suppressing username and password prompts in dbaccess

Hi,

Our site is running Informix Dynamic Server 11 on Linux. Currently,
when connecting to a server using dbaccess the user is prompted for
his user name and password. What options are available so providing a
user name and password is unnecessary, as the username and password is
the same one as they used to log into their machine.

Thanks,
Steve

On 19/12/2007, skurlander (AT) yahoo (DOT) com <skurlander (AT) yahoo (DOT) com> wrote:

Quote:

Hi,

Our site is running Informix Dynamic Server 11 on Linux. Currently,
when connecting to a server using dbaccess the user is prompted for
his user name and password. What options are available so providing a
user name and password is unnecessary, as the username and password is
the same one as they used to log into their machine.

Thanks,
Steve
_______________________________________________
Informix-list mailing list
Informix-list (AT) iiug (DOT) org
http://www.iiug.org/mailman/listinfo/informix-list

Steve

You need a trusted relationship between the two servers, look at a
..rhosts file or hosts.equiv.

Keith

NO!!!

NEVER USE .rhosts and or hosts.equiv.

Ok, so that may be an overkill.

As a systems administrator, I routinely sweep my systems for users who use ..rhosts. This is a big security no no.

With respect to hosts.equiv, you need to be careful and limit this to machines that are behind your firewall and are really equivalent hosts. For example, if you have two systems that you're doing HA type work.

Quote:

Date: Wed, 19 Dec 2007 15:57:12 +0000
From: smiley73 (AT) googlemail (DOT) com
To: informix-list (AT) iiug (DOT) org
Subject: Re: suppressing username and password prompts in dbaccess

On 19/12/2007, skurlander (AT) yahoo (DOT) com <skurlander (AT) yahoo (DOT) com> wrote:
Hi,

Our site is running Informix Dynamic Server 11 on Linux. Currently,
when connecting to a server using dbaccess the user is prompted for
his user name and password. What options are available so providing a
user name and password is unnecessary, as the username and password is
the same one as they used to log into their machine.

Thanks,
Steve
_______________________________________________
Informix-list mailing list
Informix-list (AT) iiug (DOT) org
http://www.iiug.org/mailman/listinfo/informix-list

Steve

You need a trusted relationship between the two servers, look at a
.rhosts file or hosts.equiv.

Keith
_______________________________________________
Informix-list mailing list
Informix-list (AT) iiug (DOT) org
http://www.iiug.org/mailman/listinfo/informix-list

__________________________________________________ _______________
The best games are on Xbox 360. Click here for a special offer on an Xbox 360 Console.
http://www.xbox.com/en-US/hardware/wheretobuy/

Do not use .rhosts ever.
This is a major security no no. But then again, most of you young whipper snappers don't remember the fallout from the Morris Worm.

Host.equiv should be used sparingly. Only for hosts that truly are equivalent.

We live in a dangerous world. You really do need to be more paranoid. People really are out to get you.

But hey! What do I know? I got to blow off a midterm because I spent 24 hours locking down and backing up the EE computers because of the Morris Worm.


-G

Quote:

From: skurlander (AT) yahoo (DOT) com
Subject: suppressing username and password prompts in dbaccess
Date: Wed, 19 Dec 2007 06:47:08 -0800
To: informix-list (AT) iiug (DOT) org
CC: skurlander (AT) yahoo (DOT) com

Hi,

Our site is running Informix Dynamic Server 11 on Linux. Currently,
when connecting to a server using dbaccess the user is prompted for
his user name and password. What options are available so providing a
user name and password is unnecessary, as the username and password is
the same one as they used to log into their machine.

Thanks,
Steve
_______________________________________________
Informix-list mailing list
Informix-list (AT) iiug (DOT) org
http://www.iiug.org/mailman/listinfo/informix-list

__________________________________________________ _______________
Don't get caught with egg on your face. Play Chicktionary!
http://club.live.com/chicktionary.as...mtextlink1_dec

Geez!

How many times does it take before the message sinks in.

..rhosts BAD. VERY BAD.
BAD IDEA FROM THE START.

You should NEVER, EVER LET YOUR USERS use .rhosts since it effectively allows them to say that Machine A is a safe and trustworthy machine.

Not a problem if Machine A is sitting next to your server in the machine room.
BIG PROBLEM if Machine A is sitting somewhere well outside your firewall and outside of your control.

Since most DBAs are NOT system administrators, talk to your system administrators and see what they say.

Hosts.equiv is controlled by your system administrator (root access). You should use this only for machines that are truly equivalent.
(Like machine A load balances for machine B ...)

Think of this as being much worse than running your IDS engine on a RAID 5 system.

If I were your system administrator and you did this on one of my systems? I'd consider it a terminating offense. One where the use of a firing squad is a form of mercy.
Please be paranoid. We don't want to see another TJX situation on an IDS platform now do we? (TJX was running Oracle. ;-)

-G
PS. Yes, I was at one time a BOFH ;-)

Quote:

From: dcruncher4 (AT) aim (DOT) com
Subject: Re: suppressing username and password prompts in dbaccess
Date: Wed, 19 Dec 2007 10:48:15 -0800
To: informix-list (AT) iiug (DOT) org

In article <e89947bf-d9fc-4f33-9ef4-dacf60193a7a (AT) v4g2000hsf (DOT) googlegroups.com>,
skurlander (AT) yahoo (DOT) com says...

Hi,

Our site is running Informix Dynamic Server 11 on Linux. Currently,
when connecting to a server using dbaccess the user is prompted for
his user name and password. What options are available so providing a
user name and password is unnecessary, as the username and password is
the same one as they used to log into their machine.

One the server machine (where IDS 11 is running), in that user's home
directory you have to create a file .rhosts in which you mention the
name of the client machine from where the users will connect.

Also I am not sure how dbaccess is prompting for user name/password.
AFAIK dbaccess does not prompt. You will get error from the database
if you don't have appropriate permission.

try this
create a file test.sql with some dummy statement
like
database sysmaster;
select 1 from systables where tabid = 1 ;

run it
$ dbaccess - test

dbaccess should not prompt for password. It will fail unless you
create the trust relationship between the client and the server
via that .rhosts file I described above.

_______________________________________________
Informix-list mailing list
Informix-list (AT) iiug (DOT) org
http://www.iiug.org/mailman/listinfo/informix-list

__________________________________________________ _______________
Get the power of Windows + Web with the new Windows Live.
http://www.windowslive.com?ocid=TXT_... ndows_122007

Look at the "trusted host" facility of Linux.

--
Neil Truby t:01932 724027
Director m:07798 811708
Ardenta Limited e:neil.truby (AT) ardenta (DOT) com


<skurlander (AT) yahoo (DOT) com> wrote

Quote:

Hi,

Our site is running Informix Dynamic Server 11 on Linux. Currently,
when connecting to a server using dbaccess the user is prompted for
his user name and password. What options are available so providing a
user name and password is unnecessary, as the username and password is
the same one as they used to log into their machine.

Thanks,
Steve

First .rhosts is user controlled and you as a system administrator lose control of securing your system.

As to having the same password, you could have a central authentication system like OLAP since the Unix/Linux systems support PAM, you can us a commonauthentication system.

You don't see the danger cause you're not a sysadmin. But as a DBA you do see the dangers of IDS on raid 5 right?

This is worst because is a potential security hole.

An additional way to authenticate IDS is to use PAM to have the engine authenticate via a look back at IDS. So you can create virtual accounts.
But thats a different story... ;-)

Quote:

Date: Wed, 19 Dec 2007 19:43:24 -0500> From: dcruncher4 (AT) aim (DOT) com> To: im_gumby (AT) hotmail (DOT) com> CC: informix-list (AT) iiug (DOT) org> Subject: Re: suppressing username and password prompts in dbaccess> > My reply was to how to get dbaccess working without password.> We don't even know whether he is asking about dev or production> machine.> > Also how smart is to keep the same password in the client> and the server machine. I don't see it as any less of a threat> than creating .rhosts file.> > > Ian Michael Gumby wrote:> > Geez!> > >> How many times does it take before the message sinks in.> > > > .rhosts BAD. VERY BAD.> > BAD IDEA FROM THE START.> > > > You should NEVER, EVER LET YOUR USERS use .rhosts since it effectively > > allows them to say that Machine A is a safe and trustworthy machine.> > > > Not a problem if MachineA is sitting next to your server in the machine > > room.> > BIG PROBLEM if Machine A is sitting somewhere well outside your firewall > > and outsideof your control.> > > > Since most DBAs are NOT system administrators, talk to your system > > administrators and see what they say.> > > > Hosts.equiv is controlled by your system administrator (root access). > > You shoulduse this only for machines that are truly equivalent.> > (Like machine A load balances for machine B ...)> > > > Think of this as being much worse than running your IDS engine on a RAID > > 5 system.> > > > If I were your system administrator and you did this on one of my > > systems? I'd consider it a terminating offense. One where the use of a > > firing squad is a formof mercy.> > Please be paranoid. We don't want to see another TJX situation on an IDS > > platform now do we? (TJX was running Oracle. ;-)> > > > -G>> PS. Yes, I was at one time a BOFH ;-)> > > > > > > From: dcruncher4 (AT) aim (DOT) com> > > Subject: Re: suppressing username and password prompts in dbaccess> > > Date: Wed, 19 Dec 2007 10:48:15 -0800> > > To: informix-list (AT) iiug (DOT) org> > >> > > In article > > <e89947bf-d9fc-4f33-9ef4-dacf60193a7a (AT) v4g2000hsf (DOT) googlegroups.com>,> > > skurlander (AT) yahoo (DOT) com says...> > > >> > > >Hi,> > > >> > > >Our site is running Informix Dynamic Server 11 on Linux. Currently,> > > >when connecting to a server using dbaccess the user is prompted for>> > >his user name and password. What options are available so providing a> > > >user name and password is unnecessary, as the username and password is> > > >the same one as they used to log into their machine.> > >> > > Onethe server machine (where IDS 11 is running), in that user's home> > > directory you have to create a file .rhosts in which you mention the> > > nameof the client machine from where the users will connect.> > >> > > Also I am not sure how dbaccess is prompting for user name/password.> > > AFAIK dbaccess does not prompt. You will get error from the database> > > if you don't have appropriate permission.> > >> > > try this> > > create a file test..sql with some dummy statement> > > like> > > database sysmaster;> > > select 1 from systables where tabid = 1 ;> > >> > > run it> > > $ dbaccess - test> > >> > > dbaccess should not prompt for password. It will fail unlessyou> > > create the trust relationship between the client and the server> > > via that .rhosts file I described above.> > >> > > _______________________________________________> > > Informix-list mailing list> > > Informix-list (AT) iiug (DOT) org> > > http://www.iiug.org/mailman/listinfo/informix-list> > > >------------------------------------------------------------------------> > Get the power of Windows + Web with the new Windows Live. Get it now! > ><http://www.windowslive.com?ocid=TXT_TAGHM_Wave2_powerofwi ndows_122007>=
__________________________________________________ _______________

Don't get caught with egg on your face. Play Chicktionary!
http://club.live.com/chicktionary.as...mtextlink1_dec

On 19 ÄÅË, 16:47, skurlan... (AT) yahoo (DOT) com wrote:

Quote:

Hi,

Our site is running Informix Dynamic Server 11 on Linux. šCurrently,
when connecting to a server using dbaccess the user is prompted for
his user name and password. šWhat options are available so providing a
user name and password is unnecessary, as the username and password is
the same one as they used to log into their machine.

It may be interesting for you information from Informix docs (dbacces
guide).

===========
You can use the CONNECT... USER syntax in SQL statements that you
issue in
interactive mode. However, DB-Access does not support the USER clause
of
the CONNECT statement when you connect to a default database server.

- Connecting in Interactive Non-Menu Mode
When you include the USER 'user identifier' clause in a CONNECT
statement in
interactive mode, DB-Access prompts you to enter a password. You can
either
enter a user identifier or press the RETURN key. If you enter a user
identifier,
follow the syntax guidelines described in IBM Informix Guide to SQL:
Syntax.
If you enter a password, it does not appear on the screen.
The following two command examples show how to connect to a database
server in interactive mode. The first example uses the CONNECT
statement
without specifying a user identifier.

dbaccess - -

Quote:

connect to '@starfish';
Connected.

If you include the USER clause in a CONNECT statement, as the second
example shows, DB-Access uses echo suppression to prompt you for a
password:

Quote:

connect to '@starfish' user 'marae';
ENTER PASSWORD:

Connected.

- Connecting with a File or Shell File in Background Mode
You can execute the USER clause of a CONNECT statement in a DB-Access
file
that includes the USER clause. The following example uses a command
file
that contains a CONNECT statement with a USING clause to connect to a
database server:

dbaccess - connfile.sql

Important: An SQL command file that contains the statement
CONNECT USER user_id USING password
should be protected from access by anyone other than the user_id that
the USER clause identifies.

The following example uses a shell file to connect to a database
server.
DB-Access prompts you for a password.
dbaccess - - <<\!
connect to '@starfish' user 'marae';
!
ENTER PASSWORD:
================
Basil