cheever@sumax.UUCP (Richard L. Cheever) (02/06/90)
Scenario:

    student logs in, through switch, through annex, to Encore
    finishes session
    logs out of Encore
    locks annex port
    goes to class
    switch times out after 30 min and frees port
    professor logs in, through switch, to annex
    gets a locked annex port
    I get flamed

Can I disable the annex lock command?

------------------------------------------------------------------------------
Richard L. Cheever
cheever%sumax.UUCP@beaver.cs.washington.edu
(206) 296 5550
Seattle University, CIS
6th Floor Engineering, Seattle WA 98102
------------------------------------------------------------------------------

loverso@Xylogics.COM (John Robert LoVerso) (02/06/90)
In article <1226@sumax.UUCP> cheever@sumax.UUCP (Richard L. Cheever) writes:
> student logs in, through switch, through annex, to Encore
> finishes session
> logs out of Encore
> locks annex port
> goes to class
> switch times out after 30 min and frees port
> professor logs in, through switch, to annex
> gets a locked annex port
> I get flamed
>
> Can I disable the annex lock command?

Enable security and change the default command mask to not include the lock command on those ports.

However, that is not really your problem. You need to use modem control between the switch and the Annex. This way, when the switch frees the port, it drops DCD and the Annex resets its own port. Without this, you are leaving yourself with a big security hole; to wit:

    professor leaves his terminal for 30 minutes
    the switch times out
    student connects to port
    student reads all of professor's final exams

If you cannot possibly get the switch to perform some means of modem control, then a secondary (but less trustworthy) way to accomplish this is to set the inactivity time on the Annex to match that of the switch; thus, both timers should expire at about the same time and close the window of vulnerability. I stress that I would only recommend this as backup if you cannot get the switch to perform some means of modem control.

(Personally, I'd just suggest that you replace the outdated switch completely with Annexes, but...)

A final scenario, on why disabling the Annex CLI lock command isn't really helpful. A user logs in to switch, attaches to an Annex, disables the break key ("stty -break -lbreak"), logs into a host, runs his own version of /usr/ucb/lock with no timeout or master password, and goes away. Same effect. In your case, this could be worse, since your switch may not have the ability to pass a break through to the Annex at all.

John
--
John Robert LoVerso    Xylogics, Inc.  617/272-8140x284
loverso@Xylogics.COM   Annex Terminal Server Development Group
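
The port hand-off discussed in this thread, as an added example that is not part of either post: a small Python model of when a new caller on the switch inherits the previous user's Annex session. Only the 30-minute switch timeout comes from the thread; the class and function names and the other timings are constructed, and the model assumes both timers start from the same last keystroke.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass
class Link:
    switch_timeout: int              # idle minutes before the switch frees the port
    modem_control: bool              # switch drops DCD on free; Annex resets on DCD loss
    annex_inactivity: Optional[int]  # Annex inactivity timer in minutes, None = disabled

def annex_reset_time(link: Link) -> Optional[int]:
    """Minutes after the last keystroke at which the Annex port resets (None = never)."""
    candidates = []
    if link.modem_control:
        candidates.append(link.switch_timeout)    # DCD falls when the switch frees the port
    if link.annex_inactivity is not None:
        candidates.append(link.annex_inactivity)  # fallback: the Annex's own idle timer
    return min(candidates) if candidates else None

def exposure_window(link: Link) -> Optional[Tuple[int, Optional[int]]]:
    """(start, end) during which the next caller lands in the old session.
    end is None if the stale session never clears; result is None if there is no window."""
    start = link.switch_timeout   # earliest moment the switch hands the port to someone else
    reset = annex_reset_time(link)
    if reset is None:
        return (start, None)
    return None if reset <= start else (start, reset)

def next_caller_inherits(link: Link, arrival: int) -> bool:
    """True if a caller arriving `arrival` minutes after the last keystroke gets the old session."""
    window = exposure_window(link)
    if window is None or arrival < window[0]:
        return False
    return window[1] is None or arrival < window[1]

# Constructed configurations for the cases raised in the thread.
NO_CONTROL     = Link(switch_timeout=30, modem_control=False, annex_inactivity=None)
MODEM_CONTROL  = Link(switch_timeout=30, modem_control=True,  annex_inactivity=None)
TIMERS_MATCHED = Link(switch_timeout=30, modem_control=False, annex_inactivity=30)
TIMERS_SKEWED  = Link(switch_timeout=30, modem_control=False, annex_inactivity=35)

if __name__ == "__main__":
    for name, link in [("no control", NO_CONTROL), ("modem control", MODEM_CONTROL),
                       ("timers matched", TIMERS_MATCHED), ("timers skewed", TIMERS_SKEWED)]:
        print(f"{name:15s} window={exposure_window(link)}")
```

The skewed case shows why the timer fallback is the weaker option: any mismatch between the two timers reopens the window, whereas the DCD drop ties the Annex reset to the switch's own action.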