


Hi, Adam

There has been some confusion here, I think. I do not believe that anything is stored in an unencrypted form. I may be wrong, so someone please correct this.

The issue about passwords in the clear began with Al's post on the exit program that is specified in the system value, QPWDVLDPGM. One bit of confusion here is, this is NOT an exit point registered with WRKREGINF, it's a program called by the CHGPWD command or the QSYCHGPW API, if specified in the system value. The problem is, nonetheless, that the user had to enter his/her old password and the new one, in order to change it. These 2 values are in the clear in the parameters to the password validation program.

Then questions came up about passwords in the clear from remote clients, which generally obfuscated the whole discussion as originally posited, if I read these things correctly.

We really have fun here, don't we? I love tangents. ;-)

So, is it the case that 128-character passwords are not encrypted? I sincerely hope not.

It would appear that, starting in V5R2, you can make it impossible to change password-related system values. This is cool - not even QSECOFR can change them. So a good (note, "good"), well-controlled security plan can allow you to have a validation program, I think. It'd mean, at the extreme, that this program is owned by QSECOFR, no one but QSECOFR has *ALLOBJ authorization, nothing that adopts from QSECOFR can get a command line, and only one person in the world knows the QSECOFR password - or something like that. That may not even be enough to make it almost impossible to change the program specified in the system value to something that is malware.

Vern

At 12:26 PM 11/19/2003 +1100, you wrote:
Hi,

Thanks to Rob and everyone else that responded. And Rob, yes you are
correct, the issue is forcing a mix of upper and lower case, not just
accepting it. Reading the IBM documentation it seems to be that the
underlying validation engine (or whatever it's called) will treat passwords
as upper case only regardless of what you do with a validation program. In
any case, the need to change the system value so passwords are no longer
stored in an encrypted format is something we contemplate with a shudder.

Our answer to the client is that even if possible, the risks far outweigh
the benefits.

Thanks

Adam Driver
Technical Consultant
Kaz Technology Services
Level 7
66 Wentworth Ave
Sydney NSW 2010
Australia
Phone: +61 2 9844 0386
Fax: +61 2 9844 0333

A division of Kaz Group Limited - visit our website at www.kaz.com.au



date: Tue, 18 Nov 2003 08:12:39 -0500
from: rob@xxxxxxxxx
subject: Re: iSeries passwords

WRKSYSVAL QPWDVLDPGM
http://publib.boulder.ibm.com/iseries/v5r2/ic2924/info/rzakz/rzakzpassword11bridge.htm


- OR -


The password validation exit program
http://publib.boulder.ibm.com/iseries/v5r2/ic2924/info/apis/xsyvlphr.htm

Rob Berendt
--
"They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety."
Benjamin Franklin




from: Adam.Driver@xxxxxxxxxxxxx
sent by: midrange-l-bounces+rob=dekko.com@xxxxxxxxxxxx
date: 11/17/2003 10:12 PM
please respond to: Midrange Systems Technical Discussion <midrange-l@xxxxxxxxxxxx>
to: midrange-l@xxxxxxxxxxxx
subject: iSeries passwords






Hi Everyone,


We have a customer that wants us to force a mixture of upper and lower
case and special characters in user passwords. Has anyone ever heard of a
way of doing this? Exit programs perhaps, or a utility anyone may have written?

Thanks

Adam Driver
Technical Consultant
Kaz Technology Services
Level 7
66 Wentworth Ave
Sydney NSW 2010
Australia
Phone: +61 2 9844 0386
Fax: +61 2 9844 0333

A division of Kaz Group Limited - visit our website at www.kaz.com.au


_______________________________________________
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list
To post a message email: MIDRANGE-L@xxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives
at http://archive.midrange.com/midrange-l.
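The check asked about in this thread, modelled in Python as an added example; it is not code from any poster or from IBM. It takes the old and new password in the clear, as the thread says a validation program does, and shows why the mixed-case rule cannot be met when passwords are folded to upper case. The function name, the return codes and the `case_sensitive` flag are assumptions made for illustration, not the QPWDVLDPGM interface.

```python
import hmac
import string
from dataclasses import dataclass

# Return codes constructed for this example: "0" accepts, anything else rejects.
ACCEPT = "0"
REJECT_SAME_AS_OLD = "1"
REJECT_COMPOSITION = "2"

SPECIALS = set(string.punctuation)


@dataclass(frozen=True)
class Verdict:
    code: str
    reason: str  # safe to log: built only from the user name and rule names


def validate_change(user: str, old: str, new: str, case_sensitive: bool) -> Verdict:
    """Apply an upper + lower + special rule to a clear-text password change."""
    # Model a system that stores passwords as upper case only: the rule has
    # to be judged on what would actually be stored, not on what was typed.
    if not case_sensitive:
        old, new = old.upper(), new.upper()

    # Compare the two secrets in constant time.
    if hmac.compare_digest(old.encode(), new.encode()):
        return Verdict(REJECT_SAME_AS_OLD, f"{user}: new password equals old")

    checks = (
        ("upper", any(c.isupper() for c in new)),
        ("lower", any(c.islower() for c in new)),
        ("special", any(c in SPECIALS for c in new)),
    )
    missing = [name for name, present in checks if not present]
    if missing:
        return Verdict(REJECT_COMPOSITION, f"{user}: missing {', '.join(missing)}")
    return Verdict(ACCEPT, f"{user}: accepted")


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    for mode in (True, False):
        print(mode, validate_change("ADAM", "OLDPASS1", "NewPass#1", mode))
```
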




This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].
