Operating System - OpenVMS

how to hide passwd while copy between server.

 
shiva27
Frequent Advisor


Can you suggest.

How can I hide the password in the command below while copying files between two servers? I tried to define a symbol for the password string, but it says the syntax is not correct.

OS: OpenVMS 8.3/7.3-2

$copy a.txt node2"account password"::disk:[dir]
Ian Miller.
Honored Contributor

Re: how to hide passwd while copy between server.

Create a proxy on node2.

____________________
Purely Personal Opinion
Wim Van den Wyngaert
Honored Contributor

Re: how to hide passwd while copy between server.

Define "hide".

1) set nover before the copy and the password will not show in log files
2) put password in symbol and use "account ''symbol'":: in the command procedure.

Wim
Hakan Zanderau ( Anders
Trusted Contributor

Re: how to hide passwd while copy between server.

I don't think there is a way to hide the password.......( sticking my neck out here )

But....

Instead of passing username and password, you can setup a proxy in node2 for the specific user.

$ MCR AUTHORIZE
UAF> ADD/PROXY remotenode::remote_user local_user /DEFAULT

$ MCR AUTHORIZE HELP ADD/PROXY ( for additional help )

Hakan Zanderau
Don't make it worse by guessing.........
Karl Rohwedder
Honored Contributor

Re: how to hide passwd while copy between server.

To hide it from being displayed on the terminal you may define a logical name:

$ assign "SYSTEM""USER PWD""::" REMOTE

and then do e.g.:

$ dir REMOTE:

regards Kalle
Robert Gezelter
Honored Contributor

Re: how to hide passwd while copy between server.

Shiva,

There is hiding and there is hiding.

DECnet is unencrypted (unless you are using DECnet over IP, and that over an enciphered channel, either directly or using a tunnel such as SSL).

To prevent the password from showing, one can use a logical name, to wit:

$ assign "" ""::" remote_node
$ directory remote_node:

The output of DIRECTORY will now not show the command. Of course, a SHOW LOGICAL command will display the logical name (as will ANALYZE/SYSTEM). For this type of purpose, it is worthwhile to make the logical name user mode. However, the password WILL be in the clear on the network.

Using a Proxy, as has been suggested, requires trust between the two machines, which is a whole other hazard.

Perhaps it would be helpful to clarify from whom we are securing the password and for what purpose.

- Bob Gezelter, http://www.rlgsc.com
Hoff
Honored Contributor

Re: how to hide passwd while copy between server.

Who is your expected attacker here? Who (or what) are you defending against?

You're using classic text-based passwords and DECnet, so you're already somewhere between comparatively and completely insecure. You could use DECnet proxies and such here, but that's not particularly secure.

Switch to sftp and public key encryption, if you're serious.

shiva27
Frequent Advisor

Re: how to hide passwd while copy between server.

Can you please suggest how to define a symbol, e.g. 'tt'', for the passwd string only, so that instead of putting the passwd I will put the symbol as 'tt'.

I want to follow as,

$copy a.txt node2"account 'tt''"::disk:[dir]

Steven Schweda
Honored Contributor

Re: how to hide passwd while copy between server.

> $copy a.txt node2"account 'tt''"::disk:[dir]

Where are those apostrophes?

node2"account ''tt'":: ?

To avoid confusion with the logical name "TT", I'd avoid using a symbol "tt".

Robert Gezelter
Honored Contributor

Re: how to hide passwd while copy between server.

Shiva,

My post from yesterday has a typographical error.

The ASSIGN command should read:

$ ASSIGN/USER_MODE """ ""::" remote_node

The , , and should be replaced with the destination nodename, username, and password.

My apologies if the typographical errors caused any difficulty.

- Bob Gezelter, http://www.rlgsc.com
Hein van den Heuvel
Honored Contributor

Re: how to hide passwd while copy between server.


Shiva,

Wim gave the right advice earlier, but you had the single quotes wrong, and you must not have verification in effect: $SET NOVERI.

If somehow you feel you must have verification active, and can not even disable it just around the command, then you have to tell DCL to POSTPONE the symbol substitution until the last moment.
You'll need the FULL filespec in the symbol.

Example using '0' as node name:

$set veri
$pass="secret"
$remote = "0""hein " + pass + """::*.COM;"
$show symb remote
$!REMOTE = "0"hein secret"::*.COM;"
$dir &remote

Logical names are a viable option as pointed out, but where does it get its value string from? How to hide that?
Similar as per above, but we have to throw in even more double quotes... but no longer need the full file spec.

$set veri
$pass="secret"
$remote = "0""""""hein " + pass + """""""::"
$show symb remote
$! REMOTE = "0"""hein secret"""::"
$define remote &remote
$show logical remote
$! "REMOTE" = "0"hein secret"::"
$dir remote:*.com;


Yes, that's 6 double quotes after the node name, and 7 before the '::'.

Hein.
Hoff
Honored Contributor

Re: how to hide passwd while copy between server.

Or you can...

UAF> ADD /PROXY [/DEFAULT] [from-spec] [to-spec]

within the UAF on the target host, and you're done. With this, no password is then needed; the specified user on the specified host can access the specified username on the specified remote host.

Or you can get (rather more) serious about system security, and reduce your dependence on (insecure) DECnet and on user-specified text passwords. The available ssh and sftp widgets support no-password logins and various passphrase-based and policy-based logins using public key encryption. Far more secure.

shiva27
Frequent Advisor

Re: how to hide passwd while copy between server.

This is a one-time job, so there is no need to define a proxy account here.
In our work environment our session log is monitored by a review team, so my requirement is: without displaying the password in the session, I want to copy the file between servers.
I tried as follows:
$set term/noecho
$pass=="welcome"
$set term/echo
$copy test.txt remser"shiva pass"::disk:[dir]/log

I get the error message below after executing the above command:

%COPY-E-OPENOUT, error opening remser"shiva pass"::disk:[dir]/log as output
-RMS-E-CRE, ACP file create failed
-SYSTEM-F-INVLOGIN, login information invalid at remote node
%COPY-W-NOTCOPIED.
Karl Rohwedder
Honored Contributor

Re: how to hide passwd while copy between server.

If you want the symbol to get evaluated try:

$set term/noecho
$pass=="welcome"
$set term/echo
$copy test.txt remser"shiva ''pass'"::disk:[dir]/log

(these are single quotes around PASS).

regards Kalle
Steven Schweda
Honored Contributor

Re: how to hide passwd while copy between server.

> If you want the symbol to get evaluated try:
> [...]

You know, like this:

node2"account ''tt'"::

(Jan 6, 2009 05:25:59 GMT)
John Gillings
Honored Contributor

Re: how to hide passwd while copy between server.

shiva,

>In our work environment our session log
>monitor by review team so what is my
>requirement is ,without displaying
>password on session, i want to copy the
>file between server.

Now that we understand the real issue, it's possible to post a solution.

Here's a short command procedure that will define a logical name containing an access control string, prompting for the password with no echo. You can then use the logical name for your remote access. The password won't be displayed on the screen, or in the session log. You may wish to DEASSIGN the logical name after use for some semblance of security.

DEFINE_ACCESS.COM
$! P1 = logical name, P2 = node, P3 = username, P4 = password; missing values are prompted for
$ logname=p1
$ node=p2
$ user=p3
$ pass=p4
$ IF logname.EQS."" THEN READ/PROMPT="Logical name: " SYS$COMMAND logname
$ IF logname.EQS."" THEN EXIT
$ IF node.EQS."" THEN READ/PROMPT="Node: " SYS$COMMAND node
$ IF node.EQS."" THEN node="0"
$ IF user.EQS."" THEN READ/PROMPT="Username: " SYS$COMMAND user
$ IF user.EQS."" THEN user=F$GETJPI("","USERNAME")
$! Prompt for the password with terminal echo turned off
$ IF pass.EQS.""
$ THEN
$   SET NOON
$   SET TERMINAL/NOECHO
$   READ/PROMPT="Password: " SYS$COMMAND pass
$   SET TERMINAL/ECHO
$ ENDIF
$! Define the logical name as node"user password"::
$ DEFINE/NOLOG 'logname' "''node'""''user' ''pass'""::"

(unfortunately there's no easy way in DCL to do a nice, modular, error proof no-echo prompt)

I've also attached it as a text file, in case your browser breaks the inline text.

To use the procedure, give it a logical name, node name and username. It will prompt for any missing parameters. The password is prompted with no echo.

For example:

$ @DEFINE_ACCESS REMNODE NODE2 SHIVA
Password: (enter password, not echoed)
$ COPY a.txt REMNODE::disk:[dir]
$ DEASSIGN REMNODE

Note for the sharp eyed... although the logical name already contains a "::" node delimiter, it's necessary to use "::" in the file specification to allow a device and directory to be included in the file specification. You could say:

$ COPY a.txt REMNODE:b.txt

to copy the file into the default directory for the target user, but if you want to include a device and directory specification you need "::".


I thought the RCP command would prompt for a password if you said:

$ RCP/USER=user/PASS a.txt node2:

(ie, without specifying a password on the command line), but it doesn't. Maybe it was SSH?
A crucible of informative mistakes
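
Combining the suggestions in this thread (verification off, a no-echo prompt, and a user-mode logical name), the one-time copy can be wrapped as below. This is an added example, not code posted by any participant; the procedure name COPY_NOECHO.COM and the logical name COPY_TARGET are hypothetical, and the password still crosses DECnet in the clear, as noted earlier in the thread.

```dcl
$! COPY_NOECHO.COM -- added example; all names here are placeholders
$! Usage: @COPY_NOECHO local-file node username dev:[dir]
$ saved_verify = F$VERIFY(0)        ! verification off so no line is echoed to the log
$ ON CONTROL_Y THEN GOTO cleanup    ! make sure echo is restored on Ctrl/Y
$ ON ERROR THEN GOTO cleanup
$ file = p1
$ node = p2
$ user = p3
$ dest = p4
$ IF file .EQS. "" .OR. node .EQS. "" .OR. user .EQS. "" .OR. dest .EQS. ""
$ THEN
$   WRITE SYS$OUTPUT "Usage: @COPY_NOECHO file node username dev:[dir]"
$   GOTO cleanup
$ ENDIF
$! Read the password without echo; it never appears on a command line
$ SET TERMINAL/NOECHO
$ READ/PROMPT="Password: "/END_OF_FILE=cleanup SYS$COMMAND pass
$ SET TERMINAL/ECHO
$ WRITE SYS$OUTPUT ""
$! User-mode logical name: removed automatically when the next image (COPY) exits
$ DEFINE/USER_MODE/NOLOG copy_target "''node'""''user' ''pass'""::"
$ COPY 'file' copy_target::'dest'
$cleanup:
$ status = $STATUS                  ! keep the COPY (or failing) status
$ SET NOON
$! If COPY never ran, the logical name may still exist; remove it explicitly
$ IF F$TRNLNM("COPY_TARGET","LNM$PROCESS_TABLE") .NES. "" THEN DEASSIGN/USER_MODE copy_target
$ SET TERMINAL/ECHO
$ IF F$TYPE(pass) .NES. "" THEN DELETE/SYMBOL pass
$ dummy = F$VERIFY(saved_verify)    ! restore the caller's verification setting
$ EXIT 'status'
```

A password containing a double quote would break the access control string built in the DEFINE line; the procedure does not handle that case.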
shiva27
Frequent Advisor

Re: how to hide passwd while copy between server.

The commands below failed:

$tt=="welcome"
$sh sym tt
TT == "welcome"
$copy a.txt node2"shive ''tt''"::disk:[dir]
-SYSTEM-F-INVLOGIN, login information invalid at remote node

$copy a.txt node2"shive "tt""::disk:[dir]
%DCL-W-INVNOD, invalid node name specification; respecify \node2"shive "TT""::\

Am I making a mistake here? Please suggest.
Karl Rohwedder
Honored Contributor

Re: how to hide passwd while copy between server.

Shiva27,

I think you put 2 quotes before and after the TT symbol, it's 2 before and one after, so

"user ' ' pass ' "

These are the 'normal' DCL substitution rules.

regards Kalle
shiva27
Frequent Advisor

Re: how to hide passwd while copy between server.

Thanks Karl and All,

It's through. I'm able to copy now. :)
Kumar_Sanjay
Regular Advisor

Re: how to hide passwd while copy between server.

Enable OPCOM messages on the 2nd node... you will be able to get a clear error..

cheers...