[Info-vax] What would you miss if DECnet got the chop? Was: "bad select 38" (OpenSSL on VMS)
Scott Dorsey
kludge at panix.com
Mon Sep 19 12:15:56 EDT 2016
Kerry Main <kemain.nospam at gmail.com> wrote:
>I was doing large DC migration last year where the mission
>critical OS was Solaris (some Windows, Linux). They had a huge
>amount of batch jobs (thousands per day) using a commercial
>scheduler (forget which one).
>
>They were constantly transferring files all over the place
>internally for maint, archiving, reporting and likely a host of
>other reasons via sftp. The sftp pwds were maintained inside the
>batch jobs. There were a number of different application support
>groups, so changes had to be coordinated between groups.
>
>They had security policies in place which stated pwds needed to
>change something like every 120 days. It was a horrendous mess as
>they had to go into all of their batch jobs to fix passwords and
>then coordinate with impacted groups on other systems.
This is incredibly boneheaded. sftp has public key stuff built into it
to allow this sort of thing to be done transparently without any need to
have passwords in a file.
The people responsible for this should be taken out and shot. This
violates so many common sense security rules it's not funny, and in
the end it makes things less convenient rather than more.
>While I am sure there must be cleaner ways to do this, there were
>just so many jobs and different groups that, even today, this is
>their reality using TCPIP internally.
Sounds to me like your customer needs to hire someone who actually
knows about TCP/IP, and fast. Before they get compromised, hopefully.
>Point being is that even if it is internal use only, the DECnet
>proxy access is not something to be simply thrown away.
I assure you that the same incompetent morons who put passwords in files
for sftp would be doing it for decnet as well.
--scott
--
"C'est un Nagra. C'est suisse, et tres, tres precis."
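As an added example, not code from the post or the list, here is the key-based sftp pattern Scott refers to, written as a POSIX shell script: a dedicated batch key confined to sftp by an authorized_keys entry, the non-interactive sftp invocation a job should use, and a scan that flags job scripts still carrying a password. The account `batchuser`, the host `archive.example.internal`, the paths under `/etc/batch/`, and the two sample job scripts are assumptions constructed for the example; the `restrict` and `command="internal-sftp"` authorized_keys options are OpenSSH's.

```shell
#!/bin/sh
# Added example, not code from the original post: key-based sftp for batch
# jobs plus a scan for passwords left inside job scripts. User, host and
# paths below are assumptions made up for illustration.
set -eu

# Build the authorized_keys line for a dedicated batch key. "restrict" turns
# off port/agent/X11 forwarding and pty allocation; command="internal-sftp"
# confines the key to file transfer, so a leaked key yields no shell.
# $1 is a public key line as ssh-keygen writes it into the .pub file.
restricted_authorized_keys_entry() {
    printf 'restrict,command="internal-sftp" %s\n' "$1"
}

# Print the sftp invocation a batch job should use. -b runs the commands in
# the batch file and aborts on the first failure, -i selects the batch key,
# BatchMode=yes never prompts (a missing key fails the job instead of hanging),
# StrictHostKeyChecking=yes refuses hosts not already in known_hosts.
# $1 batch file, $2 private key path, $3 remote user, $4 remote host.
sftp_batch_invocation() {
    printf 'sftp -b %s -i %s -o BatchMode=yes -o StrictHostKeyChecking=yes %s@%s\n' \
        "$1" "$2" "$3" "$4"
}

# Scan a directory of job scripts for the usual ways a password ends up in
# a file: sshpass -p, lftp -u user,password, or an SFTP_PASS= assignment.
# Prints file:line:text for each hit; returns 1 if any were found, else 0.
find_embedded_sftp_passwords() {
    hits=$(grep -rnE 'sshpass[[:space:]]+-p|lftp[[:space:]]+-u[[:space:]]+[^[:space:]]*,|SFTP_PASS(WORD)?=' "$1" || true)
    if [ -n "$hits" ]; then
        printf '%s\n' "$hits"
        return 1
    fi
    return 0
}

# Write two constructed job scripts into $1: one with an embedded password
# (the anti-pattern from the post) and one using the key-based invocation.
write_sample_jobs() {
    cat >"$1/nightly_archive_bad.sh" <<'EOF'
#!/bin/sh
# constructed sample: password embedded in the job
sshpass -p 'Summer2016!' sftp batchuser@archive.example.internal <<'CMDS'
put /var/reports/daily.csv /archive/
CMDS
EOF
    cat >"$1/nightly_archive_good.sh" <<'EOF'
#!/bin/sh
# constructed sample: key-based, no secret in the file
sftp -b /etc/batch/archive.sftp -i /etc/batch/keys/archive_ed25519 \
    -o BatchMode=yes -o StrictHostKeyChecking=yes batchuser@archive.example.internal
EOF
}

demo() {
    work=$(mktemp -d)
    write_sample_jobs "$work"
    if find_embedded_sftp_passwords "$work"; then
        echo "no embedded passwords found"
    else
        echo "embedded passwords found above; move those jobs to key auth"
    fi
    # Generate the dedicated batch key when ssh-keygen is present. No
    # passphrase, because the job runs unattended; the key file is protected
    # by ownership and mode instead, and the server-side entry limits its use.
    if command -v ssh-keygen >/dev/null 2>&1; then
        ssh-keygen -q -t ed25519 -N '' -C 'batch-archive' -f "$work/archive_ed25519"
        echo "server-side authorized_keys entry for batchuser:"
        restricted_authorized_keys_entry "$(cat "$work/archive_ed25519.pub")"
    fi
    echo "job-side command:"
    sftp_batch_invocation /etc/batch/archive.sftp /etc/batch/keys/archive_ed25519 \
        batchuser archive.example.internal
    rm -rf "$work"
}
demo
```

Rotating the key then means replacing one authorized_keys line on the server and one file under the batch account, with nothing to edit inside the jobs themselves, which is the coordination problem the quoted site was fighting.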