× The internal search function is temporarily non-functional. The current search engine is no longer viable and we are researching alternatives.
As a stop gap measure, we are using Google's custom search engine service.
If you know of an easy to use, open source, search engine ... please contact support@midrange.com.


  1.  Home
  2. MIDRANGE-L
  3. August 2004

RE: Client Access bypass signon

midrange-l-request@xxxxxxxxxxxx wrote:

>   2. RE: Client Access bypass signon (Dan Bale) (Jones, John (US))
>
>>"If it is a security violation, why would IBM supply it?"
>
>If the PC is considered to be in a secure location, then allowing signon
>bypass can still be considered tolerable / secure.  

My understanding is that "bypass signon" essentially means "do not present the 
(5250) signon panel". This is only viable _if_ profile/password is verified by 
some other means and the telnet server has a way either to know that 
verification has been done or to perform the verification before allowing the 
session to start. It doesn't mean that no 'signon occurs.

iSeries Access provides a few ways to verify outside of the (5250) signon 
display. I suppose most sites do it via the signon server. A few now use 
Kerberos. But I'm not sure there's any way to cause iSeries Access to do it 
with a clear-text password. I haven't looked at the RFC, but I suppose it's 
possible to have a client that talks TN5250E to the telnet server without 
implementing some kind of password encryption.

That is, "bypass signon" would be more secure, in terms of transmitted password 
security, regardless of whether a PC was in a secured area.

By _not_ using bypass signon, the clear-text signon panel must be used. And 
unless this is done within VPN or a similar protected conduit, there are 
essentially no protections at all except keeping PCs in secured areas.

So, I assume the comment about 'tolerable/secure' refers to security on any 
file that a password might be stored in rather than to "bypass signon" itself? 
Or are there other aspects to be considered?

Tom Liotta

-- 
Tom Liotta
The PowerTech Group, Inc.
19426 68th Avenue South
Kent, WA 98032
Phone  253-872-7788 x313
Fax    253-872-7904
http://www.powertech.com


__________________________________________________________________
Switch to Netscape Internet Service.
As low as $9.95 a month -- Sign up today at http://isp.netscape.com/register

Netscape. Just the Net You Need.

New! Netscape Toolbar for Internet Explorer
Search from anywhere on the Web and block those annoying pop-ups.
Download now at http://channels.netscape.com/ns/search/install.jsp

As an Amazon Associate we earn from qualifying purchases.

This thread ...
Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.