Appendix A: Installing SCP

SCP provides a standardized interface between the Net Express UNIX Option and the UNIX operating system and COBOL product, and is included in your Server Express installation.

Samba enables you to share UNIX files and printers with PCs using standard PC-style networking. It is required to export applications from the PC to the UNIX machine.

Configuring SCP

The SCP program is executed by the Net Express UNIX Option using the UNIX Remote Shell (RSH) protocol by default. Since nearly all UNIX systems have the RSH server program enabled by default, you do not need to install or configure any other special server software. However, to use the UNIX Option you must ensure that the RSH security configuration enables you to execute the SCP program from your PC. An alternative method is to use SCP as a daemon - see the section Alternative Security Mechanism: SCP Daemon Method later on in this chapter.

Quickstart:

You need to ensure that you have a file called .rhosts in the home directory of the user ID on the UNIX system to which you want to publish applications. This file must contain the official name of the PC from which you want to Publish.

The RSH Security Mechanism

The RSH security mechanism works by establishing "user equivalence" based on configuration files on the UNIX system. If users are equivalent, the UNIX system grants access to the requested program without requiring a password. The .rhosts and hosts.equiv files are used to control this equivalence; these two files are known as the rhosts files.

The rhosts files originated in the original Berkeley UNIX distribution but have since spread to all UNIX versions. In the process, several different versions have emerged -most notably SUN's extensions to support NIS (formerly Yellow Pages) - although these have also spread to different UNIX variants.

When the UNIX Option contacts the UNIX system, it supplies the user ID that you entered in the Server Settings dialog. The UNIX system determines the official name of your PC - based on its IP address - by using a technique called reverse lookup. It then uses your official machine name and user ID in the following way to determine whether you should be allowed access:

It checks for the presence of /etc/hosts.equiv. If the file exists, it is a text file in the following format:
```
 Machine-Name [User-ID] [#Comments]
```
If no user ID is specified next to the machine name, then all users are considered valid, and access is granted
If your PC machine name and user ID matches any of the lines in the hosts.equiv file, then access is granted.
If no machine name and user ID in /etc/hosts.equiv matches your PC machine name or user ID, the server checks for the presence of a file called .rhosts in the HOME directory of the user ID specified in the request. The .rhosts file has the same format as the hosts.equiv file.

Warning: The .rhosts file must be owned by the user ID that owns the directory and must not be writable by either group or world ( that is, it must have "rw-r--r--" permissions). Also, it cannot be a symbolic link.

If the PC machine name matches any of the lines in the .rhosts file, then access is granted.
If access was not granted by any of the above steps, access is denied at this point.

The presence of a user name field in the .rhosts file is designed for UNIX users who might be logged in as one user on one system but want to use a remote shell on, or perform a remote copy to, another system as a different user. This is not needed for the UNIX Option as it will always supply the user ID of the HOME directory that it is trying to access.

The major SUN extension to the RSH security is the addition of the plus symbol (+) to the list of valid machines in the rhosts files. This is designed to be used in NIS setups with the meaning "all valid machines"; however, in non-NIS setups it means "all machines". Generally, you should avoid using this symbol as it compomises system security.

In most cases, you should set up the rhosts files for the UNIX Option as follows:

The hosts.equiv file is generally only changed by the systems administrator to declare that all users on a remote system are equivalent. This is not recommended with PC client systems since you can specify any user ID you want on the PC, and the UNIX system will accept it. This would allow a malicious PC user unrestricted access to any user account on the system (except root).
The $HOME/.rhosts file for your user ID should contain the machine names of the PCs you are using to publish. Your user ID is not needed.
If your server supports the SUN extensions, you might want to add a + to the .rhosts file to disable machine name checking for that user ID. (Check your UNIX man page for rhosts to see if it supports this)

Determining the Official Machine Name For the .rhosts File

The machine name of your PC that you enter into the .rhosts file must be your official machine name as determined by the UNIX server. It does not matter what the PC thinks it is called; the name is determined by the UNIX server based on the IP address of the connection. For most installations, the server determined name and the client name should be the same.

The first step in determining your system's official name is to determine the IP address of your PC.

Note: The configuration dialogs differ between Windows 95 and Windows NT; these dialogs have also been updated in various service packs; therefore, the dialogs you need to use might be slightly different. These instructions were created using Windows NT V4.0 with Service Pack 3, and Internet Explorer V4.01 installed.

Click Start, then select Settings.
Click Control Panel, then click Network

Note: The Computer Name field on the Identification tab is a NetBIOS name that has no relevance to your TCP/IP name.

On Windows NT, click the Protocols tab, click TCP/IP Protocol, then click the Properties button.
On Windows 95, in the list box showing installed network components, select the TCP/IP protocol and click the Properties button
If the Obtain IP address from DHCP server button is checked, then you have a dynamically assigned IP address and should skip to the section Dynamically Assigned IP Addresses.
If the Specify IP address button is checked, note the value shown in the IP Address entry field and proceed.

Now log in to your UNIX machine. There are three primary methods used by UNIX systems to cross-reference IP addresses to machine names:

Hosts files. These are simple text files containing IP addresses and machine names (one per line). They are usually located at /etc/hosts
DNS (Domain Name System). This is the system used by the Internet. It consists of special servers located all around the world that communicate with each other to resolve names and addresses. This is growing to be the most popular current method.
NIS (Network Information System). NIS (previously called Yellow Pages) is a distributed database of host files, passwords, groups, aliases, services, and so on.

In order to determine your official host name you need to determine which name resolution method is being used on your UNIX system and then use that method to lookup the name based on your PC's IP address.

You might be able to ask your systems administrator, who will be able to tell you what to enter in your .rhosts file.

How to Check if NIS is Configured:

Check for the presence of a file called /etc/nsswitch.conf. If it exists, look for a line starting with "hosts:" It will look something like one of the following lines:

hosts: xfn nisplus dns [NOTFOUND=return] files 
hosts: xfn nis [NOTFOUND=return] files 
hosts: files

This statement determines the order in which hostnames are resolved using NIS, DNS and the files in /etc/hosts.

Follow the name resolution order defined in nsswitch.conf to determine your official name.

How to Check if DNS is Configured:

Check for the presence of a file called /etc/resolv.conf; if it exists, DNS is configured. The contents of this file are not important here.

Determining the Official Name Using NIS

You can determine the official name using NIS with the ypcat command. For example, if your PC's IP address is 204.160.128.10, type:

ypcat hosts | grep 204.160.128.10

If there are multiple names associated with the IP address, then the first one is the official name.

Determining the Official Name Using DNS

You can determine the official name using DNS with the nslookup command. This command provides a standard way to interrogate DNS servers. For example, if your PC's IP address is 204.160.128.10, type:

nslookup 204.160.128.10

This displays the name and IP address of the DNS server from which the information was obtained, followed by the name and address of the IP address you entered. The name returned is always the official name.

Determining the Official Name Using /etc/hosts

Since the hosts file is a simple text file, you can just examine it directly. For example:

grep 204.160.128.10 /etc/hosts

If there are multiple names associated with the IP address, the the first one is the official name.

If you cannot determine your official machine name, it is possible that your PC does not have an official name. If this is the case then you could try adding your IP addresses (in dotted decimal) directly into the .rhosts file; while this might it is highly machine specific. It would be better to have your systems administrator add an official name for you PC into your company's master machine name table.

Dynamically Assigned IP Addresses

The .rhosts access mechanism does not support dynamically assigned IP addresses. The entire security mechanism assumes - and has always done so - that machine names (and IP addresses) are constant and defined.

If your network uses DHCP (or any other dynamic IP scheme such as BOOTP), check with you network administrator whether you can be assigned a static IP address. If you can get a static IP address, do so, and configure your .rhosts in the normal way.

Note: If you're dialing up via a serial line, you are probably using PPP or SLIP, in which case you will almost certainly have a dynamically assigned IP address.

For the UNIX Option to work with a dynamic IP address, you need to have your current machine name listed in the rhosts files. You can do this in several ways, each of which have some trade-offs regarding convenience and security:

Option 1: Disable machine name checking
If you are not concerned about security and your server supports the SUN + extension to the rhosts files, then adding this to the .rhosts file enables any host trying to Publish using that user ID to succeed. This is the least secure method but requires the least effort.
Option 2: Allow all dynamic IP addresses access to the user directory
You can add the machine names for all of the dynamically assigned IP addresses that exist on your subnet to the .rhosts file. For example, your network might have the IP addresses from x.x.x.100 to x.x.x.120 assigned for dynamic IP mapping and have named them dhcp100 through dhcp120.

If you add all the dhcp100 through dhcp120 names to your .rhosts file, you can publish when you have any of these addresses assigned to you. Anyone else with a dynamically assigned IP address on the same subnet would have exactly the same permissions as you.

You will probably have to contact your local IT department to determine what the dynamically assigned addresses are
Option 3: Modify the .rhosts file dynamically
This is the most secure method; however, it is also the most inconvenient. Whenever you dial-up using PPP or reboot your PC (DHCP), it is possible that a new IP address will be assigned. You therefore edit the .rhosts file to remove the old machine name and replace it by your new one each time you reboot or dialup.

Note: DHCP can actually change your IP address without a reboot, but, in most circumstances it's highly unlikely that it would do so.

To use this option, perform the following steps:

Telnet to the UNIX system using PowerTerm.
Determine your current Windows IP addresses.
- On Windows 95, you can use the winipcfg.exe program that is provided by Microsoft in your windows directory.
- On Windows NT systems, you need to use the ipconfig.exe program in winnnt\system32.
On the UNIX system, you need to determine what machine name the UNIX system thinks your current Windows IP address actually is. (See the section Determining the Official Machine Name For the .rhosts File above, for more details)
- If your system is configured for DNS (the file /etc/resolv.conf exists), then you can determine the name using the nslookup command. Type nslookup followed by your current Windows IP address (in dotted decimal), and the machine name corresponding to that IP address is displayed.
- If you use hosts files, you will need to edit the hosts file or use grep to fnd your Windows IP address.
Edit the .rhosts file and remove the old dynamic IP address name. Add the new name and save the file.
You should now be able to publish.

Alternative Security Mechanism: SCP Daemon Method

Owing to security concerns and problems with dynamic IP addresses, the Net Express UNIX Option provides an alternative to the RSH security mechanism. You must configure the UNIX Publisher to use this alternative method, which involves using SCP as a daemon. See the chapter Publisher Set-up for more details.

Configuring the Server

You need to take the following steps to configure the server. Note that these commands need to be executed with superuser privileges.

Link the SCP program to scpd. For example,
```
ln /cobol_install_dir/bin/cobscp /usr/local/etc/scpd 
```
where cobol_install_dir is the location of your Server Express installation.

Note that the directory is not important.
Choose the network port to listen on.
When executed, the SCP daemon listens on a special network port. By default this is 696. If this port is already being used on your system or you want to use a different port, you can override the SCP daemon port with the -p argument. For example:
```
scpd -p 900
```
Errors, such as port busy, are reported to the standard system syslog facility. You can check /etc/syslog.conf to see which file receives the syslog output.
Choose the daemon mode.
The SCP daemon can be started either from the command line / shell script or via the inetd server.

When starting from the command line, make sure that you start the server as part of the system startup process. System startup files vary from system to system: most SVR4 systems look in /etc/rc2.d.

When starting via the inetd server, the configuration is somewhat more complex. However, the system will automatically start the daemon when necessary and close it down when finished. To use this method:
1. Add the port number the SCP daemon will be listening on to the services files, /etc/services. This should look something like:
```
mf-scpd         696/tcp              # Micro Focus SCP Daemon
```
2. Add a line to the inetd configuration file, /etc/inetd.conf. The configuration varies slightly from system to system, but it should look something like:
```
mf-scpd stream  tcp     nowait  root    /usr/local/etc/scpd     scpd
```
  Note: If you are using Red Hat Linux, you need to create a file called mf-scpd in /etc/xinetd.d containing the following:
```
service mf-scpd
{
            socket_type      = stream
            wait             = no
            user             = root
            server           = /usr/local/etc/scpd
            disable          = no
}
```
3. Send a SIGHUP signal to tell the inetd process to re-load its configuration file. To do this, first find the process ID, for example:
```
ps -eaf | grep inet
```
  then
```
kill -1 processid
```
Choose whether to allow r-command access to the server.
To restrict r-command access to UNIX Publish, remove or rename the SCP program.

Using the Security Extensions

After you have enabled the security settings, whenever the UNIX Option initiates a connection with a server, a dialog box is displayed asking for your password on the server. If you do not enter the correct password, the Publish fails.

The SCP daemon needs to understand the UNIX authentication scheme being used on the UNIX server. The following are supported:

Traditional UNIX password files (/etc/passwd).
Shadow password files (/etc/shadow).
SecureWare

The following are not supported:

AFS
DCE
Kerberos