60510
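
The setup described in the message above, written out as AUTHORIZE and NCP commands. This is an added example, not part of the original message and not Fermilab's actual configuration; node REMNOD, user SMITH, object X, the file SYS$MANAGER:X.COM and both password strings are placeholders, and keeping the executor's nonprivileged password in step with the account is an assumption.

```dcl
$! Added example. REMNOD, SMITH, X, SYS$MANAGER:X.COM and both
$! password strings are placeholders, not values from the message.
$!
$! 1. Give the DECNET account a nonstandard password and grant a
$!    proxy to a trusted remote user.
$ RUN SYS$SYSTEM:AUTHORIZE
MODIFY DECNET /PASSWORD=REAL_DECNET_SECRET /NOPWDEXPIRED
ADD/PROXY REMNOD::SMITH SMITH
EXIT
$!
$! 2. Assumption: default access to other objects is still wanted, so
$!    the executor's nonprivileged password follows the real one.
$!    TASK gets proxy access in both directions, the DECNET username,
$!    and a password that deliberately does NOT match the account, so
$!    default (DECNET) access to TASK fails while proxy access works.
$!    Object X (number 0, with a FILE) is the common procedure that
$!    any user reaches as "TASK=X".
$!    DEFINE updates the permanent database, SET the running network.
$ RUN SYS$SYSTEM:NCP
DEFINE EXECUTOR NONPRIVILEGED USER DECNET NONPRIVILEGED PASSWORD REAL_DECNET_SECRET
SET EXECUTOR NONPRIVILEGED USER DECNET NONPRIVILEGED PASSWORD REAL_DECNET_SECRET
DEFINE OBJECT TASK NUMBER 0 USER DECNET PASSWORD DELIBERATE_MISMATCH PROXY BOTH
SET OBJECT TASK NUMBER 0 USER DECNET PASSWORD DELIBERATE_MISMATCH PROXY BOTH
DEFINE OBJECT X NUMBER 0 FILE SYS$MANAGER:X.COM
SET OBJECT X NUMBER 0 FILE SYS$MANAGER:X.COM
EXIT
$!
$! 3. Checks to run from a remote node, using the syntax in the message:
$!      TYPE NODENAME::"TASK=Y"
$!         as REMNOD::SMITH: runs Y.COM in SMITH's login area (proxy)
$!         as a user with no proxy: should be refused (password mismatch)
$!      TYPE NODENAME"user password"::"TASK=Y"
$!         explicit username and password for the network access
$!      TYPE NODENAME::"TASK=X"
$!         runs the common procedure defined for object X
```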