> Scary is right!  From an auditor's viewpoint, the generally
> recommended best
> practice setting is *FRCSIGNON.

*FRCSIGNON has its own risks, and I don't believe that this is a
blanket recommendation from Auditors who understand OS400.  If you
require every user who connects to your iSeries to go through the DDS
signon screen (QDSIGNON) every time they connect, then you guarantee
that OS/400 passwords will be sent across your network in clear text.
The Client Access signon server will encrypt passwords and compare
encrypted values.  DDS will likely never be smart enough to do that.

That being said, even if you allow bypass signon you may still be
sending clear text passwords if you are using the OS/400 System value
QINACTITV to time out inactive sessions.  Usually, once you time out a
session, you cause the QDSIGNON screen to display once again and run
the risk of a plain text password transmission.


John Earl                              johnearl@powertechgroup.com
The Powertech Group          www.powertechgroup.com
Kent, Washington, USA       +1 253-872-7788
