On 19 March 2013 15:07, EXT-Schwarz, Barry <[email protected]> wrote:

> A user with a pass phrase must also have a password.  When RACF is called to
> validate either, it uses the length of the data to determine which it is 
> validating.

Depends which "it" you mean. RACF doesn't provide a facility to treat
a pass-thing as a password or phrase depending on its length. It's up
to the calling application program/subsystem, e.g. TSO, to determine
how to pass the string to RACF.

> Consequently, a user with a pass phrase need not ever use it.  The password
> will always work.  (I imagine the password authentication exits could be used
> to prohibit using the password.)

That might have some problems; not that you can't do it, but
explaining what's gone wrong to the end user is tricky. It's almost
certainly too late to reprompt in a way that will make the application
accept a phrase at that point. But maybe TSO does get it right...

There is at least one password sync product (the one I work on -
Beta's SAM Password) that can set the password to a random value as
part of synchronizing passwords with other systems, so that it is not
known to either the user or the administrators. It seems strange that
this should be necessary or useful, but it is.

Tony H.

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO IBM-MAIN
