On Fri, 8 Jan 2021 at 12:19, Sam Golob <[email protected]> wrote:

> Does anyone have user-written code for RACF, so that if the user
> types in a password, the code will verify if it is the user's actual
> LOGON password?

More detailed specs, please. Are you fundamentally looking for sample code to learn from, or something to [adapt and] use as-is? Programming language? Execution environment? (TSO session? UNIX session? Some other environment?)

Is this a program to run in an existing session to verify that the user at the keyboard knows the password that was used at logon? (TSS has a TSO command to lock the screen and prompt for the password upon resuming. It would be easy enough to write a similar command for any of the security systems.)

Or is it a program that accepts both a userid and password at the keyboard (or in a batch job), and verifies that they are a good match? Or something else I'm not thinking of?

Any program that accepts userids and passwords needs to have controls to prevent its use to try many passwords without penalty. Generally the required security system calls require at least an APF authorized state to make this query, for the reason above.

> I'd like to see code that does this, for ACF2 and Top Secret as
> well, but I'm primarily interested in RACF.

If you use the SAF (RACROUTE REQUEST=VERIFY) approach, it should work identically for all three security systems. Your code has to decide if what you are verifying is a password or a phrase.

If you are using an LE language (C, PL/I, ...) there is a library function __passwd(...) to do this. If you are writing in assembler, probably the easiest to use is IRRSPW00, documented in the RACF Callable Services book. IRRSPW00 may not work in the CA security systems - I'm not sure.

Both the above assume password vs phrase based on the length.

Tony H.

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO IBM-MAIN
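
An added example, not part of the original message or any code from the thread: a C sketch of the LE `__passwd()` route mentioned above, wrapped in a local cap on failed attempts so the program cannot be used to try many passwords without penalty. The names `saf_check`, `check_password`, `pw_gate` and `MAX_FAILS` are hypothetical, and the non-z/OS branch is a constructed stand-in (sample userid and password) so the block runs off-platform.

```c
/* Added example: a local attempt cap around a SAF-backed password check. */
#ifdef __MVS__
#define _OPEN_SYS 1
#include <pwd.h>   /* z/OS LE declares __passwd() here */
#endif
#include <stdio.h>
#include <string.h>

#define MAX_FAILS 3   /* assumed local limit; the security system keeps its own count */

enum pw_result { PW_OK, PW_BAD, PW_LOCKED };
struct pw_gate { int fails; };   /* hypothetical per-session failure counter */

/* Returns 0 on a match. Password vs phrase is inferred from length by __passwd(). */
static int saf_check(const char *user, const char *pass) {
#ifdef __MVS__
    return __passwd(user, pass, NULL);   /* NULL new password: verify only */
#else
    /* Constructed stand-in (sample userid and password) for off-platform runs. */
    return (strcmp(user, "IBMUSER") == 0 && strcmp(pass, "DEMO1234") == 0) ? 0 : -1;
#endif
}

/* Refuse further guesses once the cap is hit, before the verifier is called. */
enum pw_result check_password(struct pw_gate *g, const char *user, const char *pass,
                              int (*verify)(const char *, const char *)) {
    if (g->fails >= MAX_FAILS)
        return PW_LOCKED;
    if (verify(user, pass) == 0) {
        g->fails = 0;
        return PW_OK;
    }
    g->fails++;
    return PW_BAD;
}

int main(void) {
    struct pw_gate g = {0};
    const char *tries[] = { "guess1", "guess2", "guess3", "DEMO1234" };
    for (int i = 0; i < 4; i++)
        printf("try %d -> %d\n", i + 1, check_password(&g, "IBMUSER", tries[i], saf_check));
    return 0;
}
```

The counter here lives only for the life of the process, so it complements rather than replaces the failed-attempt handling in the security system itself.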
