Mailing List Archive

secure filer access
I'm trying to configure ssh/https admin access from any host to a filer,
but no telnet, no http admin and rsh access from one host only (the
admin host).

I can't find how I can control ssh/https access separately. Is this
really not possible or am I missing something?

how do others manage secure filer management via cli and gui?

thanks - Moritz


Visit our website at http://www.ubswarburg.com

This message contains confidential information and is intended only
for the individual named. If you are not the named addressee you
should not disseminate, distribute or copy this e-mail. Please
notify the sender immediately by e-mail if you have received this
e-mail by mistake and delete this e-mail from your system.

E-mail transmission cannot be guaranteed to be secure or error-free
as information could be intercepted, corrupted, lost, destroyed,
arrive late or incomplete, or contain viruses. The sender therefore
does not accept liability for any errors or omissions in the contents
of this message which arise as a result of e-mail transmission. If
verification is required please request a hard-copy version. This
message is provided for informational purposes and should not be
construed as a solicitation or offer to buy or sell any securities or
related financial instruments.
RE: secure filer access
> -----Original Message-----
> From: Moritz Willers [mailto:Moritz.Willers@ubsw.com]
> Sent: Wednesday, August 14, 2002 9:35 AM
> To: toasters@mathworks.com
> Subject: secure filer access
>
>
> I'm trying to configure ssh/https admin access from any host
> to a filer,
> but no telnet, no http admin and rsh access from one host only (the
> admin host).
>


Use
"options telnet.access", "options rsh.access" and "options http.access"
commands to control telnet, rsh and http access.



> I can't find how I can control ssh/https access separately. Is this
> really not possible or am I missing something?
>


We don't have any commands to control the ssh/https access. We are
adding those in the next release.


Regards,
Sreenivasa Potakamuri
Network Appliance.




> how do others manage secure filer management via cli and gui?
>
> thanks - Moritz
RE: secure filer access
There is also options httpd.admin.access. You can read man page
na_protocolaccess(8) for more details. BTW, options http.access
is options httpd.access. The version on ONTAP is 6.2 or later.

- Rick -

> -----Original Message-----
> From: Potakamuri, Sreenivasa [mailto:Sreenivasa.Potakamuri@netapp.com]
> Sent: Wednesday, August 14, 2002 10:27 AM
> To: 'Moritz Willers'; toasters@mathworks.com
> Subject: RE: secure filer access
RE: secure filer access
Also look at bug ID 49472 on now.netapp.com for
further details.

- Rick -

> -----Original Message-----
> From: Ehrhart, Rick [mailto:Rick.Ehrhart@netapp.com]
> Sent: Wednesday, August 14, 2002 11:08 AM
> To: Potakamuri, Sreenivasa; 'Moritz Willers'; toasters@mathworks.com
> Subject: RE: secure filer access
Re: secure filer access
On Wed, Aug 14, 2002 at 05:34:30PM +0100, Moritz Willers wrote:
> I'm trying to configure ssh/https admin access from any host to a filer,
> but no telnet, no http admin

You need to have SecureAdmin installed and then options:
ssh.enable on
ssl.enable on
httpd.enable off [1]
telnet.enable off

Plus perhaps trusted.hosts

> and rsh access from one host only (the admin host).

That I don't know, I use 'option rsh.enable off'

p.

[1] Hm, not sure if I still need these options:
httpd.access legacy
httpd.admin.access host=adm.ho.st.ip
httpd.admin.enable on
RE: secure filer access
The 'options <protocol>.enable' command enables and disables
the <protocol>. With ONTAP 6.2, there is a new feature called
protocol access control which allows you to control access
to a particular protocol. Check out na_protocolaccess(8) for
more details; but the general syntax is:

'options <protocol>.access <access_spec> [[AND|OR <access_spec>] ... ]'
where <access_spec> is:

host [= | != ] <host_spec>
if [= | != ] <network interface spec>
legacy
none
all

<host_spec> is a comma-separated list of host names or IP addresses
<network interface spec> is a comma-separated list of network
interface names.

The legacy keyword means use the old method for control. For
telnet and httpd.admin, it is telnet.hosts. However, if you
disable telnet, then trusted.hosts is not looked at. The same
goes for httpd.admin.

To answer the original question:

"I'm trying to configure ssh/https admin access from any
host to a filer, but no telnet, no http admin"

Try this:

options ssh.enable on
options ssl.enable on
options telnet.enable off
options httpd.admin.enable off

The 'options http.enable off' command will disable http access,
not http admin access. You do need SecureAdmin installed as well.


> -----Original Message-----
> From: Piotr KUCHARSKI [mailto:chopin@sgh.waw.pl]
> Sent: Tuesday, August 20, 2002 11:17 AM
> To: toasters@mathworks.com
> Cc: Moritz Willers
> Subject: Re: secure filer access
>
>
> On Wed, Aug 14, 2002 at 05:34:30PM +0100, Moritz Willers wrote:
> > I'm trying to configure ssh/https admin access from any
> host to a filer,
> > but no telnet, no http admin
>
> You need to have SecureAdmin installed and then options:
> ssh.enable on
> ssl.enable on
> httpd.enable off [1]
> telnet.enable off
>
> Plus perhaps trusted.hosts
> > and rsh access from one host only (the admin host).
>
> That I don't know, I use 'option rsh.enable off'
>
> p.
>
> [1] Hm, not sure if I still need these options:
> httpd.access legacy
> httpd.admin.access host=adm.ho.st.ip
> httpd.admin.enable on


These options above state:

1. for the HTTP protocol, use legacy, which means access is
allowed for all users.
2. for administrative HTTP, only the host adm.ho.st.ip is
allowed access.

Hope this helps,

- Rick -
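
Added example (not part of the thread and not NetApp code): a small Python checker for the access-spec syntax quoted above and for the goal in the original question (ssh/https on, telnet and http admin off, rsh from the admin host only). It assumes exact host/interface string matching and left-to-right AND/OR evaluation, and leaves `legacy` for the caller to answer; the function names and the sample lines are constructed for illustration.

```python
import re

def parse_access(spec):
    """Split '<access_spec> [AND|OR <access_spec>] ...' into (terms, operators)."""
    parts = re.split(r'\s+(AND|OR)\s+', spec.strip(), flags=re.I)
    terms, ops = [], [p.upper() for p in parts[1::2]]
    for raw in (p.strip() for p in parts[0::2]):
        m = re.fullmatch(r'(host|if)\s*(!=|=)\s*(\S.*)', raw, re.I)
        if m:
            values = {v.strip().lower() for v in m.group(3).split(',') if v.strip()}
            terms.append((m.group(1).lower(), m.group(2), values))
        elif raw.lower() in ('legacy', 'none', 'all'):
            terms.append((raw.lower(), None, set()))
        else:
            raise ValueError('unrecognised access spec: %r' % raw)
    return terms, ops

def allowed(spec, host, iface, legacy=False):
    """Evaluate a spec for one client. Assumptions: exact name/IP match,
    AND/OR applied left to right, 'legacy' answered by the caller."""
    def one(term):
        kind, op, values = term
        if kind in ('all', 'none', 'legacy'):
            return {'all': True, 'none': False, 'legacy': legacy}[kind]
        hit = (host if kind == 'host' else iface).lower() in values
        return hit if op == '=' else not hit
    terms, ops = parse_access(spec)
    result = one(terms[0])
    for op, term in zip(ops, terms[1:]):
        result = (result and one(term)) if op == 'AND' else (result or one(term))
    return result

def audit(commands, admin_host):
    """Check 'options <name> <value>' lines against the goal stated in the thread."""
    opts = dict(line.split(None, 2)[1:] for line in commands)
    want = {'ssh.enable': 'on', 'ssl.enable': 'on',
            'telnet.enable': 'off', 'httpd.admin.enable': 'off'}
    findings = ['%s should be %s' % (k, v) for k, v in want.items() if opts.get(k) != v]
    rsh = opts.get('rsh.access')
    if rsh is None or parse_access(rsh) != ([('host', '=', {admin_host.lower()})], []):
        findings.append('rsh.access is not limited to host=%s' % admin_host)
    return findings

# Constructed sample (not from a real filer); note the misspelt option name.
SAMPLE = ['options ssh.enable on', 'options ssl.enable on',
          'options telent.enable off', 'options httpd.admin.enable off',
          'options rsh.access host=10.0.0.5 OR if=e0']
```

Calling `audit(SAMPLE, '10.0.0.5')` reports the misspelt telnet option and the `OR if=e0` clause that widens rsh beyond the admin host.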