Once again, travel over what wire? The iSeries server executes the QPWDVLDPGM on the box as where the passwords are stored. Wouldn't this all be in main memory or some such thing? I fail to see where this would hit your network.

Rob Berendt
--
"They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety."
Benjamin Franklin

"John Earl" <john.earl@xxxxxxxxxxxxxxxxxx>
Sent by: midrange-l-bounces@xxxxxxxxxxxx
11/18/2003 03:05 PM
Please respond to Midrange Systems Technical Discussion <midrange-l@xxxxxxxxxxxx>
To "'Midrange Systems Technical Discussion'" <midrange-l@xxxxxxxxxxxx>
cc
Subject RE: iSeries passwords

Rob,

When you sign on to the iSeries using iSeriesNavigator or CA (or whatever it's called now) your password is encrypted on the PC before it is sent over the wire. This is because the stored password on the iSeries is never unencrypted - there is no facility on the iSeries to unencrypt passwords (and if there was, it would be a big potential exposure! Everyone would target that program). Rather, the submitted password is encrypted using the same algorithm, and then the submitted encrypted password is compared to the stored encrypted password. An exact match is a good password, anything else is a failed signon attempt.

However, when you do a CHGPWD type function, the QPWDVLDPGM exit program must receive the old password and the new password in clear text in order to allow the program to operate on them. So, regardless of the interface (iSeriesNav, Green Screen, etc,) If the passwords are submitted to the QPWDVLDPGM in clear text, they must travel over the wire in clear text (because, again, passwords are never unencrypted by the system).

HTH, the

--
John Earl | Chief Technology Officer
The PowerTech Group
19426 68th Ave. S
Seattle, WA 98032
(253) 872-7788 ext. 302
john.earl@xxxxxxxxxxxxxxxxxx
www.powertech.com

This email message and any attachments are intended only for the use of the intended recipients and may contain information that is privileged and confidential. If you are not the intended recipient, any dissemination, distribution, or copying is strictly prohibited. If you received this email message in error, please immediately notify the sender by replying to this email message, or by telephone, and delete the message from your email system.
--

> -----Original Message-----
> From: midrange-l-bounces@xxxxxxxxxxxx [mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of rob@xxxxxxxxx
> Sent: Tuesday, November 18, 2003 11:36 AM
> To: Midrange Systems Technical Discussion
> Subject: RE: iSeries passwords
>
> Why would this exit point require that your password be sent in the clear?
>
> Remember, iSeries Navigator prompts you for the new password. That prompting might be done with some sort of security. Then it would validate this on your iSeries. And how it validates this on your iSeries, I don't know, but if they can make a secure 5250 client that doesn't send passwords in the clear I am sure that someone can make an iSeries Navigator method for doing so also. Now, once it is on the server and calls this exit point program it's not on your network. Thus who cares if it is in the clear? It never leaves the bus.
>
> Rob Berendt
> --
> "They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety."
> Benjamin Franklin
>
> "McGivern, Tom" <Tom.McGivern@xxxxxxx>
> Sent by: midrange-l-bounces@xxxxxxxxxxxx
> 11/18/2003 02:18 PM
> Please respond to Midrange Systems Technical Discussion <midrange-l@xxxxxxxxxxxx>
> To "Midrange Systems Technical Discussion" <midrange-l@xxxxxxxxxxxx>
> cc
> Subject RE: iSeries passwords
>
> The problem is, how do you change your password over the network. This exit would require that your password be sent in clear text across the network, so it could validate the content, if it were already encrypted, then it doesn't know what the input was.
>
> That's why ops-nav doesn't have it (IMO)..
>
> -----Original Message-----
> From: midrange-l-bounces@xxxxxxxxxxxx [mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of Andy Nolen-Parkhouse
> Sent: Tuesday, November 18, 2003 10:43 AM
> To: 'Midrange Systems Technical Discussion'
> Subject: RE: iSeries passwords
>
> Rob,
>
> I agree that you're probably right. But this exit program is a user-written program which receives the old and new passwords as clear parameters and could do what it wants with them, including writing them to a database. While adding an exit point requires a little more sophistication to implement than just changing a system value, it requires the same level of authority (*ALLOBJ and *SECADM) as changing the QPWDVLDPGM system value.
>
> What am I missing?
>
> Andy
>
> > I bet this:
> >
> > The password validation exit program
> > http://publib.boulder.ibm.com/iseries/v5r2/ic2924/info/apis/xsyvlphr.htm
> >
> > Rob Berendt
>
> _______________________________________________
> This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list
> To post a message email: MIDRANGE-L@xxxxxxxxxxxx
> To subscribe, unsubscribe, or change list options,
> visit: http://lists.midrange.com/mailman/listinfo/midrange-l
> or email: MIDRANGE-L-request@xxxxxxxxxxxx
> Before posting, please take a moment to review the archives
> at http://archive.midrange.com/midrange-l.
>
> This communication is confidential and may be legally privileged. If you are not the intended recipient, (i) please do not read or disclose to others, (ii) please notify the sender by reply mail, and (iii) please delete this communication from your system. Failure to follow this process may be unlawful. Thank you for your cooperation.
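
A small model of the two flows described in this thread, added here as an illustration and not taken from any of the posts or from IBM: sign-on compares one-way values, while content rules of the kind a password validation program applies need the old and new passwords in clear text. PBKDF2 is a stand-in for the iSeries algorithm, and `Host`, `one_way` and the three rules are hypothetical; how the clear-text values reach the host is outside the model.

```python
import hashlib
import hmac


def one_way(user: str, password: str) -> bytes:
    """Stand-in one-way transform (assumption: PBKDF2, not the iSeries algorithm)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(),
                               user.upper().encode(), 50_000)


def validation_program(old: str, new: str) -> list:
    """Hypothetical content rules; each one needs the clear-text passwords."""
    problems = []
    if len(new) < 8:
        problems.append("shorter than 8 characters")
    if not any(c.isdigit() for c in new):
        problems.append("contains no digit")
    changed = sum(a != b for a, b in zip(old, new)) + abs(len(old) - len(new))
    if changed < 3:
        problems.append("too similar to the old password")
    return problems


class Host:
    def __init__(self):
        self.stored = {}  # user -> one-way value; clear text is never kept

    def enroll(self, user: str, password: str) -> None:
        self.stored[user] = one_way(user, password)

    def sign_on(self, user: str, submitted: bytes) -> bool:
        # Sign-on compares transformed values; nothing is ever reversed.
        return hmac.compare_digest(self.stored.get(user, b""), submitted)

    def change_password(self, user: str, old: str, new: str) -> list:
        # The rules cannot run on one_way() output: every such value is
        # 32 opaque bytes, so length, digits and similarity are not visible.
        if not self.sign_on(user, one_way(user, old)):
            return ["old password incorrect"]
        problems = validation_program(old, new)
        if not problems:
            self.stored[user] = one_way(user, new)
        return problems
```
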
This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page.