You start iSeries Navigator, connect to your system. Your password is
sent in plain text, so everyone can read it and enjoy your QSECOFR
rights!
I believe the main point of the post from which this snippet was taken is 
valid and well stated. The statement above is true for the password that 
is typed on a green screen of a 5250 Telnet session (standard telnet 
protocol), but...(there's always a but, at least with me :-) ).....
The password exchange between iSeries Access/Navigator and the host 
servers (i.e. the prompt that pops up on your Windows desktop when you 
sign on to a system from iAccess/iNav) uses a password substitution 
protocol which essentially performs, on the client-side, the same 
hashing/encryption on the password typed by the user at the prompt as the 
400 did to the user profile password at the time the password was set. 
Then, I believe, it hashes that result again with a timestamp; it is this 
value that is sent from the client to the Host Servers sign-on server 
which retrieves the stored password, hashes it, and then compares that 
result to what iNav/iAccess sent.
In other words, the password is protected for the iAccess/Navigator 
prompts. However, the password typed into the password field on a green 
screen does flow in the clear (unless that connection is done over SSL or a 
VPN).  Also, iAccess/iNavigator do not protect subsequent dataflows, just 
the password (except if the connection is over SSL or a VPN in which case 
the data is protected on the wire also).
Again, the main point of the append is valid, just wanted to clarify the 
wording of that particular statement.
Thanks.
Patrick Botz
IBM STG Lab Services Security Practice
botz@xxxxxxxxxx
work: 507 253 0917  mobile: 507 250 5644
http://www.ibm.com/systems/services/labservices
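
The substitution exchange described in the message above, sketched as an added example that is not part of the original post and is not IBM's actual algorithm. SHA-256, HMAC, the 300-second freshness window, and all names and sample values are assumptions made for illustration.

```python
import hashlib
import hmac

# Assumptions (not IBM's actual algorithms): SHA-256 for the stored password
# hash, HMAC-SHA-256 to mix in the timestamp, a 300-second freshness window.
MAX_SKEW = 300


def stored_verifier(user: str, password: str) -> bytes:
    """Hash the host keeps when the password is set (never the password itself)."""
    return hashlib.sha256(f"{user.upper()}:{password}".encode()).digest()


def client_substitute(user: str, typed_password: str, timestamp: int) -> bytes:
    """Client side: repeat the host's hash, then hash that result with a timestamp."""
    verifier = stored_verifier(user, typed_password)
    return hmac.new(verifier, str(timestamp).encode(), hashlib.sha256).digest()


class SignonServer:
    def __init__(self) -> None:
        self.profiles: dict[str, bytes] = {}

    def set_password(self, user: str, password: str) -> None:
        self.profiles[user.upper()] = stored_verifier(user, password)

    def verify(self, user: str, timestamp: int, token: bytes, now: int) -> bool:
        """Retrieve the stored hash, hash it with the same timestamp, compare."""
        verifier = self.profiles.get(user.upper())
        if verifier is None or abs(now - timestamp) > MAX_SKEW:
            return False
        expected = hmac.new(verifier, str(timestamp).encode(), hashlib.sha256).digest()
        return hmac.compare_digest(expected, token)


def demo() -> dict:
    server = SignonServer()
    server.set_password("QSECOFR", "constructed-pw")   # constructed sample value
    t0 = 1_700_000_000                                  # constructed timestamp
    token = client_substitute("QSECOFR", "constructed-pw", t0)
    return {
        "password_on_wire": b"constructed-pw" in token,
        "good_login": server.verify("QSECOFR", t0, token, now=t0 + 2),
        "wrong_password": server.verify(
            "QSECOFR", t0, client_substitute("QSECOFR", "guess", t0), now=t0 + 2),
        "stale_replay": server.verify("QSECOFR", t0, token, now=t0 + 3600),
    }


if __name__ == "__main__":
    print(demo())
```

Only the sign-on value is protected here; as the message notes, the data that follows still needs SSL or a VPN to be protected on the wire.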
 