
Trouble connecting to IDS 11.5 development server using SQuirrel SQL with IDS JDBC driver.


epsilon

Apr 7, 2009, 11:48:10 AM
Good day!

I'm presently working a Debian Linux 5.0 development server with IDS
11.5 Developer Edition. My instance and database have successfully
been created and now I'm trying to connect to the Db using SQuirreL
SQL on a windows system. The Informix JDBC driver has been loaded to
the client and it looks okay there. The problem I am having is
connectivity to the database even when I have set up GRANT permission
on the database. "informix" user has been created on the Debian
server. Here is the syntax used for grant permissions.

> GRANT CONNECT TO PUBLIC;
> GRANT CONNECT TO informix;
> GRANT DBA TO informix;

I can connect locally with dbaccess, but unable to connect using
SQuirreL SQL. Do I need the IDS Client SDK even though I have the
Informix JDBC driver loaded and configured? What more do I need to
do? I have been working on this for a few days when time allows and
I'm stumped.

Here is some information about the SQuirrel SQL configuration.

jdbc:informix-sqli://localhost:53260/morganscrossing:INFORMIXSERVER=vm_ids_115

Error:
vm-debian-5 (vm_ids_115:morganscrossing):
com.informix.asf.IfxASFException: Attempt to connect to database
server (vm_ids_115) failed.

Thank you,
Christopher

Art Kagel

Apr 7, 2009, 11:58:51 AM
to epsilon, inform...@iiug.org
Not sure since I don't use JDBC, but IB that if you are using the Informix JDBC client driver and not the IBM Common Client JDBC driver, that you need to also install either CSDK or iConnect (the runtime version of CSDK).  IB that the Common Client does not need this.

Art

Art S. Kagel
Oninit (www.oninit.com)
IIUG Board of Directors (a...@iiug.org)

Disclaimer: Please keep in mind that my own opinions are my own opinions and do not reflect on my employer, Oninit, the IIUG, nor any other organization with which I am associated either explicitly or implicitly.  Neither do those opinions reflect those of other individuals affiliated with any entity with which I am affiliated nor those of the entities themselves.



_______________________________________________
Informix-list mailing list
Inform...@iiug.org
http://www.iiug.org/mailman/listinfo/informix-list

VG

Apr 7, 2009, 12:11:08 PM
If you have Informix JDBC installed, that should be enough. Have you
tried connecting to the server using a simple Java/JDBC program?
Why do you have localhost and not the IP address or hostname of the
Debian machine you are trying to connect to in the JDBC URL?
Change that and it should probably take care of it.


jdbc:informix-sqli://<hostname of the debian LINUX BOX>:53260/morganscrossing:INFORMIXSERVER=vm_ids_115


VG.

epsilon

Apr 7, 2009, 12:31:47 PM
VG,

The "localhost" entry is used because I'm port forwarding with "ssh"
and "localhost" is used instead of a hostname/ip when port forwarding.

Thanks for the suggestions.

Christopher

epsilon

Apr 7, 2009, 12:41:43 PM
By the way, I appreciate the help and want to thank everyone that
contributed some time on this.

You all are great and thanks again.

If you all have more ideas, please send them over.

Thank you,
Christopher

Dirk Gunsthövel

Apr 7, 2009, 5:21:45 PM
Hi,

do you get a connect when you do a
telnet localhost 53260
?

If this connects it proves that at least the tcpip part
works... (my guess is that it doesn't)

If yes, are you sure vm_ids_115 is the correct instance
name? Sounds more like a machine name to me...

Cheers,
Dirk

--
--
-- Dipl.-Math. Dirk Gunsthövel
-- -professional services-
--
-- Dirk Gunsthövel IT Systemanalyse - GunCon
-- Hammer Str. 13
-- D-48153 Muenster
-- phone: +49 (0) 251 28446- 0
-- fax: +49 (0) 251 28446-55
-- web: http://www.GunCon.de
-- email: in...@GunCon.de
-- UStId: DE 189527667
--
-- 'One now understands why some animals eat their young.'
-- (Andrew in 'Bicentennial Man' 1999)


"epsilon" <ces...@gmail.com> wrote in message
news:2008e454-1945-429e...@l25g2000vba.googlegroups.com...

Fernando Nunes

Apr 7, 2009, 6:05:17 PM

Go to Global Preferences -> SQL -> Debug and select JDBC Debug to Output Stream
Then try the connect again. After failure click on the small monitor icon on
the bottom bar.
You should see an error like:

SQLState(08004) vendor code(-908)

If it says "-908" then you have a base tcp connection issue. Either you're not
specifying the correct ports or server name, or your tunneling is not working.
If it's another error then post it here.

JDBC driver is enough. You will not need any Client SDK stuff.
The informix JDBC driver is type 4 meaning it's fully independent:

http://java.sun.com/products/jdbc/driverdesc.html

Regards.

--
Fernando Nunes
Portugal

http://informix-technology.blogspot.com
My email works... but I don't check it frequently...

epsilon

Apr 7, 2009, 6:20:58 PM
Dirk,

Listed below shows that I do not have a connection. Hmm. The
database is running. Listed below is result of the telnet response.
Strange, I wonder what this means outside of communication.

$> telnet localhost 53260

Trying 127.0.0.1...
telnet: Unable to connect to remote host: Connection refused

Christopher

Fernando Nunes

Apr 7, 2009, 6:37:04 PM

From this and the test with telnet I believe it's safe to assume your port
forwarding is broken... right?

epsilon

Apr 7, 2009, 7:16:24 PM
VG

Oops! A blasted operator error on my part with port forwarding. I
had a typo in the "ssh" port syntax I was trying to use. This has
been corrected as listed below, and now I see the -908 error you
mentioned as a possibility.

$> telnet localhost 53260
Trying 127.0.0.1...

Connected to BOOBOO.bcgssbd.doodles.com.
Escape character is '^]'.
Connection closed by foreign host.

Went to Global Preferences -> SQL -> Debug and select JDBC Debug to
Output Stream.
Then I tried to connect again. After the failure I clicked on the
small monitor icon at the bottom bar and saw the error:

SQLState(08004) vendor code(-908)
java.sql.SQLException: com.informix.asf.IfxASFException: Attempt to
connect to database server (vm_ids_115) failed.

http://www.oninit.com/errorcode/index.php (Oninit States)

-908 Attempt to connect to database server (servername) failed.

The program or application is trying to access another database server
but has failed. Note the server name in the current statement.

The desired database server is unavailable, or the network is down or
is congested. Ask your DBA and system administrator to verify that the
server and network are operational. If the network is congested, use
the environment variables INFORMIXCONTIME and INFORMIXCONRETRY to tune
connection timing. For information on setting these environment
variables, see the IBM Informix Guide to SQL: Reference.

-----
Linux ENV Settings
-----
INFORMIXCONRETRY=3
INFORMIXCONTIME=120
INFORMIXDIR=/opt/IBM/informix
INFORMIXSERVER=vm_ids_115
INFORMIXSQLHOSTS=/opt/IBM/informix/etc/sqlhosts.vm_ids_115

$ cat /opt/IBM/informix/etc/sqlhosts.vm_ids_115

#==============================================================
#DBSERVER PROTOCOL HOSTNAME SERVICE
#==============================================================
vm_ids_115 onsoctcp vm-debian-5 15260
vm_ids_115_drda drsoctcp vm-debian-5 15261
vm_ids_115_shm onipcshm vm-debian-5 dummy
vm_ids_115_str onipcstr vm-debian-5 dummy


Thank you,
Christopher
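The -908 above is raised below the SQL layer, so the first thing worth checking is whether the JDBC URL and the server's sqlhosts file actually agree on the listener. The following added example (my own code, not from the thread, SQuirreL or IBM) parses the sqlhosts content and JDBC URL posted above and reports the mismatch a reviewer would flag: the URL names the ssh tunnel on localhost:53260 while vm_ids_115 is defined on vm-debian-5:15260, so the tunnel must forward exactly that pair. The protocol name set is an assumption, taken from the usual onsoctcp/drsoctcp family.

```python
"""Sanity-check an Informix JDBC URL against the server's sqlhosts file.

Added example: the sqlhosts text and URL below are constructed copies of
the values posted in this thread.
"""
import re
from dataclasses import dataclass

SQLHOSTS = """\
#==============================================================
#DBSERVER PROTOCOL HOSTNAME SERVICE
#==============================================================
vm_ids_115 onsoctcp vm-debian-5 15260
vm_ids_115_drda drsoctcp vm-debian-5 15261
vm_ids_115_shm onipcshm vm-debian-5 dummy
vm_ids_115_str onipcstr vm-debian-5 dummy
"""

JDBC_URL = "jdbc:informix-sqli://localhost:53260/morganscrossing:INFORMIXSERVER=vm_ids_115"

# Assumed set of Informix network protocols that accept remote TCP clients.
# Shared-memory (onipcshm) and stream-pipe (onipcstr) entries are local only.
TCP_PROTOCOLS = {"onsoctcp", "drsoctcp", "onsocssl", "drsocssl", "ontlitcp"}


@dataclass(frozen=True)
class SqlhostsEntry:
    dbservername: str
    protocol: str
    hostname: str
    service: str


def parse_sqlhosts(text):
    """Parse sqlhosts into {dbservername: entry}, skipping comments and blanks."""
    entries = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4:
            raise ValueError(f"malformed sqlhosts line: {line!r}")
        entries[fields[0]] = SqlhostsEntry(*fields[:4])
    return entries


_URL_RE = re.compile(
    r"^jdbc:informix-sqli://(?P<host>[^:/]+):(?P<port>\d+)/(?P<db>[^:]*)"
    r"(?::(?P<props>.*))?$"
)


def parse_jdbc_url(url):
    """Split host, port, database and the ';'-separated property list."""
    m = _URL_RE.match(url)
    if not m:
        raise ValueError(f"not an informix-sqli JDBC URL: {url!r}")
    props = {}
    for kv in (m.group("props") or "").split(";"):
        if "=" in kv:
            key, value = kv.split("=", 1)
            props[key.upper()] = value
    return {"host": m.group("host"), "port": int(m.group("port")),
            "db": m.group("db"), "props": props}


def check_url_against_sqlhosts(url, sqlhosts_text):
    """Return a list of findings; an empty list means URL and sqlhosts agree."""
    url_parts = parse_jdbc_url(url)
    hosts = parse_sqlhosts(sqlhosts_text)
    server = url_parts["props"].get("INFORMIXSERVER")
    if not server:
        return ["URL has no INFORMIXSERVER property"]
    entry = hosts.get(server)
    if entry is None:
        return [f"INFORMIXSERVER={server} is not defined in sqlhosts"]
    findings = []
    if entry.protocol not in TCP_PROTOCOLS:
        findings.append(f"{server} uses {entry.protocol}, which remote TCP clients cannot reach")
    if entry.protocol == "drsoctcp":
        findings.append(f"{server} is a DRDA listener; the informix-sqli driver needs an onsoctcp alias")
    if entry.service.isdigit() and int(entry.service) != url_parts["port"]:
        findings.append(
            f"URL port {url_parts['port']} differs from sqlhosts service {entry.service}; "
            f"if an ssh tunnel is in use it must forward {url_parts['host']}:{url_parts['port']} "
            f"to {entry.hostname}:{entry.service}"
        )
    return findings


if __name__ == "__main__":
    for finding in check_url_against_sqlhosts(JDBC_URL, SQLHOSTS) or ["no findings"]:
        print(finding)
```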

Fernando Nunes

Apr 7, 2009, 7:28:16 PM

Weird... Can you check the online.log of your instance at the time you did the
connect using telnet? Does it show any message like "invalid message received
from sqlexec"?

-908 is an error that happens when something is wrong at the lower layer (TCP).
It has nothing to do with permissions, grants, passwords etc.

I'm still not convinced your port forwarding is working ok... Can you confirm
the port numbers and host names? Also, can you confirm it didn't close the
tunnel when telnet exited?

VG

Apr 7, 2009, 10:03:27 PM
Like Fernando says, I believe something else is wrong... can you
bypass ssh port forwarding and see if the direct connect works
(modifying the URL to use port 15260 instead)?

VG.


epsilon

Apr 7, 2009, 10:23:01 PM
VG

I will try that idea and get back with you all.

Thank you,
Christopher

Ian Goddard

Apr 8, 2009, 2:02:39 PM
epsilon wrote:
> VG
>
> Oops! A blasted operator error on my part with port forwarding. I
> had a typo in the "ssh" port syntax I was trying to use. This has
> been corrected as listed below, and now I see the -908 error you
> mentioned as a possibility.
>
> $> telnet localhost 53260
> Trying 127.0.0.1...
> Connected to BOOBOO.bcgssbd.doodles.com.
> Escape character is '^]'.
> Connection closed by foreign host.
>
> Went to Global Preferences -> SQL -> Debug and select JDBC Debug to
> Output Stream.
> Then I tried to connect again. After the failure I clicked on the
> small monitor icon at the bottom bar and saw the error:
>
> SQLState(08004) vendor code(-908)
> java.sql.SQLException: com.informix.asf.IfxASFException: Attempt to
> connect to database server (vm_ids_115) failed.
>
> http://www.oninit.com/errorcode/index.php (Oninit States)
>
> -908 Attempt to connect to database server (servername) failed.
>

I've seen 908 arise from the fact that the server couldn't verify the
client's address. Is your client obtaining its address by DHCP? If so
does the DHCP server provide a DNS service and does the database server
use that as a name server? If the client address is fixed does the
database server have it in /etc/hosts? If the client is using DHCP it
may be best to reserve the address on the DHCP server and then set this
up in the database server's host file.

--
Ian

Hotmail is for spammers. Real mail address is igoddard
at nildram co uk

epsilon

Apr 8, 2009, 3:42:22 PM
Ian,

Thanks for the tip. I added the host entry to the ids server and the
results were the same as mentioned earlier. Our IDS DBA is out this
week and I'll chat with him since he has his SQuirreL Client working.
If/when I get this working, I'll update the forum.

Again, I want to thank everyone for their time and effort with this.
I know the answer is out there, I just need to keep hammering on it.

Thanks again,
Christopher

Fernando Nunes

Apr 8, 2009, 6:20:26 PM

Uhu? 908 because of a failed reverse DNS? Weird...
Nevertheless, it doesn't apply here... The "host" that IDS will see is the same
machine as the one running the engine, because of the port forwarding...
Nice way to connect without password and trusts :)

Ian Goddard

Apr 9, 2009, 3:15:51 AM
Fernando Nunes wrote:
> Uhu? 908 because of a failed reverse DNS? Weird...

Yup. After switching from Centos (as per my earlier thread) to Ubuntu
rsh prompted for a password despite setting up hosts.equiv *and* rhosts
and dbaccess returned 908 to a client obtaining its IP on DHCP. The
initial fix was to put a + in hosts.equiv instead of the client name -
in other words accept any host.

This makes sense when you think about it. The server receives a
connection attempt from an IP address - how can it compare this
with a name in hosts.equiv? It needs to do a reverse lookup. If IDS is
using the same mechanism then it has the same problem.

Notwithstanding your tutorial on using PAM this is a badly documented
area. For instance Informix docs mention testing the connection with
rsh. Google reveals that if anyone failing to get rsh to work posts a
query on a forum they are almost invariably answered by a know-all
telling them to use ssh instead.
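Ian's point is that a name in hosts.equiv can only match after the server reverse-resolves the connecting address, which is exactly what fails for a DHCP client with no fixed mapping, and why a lone "+" "fixes" it by trusting everyone. The following added example (my own simplified model, not IDS or rsh code) runs that decision offline against a constructed resolver table, and includes the audit a defender would run over the file to flag wildcards and names the server cannot resolve. Addresses, names and the reverse-lookup table are all constructed.

```python
"""Model of an rhosts-style host-trust check and a hosts.equiv audit.

Added example: the lookup table below stands in for the database server's
resolver (/etc/hosts or DNS) so the code runs offline; all values are
constructed.
"""
import ipaddress
from dataclasses import dataclass

# Constructed resolver view on the database server: IP -> canonical name.
# 192.0.2.50 models a laptop with a reserved DHCP lease that has been
# added to the server's /etc/hosts, as Ian suggests above.
SERVER_HOSTS = {
    "192.0.2.10": "dbserver.example.test",
    "192.0.2.50": "laptop-ian.example.test",
}


@dataclass(frozen=True)
class TrustDecision:
    trusted: bool
    reason: str


def _is_ip(text):
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def parse_hosts_equiv(text):
    """Return the host column of hosts.equiv ('+' or a host name/address).

    Only the host field is modelled; per-user columns and '-' exclusions
    that some systems support are ignored in this example.
    """
    hosts = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            hosts.append(line.split()[0])
    return hosts


def is_trusted_host(client_ip, hosts_equiv_text, reverse_lookup=SERVER_HOSTS):
    """Decide whether a connecting address matches hosts.equiv.

    The server only sees an IP address, so a name in the file can match
    only after a reverse lookup of that address succeeds.
    """
    entries = parse_hosts_equiv(hosts_equiv_text)
    if "+" in entries:
        return TrustDecision(True, "'+' wildcard trusts every host")
    if client_ip in entries:
        return TrustDecision(True, f"literal address {client_ip} is listed")
    name = reverse_lookup.get(client_ip)
    if name is None:
        return TrustDecision(False, f"no reverse mapping for {client_ip}; no name can match")
    if name in entries:
        return TrustDecision(True, f"{client_ip} resolves to listed host {name}")
    return TrustDecision(False, f"{client_ip} resolves to {name}, which is not listed")


def audit_hosts_equiv(text, reverse_lookup=SERVER_HOSTS):
    """Flag entries worth questioning: wildcards, bare addresses, dead names."""
    findings = []
    known_names = set(reverse_lookup.values())
    for host in parse_hosts_equiv(text):
        if host == "+":
            findings.append("'+' trusts any host that can reach the listener")
        elif _is_ip(host):
            findings.append(f"literal address {host}: only safe if that address is fixed or reserved")
        elif host not in known_names:
            findings.append(f"{host} has no address mapping on this server; it can never match")
    return findings


if __name__ == "__main__":
    for ip in ("192.0.2.50", "192.0.2.77"):
        print(ip, is_trusted_host(ip, "laptop-ian.example.test\n"))
    print(audit_hosts_equiv("+\n"))
```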

Ian Michael Gumby

Apr 9, 2009, 9:04:07 AM
to godd...@hotmail.co.uk, inform...@iiug.org


> Date: Thu, 9 Apr 2009 08:15:51 +0100
> From: godd...@hotmail.co.uk
> Subject: Re: Trouble connecting to IDS 11.5 development server using SQuirrel SQL with IDS JDBC driver.
> To: inform...@iiug.org

>
> Fernando Nunes wrote:
> > Uhu? 908 because of a failed reverse DNS? Weird...
>
> Yup. After switching from Centos (as per my earler thread) to Ubuntu
> rsh prompted for a password despite setting up hosts.equiv *and* rhosts
> and dbaccess returned 908 to a client obtaining its IP on DHCP. The
> initial fix was to put a + in hosts.equiv instead of the client name -
> in other words accept any host.
>

First, no duh! What you said above will never work!

With respect of putting a + or dynamic IP'd machine in any of your hosts.equiv entries... uhm very bad idea. If this was a production machine, your sysadmin would bitch slap you and probably demand that you get fired for gross incompetence. While it sounds like this is a test machine, you should still act like it's a production machine.

With respect to your problem as stated above...

Let me get this straight. You have a client that gets its IP address from DHCP. Ok, so how then is the server supposed to know who the machine is? TRY SETTING UP THE CLIENT WITH A STATIC IP ADDRESS.

Oh and DO NOT USE .rhosts !!! Anyone who does this is a pathetic moron/git/imbicile/ brain dead idiot and should be fired for incompetence.

THIS IS WORSE THAN TRYING TO RUN INFORMIX CHUNKS ON A RAID 5 DISK ARRAY!

Look, here's the skinny. (Caveat, I'm going from memory so take it for what it's worth...)

You have a machine name that is tied to a dynamic address. How does your server resolve that name to a *trusted* known machine?  The answer is that it can't. Now there are companies that offer services where they'll let you dynamically update your IP address to resolve to a name, but that's a different beast.

You can't authenticate xxx.xxx.xxx.yyy as a specific machine.

In your hosts.equiv, you can enter either an ip address or a hostname.
If you're using dynamic IPs, how do you expect your server to resolve the hostname to an IP? Therefore your hosts.equiv will not work. You can input an IP address, however, because you're using dynamic IPs you don't have the guarantee that the IP in the file is going to match your pc.

As luck would have it, you could assign a static IP address to your pc and put the IP address in your hosts.equiv. However, I would really, really recommend that you don't do it. Is your PC equivalent to your server? ;-)


HTH

-Mikey



> This makes sense when you think about it. The server receives a
> connection attempt from an IP address - how does can it compare this
> with a name in hosts.equiv? It needs to do a reverse lookup. If IDS is
> using the same mechanism then it has the same problem.
>
> Notwithstanding your tutorial on using PAM this is a badly documented
> area. For instance Informix docs mention testing the connection with
> rsh. Google reveals that if anyone failing to get rsh to work posts a
> query on a forum they are almost invariably answered by a know-all
> telling them to use ssh instead.
>
> --
> Ian
>
> Hotmail is for spammers. Real mail address is igoddard
> at nildram co uk

Ian Goddard

Apr 9, 2009, 10:31:53 AM
Ian Michael Gumby wrote:
>
>
> > Date: Thu, 9 Apr 2009 08:15:51 +0100
> > From: godd...@hotmail.co.uk
> > Subject: Re: Trouble connecting to IDS 11.5 development server using
> SQuirrel SQL with IDS JDBC driver.
> > To: inform...@iiug.org
> >
> > Fernando Nunes wrote:
> > > Uhu? 908 because of a failed reverse DNS? Weird...
> >
> > Yup. After switching from Centos (as per my earler thread) to Ubuntu
> > rsh prompted for a password despite setting up hosts.equiv *and* rhosts
> > and dbaccess returned 908 to a client obtaining its IP on DHCP. The
> > initial fix was to put a + in hosts.equiv instead of the client name -
> > in other words accept any host.
> >
>
> First, no duh! What you said above will never work!

This sounds rather like the bumblebee. According to theory the bee
cannot possibly fly. Unfortunately nobody told the bee and it flies
quite happily. And nobody told my setup it couldn't work either. But
read on.

> With respect of putting a + or dynamic IP'd machine in any of your
> hosts.equiv entries... uhm very bad idea. If this was a production
> machine, your sysadmin would bitch slap you and probably demand that you
> get fired for gross incompetence. While it sounds like this is a test
> machine, you should still act like its a production machine.

My words were "initial fix". This confirmed that reverse lookup was the
problem.

> With respect to your problem as stated above...
>
> Let me get this straight. You have a client that gets its IP address
> from DHCP. Ok, so how then is the server supposed to know who the
> machine is? TRY SETTING UP THE CLIENT WITH A STATIC IP ADDRESS.

And the longer term fix is to *reserve* an IP address on the DHCP
server. The client is a laptop and as laptops are liable to be used in
other locations a static IP address is not a good idea. A reserved
address on the DHCP server has the same effect, namely that the database
server can be given the appropriate name/IP pair.

> Oh and DO NOT USE .rhosts !!! Anyone who does this is a pathetic
> moron/git/imbicile/ brain dead idiot and should be fired for incompetence.

Well, that's Bill Joy told off; AFAIK the entire remote access stuff was
written by him. But what does he know?

Oh, by the way, the correct spelling is imbecile.

RedGrittyBrick

Apr 9, 2009, 10:54:20 AM

Ian Goddard wrote:
>
> This sounds rather like the bumblebee. According to theory the bee
> cannot possibly fly. Unfortunately nobody told the bee and it flies
> quite happily.

http://en.wikipedia.org/wiki/Bumblebee#Bumblebee_myths

--
RGB

Ian Michael Gumby

Apr 9, 2009, 11:46:23 AM
to godd...@hotmail.co.uk, inform...@iiug.org
Sigh.

Back in the 80's when a lot of the .rhosts and host.equiv stuff came out, there wasn't a lot of thought to security risks. This was when the internet was mainly a couple of tech companies and most of the networks on the net were universities. If you were lucky, you might be able to piggy back via dialup UUCP to get mail and Usenet. You could easily get a full class C block assigned to you permanently, or two. Canter and Siegel were not even an issue yet, and most people on the 'net followed the rules of etiquette.

Morris changed that when he borrowed some of his dad's work and launched his worm. One of the vectors that Morris used was to gain access to a compromised machine and then compromise machines that were in /etc/hosts.equiv and .rhosts files. Note: He had gained root access because of a buffer overflow attack that worked on Sun and I think Vaxen. I believe it was Gene Spafford at Purdue that set up CERT and led the work on reverse engineering the worm. We were lucky that we had a different brand of servers acting as our gateway so they were immune to the attack. Unfortunately, the pharmacology department got hit. They were out of our control and since the network was segmented, we got lucky and shut them down while we backed up all of our servers just in case.

The lesson learned was that .rhosts were a bad thing. It's something that sysadmins can't control and it's a possible attack vector for worms and potentially other malicious code.

/etc/hosts.equiv isn't inherently bad, but it is dangerous. It is controlled by root access so it limits some exposure.
If you use it properly, it's a good thing when you want to implement ER. It's also a good thing if you've got a private network segment between your database server and your web server. Essentially if you've got a secondary network connection that is private to only machines in your machine room that you know you can trust.

With respect to DHCP... I'm no expert so I've never seen where you can reserve an IP address for a specific machine that isn't a static IP address.  In one of my clients, I have a sales office where there are between 75 - 125 laptops (and growing) on and off the network each day. There are a handful of desktops that act as 'servers' that are tethered via a gigabit switch. Everything else is wireless.  So I use a static IP address for the desktop machines and I use a wide range of addresses under DHCP. Even here, when connecting to the office printer/fax/scanner machine, they are set up via TCP/IP address and not name. So you can mix static and non-static IP addresses in the office.

On some of the wireless set ups, I believe you can set up individual profiles on laptops so that when you connect to a different network, you can specify if you want to use a specific static address or dhcp.

I'm sure if you spoke with Bill Joy lately, he'll tell you that yes, don't use .rhosts and be careful of hosts.equiv because of the potential dangers.

I understand that the audience here is mainly DBAs but any sysadmin who's worth their weight in <insert your own precious metal here>, they will go ballistic if you tell them that you need to use .rhosts or /etc/host.equiv when it comes to pc's on your network.

If you want to see someone go ballistic, go up to Art Kagel and tell him that you're running your servers on Raid 5 and you recommend that to all of your clients. ;-)

What pisses me off is that Morris happened in '88 or so. It took 5+ years to fix their Sun-OS / Solaris operating system to close their buffer overflow problems. (SCO and others didn't fix it until much later.) Now you know why the letter 'n' is important in C. (strcopy() should be strncopy() ... ); We're now 20+ years later and people still don't understand the simple things they need to do to protect their machines. It's not rocket science and it's a trivial fix.




Ian Michael Gumby

Apr 9, 2009, 12:02:30 PM
to redgrit...@spamweary.invalid, inform...@iiug.org


> Date: Thu, 9 Apr 2009 15:54:20 +0100
> From: RedGrit...@spamweary.invalid

> Subject: Re: Trouble connecting to IDS 11.5 development server using SQuirrel SQL with IDS JDBC driver.
> To: inform...@iiug.org
>
>
Well look at it this way... his fix is to essentially set up his server such that anyone can connect to it as a trusted machine.
It's essentially like walking to the center of Time Square in NY dropping your pants, spreading your legs standing next to a sign saying "Bugger me! Please!"

Is that a graphic enough picture?

Seriously just because you can do it, doesn't mean you should.

Unfortunately, the Oracle DBAs are not much smarter. Here's a link to a blog post made this past February...
http://neworacledba.blogspot.com/2009/02/etchostsequiv-file-security-threat.html
(Hint: This has been a known security issue for the past 20+ years!!!)


Of course IBM still doesn't grok security. From an IDS 10 online manual:
http://publib.boulder.ibm.com/infocenter/idshelp/v10/index.jsp?topic=/com.ibm.admin.doc/admin151.htm
[HINT: THIS SHOULD BE UPDATED]

At least HP provides some better docs and some warnings. Gee I wonder why they would have a command parameter that limits the use of .rhosts to only root? You can read their man page here:
http://docs.hp.com/en/B9106-90011/hosts.equiv.4.html

I could go on ... and here are just two quick links to older user group forums where this topic has come up before:
http://www.dbforums.com/informix/1208113-security-client-server-connection-informix-10-without-rhosts-hosts-equiv.html
http://lists.samba.org/archive/samba/2003-August/071956.html

Oh and if you think that Apple gets it straight... :
http://www.juniper.net/security/auto/vulnerabilities/vuln31708.html

But hey! What do I know? ;-)

Obnoxio The Clown

Apr 9, 2009, 12:05:11 PM
to inform...@iiug.org
Ian Michael Gumby wrote:
>
> But hey! What do I know? ;-)

Sweet Fanny Adams?

--
Cheers,
Obnoxio The Clown

http://obotheclown.blogspot.com

The following is a disclaimer and a protest at the collection, retention
and sharing of my personal mail by the morally bankrupt state.

By adding a string of key words, it will guarantee that each and every
mail that I send will now need to be manually viewed as it is picked up
by the auto scan software. If every person in the UK does exactly the
same, then the entire system will quickly become so unmanageable, so
unwieldy that it will become unworkable.

Key words: bomb, assassinate, president, brown, Osama, Obama, Sarkozy,
Merkel, government, target, location, rocket, grenade, al-Qaeda,
Pakistan, India, Afghanistan, UK, America, guns, jets, bombs,
machine-gun, terrorists, MP's, pigs, troughs, France, Germany, Italy,
nuclear, Korea.

PPS If you are reading this because you've picked up the above keywords:
I hope your parents are proud of what you have become.



Fernando Nunes

Apr 9, 2009, 4:18:42 PM
I'll gladly accept suggestions for posts on this area... Just make me a list of
doubts/topics...

I may miss some "dirty" details that only R&D can provide, but I'll do my best.

Fernando Nunes

Apr 9, 2009, 4:26:55 PM

Once again I write...
The files are not the main issue. Just close the services...
If anyone wants to make a request for IDS to stop using these files (like it's
already possible for HDR setup) I'll put myself at the head of the line...

But, again:
IDS DOES NOT need the "r" services running... it just looks at the files (and
not exactly the same way as the "r" commands).

Ian Goddard

Apr 9, 2009, 5:16:00 PM
Ian Michael Gumby wrote:
> Sigh.

Sigh indeed

>
> /etc/hosts.equiv isn't inherently bad, but it is dangerous. It is
> controlled by root access so it limits some exposure.

Read this and see if you recognise it:

Informix requires a hosts.equiv file for its default authentication policy.

Read it again:


Informix requires a hosts.equiv file for its default authentication policy.

Was there any part of that you didn't understand?

Where does that come from?

It comes from p3.12 of the IDS 11.50 IDS administrator's guide.

Let's just say it again in case you missed it.

Informix requires a hosts.equiv file for its default authentication policy.

Ian Goddard

Apr 9, 2009, 5:23:54 PM
Ian Michael Gumby wrote:
>
>
> > Date: Thu, 9 Apr 2009 15:54:20 +0100
> > From: RedGrit...@spamweary.invalid
> > Subject: Re: Trouble connecting to IDS 11.5 development server using
> SQuirrel SQL with IDS JDBC driver.
> > To: inform...@iiug.org
> >
> >
> > Ian Goddard wrote:
> > >
> > > This sounds rather like the bumblebee. According to theory the bee
> > > cannot possibly fly. Unfortunately nobody told the bee and it flies
> > > quite happily.
> >
> > http://en.wikipedia.org/wiki/Bumblebee#Bumblebee_myths
> >
>
> Well look at it this way... his fix is to essentially set up his server
> such that anyone can connect to it as a trusted machine.

Read my post again.

This time read it properly.

Find where I said that we're dealing with a box exposed to the internet.

Find where I said that hosts.equiv was left open.

You didn't find either did you?

If you have a problem connecting and opening hosts.equiv as a temporary
measure fixes it then you know you have a problem authenticating the
client. Having done that you can close hosts.equiv and look for the
source of your problem.

Fernando Nunes

Apr 9, 2009, 5:29:12 PM
Ian Goddard wrote:
> Ian Michael Gumby wrote:
>> Sigh.
>
> Sigh indeed
>
>>
>> /etc/hosts.equiv isn't inherently bad, but it is dangerous. It is
>> controlled by root access so it limits some exposure.
>
> Read this and see if you recognise it:
>
> Informix requires a hosts.equiv file for its default authentication policy.
>
> Read it again:
>
>
> Informix requires a hosts.equiv file for its default authentication policy.
>
> Was there any part of that you didn't understand?
>
> Where does that come from?
>
> It comes from p3.12 of the IDS 11.50 IDS administrator's guide.
>
> Let's just say it again in case you missed it.
>
> Informix requires a hosts.equiv file for its default authentication policy.
>
>

Please... whenever you say that, add that it DOESN'T need the "r" services
running. Also add that you can control if it checks /etc/hosts.equiv or .rhosts
or both or none. Also add that this happens ONLY if you want to use trusted
connections (you can use other ways of authentication). Also add that it is NOT
needed for distributed queries (just configure PAM).

(you can also add that this is a touchy subject for me, but I believe people
will not care about that ;) )

Ian Goddard

Apr 9, 2009, 5:34:46 PM
Fernando Nunes wrote:
> Ian Goddard wrote:
>> Ian Michael Gumby wrote:
>>> Sigh.
>>
>> Sigh indeed
>>
>>>
>>> /etc/hosts.equiv isn't inherently bad, but it is dangerous. It is
>>> controlled by root access so it limits some exposure.
>>
>> Read this and see if you recognise it:
>>
>> Informix requires a hosts.equiv file for its default authentication
>> policy.
>>
>> Read it again:
>>
>>
>> Informix requires a hosts.equiv file for its default authentication
>> policy.
>>
>> Was there any part of that you didn't understand?
>>
>> Where does that come from?
>>
>> It comes from p3.12 of the IDS 11.50 IDS administrator's guide.
>>
>> Let's just say it again in case you missed it.
>>
>> Informix requires a hosts.equiv file for its default authentication
>> policy.
>>
>>
>
> Please... whenever you say that, add that it DOESN'T need the "r"
> services running.

You'll need to speak to the folks who write the manuals because it goes
on to suggest testing with rlogin

> Also add that you can control if it checks /etc/hosts.equiv or .rhosts or both or none.

I'm coming to the conclusion that Gumby can only take in small amounts
of information at a time and that might be overload.

Fernando Nunes

Apr 9, 2009, 6:05:35 PM
Ian Goddard wrote:
> Fernando Nunes wrote:
>> Ian Goddard wrote:
>>> Ian Michael Gumby wrote:
>>>> Sigh.
>>>
>>> Sigh indeed
>>>
>>>>
>>>> /etc/hosts.equiv isn't inherently bad, but it is dangerous. It is
>>>> controlled by root access so it limits some exposure.
>>>
>>> Read this and see if you recognise it:
>>>
>>> Informix requires a hosts.equiv file for its default authentication
>>> policy.
>>>
>>> Read it again:
>>>
>>>
>>> Informix requires a hosts.equiv file for its default authentication
>>> policy.
>>>
>>> Was there any part of that you didn't understand?
>>>
>>> Where does that come from?
>>>
>>> It comes from p3.12 of the IDS 11.50 IDS administrator's guide.
>>>
>>> Let's just say it again in case you missed it.
>>>
>>> Informix requires a hosts.equiv file for its default authentication
>>> policy.
>>>
>>>
>>
>> Please... whenever you say that, add that it DOESN'T need the "r"
>> services running.
>
> You'll need to speak to the folks who write the manuals because it goes
> on to suggest testing with rlogin

True... Of course, if it works with rlogin it should work with IDS ;)
That should be fixed. I agree.


> I'm coming to the conclusion that Gumby can only take in small amounts
> of information at a time and that might be overload.
>

Most probably that's also true :)

Well... I'll probably post something soon about this...
I'll try to take the opportunity to do it before xC4 comes out. Than I'll have
other subjects to cover ;)

Ian Michael Gumby
Apr 9, 2009, 10:24:11 PM
to godd...@hotmail.co.uk, inform...@iiug.org


> Date: Thu, 9 Apr 2009 22:16:00 +0100

> From: godd...@hotmail.co.uk
> Subject: Re: Trouble connecting to IDS 11.5 development server using SQuirrel SQL with IDS JDBC driver.
> To: inform...@iiug.org
>
> Ian Michael Gumby wrote:
> > Sigh.
>
> Sigh indeed
>
> >
> > /etc/hosts.equiv isn't inherently bad, but it is dangerous. It is
> > controlled by root access so it limits some exposure.
>
> Read this and see if you recognise it:
>
> Informix requires a hosts.equiv file for its default authentication policy.
>
> Read it again:
>
>
> Informix requires a hosts.equiv file for its default authentication policy.
>
> Was there any part of that you didn't understand?
>
> Where does that come from?
>
> It comes from p3.12 of the IDS 11.50 IDS administrator's guide.
>
> Let's just say it again in case you missed it.
>
> Informix requires a hosts.equiv file for its default authentication policy.
>
>
Authentication policy for what exactly?
Java?
Web apps?

.Net and ODBC?

Or just 4GL apps...

Which would mean that there's an issue with the csdk and Informix's cli.

I can understand that you would use /etc/hosts.equiv when you're setting up ER, but not for a client.

And btw, I don't have PCs set up in /etc/hosts.equiv and I can connect java apps (swing), Web apps from glassfish both without a problem. I'd try esql/c but I don't have a c compiler on my pc because I'm too cheap to buy one and too lazy to download gnu's C compiler ....

I'll say it again and again. YOU DO NOT WANT TO USE .rhosts and be very careful with /etc/hosts.equiv.

Period, end of story.

As for Informix's connection authentication, it uses the underlying OS to authenticate users. If you have PAM or LDAP set up you can use that too.





Ian Michael Gumby
Apr 9, 2009, 10:32:27 PM
to domus...@gmail.com, inform...@iiug.org


> From: domus...@gmail.com

> > Informix requires a hosts.equiv file for its default authentication policy.
> >
> >
>
> Please... whenever you say that, add that it DOESN'T need the "r" services
> running. Also add that you can control if it checks /etc/hosts.equiv or .rhosts
> or both or none. Also add that this happens ONLY if you want to use trusted
> connections (you can use other ways of authentication). Also add that it is NOT
> needed for distributed queries (just configure PAM).
>
> (you can also add that this is a touchy subject for me, but I believe people
> will not care about that ;) )
>
> Regards.

Geez!

Ok, lets clear the air.

Are you talking about a *trusted* server that is running Informix so you can *do* distributed queries? If so, then your server should have a static IP address and you should use /etc/hosts.equiv, but never .rhosts.

You have PAM which is a little bit more than just for authentication services, and you could use LDAP which is an authentication service. I do agree that Informix's PAM documentation is a tad *lame* and back when 10.x was released, it was pretty much non-existent.

If you're talking about a client to host connection. /etc/hosts.equiv is not an issue.

If you're a bank/thrift and you're using .rhosts, you would probably fail an OTS IT audit. (Depending on the auditor.) If you use /etc/hosts.equiv, you'll have to document and justify why.

Informix has done some brain dead things in the past... (NewEra anyone?) so it doesn't come as a shock that they would screw something else up... But hey! Like I said, it took IBM, SUN, SCO, and a couple of other vendors many, many years to put a little letter n in their strcopy and memcopy function calls...

Ian Michael Gumby
Apr 9, 2009, 10:43:24 PM
to godd...@hotmail.co.uk, inform...@iiug.org


> Date: Thu, 9 Apr 2009 22:34:46 +0100
> From: godd...@hotmail.co.uk


> > Also add that you can control if it checks /etc/hosts.equiv or .rhosts or both or none.
>
> I'm coming to the conclusion that Gumby can only take in small amounts
> of information at a time and that might be overload.
>
> --
> Ian
>
No,

I can take in a lot of information at a time.
It seems that you can't grasp the potential damage you can do if you use .rhosts and /etc/hosts.equiv improperly.

I'm not the one who can't get my connections to work, am I?
Ok, I *did* have trouble with getting IDS to work on Sun's glassfish and webservers using NetBeans' wizards. But that wasn't my fault that the documentation provided by Sun was wrong. ;-) (Yeah, I'll admit I was brain dead because while I was scratching my head, I totally ignored the fact that I had the java docs for Informix's jdbc on my machine. But that's another friggin story.)

I will say this. Until you live through a firefight drill and spend 36 hours straight in panic mode, you don't appreciate how fixing a small thing can make your life easy. This is why I have tried to beat some sense in to you. Of course it doesn't help when the brain dead morons who wrote Informix's documentation don't grok proper sys admin security.





Clive Eisen
Apr 13, 2009, 5:01:53 PM
to inform...@iiug.org
Ian Michael Gumby wrote:
> With respect to DHCP... I'm no expert so I've never seen where you can
> reserve an IP address for a specific machine that isn't a static IP
> address. In one of my clients, I have a sales office where there are
> between 75 - 125 laptops (and growing) on and off the network each day.
> There are a handfull of desktop and act as 'servers' that are tethered
> via a gigabit switch. Everything else is wireless. So I use a static IP
> address for the desktop machines and I use a wide range of addresses
> under DHCP. Even here, when connecting to the office printer/fax/scanner
> machine, they are set up via TCP/IP address and not name. So you can mix
> static and non-static IP addresses in the office.
>

I can't believe you write such crap Gumby - and if this bit is crap how
much else of what you write is crap?

go look at the fine manuals for DHCP and see what something like

host slax-dev { hardware ethernet 00:0c:29:29:6c:d1; fixed-address 192.168.22.99; }

might do

Ian Michael Gumby
Apr 13, 2009, 10:04:40 PM
to cl...@serendipita.com, inform...@iiug.org


> Date: Mon, 13 Apr 2009 22:01:53 +0100
> From: cl...@serendipita.com
> To: inform...@iiug.org

> Subject: Re: Trouble connecting to IDS 11.5 development server using SQuirrel SQL with IDS JDBC driver.
>
Sorry there's no crap here.

What you're doing is setting up a MAC address to a fixed IP address. But tell me how you can do this on the very simple web interface that most of these cheap wireless routers ship with?

Some of the older wireless routers didn't let you specify the range. Now you can specify the range. Then you can use static IP addresses outside of the range.

You can say RTFM, but go check out Linksys and see what you can and can't do.  So please go check your attitude at the door.


-G




Mark Townsend
Apr 13, 2009, 10:34:42 PM

>
> I can't believe you write such crap Gumby - and if this bit is crap how
> much else of what you write is crap?
>

You know those bits at the end where he says

"But Hey, what do I know ..."

Everything except those bits. Sometimes.

Ian Michael Gumby
Apr 13, 2009, 11:44:16 PM
to Mark Townsend, inform...@iiug.org
Gee Mark,

Still mad cause I made fun of Oracle's pitiful excuse of a 'temp' table that wasn't really a temp table?
naw that can't be it.

How about calling larry e a pussy for not stepping up to the plate and making a real offer for Sun?
Naw that can't be it. Larry doesn't want any hardware and doesn't want to piss off his new best buds at HP.

Or how about how I'm questioning the pricing used in the new TPC-C benchmark Oracle did on HP w the cost of $5,800 to run Oracle on a dual socket, quad core xeon machine (8 cores)?
Naw, that can't be it either.

Oh there's so much more, but I guess cause I've outed Alyse and Inhi as being incompetent that I'm in the dog house.

But what I haven't said is anything about IBM's last chat w the labs regarding Solid and IDS.
I wonder how they are positioning it in the financial marketplace when Solid doesn't support Time Series.
There's more to this, but this is also an uphill battle. (It goes in to the architecture of solutions and the relevancy of the database in electronic trading
systems.

Of course we can put that argument aside since IBM's new 'next great thing' is to stream data from multiple sources in real time. Here time series could be important, however, I don't believe that besides Solid not supporting timeseries, neither does DB2. (Of course if I'm wrong and DB2 does support timeseries, I believe Serge will be one of the first to jump on that fact and condemn all of my posts. Something Mark loves to do since I once wondered if he was a poofter. Seems a Rem 7 was a bit too much gun for him to handle. ;-)



But hey! What do I know?

A hell of a lot more than I can legally talk about... ;-)

-G





Ian Goddard
Apr 14, 2009, 3:40:08 AM

Go to
kbserver.netgear.com/pdf/dg834_dg834b_ref_manual_03Jun05.pdf

and check out p 6-6. And check /your/ attitude at the door.

Ian Goddard
Apr 14, 2009, 3:43:07 AM

Exactly what part of the phrase "p3.12 of the IDS 11.50 IDS
administrator's guide" did you not understand?

Ian Michael Gumby
Apr 14, 2009, 8:33:06 AM
to godd...@hotmail.co.uk, inform...@iiug.org
Ian.

I suggest you go back and check your attitude at the door.
Did I say I had a netgear router? Nope. Did I say my client has a netgear router?
Nope.

Did I say how old the routers were? Nope.
The point, junior, is that the routers may allow for DHCP, but from their web interface, they KEEP IT SIMPLE STUPID, because these are the 'home' versions and not the commercial grade routers. I'd love for my client to replace his two el-cheapo routers with a single commercial grade Cisco unit that has both a/g capabilities, was even thinking about n, but none of their laptops come with n yet so there's a way to save a couple of hundred bucks. Then they could have multiple authentications. WPA/WPA2 and still allow 128K wep along with a white mac list. Of course if they don't broadcast their SSID, I guess that could hide the wep too.... But its not my office and my client doesn't want to spend money that they don't have to, and I don't want to spend a couple of hours on the phone with their ISP's tech support trying to get their router's client side IP address ... (but I said that already...)

And of course we've gotten off topic.

You come here trying to do something that is totally brain dead. Meaning using .rhosts and /etc/hosts.equiv.

I've given you a handful of links that were pretty easy to find via google as to why you don't want to use .rhosts and why you have to be *VERY* *VERY* *CAREFUL* when using /etc/hosts.equiv.

Putting a (+) is the most brain dead thing that you can do. If I ever audited any system where this was done, it would mean termination of the sysadmin on the spot.

Essentially you can forget your firewall because you've just shaved your ass, tatoo'ed 'PLEASE FUCK ME' on your backside and you've lubed up your asshole just waiting to be fucked.

Now, I haven't touched 4GL since '96. Really I stopped programming in 4GL since '93 but I still played with it. 4GL wasn't really designed as a 'client/server' paradigm. That was an after thought. 4GL was mainly used on 'green screen' terminals that were connected to the server via a serial connection. (You do remember those, right?)

When it went 'client/server', the internet was relatively young and security wasn't the first thing anyone thought about. After all, you'd be client server on your own domain and behind a nice set of fire walls with a DMZ zone and your app wouldn't be out beyond the interior firewall.

I would have believed that 4GL would have grown up along the way. But what do I know? I switched to Objective-C / Java work for client server and laughed at Informix's 'New Error' because those who wrote it didn't know jack about language theory.

Yet I digress.

The point is that if you use a (+) you've now set up your machine to treat anyone within your subnet as a 'trusted' host. So if I were a 'disgruntled' employee, or an industrial spy, I'd just bring in a small USB stick pre-loaded with Linux. I would then log in as root on my machine and now I can connect as root on to your server.  Do I need to go on, or do you get the drift?

Like I said. If you do what you want to do, you've just dropped your shorts and have just lubed your ass.

But hey!
Its your machines not mine.

-G




Ian Michael Gumby
Apr 14, 2009, 8:58:53 AM
to godd...@hotmail.co.uk, inform...@iiug.org


> Date: Tue, 14 Apr 2009 08:43:07 +0100

> From: godd...@hotmail.co.uk
> Subject: Re: Trouble connecting to IDS 11.5 development server using SQuirrel SQL with IDS JDBC driver.

>
> Exactly what part of the phrase "p3.12 of the IDS 11.50 IDS
> administrator's guide" did you not understand?
>

Uhm... NETRC?

Or did you mean the basic information that starts on 3.11 talking about Network Security Files?

And if you bothered to read, they're giving you a basic understanding of how Linux/Unix security is set up. They are not giving you a system administrator's look at the security risks around using these files.

I *can* read, can you?

Also in reading the subject line, we're talking about JDBC which has nothing to do with this because you don't need to use /etc/hosts.equiv with JDBC.

Obnoxio The Clown
Apr 14, 2009, 9:03:32 AM
to inform...@iiug.org
Ian Michael Gumby wrote:
>
> I *can* read

But there is one thing that you absolutely can NOT do.

Which is to ever, EVER shut the fuck up.

Ian Michael Gumby
Apr 14, 2009, 10:21:56 AM
to Obnoxio The Clown, inform...@iiug.org
Poor Clown.

What don't you understand?

That following IBM's Informix IDS admin manual's limited description of Unix security files will screw up your site's security?

Oh yes, lets put a (+) in the .rhosts file so that anyone can attach as me, or better yet, put it in the /etc/hosts.equiv file so anyone can connect as anyone from any machine.

And to be fair, the Informix manual doesn't say that.  It's just something some moronic DBA who doesn't live in a paranoid world of sysadmins doesn't grok the dangers of using .rhosts or /etc/hosts.equiv. But because it's in IBM's Informix manual, it means it must be OK. (Don't get me started on gun safety analogies here ...)

I could go on, but this is definitely one horse that you can't beat to death. I mean hell. It's been 20+ years since Morris launched his worm, several years in to all of the major data thefts that have been exposed.

I guess we should be thankful TJX was running Oracle and not Informix.

Sorry but security should be your first thought when setting up any environment, or do you like walking down the street with your pants down around your ankles and a 'bugger me please!' sign attached to your back?

-G




Obnoxio The Clown
Apr 14, 2009, 10:23:12 AM
to inform...@iiug.org
Ian Michael Gumby wrote:
> Poor Clown.
>
> What don't you understand?

Why you won't just shut the fuck up, ever.

Ian Michael Gumby
Apr 14, 2009, 11:06:40 AM
On Apr 14, 9:23 am, Obnoxio The Clown <obno...@serendipita.com> wrote:
> Ian Michael Gumby wrote:
> > Poor Clown.
>
> > What don't you understand?
>
> Why you won't just shut the fuck up, ever.
>
> --
> Cheers,
> Obnoxio The Clown
>
Because.

Actually that's the best answer I can give a misguided clown who
thinks adding a bunch of keywords at a bottom of a post will actually
accomplish anything that will get past a filter and in front of a
human.

jack.p...@verizon.net
Apr 14, 2009, 10:48:01 AM
to obn...@serendipita.com, inform...@iiug.org
Seconded.

j.


On Apr 14, 2009, Obnoxio The Clown <obn...@serendipita.com> wrote:

Ian Michael Gumby wrote:
> Poor Clown.
>
> What don't you understand?

Why you won't just shut the fuck up, ever.

--
Cheers,
Obnoxio The Clown

http://obotheclown.blogspot.com

The following is a disclaimer and a protest at the collection, retention
and sharing of my personal mail by the morally bankrupt state.

By adding a string of key words, it will guarantee that each and every
mail that I send will now need to be manually viewed as it is picked up
by the auto scan software. If every person in the UK does exactly the
same, then the entire system will quickly become so unmanageable, so
unwieldy that it will become unworkable.

Key words: bomb, assassinate, president, brown, Osama, Obama, Sarkozy,
Merkel, government, target, location, rocket, grenade, al-Qaeda,
Pakistan, India, Afghanistan, UK, America, guns, jets, bombs,
machine-gun, terrorists, MP's, pigs, troughs, France, Germany, Italy,
nuclear, Korea.

PPS If you are reading this because you've picked up the above keywords:
I hope your parents are proud of what you have become.



Fernando Nunes
Apr 15, 2009, 5:01:25 PM

It would be nice to see a post from you with the following sentence:

"I fully understand that I don't need to be running the "r" services for
Informix trusted connections to work. As such, all my security concerns which
are right, don't relate to Informix authentication"

It would mean that not only you could read, but also you could understand. ;)

Fernando Nunes
Apr 15, 2009, 7:06:32 PM
Ian Michael Gumby wrote:
> I've given you a handful of links that were pretty easy to find via
> google as to why you don't want to use .rhosts and why you have to be
> *VERY* *VERY* *CAREFUL* when using /etc/hosts.equiv.

With, or without the "r" services running?

> Now, I have't touched 4GL since '96. Really I stopped programming in 4GL
> since '93 but I still played with it . 4GL wasn't really designed as a
> 'client/server' paradigm. That was an after thought. 4GL was mainly used
> on 'green screen' terminals that were connected to the server via a
> serial connection. (You do remember those, right?)
>
> When it went 'client/server', the internet was relatively young and
> security wasn't the first thing anyone thought about. After all, you'd
> be client server on your own domain and behind a nice set of fire walls
> with a DMZ zone and your app wouldn't be out beyond the interior firewall.
>
> I would have believed that 4GL would have grown up along the way. But
> what do I know? I switched to Objective-C / Java work for client server
> and laughed at Informix's 'New Error' because those who wrote it didn't
> know jack about language theory.

4GL is perfectly able to make the usual user/password connection.
I would believe this to be a usual method for client/server.
I personally haven't done it (yet), but it should be able to connect to a
DBSERVERALIAS configured with PAM, which makes it very flexible.

So, I don't really understand what is the problem with 4GL...
But hey... ;)


>
> Yet I digress.
>
> The point is that if you use a (+) you've now set up your machine to
> treat anyone within your subnet as a 'trusted' host. So if I were a
> 'disgruntled' employee, or an industrial spy, I'd just bring in a small
> USB stick pre-loaded with Linux. I would then log in as root on my
> machine and now I can connect as root on to your server. Do I need to
> go on, or do you get the drift?

You'd only login as root if you put a + on the ~root/.rhosts. On the
/etc/hosts.equiv it does not allow root access. You should check the man for
ruserok:

"The ruserok() and iuserok() functions take a remote host's name or IP address,
as returned by gethostbyname(), two user names, and a flag indicating whether
the local user's name is that of the super-user. Then, if the user is not the
super-user, it checks the ROOTDIR/etc/hosts.equiv file. If that lookup is not
done, or is unsuccessful, the .rhosts file in the local user's home directory
is checked to see if the request for service is allowed. "

And all this of course, and again, only makes sense if you have the "r"
services running... And I don't know why someone with security concerns would
have these services running...

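The decision Fernando describes above, and the '(+)' wildcard Gumby warns about earlier in the thread, in executable form. This is an added example written for this copy of the thread; it is not code from Informix or from any poster. It models the quoted ruserok(3) rule over plain "host [user]" entries with '+' as a wildcard in either field; netgroup (@name) and negative (-host) entries are deliberately left unmodelled, and every file content used below is constructed.

```python
"""ruserok-style trust decision for hosts.equiv and .rhosts.

Added example, not code from Informix or from anyone in this thread.
Modelled: 'host [user]' entries, '#' comments, '+' as a wildcard in either
field. Not modelled (simplification): netgroups (@name) and negative
(-host / -user) entries.
"""
from typing import List, Optional, Tuple

Entry = Tuple[str, Optional[str]]


def parse_trust_file(text: str) -> List[Entry]:
    """Return (host, user-or-None) pairs in file order."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        entries.append((fields[0], fields[1] if len(fields) > 1 else None))
    return entries


def file_allows(text: str, rhost: str, ruser: str, luser: str) -> bool:
    """First matching entry wins.

    'host' alone trusts the *same* user name coming from host.
    'host user' trusts that remote user as whichever local user is being
    checked (in hosts.equiv that is any non-root account; in ~luser/.rhosts
    it is luser, because only luser's own file is consulted).
    """
    for host, user in parse_trust_file(text):
        if host != "+" and host.lower() != rhost.lower():
            continue
        if user is None:
            if ruser == luser:
                return True
        elif user == "+" or user == ruser:
            return True
    return False


def ruserok(hosts_equiv: str, luser_rhosts: str,
            rhost: str, ruser: str, luser: str) -> bool:
    """The rule quoted from the man page: hosts.equiv is consulted only when
    the local user is not the superuser; otherwise, or on no match, fall
    through to ~luser/.rhosts."""
    if luser != "root" and file_allows(hosts_equiv, rhost, ruser, luser):
        return True
    return file_allows(luser_rhosts, rhost, ruser, luser)


def wildcard_findings(text: str, path: str) -> List[str]:
    """Audit helper: every '+' entry widens trust beyond named hosts."""
    findings = []
    for host, user in parse_trust_file(text):
        if host == "+" and user == "+":
            findings.append(f"{path}: '+ +' trusts every user on every host")
        elif host == "+":
            findings.append(f"{path}: '+' trusts the same user name from every host")
        elif user == "+":
            findings.append(f"{path}: every user on {host} is trusted")
    return findings


if __name__ == "__main__":
    # Constructed contents, not taken from any real system.
    hosts_equiv = "+\n"      # the '(+)' case argued about in this thread
    root_rhosts = ""         # root has no .rhosts
    print(ruserok(hosts_equiv, "", "laptop", "alice", "alice"))          # True
    print(ruserok(hosts_equiv, root_rhosts, "laptop", "root", "root"))   # False
    print(ruserok(hosts_equiv, "+ +\n", "laptop", "bob", "root"))        # True
    print(wildcard_findings(hosts_equiv, "/etc/hosts.equiv"))
```

The three calls at the bottom make the disputed point concrete: a bare '+' in hosts.equiv lets any host's alice in as alice, does nothing for root, and only a '+ +' in ~root/.rhosts hands root to everyone. A named "host user" line in hosts.equiv is still worth flagging in an audit, since it lets that remote user in as any non-root account, not just as themselves.
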
Ian Michael Gumby
Apr 16, 2009, 9:29:32 AM
On Apr 15, 6:06 pm, Fernando Nunes <domusonl...@gmail.com> wrote:

> 4GL is perfectly able to make the usual user/password connection.
> I would believe this to be a usual method for client/server.
> I personally haven't done it (yet), but it should be able to connect to a
> DBSERVERALIAS configured with PAM, which makes it very flexible.
>
> So, I don't really understand what is the problem with 4GL...
> But hey... ;)
>
>
>

There are a lot of problems with 4GL. It's a legacy application that
hasn't been really able to make the paradigm shift from the green
screen to the multiple windows client. Unfortunately / Fortunately,
you have IDEs that you can do a drag and drop and create Swing apps
fairly quickly. If you don't like Java or are on a Mac, you can use
Interface Builder (Objective-C) that was created by NeXT. There you
again have the ability to create drag and drop of visual elements and
then using object delegation, tie the screen objects to either
controller or business objects. Now I'm dating myself because the java
spring framework uses a different term than delegation and my memory
is drawing a blank right now... ;-)

If you want to look at web based apps, then you can look at Java /
JSTL / add your favorite AJAX library like dojo as a way to build
apps...

But to your point, yes PAM is a bit more interesting. With PAM you can
potentially do a lot of things in terms of security and flexibility
that didn't exist back in the days of Bill Joy. (.rhosts and /etc/
hosts.equiv)

The nice thing about PAM is that it is controlled by the sysadmin and
has a lot more controls around it. The bad thing about PAM is the lack
of adequate documentation. Especially when it comes to using it with
Informix. I think things are better than they were 2 years ago when I
started looking at PAM and IDS 10.0 (or was it 3 years ago? )

And yes, this is why I get peeved about people who still feel that
they have to use /etc/hosts.equiv or .rhosts. You don't.
Don't get me wrong. If you've got a second nic card and a separate
subnet connecting your database servers and you want to make it easy
to connect two servers for HDR, then by all means use /etc/hosts.equiv
to connect those two machines on the private subnet. But that's the
limit.

Fernando Nunes
Apr 16, 2009, 11:01:53 AM
to Ian Michael Gumby, inform...@iiug.org


I really enjoy some of your posts as food for thought, but your capacity of dribbling the logic is terrible. The only person as bad as you has not come here for a long time...
First, all your rhetoric about 4GL limitations completely ignores the focal point: you can use user and password with 4GL. It's perfectly documented and easy to do. I won't dispute most applications don't do it, but that is not 4GL's fault. Obviously 4GL is far from being "modern", but that's not the point.

As for the PAM documentation I believe now there is some good stuff, but I admit I'm suspicious to make an opinion on that ;)
If you have doubts, feel free to post them here. I'll do my best to help and it would be a good pretext to update the article.

And again, you miss completely the point with your example on HDR. The only situation where you can configure Informix trusted relations without using the /etc/hosts.equiv or ~/.rhosts is precisely when you're establishing the HDR trusts. Please check the "s=6" option in sqlhosts...
You have a lot of experience and we all know a lot about everything. But are you sure you've been keeping up to date with Informix in the last years? Your posts reveal you haven't, which is up to you, but it does look bad on your posts, and worse, can induce some people in error...
This is the main reason why I keep answering you... You're too dangerous in spreading wrong technical information about IDS...

epsilon
Apr 16, 2009, 12:47:43 PM
All:


Back to the origin of this thread and the promise that I would report
back my findings after hours of frustration, I finally found the
solution to "ssh" port forwarding on my Debian development server and
the SQuirreL SQL client connection. Listed below is the configuration I
had to use with "onconfig" and "sqlhosts". It seems that Informix
passes the exact listing for the hostname and translation is not an
option.

SERVER:

$> vi sqlhosts
#======================================================================
# dbservername   nettype   hostname     servicename
# (these columns are sqlhosts entries; the post labelled this listing
#  "onconfig", but this layout belongs in the sqlhosts file)
#======================================================================
vm_ids_115       onsoctcp  vm-debian-5  15260
vm_ids_115_tcp   onsoctcp  localhost    15260
vm_ids_115       drsoctcp  vm-debian-5  15261

vm_ids_115       onipcshm  vm-debian-5  dummy
vm_ids_115       onipcstr  vm-debian-5  dummy


$> vi onconfig
# DBSERVERALIASES is an onconfig parameter (the post labelled it "sqlhosts")
DBSERVERALIASES vm_ids_115,vm_ids_115_tcp


CLIENT:
telnet localhost 1526

Thank you again for all the great suggestions.

Christopher

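A way to check a SQuirreL/JDBC URL against the server's sqlhosts before fighting the tunnel, and to see at a glance which entries still do hosts.equiv/.rhosts lookups (Fernando's point about the sqlhosts "s" option earlier in the thread). This is an added example, not code from the original post, from Informix or from SQuirreL SQL. It parses a constructed sqlhosts modelled on the entries posted above, confirms that the INFORMIXSERVER named in the URL has an entry with a TCP nettype the SQLI driver can reach (onsoctcp, ontlitcp or onsocssl), reports the trusted-lookup setting from the entry's "s=" option (s=0 no hosts.equiv/.rhosts lookup, s=1 hosts.equiv only, s=2 .rhosts only, s=3 both and the default, s=4 PAM, s=6 the HDR/ER trust Fernando mentions; verify these against the sqlhosts section of the guide for your version), and composes the ssh -L command that exposes a loopback-only listener to the client. The "s=0" on the localhost alias and the ssh target "chris@vm-debian-5" are assumptions for the sample, not from the thread.

```python
"""Check an informix-sqli JDBC URL against sqlhosts and plan the ssh tunnel.

Added example, not code from this thread, Informix or SQuirreL SQL.
Assumptions are marked in comments.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List

# SQLI-over-TCP nettypes an informix-sqli JDBC client can reach.
TCP_NETTYPES = {"onsoctcp", "ontlitcp", "onsocssl"}

# Server-side 's' security option in the sqlhosts options field, as
# documented for IDS; confirm against the guide for the version in hand.
TRUST_LOOKUP = {
    "0": "no hosts.equiv/.rhosts lookup (password required)",
    "1": "hosts.equiv only",
    "2": ".rhosts only",
    "3": "hosts.equiv and .rhosts (the default when s is absent)",
    "4": "PAM (see pam_serv/pamauth options)",
    "6": "HDR/ER trusted pair, no hosts.equiv/.rhosts",
}


@dataclass
class SqlhostsEntry:
    name: str
    nettype: str
    host: str
    service: str
    options: Dict[str, str] = field(default_factory=dict)

    def trust_lookup(self) -> str:
        s = self.options.get("s", "3")
        return TRUST_LOOKUP.get(s, f"unknown s={s}")

    def loopback_only(self) -> bool:
        return self.host in ("localhost", "127.0.0.1")


def parse_sqlhosts(text: str) -> List[SqlhostsEntry]:
    """Columns: dbservername nettype hostname servicename [k=v,k=v]."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4:
            raise ValueError(f"malformed sqlhosts line: {raw!r}")
        options: Dict[str, str] = {}
        if len(fields) > 4:
            for kv in fields[4].split(","):
                key, _, value = kv.partition("=")
                options[key] = value
        entries.append(SqlhostsEntry(*fields[:4], options))
    return entries


_URL = re.compile(
    r"^jdbc:informix-sqli://(?P<host>[^:/]+):(?P<port>\d+)/(?P<db>[^:;]+)"
    r"(?::(?P<props>.*))?$"
)


def parse_jdbc_url(url: str) -> Dict[str, str]:
    """Split host, port, database and the ;-separated KEY=value properties."""
    m = _URL.match(url.strip())
    if not m:
        raise ValueError("not an informix-sqli JDBC URL")
    info = {"host": m["host"], "port": m["port"], "database": m["db"]}
    for kv in (m["props"] or "").split(";"):
        if kv.strip():
            key, _, value = kv.partition("=")
            info[key.strip().upper()] = value.strip()
    return info


def plan_tunnel(sqlhosts_text: str, url: str, ssh_target: str) -> Dict[str, object]:
    """Verify the alias the client will ask for and build the ssh -L line."""
    info = parse_jdbc_url(url)
    alias = info.get("INFORMIXSERVER")
    if not alias:
        raise ValueError("URL must carry INFORMIXSERVER=<dbservername or alias>")
    # The server only answers to names it lists itself: the alias must be in
    # sqlhosts with a TCP nettype, whatever host:port the client dials.
    matches = [e for e in parse_sqlhosts(sqlhosts_text)
               if e.name == alias and e.nettype in TCP_NETTYPES]
    if not matches:
        raise ValueError(f"{alias}: no onsoctcp/ontlitcp/onsocssl entry in sqlhosts")
    entry = matches[0]
    warnings = []
    if info["host"] not in ("localhost", "127.0.0.1"):
        warnings.append("client URL should point at the local end of the tunnel")
    if not entry.loopback_only():
        warnings.append(f"{alias} listens on {entry.host}, not loopback: "
                        "the port is reachable without the tunnel")
    return {
        "alias": alias,
        "listener": f"{entry.host}:{entry.service}",
        "loopback_only": entry.loopback_only(),
        "trust_lookup": entry.trust_lookup(),
        # -L local:remote_host:remote_port; remote_host is resolved on the ssh
        # server, so "localhost" here is the Debian box's own loopback.
        "ssh": f"ssh -N -L {info['port']}:{entry.host}:{entry.service} {ssh_target}",
        "warnings": warnings,
    }


# Constructed sample modelled on the entries in the post above; the s=0 on
# the loopback alias and the ssh target are assumptions, not from the thread.
SQLHOSTS = """\
vm_ids_115       onsoctcp  vm-debian-5  15260
vm_ids_115_tcp   onsoctcp  localhost    15260  s=0
vm_ids_115       drsoctcp  vm-debian-5  15261
vm_ids_115       onipcshm  vm-debian-5  dummy
"""
JDBC_URL = "jdbc:informix-sqli://localhost:1526/morganscrossing:INFORMIXSERVER=vm_ids_115_tcp"

if __name__ == "__main__":
    for key, value in plan_tunnel(SQLHOSTS, JDBC_URL, "chris@vm-debian-5").items():
        print(f"{key}: {value}")
```

Run as is, it prints the ssh -N -L 1526:localhost:15260 line for the loopback alias; swapping the URL's INFORMIXSERVER to vm_ids_115 produces a warning instead, because that alias listens on vm-debian-5 and the port is then reachable without the tunnel.
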
Fernando Nunes
Apr 18, 2009, 9:01:10 PM