It seems like there are some inconsistencies:
REJECT * LOGON
ACCEPT userid LOGONBY
Logonby is rejected.
REJECT * LOGON
ACCEPT userid AUTOLOG (NOPASS
An autolog is accepted.
It would seem to me that all are rules governing how a logon attempt is
to be treated. If it makes sense to reject the LOGONBY, then it also
makes sense to reject the AUTOLOG. That is especially true since there
is AUTOONLY as a password that can be used to prevent someone from
logging on to the id. Since they all attempt to control some aspect of
the decision whether to accept or reject a log on, they all ought to be
considered when evaluating the rules.
It would have been more consistent to also say, "If you want to keep
that user from being logged on unless it is by AUTOLOG, use AUTOONLY."
Of course, I prefer the other road to consistency.
Regards,
Richard Schuh
________________________________
From: The IBM z/VM Operating System
[mailto:[email protected]] On Behalf Of Demeritt, Yvonne
Sent: Thursday, March 05, 2009 11:29 AM
To: [email protected]
Subject: Re: Using LBYONLY
Yep, Dennis is correct. The documentation shows a REJECT LINK
and ACCEPT LINK, same command.
LOGON and LOGONBY are evaluated separately.
What would work is:
REJECT * LOGONBY
ACCEPT someuser LOGONBY
If you want to keep that user from being logged on to unless it
is a logonby, use LBYONLY.
Yvonne
Yvonne DeMeritt
CA
[email protected]
From: The IBM z/VM Operating System
[mailto:[email protected]] On Behalf Of O'Brien, Dennis L
Sent: Wednesday, March 04, 2009 1:25 PM
To: [email protected]
Subject: Re: Using LBYONLY
Shimon,
What release of VM:Secure are you running? In r2.8 G0808, it
definitely doesn't work. I tested before I posted. You're assuming
that LOGON and LOGONBY rules are evaluated together to determine the
most specific rule. That's not how it works. LOGON rules are evaluated
first. If the userid cannot be logged onto, LOGONBY rules are
irrelevant.
Dennis O'Brien
39,556
________________________________
From: The IBM z/VM Operating System
[mailto:[email protected]] On Behalf Of Shimon Lebowitz
Sent: Wednesday, March 04, 2009 02:14
To: [email protected]
Subject: Re: [IBMVM] Using LBYONLY
I am sorry, but that set of rules WILL work in VM:Secure.
To quote the Rules Manual:
<quote>
When two or more rules in a file govern a particular access request,
VM:Secure establishes an order of preference based on how precisely
the requester is specified.
In order of preference, a rule is chosen that indicates:
1. A specific user ID as requester
2. A specific group as requester
3. An asterisk (*) as requester; this indicates all user IDs
</quote>
So, when someone NOT mentioned in the specific ACCEPT
rule tries to logonby, the REJECT * LOGON catches them.
But if the user specified in the accept attempts it, the ACCEPT
rule is more specific and will allow the logonby.
In fact, the manual gives an example just like Richard's rules,
except that it is dealing with LINK requests:
REJECT * LINK 191 RR
ACCEPT FRAISERC LINK 191 RR
Shimon
> Richard Schuh wrote:
> > And with VM:Secure, you can accomplish the same effect by using the
> > Rules Facility. With the following rules, the actual password is
> > immaterial:
> >
> > REJECT * LOGON
> > ACCEPT userx LOGONBY
>
> That doesn't work. The REJECT * LOGON rule takes precedence, and you
> don't even get a chance to enter your password for LOGONBY. Set the
> password to LBYONLY and create ACCEPT xxx LOGONBY rules for the userids
> you want to log on. That's all you need. If you don't have VM:Secure
> or another external security manager, then set the password to LBYONLY
> and add LOGONBY statements to the directory.
>
> Dennis O'Brien
>
> 39,556
--
************************************************************************
Shimon Lebowitz mailto:[email protected]
VM System Programmer
Israel Police National HQ.
Jerusalem, Israel phone: +972 2 542-9877 fax: 542-9308
************************************************************************
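Added example, not written by any participant in this thread and not VM:Secure code: a small Python model of the rule evaluation the thread describes, so the three rule sets above can be compared side by side. It follows Dennis and Yvonne (LOGON rules are evaluated first, LOGONBY rules separately, and a LOGON reject makes the LOGONBY rules irrelevant), the specificity ordering from the manual text Shimon quoted (specific user ID, then group, then asterisk), and Richard's observation that an ACCEPT ... AUTOLOG rule is honoured under REJECT * LOGON. The `group:NAME` requester spelling, the sample group membership, and the treatment of "no matching rule" as falling through to the ordinary password check are assumptions of the model, not VM:Secure syntax or documented behaviour.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    action: str      # "ACCEPT" or "REJECT"
    requester: str   # user ID, "group:NAME" (modelling convention, not VM:Secure syntax), or "*"
    command: str     # "LOGON", "LOGONBY", "AUTOLOG", "LINK 191 RR", ...


# Constructed sample group membership (assumption of the model).
GROUPS = {"OPERS": {"OPERATOR", "MAINT"}}

# Rule sets quoted in the thread, plus one constructed set to show group ranking.
RULES_RICHARD_1 = "REJECT * LOGON\nACCEPT userx LOGONBY"
RULES_RICHARD_2 = "REJECT * LOGON\nACCEPT userid AUTOLOG (NOPASS"
RULES_YVONNE = "REJECT * LOGONBY\nACCEPT someuser LOGONBY"
RULES_MANUAL_LINK = "REJECT * LINK 191 RR\nACCEPT FRAISERC LINK 191 RR"
RULES_GROUP_DEMO = "REJECT * LOGON\nACCEPT group:OPERS LOGON\nREJECT MAINT LOGON"


def parse_rules(text):
    """Parse 'ACCEPT|REJECT requester command...' lines; tokens from '(' on are options."""
    rules = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        command = []
        for token in parts[2:]:
            if token.startswith("("):
                break          # option list such as (NOPASS is not part of the command
            command.append(token.upper())
        rules.append(Rule(parts[0].upper(), parts[1], " ".join(command)))
    return rules


def specificity(rule, userid):
    """Rank a rule for this requester per the quoted manual text (lower is more specific):
    0 = specific user ID, 1 = group the user belongs to, 2 = asterisk. None = no match."""
    if rule.requester == "*":
        return 2
    if rule.requester.startswith("group:"):
        return 1 if userid.upper() in GROUPS.get(rule.requester[6:].upper(), set()) else None
    return 0 if rule.requester.upper() == userid.upper() else None


def decide(rules, userid, command):
    """Return the action of the most specific rule governing userid+command, or None when no
    rule applies (model assumption: the request then falls through to the password check)."""
    matches = []
    for rule in rules:
        if rule.command != command.upper():
            continue
        rank = specificity(rule, userid)
        if rank is not None:
            matches.append((rank, rule))
    if not matches:
        return None
    return min(matches, key=lambda m: m[0])[1].action


def rules_permit(rules, userid, method="LOGON"):
    """True when the rules do not reject a LOGON, LOGONBY or AUTOLOG attempt on userid.
    LOGON rules are evaluated first; a REJECT there makes LOGONBY rules irrelevant.
    AUTOLOG is evaluated on its own, reproducing the behaviour Richard reports."""
    method = method.upper()
    if method == "AUTOLOG":
        return decide(rules, userid, "AUTOLOG") != "REJECT"
    if decide(rules, userid, "LOGON") == "REJECT":
        return False
    if method == "LOGON":
        return True
    return decide(rules, userid, "LOGONBY") != "REJECT"


if __name__ == "__main__":
    cases = [
        ("Richard set 1", RULES_RICHARD_1, "userx", "LOGONBY"),
        ("Richard set 2", RULES_RICHARD_2, "userid", "AUTOLOG"),
        ("Yvonne set", RULES_YVONNE, "someuser", "LOGONBY"),
        ("Yvonne set", RULES_YVONNE, "other", "LOGONBY"),
        ("Group demo", RULES_GROUP_DEMO, "OPERATOR", "LOGON"),
        ("Group demo", RULES_GROUP_DEMO, "MAINT", "LOGON"),
    ]
    for name, text, user, method in cases:
        verdict = "permitted" if rules_permit(parse_rules(text), user, method) else "rejected"
        print(f"{name:14} {user:9} {method:8} -> {verdict}")
    link = parse_rules(RULES_MANUAL_LINK)
    print("manual LINK example: FRAISERC ->", decide(link, "FRAISERC", "LINK 191 RR"),
          "/ OTHER ->", decide(link, "OTHER", "LINK 191 RR"))
```

Running it shows the point of the thread: under REJECT * LOGON the ACCEPT userx LOGONBY rule never gets a chance, while REJECT * LOGONBY plus ACCEPT someuser LOGONBY admits someuser and nobody else, and the manual's LINK example resolves by specificity exactly as quoted.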