While not exactly the same, anyone with access to BPX.SUPERUSER can copy or load a user's ssh public key into another user's home directory .ssh files and log on password-less as that user.
________________________________
From: IBM Mainframe Discussion List <[email protected]> on behalf of Walt Farrell <[email protected]>
Sent: Sunday, June 22, 2025 4:00:44 PM
To: [email protected] <[email protected]>
Subject: Re: Mapping certificates to a userid.

On Fri, 13 Jun 2025 17:19:46 +0100, Colin Paice <[email protected]> wrote:

>I've found I can map a certificate to any userid eg
>RACDCERT MAP ID(START1) -
> WITHLABEL('ZZ') -
> SDNFILTER('CN=zzcolinpaice.O=cpwebuser.C=GB')
>
>
>Which seems to allow me to do a certificate logon and become any userid.
> This includes using protected userid.
>Are there any controls I can use to restrict this? I'm working with Zowe
>which allows me to use z/OS facilities from Linux/Windows.

Perhaps more appropriate for RACF-L than IBM-MAIN...

But according to the RACF Command Language Reference you need SPECIAL or UPDATE authority to the IRR.DIGTCERT.MAP resource in the FACILITY class to map to anyone other than yourself.

So it's reasonably well protected, except from your RACF administrators, of course.

--
Walt

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO IBM-MAIN
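As an added example, not posted by anyone in this thread, here is how an administrator would verify and tighten the control Walt names (IRR.DIGTCERT.MAP in the FACILITY class) and leave an audit trail of mapping changes. START1 is the userid from Colin's post; CERTADM is an assumed placeholder for the group that is meant to administer certificate mappings.

```tso
/* Added example: restrict and audit who may create certificate-to-userid */
/* mappings with RACDCERT MAP. Issue these from a TSO session that has the */
/* RACF authority to administer the FACILITY class.                        */

/* 1. Who can currently map a certificate to SOMEONE ELSE's userid?        */
/*    Anyone shown with UPDATE or higher (and anyone with SPECIAL, which    */
/*    the profile cannot restrict, as Walt notes).                          */
RLIST FACILITY IRR.DIGTCERT.MAP AUTHUSER

/* 2. Make sure the profile exists with no default access. If it already   */
/*    exists RDEFINE just reports that; the PERMIT still applies.           */
/*    CERTADM is an assumed placeholder group for certificate admins.       */
RDEFINE FACILITY IRR.DIGTCERT.MAP UACC(NONE)
PERMIT IRR.DIGTCERT.MAP CLASS(FACILITY) ID(CERTADM) ACCESS(UPDATE)

/* 3. Log every access attempt (successful or not) at READ and above, so a */
/*    mapping created for a userid such as START1 leaves an SMF record.     */
RALTER FACILITY IRR.DIGTCERT.MAP AUDIT(ALL(READ))

/* 4. Activate the changes if FACILITY is RACLISTed in storage.            */
SETROPTS RACLIST(FACILITY) REFRESH

/* 5. Review which certificate filters are already mapped to a sensitive   */
/*    userid. Listing another user's mappings is itself governed by the     */
/*    FACILITY resource IRR.DIGTCERT.LISTMAP.                               */
RACDCERT ID(START1) LISTMAP
```

Repeat step 5 for each protected or privileged userid; an unexpected SDNFILTER entry there is the thing the audit record in step 3 is meant to catch at creation time.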
