It would be valuable as it allows for a non-fatal validation mechanism,
similar to what the login-mechanism allows for in Unix and Windows.
Originally the Unix login mechanism just allowed you to try again. It was
found that adding more and more delays for each failed attempt gave the
desired compromise between being allowed to ask again and not being allowed
to attempt a billion times.
Having a mechanism that allows any malicious person to within 30 seconds
disable several peoples accounts is in my mind more unsafe than safe.
Additionally there are so many security holes in the AS/400 platform (oh,
you can log in with FTP, nice, now you can run any command) that it even
surprised me :)
You might find this an interesting read:
http://www.blackhat.com/presentations/bh-europe-06/bh-eu-06-Carmel/bh-eu-06-
Carmel.pdf
/Thorbjørn
-----Original Message-----
From: java400-l-bounces@xxxxxxxxxxxx [mailto:java400-l-bounces@xxxxxxxxxxxx]
On Behalf Of CRPence
Sent: 15. juni 2010 20:29
To: java400-l@xxxxxxxxxxxx
Subject: Re: Prompting for iseries user ID and password on a web application
On 14-Jun-2010 07:31, Thorbjørn Ravn Andersen wrote:
<<SNIP>>
Is there ANY way to validate an AS400 login which does not count
in the way down to disabling the account?
<<SNIP>>
Why would that be valuable? The whole point in failures leading
to disabling, is to protect the system. Would not eliminating the
effect, just open the system to attack.?
A similar effect could be achieved by use of the request to
CHGSYSVAL QMAXSIGN *NOMAX; albeit highly discouraged, for the same
reason alluded in the above questions. In so doing, although the
number of failures is tracked, no amount of invalid requests would
ever have the account\*USRPRF becoming disabled due to the failed
attempts to validate. There is no equivalent MAXSIGN() parameter
associated with each *USRPRF object to effect any granularity :-(
nor to members of a group\*GRPPRF.
Regards, Chuck
midrange.com
