× The internal search function is temporarily non-functional. The current search engine is no longer viable and we are researching alternatives.
As a stop gap measure, we are using Google's custom search engine service.
If you know of an easy to use, open source, search engine ... please contact support@midrange.com.



Performance is not really a concern, since we're talking about editing scripts. This isn't runtime for end users.

We have to have NetServer running anyway, for production applications. Very easy for me to add and secure another share to edit scripts.

Our users log in via telnet and run a program that displays a menu. They do not have command line access. The telnet server enforces the limit capabilities parameter on the user profile. I think support for that in FTP is better (or maybe fully fixed) now. Obviously plain FTP uses a plain text password, while I regularly use telnet with SSL.

OK, on to ssh, since I mentioned plain text passwords that are not relevant to ssh. It has a concern that exists on FTP as well. With a user that is *ENABLED with initial program *SIGNOFF and limit capabilities *YES, I can still sign on via ftp and ssh. I cannot sign on via telnet. Once signed on in FTP, I have access to anything I can find, based on object authority. Via telnet, I cannot get to anything. Via shared folders, I have only what has been set up as shared. SSH is even scarier there, since it puts a user profile that should not sign on into the PASE environment able to run all sorts of programs.

Our users (in general) don't have query access and cannot download files with data transfer. I'm not authorized to run the db2 command, and cat on a database file give me garbage, but I still suspect there is some way through ssh to get to data or do other "bad" things that our users currently can't do. I just don't want to open another interface that presents new security challenges.
--
Sean Porterfield



-----Original Message-----
From: Mike Pavlak


Sean,

OK, I realize that you may not be the person making the policy decision, but the implication you have made here is that Netserver is "more secure" than SSH. I would be curious what the "security reasons" might be that led to such a decision. Especially when you consider the IBM i's object level security is enforced in both in all three of those models.

I have been to many customer sites where NetServer is running and no one has a clue as to why or how it runs. Also, I have seen NetServer performance go all over the charts, from blazingly fast to painfully slow. So far (knocking wood) I have not seen such inconsistency with SSH.

Not trying to start a flame war here, but would really like to get a better understanding of the realities.

Regards,

Mike

mike.p@xxxxxxxx Cell: (408)679-1011 Office: (815)722-3454


-----Original Message-----
From: Porterfield, Sean

I'm a bit late to this party, but you can also use netserver and map a drive to the i. For security reasons, we do not run FTP or SSHD, so mapped drive was the only real option.
--
Sean Porterfield

This email is confidential, intended only for the named recipient(s) above and may contain information that is privileged. If you have received this message in error or are not the named recipient(s), please notify the sender immediately and delete this email message from your computer as any and all unauthorized distribution or use of this message is strictly prohibited. Thank you.

As an Amazon Associate we earn from qualifying purchases.

This thread ...

Replies:

Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.