> what if somebody knows a userid, but not a password The other thing is that with the "old" way of doing things, a bad guy can try random userids all day and all night until he hits on a good one. He still needs a password, but he is halfway there. Preprompt fixes that.
Charles -----Original Message----- From: IBM Mainframe Discussion List [mailto:[email protected]] On Behalf Of Sam Golob Sent: Thursday, January 19, 2017 10:15 AM To: [email protected] Subject: Global LOGON options settable in PARMLIB Hi Folks, Relatively recently, IBM's TSO people have implemented four global LOGON options (valid for the entire LPAR) which are settable with the (new) LOGON keyword in the IKJTSOxx member of PARMLIB. In short, these are (with the bit that sets each one): Password Phrase Support 08 Applid Verification 04 LOGONHERE Support 02 Password Preprompt Support 01 Of these options, only LOGONHERE support is defaulted to be ON. Where are these bits? They should be set to match, in both the IKJTSVT and IKJTPVT control blocks. But a SET IKJTSO=xx operator command or a PARMLIB UPDATE(xx) TSO command, should really be used to reset these options, because that is the safest way to do things, and that's how IBM designed the setup to be implemented. I want to especially mention the implication of the newest of these options, which is Password Preprompt Support, because of its security value. Everybody knows that when you LOGON to TSO, you get a full screen display. There is (quite a bit of) information on that display, such as what your LOGON proc is, and if there is an initial TSO command to execute at LOGON time, and so forth (region size, account number etc.). Well, what if somebody knows a userid, but not a password, and not the name of the LOGON PROC, etc. or anything that normally shows up on that full screen. Then without knowing the password, he/she can find out all the other information. No need to actually LOGON. The default is for the LOGON full screen to appear, as soon as you type LOGON userid. So, the new IBM-supplied "fix" for this is to set the Password Preprompt option on. What does this do? It forces the user to enter the valid password for the ID before all the other full screen information shows up. This makes the LOGON process more secure. ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to [email protected] with the message: INFO IBM-MAIN
