Hi T.Rob,
Thanks very much - as usual! I was poring through the Intercommunication manual so
much that I forgot all about the Clients one.
Ok - if the answer is NO then so be it and for Java, yes I know but it's only really
to stop people creating local versions of system accounts and connecting with those.
But I am still a little confused by some of this. In the MQ Clients manual it says:
For clients on UNIX systems, Windows 2000, Windows NT, and Windows
XP, the user ID that is passed to the server is the currently logged-on user ID
on the client. In addition, a client on Windows 2000, Windows NT, or
Windows XP passes the security ID of the currently logged-on user.
This suggests to me that something other than the userid alone is being passed somehow
for WinNT/2000/XP clients. If this is the SID then maybe I could use that (from
Unix???). Also from the Clients manual:
If the WebSphere MQ client is on Windows 2000, Windows NT, or Windows XP,
and the WebSphere MQ server is also on one of these platforms and has access to
the domain on which the client user ID is defined, WebSphere MQ supports user
IDs of up to 20 characters.
:
On all other platforms and configurations, the maximum length for user IDs is 12
characters.
Now if the Channel agent doesn't receive the Windows user's domain, how does it know
whether or not it has access to the client's domain to determine how many characters
the userid can be?
Cheers,
Paul
-----Original Message-----
From: MQSeries List [mailto:[EMAIL PROTECTED] Behalf Of Wyatt,
T Rob
Sent: 22 September 2004 17:22
To: [EMAIL PROTECTED]
Subject: Re: Full userid in channel exits
Paul,
Short answer...no. For the detailed answer, go here:
http://publibfp.boulder.ibm.com/epubs/html/csqzaf07/csqzaf071l.htm#Header_331
Basically, this section boils down to this - you can pass the ID as [EMAIL PROTECTED]
only by using environment variables. The hitch is that if a connection originates
from a Win2k, NT or XP client, IDs in this format are rejected. Presumably this is to
enforce validation by the OS on Win platforms where strong domain authentication is
supported.
Also, the ID does not necessarily need to be a local account or a locally logged on
user. The ID presented will be checked against the local SAM database, primary domain
or, lastly, any trusted domains. You just don't know which one is matched, if any.
And duplicate account names in different domains resolve on a first-matched basis so
you may get different results depending on which one matches.
Finally, it is possible for a Java client or one using environment variables to
present any arbitrary ID. So any scheme you come up with for validating IDs is easily
bypassed by an attacker. If your intent is to provide basic authorization among
trusted users, perhaps this is sufficient. If you are guarding against external
attacks, you may want to consider something stronger.
-- T.Rob
-----Original Message-----
From: MQSeries List [mailto:[EMAIL PROTECTED] Behalf Of Meekin,
Paul
Sent: Wednesday, September 22, 2004 9:37 AM
To: [EMAIL PROTECTED]
Subject: Full userid in channel exits
Hi all,
I am writing a channel security exit and would like to be able to determine the
Windows domain as well as the userid of an incoming Svrconn connection. Is this
possible? All of the fields I've seen only contain the userid itself - even the
'LongUserid' type fields.
If this isn't possible, it raises a question about MQ security. Under Windows, the OAM
stores principals in the form domain\userid. But does this mean it only checks the
userid part for client connections? This would seem to greatly reduce the usefulness
of storing the domain since it would only apply to users who are actually logged on
and connecting locally to the QMgr.
Any help or insight would, as ever, be greatly appreciated.
Cheers,
Paul
Instructions for managing your mailing list subscription are provided in
the Listserv General Users Guide available at http://www.lsoft.com
Archive: http://vm.akh-wien.ac.at/MQSeries.archive
Instructions for managing your mailing list subscription are provided in
the Listserv General Users Guide available at http://www.lsoft.com
Archive: http://vm.akh-wien.ac.at/MQSeries.archive
Instructions for managing your mailing list subscription are provided in
the Listserv General Users Guide available at http://www.lsoft.com
Archive: http://vm.akh-wien.ac.at/MQSeries.archive
