RE: iSeries passwords -- MIDRANGE-L

Rob

If you are entering the information on your PC and it connects to the
iSeries via TCP/IP it gets there "over the wire"...

Chuck


-----Original Message-----
From: midrange-l-bounces@xxxxxxxxxxxx
[mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of rob@xxxxxxxxx
Sent: Tuesday, November 18, 2003 3:50 PM
To: Midrange Systems Technical Discussion
Subject: RE: iSeries passwords

Once again, travel over what wire?  The iSeries server executes the 
QPWDVLDPGM on the box as where the passwords are stored.  Wouldn't this 
all be in main memory or some such thing?  I fail to see where this would 
hit your network.

Rob Berendt
-- 
"They that can give up essential liberty to obtain a little temporary 
safety deserve neither liberty nor safety." 
Benjamin Franklin 




"John Earl" <john.earl@xxxxxxxxxxxxxxxxxx> 
Sent by: midrange-l-bounces@xxxxxxxxxxxx
11/18/2003 03:05 PM
Please respond to
Midrange Systems Technical Discussion <midrange-l@xxxxxxxxxxxx>


To
"'Midrange Systems Technical Discussion'" <midrange-l@xxxxxxxxxxxx>
cc

Subject
RE: iSeries passwords






Rob,

When you sign on to the iSeries using iSeriesNavigator or CA
(or whatever it's called now) your password is encrypted on
the PC before it is sent over the wire.  This is because the
stored password on the iSeries is never unencrypted - there
is no facility on the iSeries to unencrypt passwords (and if
there was, it would be a big potential exposure!  Everyone
would target that program).  Rather, the submitted password
is encrypted using the same algorithm, and then the
submitted encrypted password is compared to the stored
encrypted password.  An exact match is a good password,
anything else is a failed signon attempt.

However, when you do a CHGPWD type function, the QPWDVLDPGM
exit program must receive the old password and the new
password in clear text in order to allow the program to
operate on them.  So, regardless of the interface
(iSeriesNav, Green Screen, etc,) If the passwords are
submitted to the QPWDVLDPGM in clear text, they must travel
over the wire in clear text (because, again, passwords are
never unencrypted by the system). 

HTH,

the



--
John Earl | Chief Technology Officer
The PowerTech Group
19426 68th Ave. S
Seattle, WA 98032
(253) 872-7788 ext. 302
john.earl@xxxxxxxxxxxxxxxxxx
www.powertech.com 
 

 
This email message and any attachments are intended only for
the use of the intended recipients and may contain
information that is privileged and confidential. If you are
not the intended recipient, any dissemination, distribution,
or copying is strictly prohibited. If you received this
email message in error, please immediately notify the sender
by replying to this email message, or by telephone, and
delete the message from your email system.
--

> -----Original Message-----
> From: midrange-l-bounces@xxxxxxxxxxxx [mailto:midrange-l-
> bounces@xxxxxxxxxxxx] On Behalf Of rob@xxxxxxxxx
> Sent: Tuesday, November 18, 2003 11:36 AM
> To: Midrange Systems Technical Discussion
> Subject: RE: iSeries passwords
> 
> Why would this exit point require that your password be
> sent in the clear?
> 
> Remember, iSeries Navigator prompts you for the new
> password.  That
> prompting might be done with some sort of security.  Then
> it would
> validate this on your iSeries.  And how it validates this
> on your iSeries,
> I don't know, but if they can make a secure 5250 client
> that doesn't send
> passwords in the clear I am sure that someone can make an
> iSeries
> Navigator method for doing so also.  Now, once it is on
> the server and
> calls this exit point program it's not on your network.
> Thus who cares if
> it is in the clear?  It never leaves the bus.
> 
> Rob Berendt
> --
> "They that can give up essential liberty to obtain a
> little temporary
> safety deserve neither liberty nor safety."
> Benjamin Franklin
> 
> 
> 
> 
> "McGivern, Tom" <Tom.McGivern@xxxxxxx>
> Sent by: midrange-l-bounces@xxxxxxxxxxxx
> 11/18/2003 02:18 PM
> Please respond to
> Midrange Systems Technical Discussion <midrange-
> l@xxxxxxxxxxxx>
> 
> 
> To
> "Midrange Systems Technical Discussion" <midrange-
> l@xxxxxxxxxxxx>
> cc
> 
> Subject
> RE: iSeries passwords
> 
> 
> 
> 
> 
> 
> The problem is, how do you change your password over the
> network.  This
> exit would require that your password be sent in clear
> text across the
> network, so it could validate the content, if it were
> already encrypted,
> then it doesn't know what the input was.
> 
> That's why ops-nav doesn't have it (IMO)..
> 
> -----Original Message-----
> From: midrange-l-bounces@xxxxxxxxxxxx
> [mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of Andy
> Nolen-Parkhouse
> Sent: Tuesday, November 18, 2003 10:43 AM
> To: 'Midrange Systems Technical Discussion'
> Subject: RE: iSeries passwords
> 
> 
> Rob,
> 
> I agree that you're probably right.  But this exit program
> is a
> user-written program which receives the old and new
> passwords as clear
> parameters and could do what it wants with them, including
> writing them
> to a database. While adding an exit point requires a
> little more
> sophistication to implement than just changing a system
> value, it
> requires the same level of authority (*ALLOBJ and *SECADM)
> as changing
> the QPWDVLDPGM system value.
> 
> What am I missing?
> 
> Andy
> 
> 
> > I bet this:
> >
> > The password validation exit program
> >
> http://publib.boulder.ibm.com/iseries/v5r2/ic2924/info/api
> s/xsyvlphr.h
> > tm
> >
> > Rob Berendt
> 
> 
> 
> 
> _______________________________________________
> This is the Midrange Systems Technical Discussion
> (MIDRANGE-L) mailing
> list To post a message email: MIDRANGE-L@xxxxxxxxxxxx To
> subscribe,
> unsubscribe, or change list options,
> visit:
> http://lists.midrange.com/mailman/listinfo/midrange-l
> or email: MIDRANGE-L-request@xxxxxxxxxxxx
> Before posting, please take a moment to review the
> archives
> at http://archive.midrange.com/midrange-l.
> 
> 
> 
> This communication is confidential and may be legally
> privileged.  If you
> are not the intended recipient, (i) please do not read or
> disclose to
> others, (ii) please notify the sender by reply mail, and
> (iii) please
> delete this communication from your system.  Failure to
> follow this
> process may be unlawful.  Thank you for your cooperation.
> 
> _______________________________________________
> This is the Midrange Systems Technical Discussion
> (MIDRANGE-L) mailing
> list
> To post a message email: MIDRANGE-L@xxxxxxxxxxxx
> To subscribe, unsubscribe, or change list options,
> visit:
> http://lists.midrange.com/mailman/listinfo/midrange-l
> or email: MIDRANGE-L-request@xxxxxxxxxxxx
> Before posting, please take a moment to review the
> archives
> at http://archive.midrange.com/midrange-l.
> 
> 
> _______________________________________________
> This is the Midrange Systems Technical Discussion
> (MIDRANGE-L) mailing list
> To post a message email: MIDRANGE-L@xxxxxxxxxxxx
> To subscribe, unsubscribe, or change list options,
> visit:
> http://lists.midrange.com/mailman/listinfo/midrange-l
> or email: MIDRANGE-L-request@xxxxxxxxxxxx
> Before posting, please take a moment to review the
> archives
> at http://archive.midrange.com/midrange-l.


_______________________________________________
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing 
list
To post a message email: MIDRANGE-L@xxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives
at http://archive.midrange.com/midrange-l.


_______________________________________________
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list
To post a message email: MIDRANGE-L@xxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives
at http://archive.midrange.com/midrange-l.