• Subject: Re: Password Validation API
  • From: Mel Rothman <melrothman@xxxxxxxx>
  • Date: Thu, 04 Jan 2001 17:08:16 -0600

A problem with Get Profile Handle is that if the password is incorrect, the
incorrect password count is increased.

A kludge that might work would be to have a temporary user ID with a known
password for the purpose of validating passwords.  Logic would be:

Use QSYCHGPW (Change User Password) to change the temporary user's password to
the password being validated.

Use QSYRUPWD (Retrieve Encrypted Password) twice to retrieve both the temporary
user's and the targeted user's encrypted passwords.

If the two encrypted passwords match, the password is valid; else, it is
invalid.

Use QSYCHGPW to change the temporary user's password back to a known value.

If there is a risk that multiple instances of this logic will be hitting the
temporary user ID concurrently, each instance could create and destroy its own
temporary user profile.


Mel Rothman


fdenoncourt@harcourt.com wrote:
> 
> Ed,
> Thanks for the help. No, we are not going to store the password. I just
> need to
> verify the supervisor's password for that one time entry into the menu
> option.
> I don't think I want to swap the user profile (adopt authority) unless it
> is for
> this particular menu option only. But, you see, anyone could know another's
> user
> profile ID therefore, I really need the supervisor (or imposter) to key in
> that password.
> Sounds like Get Profile Handle is the ticket. I will also check into the
> Release Profile Handle API. We really are trying to beef up security.
> Thanks for your help.
> Fran
> 
> >The Get Profile Handle API will take a user-ID and a password, verify the
> >password and then return a profile handle. The handle can be used to swap
> >the user profile of the job.
> 
> >>The reasoning is that a supervisor could assign a task to a user who does
> not have authority to that particular menu option. The supervisor would
> then enter his own operator/password combination. When the user leaves the
> menu option, the authority is removed.<<
> 
> >This sounds to me like you are planning to store the supervisors password
> >and then verify it at a later time. It is never a good idea for a normal
> >application to store a password. If you need to swap user profile of the
> >job to the supervisor then it may be better to use a program that uses
> >adopted authority. A program that adopts the supervisors authority can use
> >the Get Profile Handle API to get a profile handle for the supervisor
> >without needing to use the supervisors password. You can then use that
> >handle to swap the user profile of the job.
> 
> >Ed Fishel,
> >edfishel@US.IBM.COM
+---
| This is the Midrange System Mailing List!
| To submit a new message, send your mail to MIDRANGE-L@midrange.com.
| To subscribe to this list send email to MIDRANGE-L-SUB@midrange.com.
| To unsubscribe from this list send email to MIDRANGE-L-UNSUB@midrange.com.
| Questions should be directed to the list owner/operator: david@midrange.com
+---

This thread ...

Follow-Ups:
Replies:

Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2019 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].