UNIX Remote Host Validation

Description

On UNIX, remote connections to BBjServices are validated via either by /etc/hosts.equiv or by the .rhosts file.

Using the /etc/hosts.equiv file, the system administrator can configure global settings for the machines that will be trusted by the BBjServices machine. If a machine should be globally trusted so that users on that machine are allowed to use BBjServices as the same account on the BBjServices machine, then add the line "+<machine>" to the /etc/hosts.equiv file. After adding this line, no .rhosts manipulation is necessary.

NOTE: BBj DS services performed a DNS lookup on every entry in the .rhosts and /etc/hosts.equiv files. Depending on system configuration, the DNS lookups can take an excessive amount of time, causing the connection attempt to time out and cause either a !ERROR=72 or a !ERROR=12 (depending on whether the client or server timed out first).


In order for remote users to connect using .rhosts, follow the steps listed below::

STEP 1) If BBjServices will be running as root, ensure that every remote user has an account on the machine.

STEP 2) If BBjServices will be running as root, modify each remote user's .rhosts file. If BBjServices will be running as any other user other than root, modify this user's .rhosts file.

The .rhosts file is found in the user's home directory. The .rhosts file(s) should include all remote machines and users that are connecting to BBjServices.

For example:

tiger csmith <==== machine tiger, remote user csmith will be allowed to connect

rider + <==== machine rider, all remote users from this box will be allowed to connect

STEP 3) Set the .rhosts file permissions to 644.

STEP 4) Ensure that the .rhosts file for each user is owned by that user. For example, the .rhosts file for root must be owned by root and the .rhosts file for the user BBj must be owned by the user BBj.

Filesystem User/Password Authentication

In a muti-tier BBj environment, some kind of user authentication will occur when an application attempts to open a file on a remote BBj Filesystem Server.  By default, BBj uses .rhosts authentication.  However, another option is to use simple user/password authentication.

Enabling user/password authentication on the BBj Filesystem Server switches the server to use a user and password instead of .rhosts to authenticate incoming remote connections.  The administrator must enable this for the Filesystem server and developers must include code at some point in the application to tell BBj the user and password used when it needs access to files on a remote BBj Filesystem Server.

Enable User/Password Authentication on the Server

Using the Enterprise Manager under BBjServices->Servers->Filesystem, enable the Password Auth for the Filesystem server.

Add BBj Application Code

When a Filesystem Server is configured to use user/password authentication, clients (and other remote BBjServices) connecting to that server must specify the user and password in order to connect.  To do this from a BBj program, use the !DSUDDB STBL:

dummy$ = STBL("!DSUDDB", "user=jdoe,passwd=mypassword")

Once set, subsequent file OPEN calls use the specified user and password to connect to the remote Filesystem Server when data server syntax is used.  For example:

OPEN(chan)"/<theremoteserver>/path/to/my/file.dat"




______________________________________________________________________________________

Copyright BASIS International Ltd. BBj®, Visual PRO/5®, PRO/5®, and BBx® are registered trademarks.