> -----Original Message-----
> From: IBM Mainframe Discussion List
> [mailto:[EMAIL PROTECTED] On Behalf Of Support, DUNNIT SYSTEMS LTD.
> Sent: Thursday, December 06, 2007 7:28 AM
> To: IBM-MAIN@BAMA.UA.EDU
> Subject: Forcing a userid and password prompt on session connect
>
> Hi,
>
> Running z/OS 1.8 from ADCD on a FlexEs box.
>
> We are about to enable remote external access to our z/OS system. Security
> is lousy as it is. The network router does port forwarding for Telnet to our
> z/OS system. That brings up the ADCD default login screen, which on its own
> offers no security. For example, by ADCD install default, you can logon
> straight into CICS without any signon.
>
> Is there some simple VTAM session application readily available with ADCD
> that can be automatically started for a terminal session when a connection
> is made and force prompting for a valid RACF ID and password?
>
> Are there any other security holes that need to be plugged under this
> scenario of router port forwarding to our FlexEs z/OS system?
>
> TIA,
> Jerry

I assume that your users are using TN3270 to connect to the z/OS system. If
so, then you can use the RESTRICTAPPL section of the BEGINVTAM section on the
TN3270 server parms for the ports to be secured. We have a port, 2323,
dedicated to SMCS consoles. An example:

    BEGINVTAM
      PORT 2323
      DEFAULTLUS
        LIH1SM01..LIH1SM09..FFFFFFFB
      ENDDEFAULTLUS
      DEFAULTAPPL SMCSH1 DEFONLY
      RESTRICTAPPL SMCSH1
        USER *
    ENDVTAM

What this does is cause the TN3270 server on z/OS to ask for a user's RACF id
and password before connecting them to the application specified. Note that
this stuff is "in the clear", so you could still have somebody steal userids
and passwords with a "sniffer".

I greatly suggest that you implement the SSH daemon on the UNIX host. Give
your users UNIX userids and passwords. Make them use an SSH client to connect
to the FlexES host UNIX system, then use something like x3270, running on the
FlexES host, to connect to the z/OS system.

--
John McKown
Senior Systems Programmer
HealthMarkets
Keeping the Promise of Affordable Coverage
Administrative Services Group
Information Technology
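
A small audit for the configuration described in the reply above, added here as an example and not part of the original thread: it reads the BEGINVTAM blocks of a TN3270 profile and reports, per port, whether the DEFAULTAPPL is also named on a RESTRICTAPPL statement. The port 23 block and the application name CICSA are constructed; application names are matched exactly and ports are assumed to be plain numbers.

```python
import re

# Constructed sample profile. Port 2323 repeats the block from the reply above;
# the port 23 block and the application name CICSA are made up for contrast.
SAMPLE_PROFILE = """\
BEGINVTAM
  PORT 2323
  DEFAULTLUS
    LIH1SM01..LIH1SM09..FFFFFFFB
  ENDDEFAULTLUS
  DEFAULTAPPL SMCSH1 DEFONLY
  RESTRICTAPPL SMCSH1
    USER *
ENDVTAM
BEGINVTAM
  PORT 23
  DEFAULTAPPL CICSA
ENDVTAM
"""

BLOCK = re.compile(r"\bBEGINVTAM\b(.*?)\bENDVTAM\b", re.S)
LU_LIST = re.compile(r"\bDEFAULTLUS\b.*?\bENDDEFAULTLUS\b", re.S)


def audit(profile_text):
    """Map each Telnet port to how its default application is reached."""
    # ';' starts a comment in the profile; upper-case so keywords match.
    text = re.sub(r";.*", "", profile_text).upper()
    result = {}
    for body in BLOCK.findall(text):
        body = LU_LIST.sub(" ", body)  # LU names are not statements
        ports = [int(p)
                 for m in re.finditer(r"\bPORT((?:\s+\d+\b)+)", body)
                 for p in m.group(1).split()]
        default = re.search(r"\bDEFAULTAPPL\s+(\S+)", body)
        restricted = set(re.findall(r"\bRESTRICTAPPL\s+(\S+)", body))
        if default is None:
            status = "no-default-appl"
        elif default.group(1) in restricted:
            status = "prompt"            # server asks for user ID and password
        else:
            status = "no-telnet-prompt"  # only the application's own signon, if any
        for port in ports:
            result[port] = status
    return result


if __name__ == "__main__":
    for port, status in sorted(audit(SAMPLE_PROFILE).items()):
        print(port, status)
```

A "prompt" result only says the server asks for credentials; as the reply notes, they still cross the network in the clear.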