Location-based Security
When a user makes a connection, his or her location is identified by a Physical Location Identifier (PLId) which is a function of the method of connection used and the location of the user. The user can read, but not set, the PLId.
Note that when you use DDA for connection to another host, the current PLId is passed to the called host. If you use a character circuit, however, a new PLId is assigned.
PLId Format
A PLId can have any of the following formats:
CHAR-Address-Port
This form is used for character circuit connections. On OSI circuits, Address is the calling NSAP and Port is the calling TSAP. On TCP/IP circuits, Address is the calling IP address and Port is the calling port identifier.
Example: CHAR-49000100112233445501-0203
CHAR2-Address-Port
This form is used for character mode connections to a type 2 listening entry - that is, one that uses the called TSAP instead of the calling TSAP. Type 2 listening entries are used for connection via non-NEC terminal servers that do not associate a TSAP with each physical port.
On OSI circuits, Address is the calling NSAP and Port is the called TSAP. On TCP/IP circuits, Address is the calling IP address and Port is the called port identifier specified in the ROUTE-FILE listening entry.
Example: CHAR2-152.114.132.39-1100
INET-DecimalAddress-Port
This form is used for telnet connections that use location-based security. DecimalAddress is the IP address (in decimal) and Port is the port or session number.
Example: INET-152.114.132.39-1100
INET-HexAddress-Session
This form is used for DDA connections from PCs via TCP. HexAddress is the caller's IP address (in hexadecimal) and Session is the PC session number.
Example: INET-98.72.0C.0C-2
A similar form is used for connections via the telnet LBS daemon.
MPS-Address-Port
This form is used for connections initiated from a Multi-protocol Server (MPS). Address is the Ethernet address of the server and Port is the port number on that server.
Example: MPS-001122334455-0005
NETX-Address
This form is used for connections through a NetworkX node configured to convert OSI transport class 3 to transport class 4, and to include the X.25 calling address in the call user data of the connect request. Address is the X.25 calling address in SPAG Y/13 format.
Example: NETX-1442987654
NT-SerialNo-Session
This form is used for telnet sessions to a Windows system. SerialNo is the called system’s serial number and Session is the session number.
Note that the session number is allocated dynamically at logon and may therefore be different each time a user logs on.
Example: NT-123456-6
PLAN-SerialNo-Port
This form is used for Series 18/19 PLAN connected terminals. SerialNo is the serial number of the Series 18/19 system and Port is the PLAN port number.
Example: PLAN-004000-0012
SLAN-Address-Port
This form is used for:
- Connections via an S-LAN network. In this case, Port is the port number on the Series 19 system. Example: SLAN-56A9D3EE6B27-0426
- OSI connections from PCs. In this case, Port is the PC session number. Example: SLAN-0020AF49EA43-0001
In both cases, Address is the Ethernet address of the caller.
TNET-Location
This form is used for connections via the telnet LBS daemon.
TSRV-Address-Port
This form is used for connections initiated from a Multi-protocol Terminal Server (MPTS). Address is the Ethernet address of the server and Port is the port number on that server.
Example: TSRV-008023050587-0008
TYM-Node-Host-Port
This form is used for an incoming call from a TYMNET network. Node is the Tymnet node identifier, Host is the host number and Port is the port number.
Example: TYM-309951-0033-0078
UNET-SerialNo-Name
This form is used for Reality-initiated processes connected to a network terminal (that is, using START-NET-PRT [RealityX 3.1 only] or NET-LOGON). SerialNo is the calling system’s UNIX serial number and Name is the name of the ROUTE-FILE entry on that system.
Example: UNET-200433-support.port11
UNIX-SerialNo
This form is used for daemon processes which do not already have a PLId, if the environment variable UC_PROCPLID is not set or has the value 0. SerialNo is the calling system’s UNIX serial number.
If a unique PLId is required, the environment variable UC_PROCPLID can be set to 1; a PLId with the form UPROC-SerialNo-Process will then be generated.
Example: UNIX-123456
UNIX-SerialNo-Port
This form is used for directly connected terminals and telnet sessions connected via the standard telnet daemon. SerialNo is the called system’s UNIX serial number and Port is the tty port number.
Note that for telnet connections the tty port number is allocated dynamically at logon and may therefore be different each time a user logs on.
Example: UNIX-123456-tty06
UNIX-SerialNo-rtSsPp
This form is used for terminals connected via an annex terminal server using the proprietary call protocol. SerialNo is the calling system’s UNIX serial number, Ss denotes the terminal server number and Pp the port on the terminal server.
Example: UNIX-123456-rt0102
UPROC-SerialNo-Process
If the environment variable UC_PROCPLID has the value 1, daemon processes that do not already have a PLId (no REALPLID environment variable) will have PLIds in this format. SerialNo is the calling system's UNIX serial number, and Process is the UNIX process id. Because a process id is reused once the process exits, this form identifies a process, not a fixed location.
Example: UPROC-123456-3751
X25-Address
This form is used for X.25 PAD connections. Address is the X.121 address of the calling PAD.
Example: X25-03323674900234
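The forms above are easy to confuse by eye, and two of them (INET in hexadecimal and INET in decimal) carry the same address in different bases. The following parser is an added example, not code from the Reality documentation or product: it recognises every documented form, normalises the hexadecimal INET address to dotted decimal so the two INET variants compare equal, and flags forms whose last field is allocated per logon (NT sessions, UPROC process ids, and telnet tty numbers) and therefore cannot pin a physical location. The hex-versus-decimal rule, the `stable` classification and all function names are this example's own assumptions; the sample values are the ones listed above.

```python
"""Parse Reality PLId strings into their named fields.

Added example; not code from the Reality documentation or product. The
forms, field names and sample values are those documented for PLIds. The
hex-to-decimal normalisation of INET addresses and the 'stable' flag are
this example's own additions and assumptions.
"""
import re

# One pattern per documented form; group names follow the documented field names.
_PATTERNS = {
    "CHAR2": r"CHAR2-(?P<address>[^-]+)-(?P<port>[^-]+)",
    "CHAR":  r"CHAR-(?P<address>[^-]+)-(?P<port>[^-]+)",
    "INET":  r"INET-(?P<address>[0-9A-Fa-f.]+)-(?P<port>\d+)",
    "MPS":   r"MPS-(?P<address>[0-9A-Fa-f]{12})-(?P<port>\d+)",
    "NETX":  r"NETX-(?P<address>\d+)",
    "NT":    r"NT-(?P<serialno>\d+)-(?P<session>\d+)",
    "PLAN":  r"PLAN-(?P<serialno>\d+)-(?P<port>\d+)",
    "SLAN":  r"SLAN-(?P<address>[0-9A-Fa-f]{12})-(?P<port>\d+)",
    "TNET":  r"TNET-(?P<location>.+)",
    "TSRV":  r"TSRV-(?P<address>[0-9A-Fa-f]{12})-(?P<port>\d+)",
    "TYM":   r"TYM-(?P<node>\d+)-(?P<host>\d+)-(?P<port>\d+)",
    "UNET":  r"UNET-(?P<serialno>\d+)-(?P<name>.+)",
    "UPROC": r"UPROC-(?P<serialno>\d+)-(?P<process>\d+)",
    "UNIX":  r"UNIX-(?P<serialno>\d+)(?:-(?P<port>.+))?",
    "X25":   r"X25-(?P<address>\d+)",
}


def _inet_to_dotted_decimal(address):
    """Normalise an INET address field to dotted decimal.

    DDA-from-PC and LBS Mode 1 PLIds carry four two-digit hex octets
    (98.72.0C.0C); LBS Mode 2 carries plain decimal. A value such as
    12.34.56.78 is ambiguous. Assumption used here: treat the field as hex
    only when some octet cannot be a plain decimal octet (contains a letter
    or has a leading zero); otherwise treat it as decimal.
    """
    octets = address.split(".")
    if len(octets) != 4:
        raise ValueError("INET address must have four octets: %r" % address)
    looks_hex = any(re.search(r"[A-Fa-f]", o) or (len(o) == 2 and o[0] == "0")
                    for o in octets)
    values = [int(o, 16 if looks_hex else 10) for o in octets]
    if any(v > 255 for v in values):
        raise ValueError("octet out of range in %r" % address)
    return ".".join(str(v) for v in values)


def _is_stable(form, fields):
    """Whether the PLId pins a fixed physical location across logons.

    NT session numbers and the tty numbers of telnet sessions through the
    standard telnet daemon are allocated dynamically at logon, and a UNIX
    process id is reused. A UNIX-SerialNo-ttyNN PLId is stable only for a
    directly connected terminal, which the string itself cannot reveal, so
    that case is reported as None (unknown) rather than True or False.
    """
    if form in ("NT", "UPROC"):
        return False
    if form == "UNIX":
        port = fields.get("port")
        if port is None:
            return False            # UNIX-SerialNo: a process, not a location
        if port.startswith("rt"):
            return True             # annex terminal server number and port
        return None                 # tty: direct terminal or dynamic telnet tty
    return True


def parse_plid(plid):
    """Return a dict with 'form', the documented fields and 'stable'.

    INET PLIds also get an 'ip' key holding the dotted-decimal address.
    Raises ValueError for strings that match no documented form (for
    example a user-defined REALPLIDFORMAT PLId such as PORT-35).
    """
    for form, pattern in _PATTERNS.items():
        m = re.fullmatch(pattern, plid)
        if m:
            fields = {k: v for k, v in m.groupdict().items() if v is not None}
            result = {"form": form, **fields}
            if form == "INET":
                result["ip"] = _inet_to_dotted_decimal(fields["address"])
            result["stable"] = _is_stable(form, fields)
            return result
    raise ValueError("unrecognised PLId: %r" % plid)


if __name__ == "__main__":
    for sample in ("INET-98.72.0C.0C-2", "UNIX-123456-tty06", "TYM-309951-0033-0078"):
        print(sample, "->", parse_plid(sample))
```

When writing location-based access rules, match on the normalised `ip` for INET PLIds rather than on the raw address text, and treat any PLId with `stable` other than True as identifying the host or process rather than a physical port.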
User-defined PLId Format
This optional feature (enabled by software key) is intended for use when logging on to Reality via a port specified in the devices file using the OPEN keyword. The format is defined in the host environment variable REALPLIDFORMAT. This can contain literal text and the place-holder %d which, when used, is replaced by the port number. For example, if REALPLIDFORMAT is set to PORT-%d and a user logs onto port 35 (by using the reality command with the -t option), the PLId assigned will be PORT-35.
Note
The %d place-holder is a C language printf format string and can therefore accept flags, width, precision and length parameters. For example, to place the port number in a field five characters wide with leading zeros, use %05d. Refer to the C or C++ language documentation for details of the available options.
Telnet Security
The telnet location based security (LBS) daemon provides location-based security for telnet-connected users.
The telnet LBS daemon has six modes of operation:
Mode 0 Standard telnet operation - a PLId with the following format is assigned:
UNIX-SerialNo-Port
SerialNo is the called system's UNIX serial number and Port is the tty port number. Note that the tty port number is allocated dynamically at logon and may therefore be different each time a user logs on.
Example: UNIX-123456-tty06
Mode 1 The daemon requests that the caller (that is, the remote host, PC or terminal server) performs a telnet SEND-LOCATION. If the caller supports this option, the connection is assigned a PLId based on the location string sent by the caller:
- If the location string consists of an Ethernet address and a port or session number, a PLId is generated with the form TNET-Address-Port, where Address is the Ethernet address and Port is the port or session number.
- If the location string consists of a hexadecimal IP address and a port or session number, a PLId is generated with the form INET-Address-Port, where Address is the IP address (in decimal) and Port is the port or session number.
- If the caller does not support the SEND-LOCATION option, the connection proceeds, but a Mode 0 PLId is assigned.
Mode 2 The PLId assigned to the connection takes the form:
INET-Address-Port
where Address is the caller's IP address and Port is the number of the TCP port to which the connection was made.
This mode should be used for connections via terminal servers that do not associate a port number with each physical port. One TCP port is required for each terminal server port. Note, however, that because each terminal server is uniquely identified by its IP address, the number of TCP ports actually required is the number of ports on the largest terminal server. For example, if your largest terminal server has 16 ports, you will need 16 TCP ports, however many terminal servers you have.
Note
This is similar to the use of OSI Type 2 listening entries.
Mode 3 The daemon attempts to create a Mode 1 PLId but, if the caller does not support SEND-LOCATION, a Mode 2 PLId is assigned.
Mode 10 As for mode 2, except that the port number field of the PLId is the caller's TCP port number. This mode can be used for connections via terminal servers that generate a calling port id that is consistent and related to the physical port being used. It has the advantage that only one TCP port is needed.
Mode 11 As for mode 3, except that, if a Mode 2 PLId is assigned, the port number field of the PLId is the caller's TCP port number, as in Mode 10.
This mode gives the greatest flexibility, in that it can be used for both callers that support SEND-LOCATION, and terminal servers and other callers that do not. Note, however, that, as with Mode 10, a terminal server must generate a calling port id that is consistent and related to the physical port being used.
Any of the above modes can be modified by adding 4 to the mode number - this has the effect of disabling the normal 60-second login timeout.
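The mode table above is a small decision procedure: a base mode, an optional fallback when the caller does not answer SEND-LOCATION, and a +4 variant that only changes the login timeout. The following Python model is an added example and is not the telnetd_lbs program or any code from the Reality documentation; it encodes the mode descriptions above so that the PLId a given caller would receive under each mode can be checked before a listening entry is committed. The `Caller` record, the function names, the assumption that a SEND-LOCATION reply has the shape `Address-Port`, and the sample values are all this example's own.

```python
"""Model which PLId the telnet LBS daemon assigns in each mode.

Added example; not the telnetd_lbs program and not code from the Reality
documentation. Assumptions: a SEND-LOCATION reply is 'Address-Port', with
Address either a 12-hex-digit Ethernet address or four two-digit hex IP
octets; the Caller record and sample values are constructed.
"""
import re
from dataclasses import dataclass
from typing import Optional

LOGIN_TIMEOUT_SECS = 60           # the normal login timeout that +4 disables
BASE_MODES = (0, 1, 2, 3, 10, 11)  # documented base modes


@dataclass
class Caller:
    ip: str                          # caller's IP address, dotted decimal
    calling_port: int                # caller's TCP source port (Mode 10/11)
    called_port: int                 # TCP port on this host (Mode 2/3)
    tty: str                         # tty allocated at logon (Mode 0)
    location: Optional[str] = None   # SEND-LOCATION reply; None = unsupported


def decode_mode(mode):
    """Split a -mMode value into (base_mode, timeout_disabled)."""
    if mode in BASE_MODES:
        return mode, False
    if mode - 4 in BASE_MODES:       # 4,5,6,7,14,15 are base modes plus 4
        return mode - 4, True
    raise ValueError("invalid telnet LBS mode %d" % mode)


def plid_from_location(location):
    """Build the Mode 1 PLId from a SEND-LOCATION reply (assumed 'Address-Port')."""
    parts = location.rsplit("-", 1)
    if len(parts) != 2:
        raise ValueError("location string must be Address-Port: %r" % location)
    address, port = parts
    if re.fullmatch(r"[0-9A-Fa-f]{12}", address):
        return "TNET-%s-%s" % (address, port)
    if re.fullmatch(r"(?:[0-9A-Fa-f]{2}\.){3}[0-9A-Fa-f]{2}", address):
        decimal = ".".join(str(int(o, 16)) for o in address.split("."))
        return "INET-%s-%s" % (decimal, port)   # address is stored in decimal
    raise ValueError("unrecognised location string %r" % location)


def assign_plid(mode, caller, serialno):
    """Return (plid, login_timeout_secs); the timeout is None when disabled."""
    base, no_timeout = decode_mode(mode)
    mode0 = "UNIX-%s-%s" % (serialno, caller.tty)
    mode2 = "INET-%s-%d" % (caller.ip, caller.called_port)
    mode10 = "INET-%s-%d" % (caller.ip, caller.calling_port)
    # Modes 1, 3 and 11 try SEND-LOCATION first and fall back to 0, 2 and 10.
    fallback = {1: mode0, 3: mode2, 11: mode10}
    if base in fallback:
        plid = plid_from_location(caller.location) if caller.location else fallback[base]
    else:
        plid = {0: mode0, 2: mode2, 10: mode10}[base]
    return plid, (None if no_timeout else LOGIN_TIMEOUT_SECS)


if __name__ == "__main__":
    # Constructed callers: one without SEND-LOCATION, two with replies.
    plain = Caller("152.114.132.39", calling_port=1035, called_port=1100, tty="tty06")
    pc = Caller("152.114.12.12", 1040, 1100, "tty07", location="98.72.0C.0C-2")
    for m in (0, 1, 2, 3, 10, 11, 15):
        print("mode %2d  plain: %-28s  pc: %s" % (m, assign_plid(m, plain, "123456")[0],
                                                 assign_plid(m, pc, "123456")[0]))
```

Two of the inputs to this decision are chosen by the caller: the SEND-LOCATION reply (Modes 1, 3, 11) and the TCP source port (Modes 10, 11). The resulting PLId is therefore only as trustworthy as the path between the terminal server and the host; Mode 2 uses only the caller's IP address and the port the host itself listened on, which is why it needs one listening port per terminal server port.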
Configuring Telnet LBS
The telnet LBS daemon must be assigned at least one port in the services file (/etc/services). The following is a typical entry:
telnet_lbs0 1400/tcp # telnet location based security
Notes:
- The telnet LBS daemon is not currently supported on Linux systems with the SELinux security facility enabled. SELinux can be disabled in the file /etc/selinux/config by changing the line SELINUX=enforcing to SELINUX=disabled; the change takes effect at the next reboot. Be aware that this removes mandatory access control for every process on the host, not only for the daemon, so weigh that loss against the benefit of location-based security before doing so.
- All service names must be unique.
- If location-based security is to be provided for callers connecting to the standard telnet port (23), the standard telnet service must be replaced.
- If you are using Mode 2, you will require a TCP port for each terminal server port.
Each new service added to the services file should have a corresponding entry in the inet daemon configuration file (/etc/inetd.conf). These additional entries should follow the format of the telnet service entry except for the fields listed in the following table:
Field | Description | Value
---|---|---
1 | Service name | telnet_lbs0 *
6 | Executable path | /usr/RCS/bin/telnetd_lbs
7 | Server-arguments | telnetd_lbs
8 | Mode (-mMode) | -m1 *
9 | Disable TCP keep-alive (optional) | -k
* Example values.
For example:
telnet_lbs0 stream tcp nowait root /usr/RCS/bin/telnetd_lbs telnetd_lbs -m11
- Field 8 specifies the required mode, in the form -mMode.
- Field 9 is an optional parameter that disables TCP keep-alive. You should specify this option if the connection is likely to be via an ISDN network: a 'quiet' telnet circuit can increase the network charges significantly, because the keep-alive packets constantly force the ISDN circuit to be reconnected.
Note
- All service names must be unique.
- If you are using Mode 2, you will require an entry for each terminal server port.
Whenever you change either the /etc/services or /etc/inetd.conf files, the inet daemon must be re-initialised before the changes will take effect. To do this, ascertain the process id (pid) of the inet daemon by entering the following command:
ps -e | grep inetd | grep -v grep
The first field of the result contains the required process id. You can then re-initialise the daemon by sending it signal 1 (SIGHUP) with the following command:
kill -1 pid
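The two files edited above must agree with each other, and several of the rules in the notes (unique names, one TCP port per Mode 2 terminal server port, a valid -mMode, a matching inetd.conf line for every LBS service) are easy to get wrong by hand before the daemon is re-initialised. The following checker is an added example, not a tool shipped with Reality: it reads the two files, applies those rules, and reports every inconsistency it finds. The sample file contents are constructed and contain deliberate mistakes; the executable path and the valid mode numbers are the ones documented above, while the function names and message texts are this example's own.

```python
"""Cross-check telnet LBS entries in /etc/services against /etc/inetd.conf.

Added example; not a tool from the Reality documentation or product. The
sample file contents are constructed (with deliberate mistakes). The rules
checked are the documented ones: unique service names, one TCP port per
service, a matching inetd.conf line running /usr/RCS/bin/telnetd_lbs with
a valid -mMode, and for Mode 2 at least as many listening services as the
largest terminal server has ports.
"""
import re

TELNETD_LBS = "/usr/RCS/bin/telnetd_lbs"
VALID_MODES = {0, 1, 2, 3, 10, 11, 4, 5, 6, 7, 14, 15}   # base modes and base + 4

# Constructed sample files, not taken from a real system.
SERVICES = """\
telnet        23/tcp
telnet_lbs0 1400/tcp   # telnet location based security
telnet_lbs1 1401/tcp
telnet_lbs2 1401/tcp   # mistake: same port as telnet_lbs1
"""

INETD_CONF = """\
telnet      stream tcp nowait root /usr/sbin/in.telnetd in.telnetd
telnet_lbs0 stream tcp nowait root /usr/RCS/bin/telnetd_lbs telnetd_lbs -m11 -k
telnet_lbs1 stream tcp nowait root /usr/RCS/bin/telnetd_lbs telnetd_lbs -m8
telnet_lbs3 stream tcp nowait root /usr/RCS/bin/telnetd_lbs telnetd_lbs -m2
"""


def parse_services(text):
    """Return ({name: port} for tcp entries, [problems]) from services-file text."""
    ports, problems = {}, []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 2 or "/" not in fields[1]:
            continue
        name, (port, proto) = fields[0], fields[1].split("/", 1)
        if proto != "tcp":
            continue
        if name in ports:
            problems.append("duplicate service name %s" % name)
        ports[name] = int(port)
    return ports, problems


def parse_inetd(text):
    """Return {service: (executable_path, argv)} from inetd.conf text."""
    entries = {}
    for line in text.splitlines():
        f = line.split("#", 1)[0].split()
        if len(f) >= 6:                      # fields 1-5, then path, then argv
            entries[f[0]] = (f[5], f[6:])
    return entries


def lbs_mode(argv):
    """Extract the integer from a -mMode argument, or None if absent."""
    for arg in argv:
        m = re.fullmatch(r"-m(\d+)", arg)
        if m:
            return int(m.group(1))
    return None


def check_lbs_config(services_text, inetd_text, largest_terminal_server_ports=0):
    """Return a list of problems; empty when the configuration is consistent.

    Pass the port count of the largest terminal server when Mode 2 is in use
    so the one-TCP-port-per-terminal-server-port rule can be checked.
    """
    ports, problems = parse_services(services_text)
    inetd = parse_inetd(inetd_text)
    mode2_services = 0
    for name, port in ports.items():
        entry = inetd.get(name)
        if entry is None:
            continue                         # not an inetd service; nothing to check
        path, argv = entry
        if path != TELNETD_LBS:
            if port == 23:
                problems.append("note: port 23 is served by %s, so callers on the "
                                "standard telnet port get no location-based security" % path)
            continue
        mode = lbs_mode(argv)
        if mode is None:
            problems.append("%s: missing -mMode argument" % name)
        elif mode not in VALID_MODES:
            problems.append("%s: invalid mode %d" % (name, mode))
        elif mode in (2, 6):                 # Mode 2 with or without the +4 variant
            mode2_services += 1
    for name, (path, _argv) in inetd.items():
        if path == TELNETD_LBS and name not in ports:
            problems.append("%s: runs telnetd_lbs but has no /etc/services entry" % name)
    by_port = {}
    for name, port in ports.items():
        by_port.setdefault(port, []).append(name)
    for port, names in sorted(by_port.items()):
        if len(names) > 1:
            problems.append("port %d/tcp used by %s" % (port, ", ".join(names)))
    if largest_terminal_server_ports and mode2_services < largest_terminal_server_ports:
        problems.append("Mode 2 needs %d TCP ports, only %d configured"
                        % (largest_terminal_server_ports, mode2_services))
    return problems


if __name__ == "__main__":
    for problem in check_lbs_config(SERVICES, INETD_CONF, largest_terminal_server_ports=16):
        print(problem)
```

Run the checker before sending SIGHUP to inetd; an entry that fails here will either not listen at all (no services mapping) or will listen with a mode the daemon rejects, and the login failures that follow are easier to diagnose on paper than from the daemon's side.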