That opens the way to a denial of service attack; someone can write a script to cause revocation of a long list of userids.
--
Shmuel (Seymour J.) Metz
http://mason.gmu.edu/~smetz3

________________________________________
From: IBM Mainframe Discussion List <[email protected]> on behalf of Barbara Nitz <[email protected]>
Sent: Tuesday, January 21, 2020 2:14 AM
To: [email protected]
Subject: Re: IBM AOAR O44855

>Is anyone using this feature
>https://www-01.ibm.com/support/docview.wss?uid=isg1OA44855

I implemented TSO PrePrompt when I was RACF Admin. If someone is attempting to hack into the mainframe using userid/password, I didn't want them to know if their userid was wrong or their password. After x invalid combinations (x is whatever your amount of allowed invalid passwords is before revoking you) the userid gets revoked, as before.

It threw off the session manager we used to use back then, and it threw off a screenscraper that the compliance department uses (screenscraper=shudder). Both got around it.

Barbara

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO IBM-MAIN
