Jim,

Thanks for the idea of using a certain library for extra security. Once I get this working I can come up with something to encrypt the password, maybe even use the program name so it is not a static key.

Thanks again
John Ross

At 04:10 PM 7/3/01 -0700, you wrote:
>Hmm.. that could bring up some interesting uses, and if done right you
>could just check to see if the user profile had the authority to the
>program you wanted to run.
>
>I think that would be a way to go, but I think I would limit any program
>this CGI could run to a certain library. And then check the user's
>authority to it. That way you get double security, if the program's not
>in the allowed list, that is, in the library, it can't be run, and you
>can then check to make sure the user profile has the appropriate access
>to that program. Then you could do it running any program and you're
>secure again.
>
>
>From my understanding when I log on with client access to the AS/400 my
>user name and password are crossing the network unencrypted anyway, isn't
>that right? I had thought about that originally for another program that
>changed user passwords, but realized that these passwords were flying
>across the wire a mile a minute anyway.
>
>Perhaps I'm wrong, perhaps client access encrypts the password then
>sends the encrypted password to the AS/400 for validation, anyone know?
>
>Regards,
>
>Jim Langston
>
>Peter Dow wrote:
> >
> > Hi Jim,
> >
> > How about adding some security checking on the RPG sockets program, i.e.
> > before allowing just anyone to utilize its callpgm facility, check a userid
> > & password? Of course, then you'd have to get into secure sockets, but what
> > the heck, John wants to learn something new, right?
> >
> > Regards,
> > Peter Dow
> > Dow Software Services, Inc.
> > 909 425-0194 voice
> > 909 425-0196 fax
> >
> > From: "Jim Langston" <jimlangston@conexfreight.com>
> > > I think I see what you are trying to do. You want a generic TCP/IP
> > > program on the AS/400 that will listen to requests on a certain port,
> > > then accept the request, get the program name to run and the parameters,
> > > run the program, and pass the return parameters back to the socket.
> > >
> > > snip <
> > >
> > > Oh, cool, your AS/400 has this socket program to run programs and accept
> > > parameters. I'll just write a real quick socket program on a PC and have
> > > it run the API to change my authority, or create a new user profile with
> > > *ALLOBJ, or open up the FTP port so I can FTP in, or have it dump the
> > > QSYSOPR user profile so I can brute force the password or... You just
> > > blew security wide open.
> >
>--
>
>Regards,
>
>Jim Langston
>
>Me transmitte sursum, Caledoni!
>+---

+---
| This is the RPG/400 Mailing List!
| To submit a new message, send your mail to RPG400-L@midrange.com.
| To subscribe to this list send email to RPG400-L-SUB@midrange.com.
| To unsubscribe from this list send email to RPG400-L-UNSUB@midrange.com.
| Questions should be directed to the list owner/operator: david@midrange.com
+---
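
The double check Jim describes in the quoted message (the program must live in one allowed library, and the user profile must be authorized to it), sketched as an added example that is not part of the original thread. The library name `WEBPGMS`, the program names and the in-memory authority table are constructed stand-ins for the system's own object-authority check, and the user is assumed to have been authenticated already.

```python
import re

ALLOWED_LIBRARY = "WEBPGMS"  # hypothetical: the one library the socket server may call into

# Constructed stand-in for the system's object-authority lookup:
# programs present in ALLOWED_LIBRARY -> user profiles authorized to run them.
PROGRAM_AUTHORITY = {
    "ORDSTATUS": {"JROSS", "WEBUSER"},
    "CUSTINQ": {"JROSS"},
}

# Simplified object-name rule (assumption): 1-10 chars, no special values such as *LIBL.
OBJECT_NAME = re.compile(r"[A-Z#$@][A-Z0-9#$@_.]{0,9}")


def authorize_call(user, requested):
    """Decide whether `user` may run `requested` ("PGM" or "LIB/PGM").

    Returns (True, "LIB/PGM") or (False, reason). Nothing is executed here.
    """
    name = requested.strip().upper()
    library, slash, program = name.rpartition("/")
    if not slash:
        # Unqualified names resolve only in the allowed library, never via a library list.
        library = ALLOWED_LIBRARY
    if not OBJECT_NAME.fullmatch(library) or not OBJECT_NAME.fullmatch(program):
        return False, "malformed name"
    # Check 1: the program must be in the allowed library.
    if library != ALLOWED_LIBRARY:
        return False, "library not allowed"
    if program not in PROGRAM_AUTHORITY:
        return False, "program not found in allowed library"
    # Check 2: the requesting user profile must be authorized to that program.
    if user.strip().upper() not in PROGRAM_AUTHORITY[program]:
        return False, "user not authorized"
    return True, f"{library}/{program}"


if __name__ == "__main__":
    # Constructed sample requests: (user profile, program name as sent by the client).
    for user, pgm in [("JROSS", "CUSTINQ"), ("WEBUSER", "CUSTINQ"),
                      ("JROSS", "QSYS/ANYPGM"), ("JROSS", "*LIBL/CUSTINQ")]:
        print(user, pgm, authorize_call(user, pgm))
```
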
This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page.