Hi Folks,
Relatively recently, IBM's TSO people have implemented four global
LOGON options (valid for the entire LPAR) which are settable with the
(new) LOGON keyword in the IKJTSOxx member of PARMLIB.
In short, these are (with the bit that sets each one):

   Password Phrase Support      08
   Applid Verification          04
   LOGONHERE Support            02
   Password Preprompt Support   01

Of these options, only LOGONHERE support is defaulted to be ON. Where
are these bits? They should be set to match, in both the IKJTSVT and
IKJTPVT control blocks. But a SET IKJTSO=xx operator command or a
PARMLIB UPDATE(xx) TSO command should really be used to reset these
options, because that is the safest way to do things, and that's how IBM
designed the setup to be implemented.
I want to especially mention the implication of the newest of these
options, which is Password Preprompt Support, because of its security value.
Everybody knows that when you LOGON to TSO, you get a full screen
display. There is (quite a bit of) information on that display, such as
what your LOGON proc is, and if there is an initial TSO command to
execute at LOGON time, and so forth (region size, account number etc.).
Well, what if somebody knows a userid, but not a password, and not
the name of the LOGON PROC, etc. or anything that normally shows up on
that full screen? Then without knowing the password, he/she can find
out all the other information. No need to actually LOGON. The default
is for the LOGON full screen to appear, as soon as you type LOGON userid.
So, the new IBM-supplied "fix" for this is to set the Password
Preprompt option on. What does this do? It forces the user to enter
the valid password for the ID before all the other full screen
information shows up. This makes the LOGON process more secure.
Try it. You'll like it.
All the best of everything to all of you.....!!!
Sincerely, Sam
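
Added example, not part of the original post: a small Python audit that reads the text of an IKJTSOxx member and reports which of the four LOGON options end up ON, using the bit values listed above and the stated default (only LOGONHERE on). The operand names PASSPHRASE, VERIFYAPPL, LOGONHERE and PASSWORDPREPROMPT are the LOGON statement operands and do not appear in the post; the continuation handling (trailing + or -) is a simplification, and both sample members are constructed.

```python
import re

# Bit values as listed in the post; keys are the IKJTSOxx LOGON operands.
LOGON_BITS = {"PASSPHRASE": 0x08, "VERIFYAPPL": 0x04,
              "LOGONHERE": 0x02, "PASSWORDPREPROMPT": 0x01}
DEFAULT_MASK = 0x02  # per the post, only LOGONHERE defaults to ON

# Constructed sample members (not taken from any real system).
SAMPLE_DEFAULT = """\
/* constructed sample: member with no LOGON statement */
SEND OPERSEND(ON) USERSEND(ON)
"""
SAMPLE_HARDENED = """\
/* constructed sample: preprompt enabled */
LOGON PASSPHRASE(ON)   +
      LOGONHERE(ON)    +
      PASSWORDPREPROMPT(ON)
SEND OPERSEND(ON)
"""

def logon_statement(member_text):
    """Return the joined LOGON statement, or '' if the member has none."""
    text = re.sub(r"/\*.*?\*/", " ", member_text, flags=re.S)  # drop comments
    parts, collecting = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        # \b keeps LOGONHERE(...) from being mistaken for the LOGON keyword
        if not collecting and not re.match(r"LOGON\b", line, re.I):
            continue
        collecting = line[-1] in "+-"   # assumption: trailing + or - continues
        parts.append(line.rstrip("+-").strip())
        if not collecting:
            break                       # statement complete, ignore the rest
    return " ".join(parts)

def logon_mask(member_text):
    """Apply each ON/OFF operand to the default mask and return the result."""
    mask = DEFAULT_MASK
    pairs = re.findall(r"(\w+)\s*\(\s*(ON|OFF)\s*\)",
                       logon_statement(member_text), re.I)
    for name, state in pairs:
        bit = LOGON_BITS.get(name.upper())
        if bit is not None:
            mask = (mask | bit) if state.upper() == "ON" else (mask & ~bit)
    return mask

def audit(member_text):
    """Map each option name to True/False for a quick review."""
    mask = logon_mask(member_text)
    return {name: bool(mask & bit) for name, bit in LOGON_BITS.items()}
```

A member for which audit(...)["PASSWORDPREPROMPT"] is False still shows the full-screen LOGON panel before any password is entered.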