
ONE TIME PASSWORD ENHANCEMENT ... A QUICK INTRODUCTION

Former Member
0 Kudos

This is an example of how to simply integrate a "One Time Password" (OTP) as an extra secure login phase (an advanced version is available too..) under SAP, using ABAP and Perl as multiplatform development languages.

The ABAP part is below (install instructions are in the comment part; anyway you can download the whole project from the URL listed after the ABAP source...):

http://berardimichele.interfree.it/src/perl/VTOKEN.zip



*&---------------------------------------------------------------------*
*&  Include         |  ZXUSRU01                                        *
*&---------------------------------------------------------------------*
*&  Rule            |  OTP / TKNRD    (SAP / ABAP WRAPPER)             *
*&---------------------------------------------------------------------*
*&  Copyright       |            (C) 2008 Berardi Michele              *
*&                  |                   mfxaub [----] tin.it           *
*&                  |  http://berardimichele.interfree.it              *
*&                  |                    +39 347 319 2000              *
*&---------------------------------------------------------------------*
*&  Revision        |  1.2j (OPENSOURCE VERSION)                       *
*&---------------------------------------------------------------------*
*&  Compatibility   |  SAP VER. >= 4.7                                 *
*&---------------------------------------------------------------------*
*&                  |                                                  *
*&  TODO            |  - implement "logical files" (transaction: FILE) *
*&                  |                                                  *
*&                  |  - admin interface (transaction)                 *
*&                  |                                                  *
*&                  |  - use SM69 / SM49 (create custom OS commands)   *
*&                  |    for "SXPG_COMMAND_EXECUTE" func. module       *
*&                  |                                                  *
*&                  |  - use MESSAGE class (localize msgs)             *
*&                  |    example: MESSAGE e154(g00) WITH id_fname.     *
*&                  |                                                  *
*&                  |  - use RZL_READ_FILE instead of open dataset?    *
*&                  |                                                  *
*&                  |  - use of AL11 / RZ11 and customize AS paths     *
*&                  |                                                  *
*&---------------------------------------------------------------------*
*&                  |                                                  *
*&                  |  HOW TO INSTALL this "SAP Enhancement"           *
*&                  |                                                  *
*&                  ---------------------------------------------------*
*&                                                                     *
*& launch the transaction: "CMOD".                                     *
*&                                                                     *
*& Create a new (or modify your) "SAP Enhancement Project".            *
*&                                                                     *
*& Choice this menu voice: "Utilities -> SAP Enhancements"             *
*&                                                                     *
*& than press F8 -> select and activate the user exit: "SUSR0001"      *
*&                                                                     *
*& (this operation will create/open the "function module":             *
*& "EXIT_SAPLSUSF_001"                                                 *
*&                                                                     *
*& on the opened source code double-click on the include: "ZXUSRU01"   *
*& (yes if don't exist create a new one..)                             *
*& replace the entire sourcecode of the "ZXUSRU01" with this one.      *
*&                                                                     *
*& Go back on your project resume (under cmod transaction)             *
*& now activate: include, function module                              *
*& and the entire "SAP Enhancement" created.                           *
*&---------------------------------------------------------------------*


DATA AS_TRIDEDSK_path type string.
DATA AS_OTPFILTER_file type string.
DATA AS_USER_OTP_MODE type string.


* APPLICATION SERVER SETUP OTP APPLICATION ----------BEGIN


* I need a function module that return the SAP AS root
* instead of hardcoding paths (logical files):
*
* http://help.sap.com/saphelp_nw04/helpdata/en/9f/db95e635c111d1829f0000e829fbfe/content.htm




CONCATENATE

* CUSTOMIZE_ME [1]
'C:\MiniWAS\'

'VTOKEN\server\'

 INTO
AS_TRIDEDSK_path.



CONCATENATE

* CUSTOMIZE_ME [2]
'perl C:\MiniWAS\VTOKEN\server\'
*' D:\downloads\work\GlobalTools\Tools\OpenVPN\'
*'config\openvpnS0\clients\scripts\otp\'


* CUSTOMIZE_ME [3] / CUSTOMIZE_ME [4]
*
*'otp_validator.pl'
'otp_validatos.pl'

 INTO
AS_OTPFILTER_file.



*AS_USER_OTP_MODE = 'TOKEN'.

AS_USER_OTP_MODE = 'POPUP'.

* APPLICATION SERVER SETUP OTP APPLICATION ------------END









DATA AS_IDPWD_file type string
VALUE '_AS_IDPWD.idpwd'.

DATA AS_OTPCHK_file type string
VALUE '_AS_OTPCHK.exit'.

DATA AS_OTPFILEPATH_file type string
VALUE '.otp'.


DATA AS_OTPCHK_EXITCODE(1) type C value '1'.

DATA: BEGIN OF AS_OTP_REC,
        CHK(1) type C,
      END OF AS_OTP_REC.




* TKNRD SPECIFIC VALUES [1] --BEGIN
*
* WS_UPLOAD (SAP VER. < 4.7)
*DATA PS_IDPWD_file LIKE RLGRAP-FILENAME
DATA PS_IDPWD_file type string
VALUE 'PS_IDPWD.idpwd'.

data: begin of t_idpwd occurs 0,
      IDPWD(124) type C,
      end of t_idpwd.

DATA PS_WORKDIR TYPE STRING.

DATA PS_OPERATIVE_SYSTEM(20).

DATA PS_FSYSTEM_SEPARATOR type C.

DATA:

PS_GUI_INFOREQ_VALUE(255) TYPE C,

* -2 = SAP SYSTEM DIR
* 11 = SAP CURRENT DIR
PS_GUI_INFOREQ TYPE I VALUE '11'.

*
* TKNRD SPECIFIC VALUES [1] ----END




* OTP SPECIFIC VALUES [1] --BEGIN
*
DATA PS_USER_OTP type string
VALUE '-'.

DATA PS_USER_ANSWER type string
VALUE ''.
*
* OTP SPECIFIC VALUES [1] ----END




*Break BCUSER.





* TKNRD SPECIFIC CODE [1] --BEGIN
*
* PRESENTATION SERVER "WS_QUERY" OS (OTP VALIDATOR) -------BEGIN

IF AS_USER_OTP_MODE EQ 'TOKEN'.

CALL FUNCTION 'WS_QUERY'
EXPORTING
QUERY = 'OS'
IMPORTING
RETURN = PS_OPERATIVE_SYSTEM
EXCEPTIONS
INV_QUERY = 1
NO_BATCH = 2
FRONTEND_ERROR = 3
OTHERS = 4.

IF PS_OPERATIVE_SYSTEM CS 'WINDOWS'.

PS_FSYSTEM_SEPARATOR = '\'.

ELSE.

PS_FSYSTEM_SEPARATOR = '/'.

ENDIF.



ENDIF.

* PRESENTATION SERVER "WS_QUERY" OS (OTP VALIDATOR) ---------END
*
* TKNRD SPECIFIC CODE [1] ----END





* OTP SPECIFIC CODE [1] --BEGIN
*
* PRESENTATION SERVER "GET OTP FROM USER" (OTP VALIDATOR) ---------BEGIN

IF AS_USER_OTP_MODE EQ 'POPUP'.

       CALL FUNCTION 'POPUP_TO_GET_VALUE'
             EXPORTING
                  fieldname           = 'UNAME'
                  tabname             = 'SYST'
                  titel               = 'PLEASE INSERT YOUR OTP'
                  valuein             = ''
             IMPORTING
                  answer              = PS_USER_ANSWER
                  valueout            = PS_USER_OTP
             EXCEPTIONS
                  fieldname_not_found = 1
                  OTHERS              = 2.
ENDIF.

* PRESENTATION SERVER "GET OTP FROM USER" (OTP VALIDATOR) -----------END
*
* OTP SPECIFIC CODE [1] ----END




*Break BCUSER.





* APPLICATION SERVER BUILD AS_OTPFILTER_file PATH ----------BEGIN

CONCATENATE AS_TRIDEDSK_path sy-uname AS_IDPWD_file
INTO AS_IDPWD_file.

CONCATENATE AS_TRIDEDSK_path sy-uname AS_OTPCHK_file
INTO AS_OTPCHK_file.

CONCATENATE AS_TRIDEDSK_path sy-uname AS_OTPFILEPATH_file
INTO AS_OTPFILEPATH_file.


CONCATENATE

AS_OTPFILTER_file
' -scriptmode=via-file -cname=openvpnC0_Test_Client01'
' -susername="' sy-uname '"'
' -idpwdfile="' AS_IDPWD_file '"'
' -exitfile="' AS_OTPCHK_file '"'
' -spassword="' PS_USER_OTP '"'
' -otpfilepath="' AS_OTPFILEPATH_file '"'



INTO

AS_OTPFILTER_file.



* APPLICATION SERVER BUILD AS_OTPFILTER_file PATH ------------END



*Break BCUSER.



* TKNRD SPECIFIC CODE [2] --BEGIN
*

* PRESENTATION SERVER GET PS_WORKDIR ---------BEGIN


* Use transaction SO21 to maintain the PC local directory (SAPWORKDIR).
* Or, run the ABAP program (via SA38 or SE38) RSSOPCDR.
* DEFAULT: %USERPROFILE%\SAPworkdir\


* Break BCUSER.


* for CL_GUI_FRONTEND_SERVICES see SDN forum message 4762229

IF AS_USER_OTP_MODE EQ 'TOKEN'.

* CONCATENATE FAIL! (GUI_UPLOAD is asynchronous ?)
CALL METHOD CL_GUI_FRONTEND_SERVICES=>GET_TEMP_DIRECTORY
  CHANGING
    TEMP_DIR = PS_WORKDIR.

*CALL METHOD cl_gui_frontend_services=>get_sapgui_directory
*  CHANGING
*    sapgui_directory = PS_WORKDIR.

*


* Break BCUSER.


*
* Workaround: now i can retrieve the correct PS_IDPWD_file value
*
* PRESENTATION SERVER GET: SAP CURRENT DIR ---------BEGIN

call function 'GUI_GET_DESKTOP_INFO'
EXPORTING
TYPE = PS_GUI_INFOREQ
CHANGING
RETURN = PS_GUI_INFOREQ_VALUE.

* PRESENTATION SERVER GET: SAP CURRENT DIR -----------END



* Break BCUSER.


* PRESENTATION SERVER GET PS_WORKDIR -----------END



* Break BCUSER.



*Break BCUSER.



* PRESENTATION SERVER UPLOAD PS_IDPWD_file ---------BEGIN


* PS_IDPWD concatenate the correct values (only if i execute
* GUI_DOWNLOAD before..)!
CONCATENATE PS_WORKDIR PS_IDPWD_file
INTO PS_IDPWD_file
SEPARATED BY PS_FSYSTEM_SEPARATOR.


*Break BCUSER.


CALL FUNCTION 'GUI_UPLOAD'
  EXPORTING
    FILENAME                = PS_IDPWD_file
    FILETYPE                = 'ASC'
  TABLES
    DATA_TAB                = t_idpwd
  EXCEPTIONS
    FILE_OPEN_ERROR         = 1
    FILE_READ_ERROR         = 2
    NO_BATCH                = 3
    GUI_REFUSE_FILETRANSFER = 4
    INVALID_TYPE            = 5
    NO_AUTHORITY            = 6
    UNKNOWN_ERROR           = 7
    BAD_DATA_FORMAT         = 8
    HEADER_NOT_ALLOWED      = 9
    SEPARATOR_NOT_ALLOWED   = 10
    HEADER_TOO_LONG         = 11
    UNKNOWN_DP_ERROR        = 12
    ACCESS_DENIED           = 13
    DP_OUT_OF_MEMORY        = 14
    DISK_FULL               = 15
    DP_TIMEOUT              = 16
    OTHERS                  = 17.


IF SY-SUBRC <> 0.

  WRITE: / 'Error Uploading OTP Frm Presentation Server'
  , PS_IDPWD_file
  , SY-SUBRC.

ENDIF.



* PRESENTATION SERVER UPLOAD PS_IDPWD_file -----------END





* Break BCUSER.






* APPLICATION SERVER SAVE t_idpwd TO AS_IDPWD_file ----------BEGIN


OPEN DATASET AS_IDPWD_file FOR OUTPUT
IN TEXT MODE ENCODING DEFAULT.

IF SY-SUBRC = 0.
  LOOP AT t_idpwd.
    TRANSFER t_idpwd TO AS_IDPWD_file.
    IF SY-SUBRC NE 0.
      WRITE: / 'Error writing record to file;' COLOR COL_NEGATIVE,
               AS_IDPWD_file COLOR COL_NEGATIVE.
    ENDIF.
  ENDLOOP.
ELSE.
  WRITE: / 'Error opening dataset' COLOR COL_NEGATIVE,
           AS_IDPWD_file COLOR COL_NEGATIVE.
ENDIF.


CLOSE DATASET AS_IDPWD_file.



* Break BCUSER.



* APPLICATION SERVER SAVE t_idpwd TO AS_IDPWD_file ------------END




* PRESENTATION SERVER SECURE-CLEAN: PS_IDPWD_file ---------BEGIN


* THIS MEAN THAT CLIENTS MUST WAIT TILL THE NEXT GENERATED TOKEN
* BEFORE RE-LOGIN!!!


REFRESH t_idpwd.


call function 'GUI_DOWNLOAD'
  EXPORTING
    filename                = PS_IDPWD_file
    filetype                = 'ASC'
    write_field_separator   = 'X'
  TABLES
    data_tab                = t_idpwd
  EXCEPTIONS
    FILE_WRITE_ERROR        = 1
    NO_BATCH                = 2
    GUI_REFUSE_FILETRANSFER = 3
    INVALID_TYPE            = 4
    OTHERS                  = 5.



* PRESENTATION SERVER SECURE-CLEAN: PS_IDPWD_file -----------END



*Break BCUSER.


ENDIF.

*
* TKNRD SPECIFIC CODE [2] ----END

* APPLICATION SERVER APPLY FILTER (OTP VALIDATOR) ----------BEGIN



* AS_OTPCHK_file must exist before "filtering"!
OPEN DATASET AS_OTPCHK_file FOR OUTPUT
IN TEXT MODE ENCODING DEFAULT.
CLOSE DATASET AS_OTPCHK_file.


Open Dataset AS_OTPCHK_file for input
     in text mode
     encoding default
filter AS_OTPFILTER_file.

CLOSE DATASET AS_OTPCHK_file.

* reopening the file (filled by the filter).
Open Dataset AS_OTPCHK_file for input
     in text mode
     encoding default.

DO.
  READ DATASET AS_OTPCHK_file INTO AS_OTP_REC.
  IF SY-SUBRC NE 0.
    EXIT.
  ELSE.

    AS_OTPCHK_EXITCODE = AS_OTP_REC-CHK.

  ENDIF.
ENDDO.

CLOSE DATASET AS_OTPCHK_file.




* APPLICATION SERVER APPLY FILTER (OTP VALIDATOR) ------------END


* Break BCUSER.



* APPLICATION SERVER OTP CHECK ----------BEGIN



if AS_OTPCHK_EXITCODE eq '0'.

  CALL FUNCTION 'POPUP_TO_INFORM'
    EXPORTING
      TITEL = 'OTP FOR SAP (C) 2008 Berardi Michele'
      TXT1  = ''
      TXT2  = 'Welcome!'.

ELSE.

  CALL FUNCTION 'POPUP_TO_INFORM'
    EXPORTING
      TITEL = 'OTP FOR SAP (C) 2008 Berardi Michele'
      TXT1  = ''
      TXT2  = 'You are not allowed to log in!'.

  WRITE: / 'OTP Error: ', SY-SUBRC.

*
* kick out invalid user session..
*

CALL 'SYST_LOGOFF'.

endif.



* APPLICATION SERVER OTP CHECK ------------END





*Break BCUSER.

The external Perl applications (OTP "deploy and creation" and "authentication") are in the zip file (download URL below..)...

The entire enhancement and install instructions can be downloaded here:

http://berardimichele.interfree.it/src/perl/VTOKEN.zip

Hope this could be useful.

Michele Berardi

System Developer

http://berardi.too.it
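The include above hands the popup value to the external validator by building one command string for OPEN DATASET ... FILTER, then reads the verdict back from the per-user .exit file. As an added example (not the post's or the VTOKEN project's code), the Python below models that contract: the command as the include builds it, a hardened argv form with a format gate in front of the OTP, and the fail-closed reading of the exit file. The validator is a constructed stand-in (the real otp_validator.pl is not on the page), and the alphanumeric token alphabet is an assumption.

```python
"""Model of the contract between the ZXUSRU01 wrapper and its OTP validator.

Added example, not code from the original post or the VTOKEN project. The
validator is driven by -switch=value arguments and writes its verdict into
<user>_AS_OTPCHK.exit: CHK '0' means success, anything else denies.
"""
import re
import subprocess
import sys
import tempfile
from pathlib import Path

# Fixed switches copied from the ABAP CONCATENATE on the page.
SCRIPT_MODE = "via-file"
CLIENT_NAME = "openvpnC0_Test_Client01"

# Assumption: the page never states the token alphabet, so accept only plain
# alphanumerics of plausible length; replace with the validator's real format.
OTP_PATTERN = re.compile(r"[A-Za-z0-9]{6,64}")

# Constructed sample token and a stand-in validator that accepts exactly it
# (the real otp_validator.pl is not on the page).
SAMPLE_OTP = "cccjgjgkhcbbirdrfdnlnghhfgrtnnlgedjlftrbdeut"
STANDIN_VALIDATOR = f"""
import sys
args = dict(a.lstrip('-').split('=', 1) for a in sys.argv[1:])
with open(args['exitfile'], 'w') as f:
    f.write('0\\n' if args['spassword'] == '{SAMPLE_OTP}' else '1\\n')
"""


def validate_otp_format(otp: str) -> bool:
    """Format gate applied before the value reaches any command line."""
    return OTP_PATTERN.fullmatch(otp) is not None


def build_shell_string(validator: str, user: str, otp: str, workdir) -> str:
    """The single command string as the ABAP CONCATENATE builds it for
    OPEN DATASET ... FILTER: the popup value sits between double quotes,
    so a quote typed into the popup ends up inside the command text."""
    wd = Path(workdir)
    return (
        f"{validator} -scriptmode={SCRIPT_MODE} -cname={CLIENT_NAME}"
        f' -susername="{user}"'
        f' -idpwdfile="{wd / (user + "_AS_IDPWD.idpwd")}"'
        f' -exitfile="{wd / (user + "_AS_OTPCHK.exit")}"'
        f' -spassword="{otp}"'
        f' -otpfilepath="{wd / (user + ".otp")}"'
    )


def build_argv(validator: list, user: str, otp: str, workdir) -> list:
    """Hardened form of the same contract: switches as separate argv entries,
    so no shell ever parses the OTP, with the format gate in front of it."""
    if not validate_otp_format(otp):
        raise ValueError("OTP rejected by format check")
    wd = Path(workdir)
    return list(validator) + [
        f"-scriptmode={SCRIPT_MODE}",
        f"-cname={CLIENT_NAME}",
        f"-susername={user}",
        f"-idpwdfile={wd / (user + '_AS_IDPWD.idpwd')}",
        f"-exitfile={wd / (user + '_AS_OTPCHK.exit')}",
        f"-spassword={otp}",
        f"-otpfilepath={wd / (user + '.otp')}",
    ]


def exit_code_from_text(text: str) -> str:
    """Mirror the ABAP DO ... READ DATASET loop: AS_OTPCHK_EXITCODE starts at
    '1' (deny) and takes the first character of every record, so the last
    record wins; an empty record yields a blank (also a deny)."""
    code = "1"
    for record in text.splitlines():
        code = record[:1] if record else " "
    return code


def read_exit_file(exit_file: Path) -> str:
    """Fail closed: a missing or unreadable file counts as no records."""
    try:
        return exit_code_from_text(exit_file.read_text())
    except OSError:
        return "1"


def otp_check(validator: list, user: str, otp: str, workdir) -> bool:
    """Round trip as the include does it: create the empty exit file, run the
    validator, read the verdict back. Only a CHK of '0' grants access."""
    try:
        argv = build_argv(validator, user, otp, workdir)
    except ValueError:
        return False
    exit_file = Path(workdir) / f"{user}_AS_OTPCHK.exit"
    exit_file.write_text("")  # the ABAP opens it FOR OUTPUT first
    subprocess.run(argv, check=False, timeout=30)
    return read_exit_file(exit_file) == "0"


def demo_check(otp: str, user: str = "BCUSER") -> bool:
    """Run otp_check against the stand-in validator in a scratch directory."""
    validator = [sys.executable, "-c", STANDIN_VALIDATOR]
    with tempfile.TemporaryDirectory() as tmp:
        return otp_check(validator, user, otp, tmp)
```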

1 ACCEPTED SOLUTION

WolfgangJanzen
Product and Topic Expert
Product and Topic Expert
0 Kudos

Wait a minute.

I'm sorry to tell you that your implementation is based on wrong assumptions. The user-exit you are using is executed after a successful SAPGUI logon (and not for any other access mechanism, e.g. RFC clients, WebGUI, BSP, WebDynpro, ...). At that point of time the user is already fully authenticated - so you simply cannot use that user-exit to implement additional checks / constraints regarding authentication.

I'm also very sorry to tell you that there is no pluggability concept in ABAP which would allow you to deploy your own authentication mechanism (such like JAAS login modules in NWAS Java). SNC is the only way to use partner solutions (for authentication, integrity protection and encryption) - based on the Generic Security Services (GSS) API.

So, please refrain from stating that the "security hole" is SAP's fault - if your implementation is based on wrong assumptions ("ex falso quodlibet", http://en.wikipedia.org/wiki/Principle_of_explosion).

Best regards,

Wolfgang

PS: next time please post this kind of (security-related) topic to the SDN Security Forum. If Julius had not notified me by mail, I'd never have noticed your posting (in this forum, to which I'm not subscribed).

31 REPLIES 31

Former Member
0 Kudos

a good implementation of my wrapper could be appreciated on SAPLink

Open Source Project:

http://code.google.com/p/yubico-abap/

which use YubiKey and Yubico Web Service API:

http://www.yubico.com/developers/api/

to do one-time-password authentication in ABAP!!!

Michele

-


Michele Berardi

System Developer

<removed_by_moderator>

http://berardimichele.interfree.it

Edited by: Julius Bussche on Sep 17, 2008 12:34 AM

0 Kudos

Hi Michele,

have you read the comment of Julius Bussche to my blog "New ABAP Open Source Project: Class for YubiKey authentication" (https://www.sdn.sap.com/irj/sdn/weblogs?blog=/pub/wlg/10661, original link is broken) regarding a security problem with the pop-up where the OTP is entered? Do you have an idea how to solve that?

Best regards

Gregor

0 Kudos

customize user types (allowed sessions , etc..) from the SU01 transaction , or/and ....

try this code:


REPORT YSESSCHK NO STANDARD PAGE HEADING.

* This program limits the number of login sessions of a given user
* in a certain client
* It runs from user exit SUSR0001
* n-1 is the number of concurrent sessions allowed

TABLES: UINFO.
DATA: N TYPE I VALUE 2.                   "Upper limit of login sessions
DATA: OPCODE TYPE X VALUE 2, I TYPE I, A(60).

DATA: BEGIN OF BDC_TAB1 OCCURS 5.
        INCLUDE STRUCTURE BDCDATA.
DATA: END OF BDC_TAB1.

DATA: BEGIN OF USR_TABL OCCURS 10.
        INCLUDE STRUCTURE UINFO.
DATA: END OF USR_TABL.

CALL 'ThUsrInfo' ID 'OPCODE' FIELD OPCODE
  ID 'TAB' FIELD USR_TABL-*SYS*.

LOOP AT USR_TABL.
  IF SY-UNAME = USR_TABL-BNAME AND SY-MANDT = USR_TABL-MANDT.
    I = I + 1.
  ENDIF.
ENDLOOP.


IF I >= N.

A = 'You have already '.
A+17(2) = I - 1.
A+19(25) = 'login sessions in client '.
A+44(4) = SY-MANDT.

  CALL FUNCTION 'POPUP_TO_INFORM'
       EXPORTING
            TITEL = 'UNSUCCESSFUL LOGIN'
            TXT1  = A
            TXT2  = 'You are not allowed to log in'.

  MOVE: 'SAPMSSY0' TO BDC_TAB1-PROGRAM,
          '120' TO BDC_TAB1-DYNPRO,
          'X' TO BDC_TAB1-DYNBEGIN.
  APPEND BDC_TAB1.CLEAR BDC_TAB1.
  MOVE: 'BDC_OKCODE' TO BDC_TAB1-FNAM,
         '/nex' TO BDC_TAB1-FVAL.
  APPEND BDC_TAB1.CLEAR BDC_TAB1.

  CALL TRANSACTION 'SM04' USING BDC_TAB1 MODE 'N'.

ENDIF.

Michele

-


Michele Berardi

System Developer

<removed_by_moderator>

http://berardimichele.interfree.it

Edited by: Julius Bussche on Sep 17, 2008 12:36 AM

0 Kudos

Hi Michele,

restricting the allowed sessions is a possibility but not very useful. I think we should investigate other ways to solve that problem.

Best regards

Gregor

0 Kudos

mine was a sort of "quick workaround" around this SAP "security hole!?" , ..

but other security issues still persist and are restricted to the way sap manages the input fields

(often sap lacks about security or needs a lot of work about user privileges... ) ...

try to write your own POPUP_TO_GET_VALUE function module

(customize the input field , blocking some "strange" user things..;-D)

we must work also on user privileges ...

michele

0 Kudos

just thinking ...

Instead of using POPUP_TO_GET_VALUE

If i remember the yubicokey copies the otp to clipboard ...

Why don't grab otp from clipboard

and use a simple POPUP_TO_CONFIRM (or similar f. modules) ?



DATA: BEGIN OF myclipboard_table OCCURS 0,
        line(172) TYPE c,
      END OF myclipboard_table.

DATA:
      myclipboard_length TYPE i.

* Read ClipBoard into an internal table
CALL METHOD cl_gui_frontend_services=>clipboard_import
  IMPORTING
    data   = myclipboard_table[]
    length = myclipboard_length.

IF sy-subrc NE 0.
  WRITE: / `Unable to read ClipBoard`.
  WRITE: / `Exiting program`.
ENDIF.

Then check the clipboard via abap ...

"

You can still manage

user allowed sessions and other restrictions

via sap administrative transactions.

"

And also why don't ...:

- save otp to file and upload it to sap as..

- create a f. module with a "restricted" onscreen keyboard..

Michele

0 Kudos

Hi Gregor and Michele,

I have been thinking about this, also because I felt a bit bad - this is a community project and I didn't help with a solution (yet). So I have some ideas...

1st idea :

The problem (should it be one) is not a "security hole" in my opinion. It is a security feature to prevent lockouts from OTP-type code (which is not protected, like the 1st one is). AFAIK this is intentional.

My understanding is that:

- The 1st logon procedure is completed before the GUI is attached.

- In that lies "the problem" because GUI behaviour and user (session management) is already attached as well.

- Additionally, the exit you are using only fires on a SAPGUI based logon.

So given these restraints, how can we turn them to our advantage...?

=> You need a 3rd login, which is identical to the 1st.

- User logs in and the exit fires.

- Exit calls a bespoke RFC with your code in it which logs the user back off again (immediately) without closing the session and presenting ONLY the OTP dialog in the popup.

- If the OTP is correct, the RFC executes via a "current user only" ABAP RFC destination => a popup appears requesting reauthentication in the ABAP system (expected behaviour for a user who is not logged on).

- If the OTP is not correct, kill the GUI without calling the RFC via the destination.

> we must work also on user privileges ...

In addition, adding authority-checks in the correct places is the key. You should not check any user privileges in this own RFC, because the user will not be logged on anymore when the OTP is requested. They only need to have been (briefly) authorized to call the OTP (if the first call requires any internal authority at all...) ... and only the "button" logon should perform the call, if the OTP is correct.

Worth a thought and hopefully it helps you further with "the problem"...

Cheers,

Julius

Disclaimer: I do not guarantee that the above is 100% bullet-proof either. Perhaps we can play around with it a bit at TechEd?

0 Kudos

2nd idea:

As a slightly better variant of the above, create a 2nd RFC and destination for it with a SERVICE user in it which is only authorized to call its own RFC without the OTP check.

When the user logs on, the exit calls this service, logs the calling user back off again and asks for the OTP of the caller.

- If correct, it calls the "current user only" destination and closes the connection to the service.

- If incorrect, it closes the connection to the service without calling the "current user only" destination.

This way you can add checks to the service RFC to ensure that only the service user can call it.

You should also restrict the RFC authority of the dialog user to only enter the system via this "current user RFC" which checks that the OTP has been correct.

That way, whether the user enters via SAPGUI Logon or RFC, it does not matter as they experience the same 3 x login requirement.

As the service user's authority would be restricted to just 1 RFC (group or even module as of 7.10 + any application authority-checks in the function module itself), this should also be safe against debugging even if the dialog calling user is authorized to debug.

Cheers,

Julius


0 Kudos

@Julius Bussche

thanks for your suggestions .

@ Wolfgang Janzen / All:

what i consider a "possible security hole" or better a "a gentle SAP passpartout"

is for example ...

let the user enter/execute "commands" in an abap function module

"input box" ... this is insecure if allowed also to restricted users ...

don't tell me this is intentional .. (lockouts prevention .!?!?!) ....

i would prefer "offline" admin interventions ...

finally:

as i wrote in the introductory notes the sap user-exit OTP "trick" offers

an example of a second check after a standard (successful) sap logon

not a full otp infrastructure ....

p.s.

thanks for suggestions and the "Principle of explosion" lesson ........

Michele

0 Kudos

>

> @ Wolfgang Janzen / All:

>

> what i consider a "possible security hole" or better a "a gentle SAP passpartout" is for example ...

>

> let the user enter/execute "commands" in an abap function module

> "input box" ... this is insecure if allowed also to restricted users ...

>

> don't tell me this is intentional .. (lockouts prevention .!?!?!) ....

> i would prefere "offline" admin interventions ...

Can you elaborate this a bit more (e.g. provide a concrete example)?

Please notice: each ABAP function module (especially those that are remote callable) should perform proper authorization checks - following the general rule that the server is responsible to control which actions shall be permissible; it must never be up to the client to decide on what is allowed and what not; the server must never simply perform any action as requested by the client - but always check whether the (authenticated) client is allowed to perform the requested action.

>

> as i wrote in the introductory notes the sap user-exit OTP "trick" offers an example of a second check after a standard (successful) sap logon not a full otp infrastructure ....

No - it's not possible to perform such checks.

Since the user is already fully authenticated at that point of time, it's (easily) possible for him to bypass that check (e.g. by opening another SAPGUI window) - at any time you allow user interaction (including displaying a warning / error message ...). And well, a security check that can be bypassed is useless.

Please notice: the user-exit was never designed for such purposes - so don't be surprised that your approach fails to work.

0 Kudos

i never passed my "suggestion" (user exit..) as a complete solution (read topic.. "a quick introduction"...)

mean that i use what the poor sap / abap implementation offers...

it will be useful to prevent a new session opening or block also users putting commands in the popup ...

as the limits of this "example" (not a full implementation ..) lacks (or if you prefer the word "fails" .) ...

don't know if sap offers a feature / setting that prevent users to open multiple sessions

(limitation that i had clear from the beginning , the main reason behind my post.. hoping more

experienced users could help me..)

or stop allowing users to run commands in the popup ...

as reported in the yubikey abap implementation blog (from the author):

"

The user can open another session from within the OTP popup. Also it is possible to start the debugger by drag and drop a /h shortcut to the popup. The debugging is a developer authorization and can be restricted. But I don't know a way how to restrict users to open another session.

"

sap don't offer a way to limit user sessions and run commands from the popup inputbox?

hope your experience could help us ....

Michele

0 Kudos

Hi Michele,

I am working on a 3rd idea which a very reliable source told me "might work, but..." ... but we first need to clarify something here:

> Michele Berardi wrote:

> i never passed my "suggestion" (user exit..) as a complete solution (read topic.. "a quick introduction"...)

> mean that i use what the poor sap / abap implementation offers...

I interpreted this to be a "quick introduction" to a community project which should be complete enough that security aspects are also considered. After all, this is about logon and authentication and authorization....

> it will be usefull to prevent a new session opening or block also users putting commands in the popup ...

> as the limits of this "example" (not a full implementation ..) lacks (or if you prefere the word "fails" .) ...

If the user has fully authenticated and has a session which they can fully control, then that it what you get for it.

That is what I stated in my original comment to the blog and Wolfgang has confirmed.

> don't know if sap offers a feature / setting that prevent users to open multiple sessions

> (limitation that i had clear from the beginning , the main reason behind my post.. hoping more

> experienced users could help me..)

Perhaps you should also have stated this original concern then, so that "more experienced users" could comment.

This is an open source community project right? Sooner or later you will face these challenges - so rather now.

I think that my ideas could help and beyond any doubt comments from Wolfgang (see his Business Card) are worth gold for such a project.

In particular see the suggestion about SNC to add additional authentication strength...

> or stop allowing users to run commands in the popup ...

Commands are also subject to some checks. You can prevent the debugging as suggested by Gregor ("/h") and in higher releases the checks are further improved...

> as reported in the yubikey abap implementation blog (from the author):

>

> "

> The user can open another session from within the OTP popup. Also it is possible to start the debugger by drag and drop a /h shortcut to the popup. The debugging is a developer authorization and can be restricted. But I don't know a way how to restrict users to open another session.

> "

There is no bullet-proof way and this is known / intentional AFAIK. You need to restrict the access of the user at that point and that is why I thought of the service context. Yes, they could still create a new session but what could they do with it (e.g. with a forced user menu).

I still have some doubts about my 1st, 2nd and also 3rd idea, but we need to be sure that the "community resources" are correctly considered where they are relevant aspects.

As I originally commented and Wolfgang has confirmed, you have over-estimated the intention of this exit.

Cheers,

Julius

PS: If you would like me to move this to the Security Forum, then let me know. There are more gurus there as well and the discussions are often quite lively as well...

0 Kudos

@julius

first of all ...

thanks to you and Wolfgang for any kinds of help ...

than .. a "quick" (i love this word ;-D ) clarification:

"

my "quick introduction to otp" isn't related to any community projects

(the only link to the yubico-abap project is the user-exit implementation and nothing more ...)

mean that security aspects weren't kept in consideration in a full and real context , the purpose of my post

as the word "quick" suggests was to "shoot a stone in the lake.." and wait for comments / improvements

and better solutions too ... ;-D

"

and ..... of course if you would like to move my post to the Security Forum do it , could only be helpful 😄

thanks

Michele

0 Kudos

Moved from ABAP Enhancements & Modifications to the NetWeaver Security Forum....

ps: I also removed the telephone numbers... ("the rules")... you can use your Business Card for that..

0 Kudos

>

> i never passed my "suggestion" (user exit..) as a complete solution (read topic.. "a quick introduction"...)

> mean that i use what the poor sap / abap implementation offers...

If you are using something beyond its specification, you should not blame others.

>

> it will be usefull to prevent a new session opening or block also users putting commands in the popup ...

> as the limits of this "example" (not a full implementation ..) lacks (or if you prefere the word "fails" .) ...

>

> I don't know if SAP offers a feature / setting that prevents users from opening multiple sessions

> (a limitation that I had clear from the beginning, the main reason behind my post.. hoping more

> experienced users could help me..)

>

> or stop allowing users to run commands in the popup ...

>

> as reported in the YubiKey ABAP implementation blog (from the author):

> "

> The user can open another session from within the OTP popup. Also it is possible to start the debugger by dragging and dropping a /h shortcut onto the popup. Debugging is a developer authorization and can be restricted. But I don't know a way to restrict users from opening another session.

> "

>

> SAP doesn't offer a way to limit user sessions and running commands from the popup input box?

Now I seem to understand what you refer to by "run commands".

You are referring to "create mode" (SAPGUI context menu) and the ok-code commands (such as "/h" to activate debugging).

Well, as the user is fully authenticated he is allowed to perform all actions he is authorized for. If he is authorized to perform debugging then he is able to do so. I cannot see anything wrong about that. But I've realized that you have different expectations - especially about that user-exit. Sorry, but you have to accept that the user-exit is designed for an entirely different purpose.

0 Kudos

@ Wolfgang

ok, I overestimated the user exit feature, but ...

SAP AG will never admit that executing a user directive (you prefer commands ?! transactions !? function modules or other exotic SAP terms (reinvent the wheel, change its name and do the same things..) )??!!

in a simple popup input box (as a developer I would like to offer a modal window asking users for a simple input string and nothing more!!!)

isn't a good approach ....

I don't have strong knowledge of SAP (and SAP isn't my principal business ...) but as a software architect I disagree with some SAP implementation choices I discover day by day ...

once again, thanks Wolfgang for your help ...

and that's all folks.

Michele

0 Kudos

Hi Michele,

> I don't have strong knowledge of SAP (and SAP isn't my principal business ...) but as a software architect I disagree with some SAP implementation choices I discover day by day ...

Then I am curious to know where you got the "workaround" coding from (above)?

Obviously a very important requirement for such an exit if it was to be made secure is that the coding must be very robust and stable => otherwise "lockout" for all dialog capable users...

You have called a function without an ABAP object type. If you place your cursor on such a CALL statement and hit F1, then you will also see its (released) specification and a warning about changes without warning, etc.

Do not be surprised at logon if the lights dim, or the coffee machine starts spinning around...

Cheers,

Julius

0 Kudos

http://www.sapnet.ru/viewtopic.php?t=892

It wouldn't pass a good QA check nor a Code Inspector (transaction SCI) check.

Nastrovje,

Julius

0 Kudos

Oh god ...

Sometimes I'm really surprised to see that someone is willing to deploy coding from unknown sources ...

I (personally) would even hesitate to deploy coding which has been published on SDN (knowing that such coding is not covered by the SAP support services). But following links to unknown internet servers (and then deploying that content) is even further beyond what I would consider doing ...

Most likely you'll also find some internet sites where "cool hacks for your car" are described (patching the engine controller). Well, it's up to you to decide whether you want to apply those "tips and tricks" or not. As long as it's your own private car (and as long as you drive only on your own private ground) I would not mind. But I guess that you'd hesitate to do so for a rented car or for your company car (if you have one).

0 Kudos

> But I guess that you'd hesitate to do so for a rented car or for your company car (if you have one).

Surely it's common knowledge that the fastest cars (and therefore most abused) are company cars and hired cars; Hertz Mustangs even had their engines stolen....... Though I doubt someone would want to steal an app server over a weekend.

0 Kudos

Hi Wolfgang,

thank you for your clear description that only SNC based on the GSS API can be used to implement a secure 2nd factor authentication. I think we should get familiar with that API and try to implement it for the Open Source Project I've started: [Class for YubiKey Authentication|https://www.sdn.sap.com/irj/sdn/weblogs?blog=/pub/wlg/10661] [original link is broken]. An Open Source [library for GSS|http://josefsson.org/gss/] is available.

Is there any additional information provided from SAP? At help.sap.com I've found: [Integration of SNC and an External Security Product in SAP Systems|http://help.sap.com/saphelp_nw70/helpdata/EN/3f/3dacb1c27344e29f3c7b5864825eb5/frameset.htm]. Do you have links to documentation on the SAP Service Marketplace?

Best regards,

Gregor

0 Kudos

>

> ... I think we should get familiar with that API and try to implement it for the Open Source Project I've started: [Class for YubiKey Authentication|https://www.sdn.sap.com/irj/sdn/weblogs?blog=/pub/wlg/10661] [original link is broken]. An Open Source [library for GSS|http://josefsson.org/gss/] is available.

>

> Is there any additional information provided from SAP?

Yes - you should take a look at [SAP Note 150380|https://service.sap.com/sap/support/notes/150380] which contains a link to some additional documentation and a tool (GSSTEST).

0 Kudos

@ julius

> You have called a function without an ABAP object type. If you place your cursor on such a CALL statement and hit F1, then you will also see its (released) specification and a warning about changes without warning, etc.

exactly where....?!!?

if you read the code, the "workaround" is referring to a sort of SAP asynchronous function call execution (I declared the right data types and used them following the SAP specifications) .. .....

the EXAMPLE (one last time ... it's not a full implementation, which instead ALWAYS requires code revision and a strong security check ... ) follows another path instead of using the popup input box: a simple upload from the presentation server, where the real OTP engine (client side) manages the OTP generation; due to the "speed" of the login phase, the user can't joke with input boxes, menus etc...

http://www.sapnet.ru/viewtopic.php?t=892

the same method I suggested / tried days ago on Gregor's blog (another "incorrect" way is a clipboard grab instead of the input popup ...), see here:

I also used GuiXT to add an extra input box on the login page and manage the OTP; anyway, the SNC implementation still offers the right path ....

> Do not be surprised at logon if the lights dim, or the coffee machine starts spinning around...

did you really think that I would implement a solution without hiring a hamster test team or switching off the coffee machine first

(now you understand why ... I submitted my code to the SAP forum ;-D ??!?) ?

;-D

Michele

0 Kudos

> exactly where....?!!?

Did you try F1 on CALL cfunct?

> CALL - Call a System Function:

>

> Note

> This statement is for internal use only.

> It cannot be used in application programs.

>

> Note

> As of Release 6.20, you should use Kernel Methods instead of system functions.

and further on...

> SYSTEM-CALL

>

> Note

> This statement is only for

>

> !!! Internal use in SAP Basis development !!!

>

> Even within SAP Basis, it may only be used in programs within the ABAP+GUI development group.

>

> Its use is subject to various restrictions, not all of which may be listed in the documentation. This documentation is intended for internal SAP use within the Basis development group ABAP+GUI.

>

> Changes and further development, which may be incompatible, may occur at any time, without warning or notice!

...

Some kernel routines are "clever" as well and check the call stack of the calling program, and then react pretty badly if they find that sy-cprog doesn't match what is expected.

But the documentation is still pretty clear and the warning is unmistakable.

> (now you understand why ... i submited my code to sap forum ;-D ??!?) ?

Ahh... so you got what you expected? Nobody expects the inquisition... ))

Cheers,

Julius

0 Kudos

@ Julius

> Some kernel routines are "clever" as well and check the call stack of the calling program, and then react pretty badly if they find that sy-cprog doesn't match what is expected.

good .. for example?

> Ahh... so you got what you expected? Nobody expects the inquisition... ))

inquisition.!?!?. nooo .. you are my favourite "hamster" (doooh!) ;-D

thanks again

Michele

0 Kudos

> good .. for example?

Like the ones for passwords, for example, which lock the ID of the caller and kick them out of the system if another program pretends to be a SAP system program...

See SAP Note 301894.

Cheers,

Julius

0 Kudos

@ Gregor Wolf / All

hi Greg,

I hope the information provided in previous posts will open the right path for your open source "yubico-abap" project:

http://code.google.com/p/yubico-abap/

which deserves all the help and effort from SAP forum members.

thanks to all actual and future contributors.

Michele Berardi

0 Kudos

Thanks for closing the thread.

I took the liberty of setting the status to Answered and will lock it again.

Cheers and thanks,

Julius

WolfgangJanzen
Product and Topic Expert
0 Kudos

I don't think it makes sense to contribute to this thread anymore.

0 Kudos

Did you see that? He took points off you and gave them to me now... What's that? Feeding Hamsters?? )))

I am going to lock this thread now before even bigger mistakes are made ...

A nice weekend to all nonetheless,

Julius

Edited by: Julius Bussche on Sep 21, 2008 9:42 AM