Re: [foxboro] disabling sets

  • From: Corey R Clingo <corey.clingo@xxxxxxxx>
  • To: foxboro@xxxxxxxxxxxxx
  • Date: Mon, 29 Mar 2010 18:21:22 -0500

With OpenSSH, you can enforce running only a single command on login on 
the *server* side; this is what we have done to prevent people from 
getting any kind of shell access.  The good part about this is that you, 
as a DCS admin, can control this irrespective of any IT anything.  We did 
have to get a patch from Hummingbird/Opentext to make this work with 
Exceed on Demand, as EoD by default insisted on running some kind of 
command -- which the OpenSSH server, when configured this way, rightly 
rejected.

I'm not sure if you can pass arguments to said command; we don't need to 
in our installation.


We disable omsets in the /usr/fox/wp/data/[wp51|am]_cmds files based on 
criteria determined by logic in the login script.


However, anyone with graphics building access and sufficient knowledge can 
create a back door.  If you build all the graphics, you control that too, 
but it's something to think about.


Corey Clingo
BASF Corp.





"Brown, Stanley" <stan.brown@xxxxxxxxxxxxxxxxx>
Sent by: foxboro-bounce@xxxxxxxxxxxxx
03/29/2010 08:06 AM
Please respond to: foxboro@xxxxxxxxxxxxx
To: "foxboro@xxxxxxxxxxxxx" <foxboro@xxxxxxxxxxxxx>
Subject: Re: [foxboro] disabling sets






Good point.

What I am planning to do is have the IT supplied terminal server connect 
using ssh running a specific script. This is the direct analog of "rsh 
script". I do not expect the user to ever see a prompt for this. Once this 
script has been run, then the terminal server will run VNC to connect to 
the appropriate connection. One of the reasons for this is because, since 
the connection is from a terminal server, all the connections come from the 
same IP address.

The person working on this from the IT side assures me he can pass as an 
argument to this script, what I will call, a session number. Thus I can 
have VNC run on the appropriate point.

So, it looks like I can just have this script run the appropriate shell 
command to disable omsets, right?
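
Added example (not part of either post, and not the site's own script): a wrapper for the OpenSSH forced-command setup described in the reply, which also covers the session-number argument raised in the quoted message. sshd places the command line the client requested in the SSH_ORIGINAL_COMMAND environment variable, so the wrapper accepts it only when it is a bare number. The user name, wrapper path, MAX_SESSION limit and the placeholder action are assumptions.

```shell
#!/bin/sh
# Added example: wrapper to install as an OpenSSH forced command.
# Server-side setup, either form (user name and path are hypothetical):
#   sshd_config:      Match User wpuser
#                         ForceCommand /usr/local/bin/session-wrapper
#   authorized_keys:  command="/usr/local/bin/session-wrapper" ssh-rsa AAAA...
# sshd runs the forced command instead of whatever the client asked for and
# places the client's requested command line in SSH_ORIGINAL_COMMAND.

MAX_SESSION=16   # assumed upper bound on session numbers

# Print the session number if the request is exactly one decimal number in
# 1..MAX_SESSION; otherwise print nothing and return 1.
session_from_request() {
    req=$1
    case $req in
        ''|*[!0-9]*) return 1 ;;      # empty, or anything besides digits
    esac
    [ "${#req}" -le 4 ] || return 1   # keep the numeric comparison in range
    # Strip leading zeros so "007" is treated as 7.
    while [ "${#req}" -gt 1 ] && [ "${req#0}" != "$req" ]; do req=${req#0}; done
    [ "$req" -ge 1 ] && [ "$req" -le "$MAX_SESSION" ] || return 1
    printf '%s\n' "$req"
}

# What the forced command does on login: validate, then act on the number.
handle_login() {
    n=$(session_from_request "${SSH_ORIGINAL_COMMAND:-}") || {
        echo "request rejected" >&2
        return 1
    }
    echo "would start session script for session $n"   # placeholder action
}

# Constructed sample requests, as sent by: ssh host '<request>'
demo() {
    for req in '3' '007' '' '3; /bin/sh' '$(id)' '17' '-1'; do
        if n=$(session_from_request "$req"); then
            echo "accept [$req] -> session $n"
        else
            echo "reject [$req]"
        fi
    done
}

demo   # in a real install, call handle_login here instead
```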


 



 
 