True, but then the password would expire and the userid would be unusable. I should have mentioned this point in the design. But 30 years was quite a while back 😊.

Lennie

-----Original Message-----
From: IBM Mainframe Discussion List <[email protected]> On Behalf Of ITschak Mugzach
Sent: 13 December 2022 21:26
To: [email protected]
Subject: Re: RACROUTE REQUEST=EXTRACT,TYPE=ENCRYPT,ENCRYPT=(,DES)

You do not need a password to login if you are in supervisor mode, so trying to reverse engineer a password is a if that is the purpose)

On Tuesday, December 13, 2022, Lennie Dymoke-Bradshaw <[email protected]> wrote:

> I wrote code using this over 30 years ago to automatically change
> passwords. This was before the days of pass tickets and I needed one
> piece of software to sign on as an IMS user to IMS. It needed a
> password. So I coded an exit routine which would build a new password
> using some randomisation algorithm and then encrypt it using the call
> you mention. I then extracted the existing password in encrypted form
> and used a RACROUTE REQUEST=VERIFY with those old and new passwords and
> specifying ENCRYPT=NO.
>
> This performed the logon and switched the password every time. No one
> ever saw the password. I had retry logic for situations where the new
> password was rejected for any reason.
> I think this method breaks under KDFAES passwords. Nowadays a pass
> ticket would be a preferable method.
> Restoring a DES encrypted password requires
> REQUEST=EXTRACT,TYPE=REPLACE I think, but I have never tried doing that.
>
> Lennie Dymoke-Bradshaw
> https://rsclweb.com
> 'Dance like no one is watching. Encrypt like everyone is.'
>
> -----Original Message-----
> From: IBM Mainframe Discussion List <[email protected]> On
> Behalf Of Binyamin Dissen
> Sent: 13 December 2022 17:13
> To: [email protected]
> Subject: RACROUTE REQUEST=EXTRACT,TYPE=ENCRYPT,ENCRYPT=(,DES)
>
> The doc indicates that this request will return data that can be used
> for authentication.
>
> Not clear to me how used (PASSWORD in REQUEST=VERIFY).
>
> Also, do not understand how a DES encrypted password can be restored.
>
> Am I missing something obvious?
>
> I would think that TOKEN would be the way to go.
>
> --
> Binyamin Dissen <[email protected]>
> http://www.dissensoftware.com
>
> Director, Dissen Software, Bar & Grill - Israel
>
> ----------------------------------------------------------------------
> For IBM-MAIN subscribe / signoff / archive access instructions, send
> email to [email protected] with the message: INFO IBM-MAIN

--
ITschak Mugzach
IronSphere Platform | Information Security Continuous Monitoring for z/OS, x/Linux & IBM I | z/VM coming soon
