Rick Fochtman wrote:
--------------------------------<snip>------------------------------

Hi all ,

In my previous shop we had TSS instead of RACF. I remember we had a way to get a user password, but I'm not really familiar with what the background process was.

Is somebody familiar with a method to get a user password when using RACF?

I assume RACF DB is holding the DB in hash based on a one-way function, but I'll also expect that TSS will do the same.

If it is truly so, I'll be interested in HOW my previous shop could bypass the basic security (maybe using an exit to insert the password into a protected dataset before the HASH). I'll expect a security product to allow only reset of the password and not reviewing of the user password.


-----------------------------------<unsnip>---------------------------------

In a previous incarnation of RACF, it was possible, under some
circumstances, to acquire the user's password from the RACF database.
This hole has been closed for a long time now. The password in the
database is encrypted using a one-way trap-door function. It could
probably be decrypted, if you've got enough computer time to spare, but
I suspect that it would be changed long before it could be decrypted.

<snip>

As Walt posted earlier, there is a password enveloping function that can be used to make passwords retrievable. You can read about it here:

http://publibz.boulder.ibm.com/cgi-bin/bookmgr_OS390/BOOKS/ichza7b0/22.1?SHELF=EZ2ZBK0K&DT=20100614190745

--
John Eells
z/OS Technical Marketing
IBM Poughkeepsie
[email protected]
