Re: Get a user password from RACF.
This was clear for me; I misused the word hash. Basically, in open systems, when encrypting a password, the literature describes the encryption method used, and you can also find the mathematical function used in the encryption.

Regarding comments like:

> Would you mind telling us which bank you are trying to hack?
> Jantje.

Curiosity only! I have learned in the past the encryption history and commonly used methods, and still have a lot of interest in this subject. Besides, I never really checked how this issue is implemented on z/OS.

On Fri, Aug 19, 2011 at 5:45 PM, Tom Russell tom_russ...@sympatico.ca wrote:

> There is no command that will get a Password from RACF. You can reset it to a known value if you have authority, but you can not display it.
>
> Your assumption that there is hash of the password is incorrect. RACF encrypts the user ID with the password, and the resultant ciphertext is all that is stored in the RACF data set. This is done so that neither the user ID nor the password is stored in the clear for perusal by hackers on the RACF data set, or more likely on a backup copy.
>
> regards, Tom
>
> On 2011-08-19 12:00 AM, IBM-MAIN automatic digest system wrote:
>
> > Date: Thu, 18 Aug 2011 08:20:42 -0400
> > From: Chicklon, Thomas thomas.chick...@53.com
> > Subject: Re: Get a user password from RACF.
> >
> > I am not aware of this being documented anywhere. Maybe someone else can jump in with that info if they have it.
> >
> > Tom Chicklon
> >
> > -Original Message-
> > Thanks. Is the literature specifying the HASH algorithm and where the HASH password is located?
>
> --
> G. Tom Russell
> “Stay calm. Be brave. Wait for the signs.” — Jasper FriendlyBear
> “... and remember to leave good news alone.” — Gracie HeavyHand

--
best regards,
matan cohen
MF System Administrator.

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html
Re: Get a user password from RACF.
On Thu, 18 Aug 2011 15:56:39 +0300, Matan Cohen matancohen...@gmail.com wrote:

> Actually there isn't any problem. I wanted to know a user password instead of changing it, and I remembered that in my previous shop this was something I was doing regularly. So I just got interested in how this was available to me in the past and whether it is still available to me in RACF. Security is always interesting for me.

Would you mind telling us which bank you are trying to hack?

Jantje.
Re: Get a user password from RACF.
A little Friday fun...

We all know what the decrypted password is in a RACF database - it's the user ID! The trick is to determine the key used to encrypt it in the first place...

Tom Chicklon

-Original Message-

> It could probably be decrypted, if you've got enough computer time to spare, but I suspect that it would be changed long before it could be decrypted.
>
> Rick

This e-mail transmission contains information that is confidential and may be privileged. It is intended only for the addressee(s) named above. If you receive this e-mail in error, please do not read, copy or disseminate it in any manner. If you are not the intended recipient, any disclosure, copying, distribution or use of the contents of this information is prohibited. Please reply to the message immediately by informing the sender that the message was misdirected. After replying, please erase it from your computer system. Your assistance in correcting this error is appreciated.
Re: Get a user password from RACF.
Rick Fochtman wrote:

> snip--
>
> > Hi all,
> >
> > In my previous shop we had TSS instead of RACF. I remember we had a way to get a user password, but I'm not really familiar with what the background process was.
> >
> > Is somebody familiar with a method to get a user password when using RACF?
> >
> > I assume RACF DB is holding the DB in hash based on a one-way function, but I'll also expect that TSS will do the same. If it is truly so, I'll be interested in HOW my previous shop could bypass the basic security (maybe using an Exit to insert the password into a protected dataset before the HASH). I'd expect a security product to allow only reset of the password and not reviewing of the user password.
>
> ---unsnip-
>
> In a previous incarnation of RACF, it was possible, under some circumstances, to acquire the user's password from the RACF database. This hole has been closed for a long time now. The password in the database is encrypted using a one-way trap-door function. It could probably be decrypted, if you've got enough computer time to spare, but I suspect that it would be changed long before it could be decrypted.

snip

As Walt posted earlier, there is a password enveloping function that can be used to make passwords retrievable. You can read about it here:

http://publibz.boulder.ibm.com/cgi-bin/bookmgr_OS390/BOOKS/ichza7b0/22.1?SHELF=EZ2ZBK0KDT=20100614190745

--
John Eells
z/OS Technical Marketing
IBM Poughkeepsie
ee...@us.ibm.com
Re: Get a user password from RACF.
There is no command that will get a Password from RACF. You can reset it to a known value if you have authority, but you can not display it.

Your assumption that there is hash of the password is incorrect. RACF encrypts the user ID with the password, and the resultant ciphertext is all that is stored in the RACF data set. This is done so that neither the user ID nor the password is stored in the clear for perusal by hackers on the RACF data set, or more likely on a backup copy.

regards, Tom

On 2011-08-19 12:00 AM, IBM-MAIN automatic digest system wrote:

> Date: Thu, 18 Aug 2011 08:20:42 -0400
> From: Chicklon, Thomas thomas.chick...@53.com
> Subject: Re: Get a user password from RACF.
>
> I am not aware of this being documented anywhere. Maybe someone else can jump in with that info if they have it.
>
> Tom Chicklon
>
> -Original Message-
> Thanks. Is the literature specifying the HASH algorithm and where the HASH password is located?

--
G. Tom Russell
“Stay calm. Be brave. Wait for the signs.” — Jasper FriendlyBear
“... and remember to leave good news alone.” — Gracie HeavyHand
Re: Get a user password from RACF.
Well technically the user ID is stored since it is the name of the User profile.

Lou

Artificial Intelligence is no match for Natural Stupidity

On Fri, Aug 19, 2011 at 9:45 AM, Tom Russell tom_russ...@sympatico.ca wrote:

> There is no command that will get a Password from RACF. You can reset it to a known value if you have authority, but you can not display it.
>
> Your assumption that there is hash of the password is incorrect. RACF encrypts the user ID with the password, and the resultant ciphertext is all that is stored in the RACF data set. This is done so that neither the user ID nor the password is stored in the clear for perusal by hackers on the RACF data set, or more likely on a backup copy.
>
> regards, Tom
>
> On 2011-08-19 12:00 AM, IBM-MAIN automatic digest system wrote:
>
> > Date: Thu, 18 Aug 2011 08:20:42 -0400
> > From: Chicklon, Thomas thomas.chick...@53.com
> > Subject: Re: Get a user password from RACF.
> >
> > I am not aware of this being documented anywhere. Maybe someone else can jump in with that info if they have it.
> >
> > Tom Chicklon
> >
> > -Original Message-
> > Thanks. Is the literature specifying the HASH algorithm and where the HASH password is located?
>
> --
> G. Tom Russell
> “Stay calm. Be brave. Wait for the signs.” — Jasper FriendlyBear
> “... and remember to leave good news alone.” — Gracie HeavyHand
Re: Get a user password from RACF.
Older releases of Top Secret used to allow for a user's password to be displayed with a simple TSS list command. It required the PWVIEW system option to be turned on, as well as specific authority on the security admin's ACID. This ability to display passwords is (fortunately) no longer available.

As far back as I can recall (RACF 1.7?), RACF has never allowed passwords to be displayed.

Tom Chicklon

-Original Message-

> Hi all,
>
> In my previous shop we had TSS instead of RACF. I remember we had a way to get a user password, but I'm not really familiar with what the background process was.
>
> Is somebody familiar with a method to get a user password when using RACF?
>
> I assume RACF DB is holding the DB in hash based on a one-way function, but I'll also expect that TSS will do the same. If it is truly so, I'll be interested in HOW my previous shop could bypass the basic security (maybe using an Exit to insert the password into a protected dataset before the HASH). I'd expect a security product to allow only reset of the password and not reviewing of the user password.
>
> --
> best regards,
> matan cohen
> MF System Administrator.
Re: Get a user password from RACF.
On Thu, 18 Aug 2011 14:44:25 +0300 Matan Cohen matancohen...@gmail.com wrote:

:In my previous shop we had TSS instead of RACF. I remember we had a way to
:get a user password but I'm not really familiar with what the background
:process was.

I greatly doubt it.

:Is somebody familiar with a method to get a user password when using RACF?

Dictionary attack.

:I assume RACF DB is holding the DB in hash based on a one-way function, but
:I'll also expect that TSS will do the same.
:If it is truly so, I'll be interested in HOW my previous shop could bypass
:the basic security (maybe using an Exit to insert the password into a protected
:dataset before the HASH). I'd expect a security product to allow only
:reset of the password and not reviewing of the user password.

Why do you need to hack a password?

With appropriate privileges you can simply alter the password to a known value - but, then again, you would be logged.

--
Binyamin Dissen bdis...@dissensoftware.com
http://www.dissensoftware.com

Director, Dissen Software, Bar Grill - Israel

Should you use the mailblocks package and expect a response from me, you should preauthorize the dissensoftware.com domain.

I very rarely bother responding to challenge/response systems, especially those from irresponsible companies.
Re: Get a user password from RACF.
Thanks. Is the literature specifying the HASH algorithm and where the HASH password is located?

On Thu, Aug 18, 2011 at 2:58 PM, Chicklon, Thomas thomas.chick...@53.com wrote:

> Older releases of Top Secret used to allow for a user's password to be displayed with a simple TSS list command. It required the PWVIEW system option to be turned on, as well as specific authority on the security admin's ACID. This ability to display passwords is (fortunately) no longer available.
>
> As far back as I can recall (RACF 1.7?), RACF has never allowed passwords to be displayed.
>
> Tom Chicklon
>
> -Original Message-
>
> > Hi all,
> >
> > In my previous shop we had TSS instead of RACF. I remember we had a way to get a user password, but I'm not really familiar with what the background process was.
> >
> > Is somebody familiar with a method to get a user password when using RACF?
> >
> > I assume RACF DB is holding the DB in hash based on a one-way function, but I'll also expect that TSS will do the same. If it is truly so, I'll be interested in HOW my previous shop could bypass the basic security (maybe using an Exit to insert the password into a protected dataset before the HASH). I'd expect a security product to allow only reset of the password and not reviewing of the user password.
> >
> > --
> > best regards,
> > matan cohen
> > MF System Administrator.

--
best regards,
matan cohen
MF System Administrator.
Re: Get a user password from RACF.
I am not aware of this being documented anywhere. Maybe someone else can jump in with that info if they have it.

Tom Chicklon

-Original Message-

> Thanks. Is the literature specifying the HASH algorithm and where the HASH password is located?
Re: Get a user password from RACF.
In my previous shop, it was necessary for some users to get other users' passwords (and they didn't have the privilege to change any user password).

On Thu, Aug 18, 2011 at 3:16 PM, Matan Cohen matancohen...@gmail.com wrote:

> Thanks. Is the literature specifying the HASH algorithm and where the HASH password is located?
>
> On Thu, Aug 18, 2011 at 2:58 PM, Chicklon, Thomas thomas.chick...@53.com wrote:
>
> > Older releases of Top Secret used to allow for a user's password to be displayed with a simple TSS list command. It required the PWVIEW system option to be turned on, as well as specific authority on the security admin's ACID. This ability to display passwords is (fortunately) no longer available.
> >
> > As far back as I can recall (RACF 1.7?), RACF has never allowed passwords to be displayed.
> >
> > Tom Chicklon
> >
> > -Original Message-
> >
> > > Hi all,
> > >
> > > In my previous shop we had TSS instead of RACF. I remember we had a way to get a user password, but I'm not really familiar with what the background process was.
> > >
> > > Is somebody familiar with a method to get a user password when using RACF?
> > >
> > > I assume RACF DB is holding the DB in hash based on a one-way function, but I'll also expect that TSS will do the same. If it is truly so, I'll be interested in HOW my previous shop could bypass the basic security (maybe using an Exit to insert the password into a protected dataset before the HASH). I'd expect a security product to allow only reset of the password and not reviewing of the user password.
> > >
> > > --
> > > best regards,
> > > matan cohen
> > > MF System Administrator.
>
> --
> best regards,
> matan cohen
> MF System Administrator.

--
best regards,
matan cohen
MF System Administrator.
Re: Get a user password from RACF.
Unfortunately, this was true. TSS did provide a way to display a user's password. Fortunately, they've seen the light and removed this ability. Imagine trying to prove any particular user was responsible for something done with their ID when some number of security admins could all display, and thus use the ID with the compromised password.

Tom Chicklon

-Original Message-

> :In my previous shop we had TSS instead of RACF. I remember we had a way to
> :get a user password but I'm not really familiar with what the background
> :process was.
>
> I greatly doubt it.
Re: Get a user password from RACF.
Short answer: NOT POSSIBLE.

The provided password is encrypted via a 1-way algorithm. There is no way to decode this value that I know of.

I am sure Walt Farrell will chime in shortly if I am incorrect.

snip
Is somebody familiar with a method to get a user password when using RACF?
/snip
Re: Get a user password from RACF.
Hi Matan,

Listing the password is not possible, as you already know. You don't need to know the user's password in order to use his access rights (if you are authorised to do so). RACF lets you use another user's authority using the user.submit profile under the surrogat class. This function is also available under TSS.

Tell us what is the problem you are trying to solve by knowing the user's password.

ITschak

On Thu, Aug 18, 2011 at 3:32 PM, Staller, Allan allan.stal...@kbmg.com wrote:

> Short answer: NOT POSSIBLE.
>
> The provided password is encrypted via a 1-way algorithm. There is no way to decode this value that I know of.
>
> I am sure Walt Farrell will chime in shortly if I am incorrect.
>
> snip
> Is somebody familiar with a method to get a user password when using RACF?
> /snip
Re: Get a user password from RACF.
-Original Message-
From: IBM Mainframe Discussion List On Behalf Of Chicklon, Thomas

> I am not aware of this being documented anywhere. Maybe someone else can jump in with that info if they have it.
>
> Tom Chicklon
>
> -Original Message-
>
> > Thanks. Is the literature specifying the HASH algorithm and where the HASH password is located?

RACF doesn't store the actual password in any way, shape or form. RACF uses the password as a key to encrypt the user ID, and stores that encrypted user ID as the password.

-jc-
Re: Get a user password from RACF.
Actually there isn't any problem. I wanted to know a user password instead of changing it, and I remembered that in my previous shop this was something I was doing regularly. So I just got interested in how this was available to me in the past and whether it is still available to me in RACF. Security is always interesting for me.

On Thu, Aug 18, 2011 at 3:38 PM, Itschak Mugzach imugz...@gmail.com wrote:

> Hi Matan,
>
> Listing the password is not possible, as you already know. You don't need to know the user's password in order to use his access rights (if you are authorised to do so). RACF lets you use another user's authority using the user.submit profile under the surrogat class. This function is also available under TSS.
>
> Tell us what is the problem you are trying to solve by knowing the user's password.
>
> ITschak
>
> On Thu, Aug 18, 2011 at 3:32 PM, Staller, Allan allan.stal...@kbmg.com wrote:
>
> > Short answer: NOT POSSIBLE.
> >
> > The provided password is encrypted via a 1-way algorithm. There is no way to decode this value that I know of.
> >
> > I am sure Walt Farrell will chime in shortly if I am incorrect.
> >
> > snip
> > Is somebody familiar with a method to get a user password when using RACF?
> > /snip

--
best regards,
matan cohen
MF System Administrator.
Re: Get a user password from RACF.
I see. But, if you know one of the old passwords of a user (if you maintain pw history), you can restore to that password ;-)

ITschak

On Thu, Aug 18, 2011 at 3:56 PM, Matan Cohen matancohen...@gmail.com wrote:

> Actually there isn't any problem. I wanted to know a user password instead of changing it, and I remembered that in my previous shop this was something I was doing regularly. So I just got interested in how this was available to me in the past and whether it is still available to me in RACF. Security is always interesting for me.
>
> On Thu, Aug 18, 2011 at 3:38 PM, Itschak Mugzach imugz...@gmail.com wrote:
>
> > Hi Matan,
> >
> > Listing the password is not possible, as you already know. You don't need to know the user's password in order to use his access rights (if you are authorised to do so). RACF lets you use another user's authority using the user.submit profile under the surrogat class. This function is also available under TSS.
> >
> > Tell us what is the problem you are trying to solve by knowing the user's password.
> >
> > ITschak
> >
> > On Thu, Aug 18, 2011 at 3:32 PM, Staller, Allan allan.stal...@kbmg.com wrote:
> >
> > > Short answer: NOT POSSIBLE.
> > >
> > > The provided password is encrypted via a 1-way algorithm. There is no way to decode this value that I know of.
> > >
> > > I am sure Walt Farrell will chime in shortly if I am incorrect.
> > >
> > > snip
> > > Is somebody familiar with a method to get a user password when using RACF?
> > > /snip
>
> --
> best regards,
> matan cohen
> MF System Administrator.
Re: Get a user password from RACF.
On Thu, 18 Aug 2011 08:20:42 -0400, Chicklon, Thomas thomas.chick...@53.com wrote:

> I am not aware of this being documented anywhere. Maybe someone else can jump in with that info if they have it.

If on the OP's system RACF is for some weird reason configured to use the old, deprecated, obsolete hashing method (different meaning of hash than is typically used today, by the way) for passwords rather than DES, then the password can be recovered by anyone who has access to old enough RACF source code, and is clever enough to figure out how to reverse the method. RACF never provided a retrieval method, but the hashing can be reversed if it's used.

Of course, that method has not been the standard (default) method for over 20 years now, and we would hope no one has manually configured their system that way. So it's likely that the OP's system is using the encryption method, rather than the hashing method, and in that case the password can not be retrieved in the sense that we're discussing here.

However, the installation does have the option of configuring password enveloping. The password enveloping process allows capture of the user's password, and secures it cryptographically using a PKCS #7 envelope contained within the user's profile so that it can be retrieved securely via LDAP by appropriately authorized users who have authenticated with the proper digital certificate.

This would normally be used by some kind of password synchronization process, where you wanted to send the user's RACF password to some other non-z/OS system to keep the passwords synchronized. And of course before doing that you would want to consider the security implications, both of exposing the user's password on a system that is possibly less secure/protected than your z/OS system, and of having some other process or person who knows the user's password and can thus impersonate the user (giving loss of accountability).

--
Walt Farrell
IBM STSM, z/OS Security Design
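The storage scheme several replies in this thread describe (the password is used as the key to encrypt the user ID, and only that ciphertext is kept), shown as an added example that is not part of the original thread and is not RACF code. It assumes a small hashlib-based Feistel cipher as a stand-in for DES; the function names, user IDs and passwords are constructed for illustration.

```python
"""Toy model: the password is the key, the user ID is the plaintext,
and only the ciphertext is stored. The cipher below is a stand-in for
DES built from SHA-256; it is NOT the algorithm RACF uses."""
import hashlib
import hmac

BLOCK = 8      # bytes; DES also works on 8-byte blocks
ROUNDS = 16


def _subkeys(password: str) -> list:
    """Stand-in key schedule: one subkey per round, derived from the password."""
    seed = hashlib.sha256(password.encode("utf-8")).digest()
    return [hashlib.sha256(seed + bytes([i])).digest() for i in range(ROUNDS)]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _feistel(block: bytes, subkeys: list) -> bytes:
    """Run a Feistel network; feeding the subkeys in reverse order inverts it."""
    left, right = block[:BLOCK // 2], block[BLOCK // 2:]
    for key in subkeys:
        round_out = hashlib.sha256(key + right).digest()[:BLOCK // 2]
        left, right = right, _xor(left, round_out)
    return right + left


def _userid_block(userid: str) -> bytes:
    """Upper-case the user ID and pad it with blanks to one cipher block."""
    raw = userid.upper().encode("ascii")
    if not 1 <= len(raw) <= BLOCK:
        raise ValueError("user ID must be 1 to 8 characters")
    return raw.ljust(BLOCK, b" ")


def store_password(userid: str, password: str) -> bytes:
    """Value kept in the user's profile: the user ID encrypted under the password."""
    return _feistel(_userid_block(userid), _subkeys(password))


def verify_password(userid: str, candidate: str, stored: bytes) -> bool:
    """Logon check: re-encrypt the user ID with the candidate and compare."""
    return hmac.compare_digest(store_password(userid, candidate), stored)


def decrypt_stored(stored: bytes, password: str) -> str:
    """Decrypt the stored block; only the correct key yields the user ID."""
    plain = _feistel(stored, _subkeys(password)[::-1])
    return plain.decode("ascii", errors="replace").rstrip()


if __name__ == "__main__":
    # Constructed sample values, not taken from any real system.
    record = store_password("IBMUSER", "SECRET1")
    print("stored field      :", record.hex())
    print("right password    :", verify_password("IBMUSER", "SECRET1", record))
    print("wrong password    :", verify_password("IBMUSER", "SECRET2", record))
    # The plaintext of the stored field is the user ID, never the password.
    print("decrypt, right key:", decrypt_stored(record, "SECRET1"))
    # The same password under two user IDs gives two different stored fields.
    print("USERA/USERB differ:",
          store_password("USERA", "SAMEPW") != store_password("USERB", "SAMEPW"))
```

The stored field is checked without ever being decrypted, which is why a reset to a known value is possible but a display of the current password is not.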
Re: Get a user password from RACF.
this begs the question... why? If you need to use the ID, why not just change the password?

only answer I can come up with is that the ID's password is embedded in a bunch of stuff across applications and/or platforms. if that's the case, then you got procedural issues to iron out with solutions that don't involve displaying passwords.

--- On Thu, 8/18/11, Matan Cohen matancohen...@gmail.com wrote:

> From: Matan Cohen matancohen...@gmail.com
> Subject: Get a user password from RACF.
> To: IBM-MAIN@bama.ua.edu
> Date: Thursday, August 18, 2011, 7:44 AM
>
> Hi all,
>
> In my previous shop we had TSS instead of RACF. I remember we had a way to get a user password, but I'm not really familiar with what the background process was.
>
> Is somebody familiar with a method to get a user password when using RACF?
>
> I assume RACF DB is holding the DB in hash based on a one-way function, but I'll also expect that TSS will do the same. If it is truly so, I'll be interested in HOW my previous shop could bypass the basic security (maybe using an Exit to insert the password into a protected dataset before the HASH). I'd expect a security product to allow only reset of the password and not reviewing of the user password.
>
> --
> best regards,
> matan cohen
> MF System Administrator.
Re: Get a user password from RACF.
snip--

> Hi all,
>
> In my previous shop we had TSS instead of RACF. I remember we had a way to get a user password, but I'm not really familiar with what the background process was.
>
> Is somebody familiar with a method to get a user password when using RACF?
>
> I assume RACF DB is holding the DB in hash based on a one-way function, but I'll also expect that TSS will do the same. If it is truly so, I'll be interested in HOW my previous shop could bypass the basic security (maybe using an Exit to insert the password into a protected dataset before the HASH). I'd expect a security product to allow only reset of the password and not reviewing of the user password.

---unsnip-

In a previous incarnation of RACF, it was possible, under some circumstances, to acquire the user's password from the RACF database. This hole has been closed for a long time now. The password in the database is encrypted using a one-way trap-door function. It could probably be decrypted, if you've got enough computer time to spare, but I suspect that it would be changed long before it could be decrypted.

Rick
Re: Get a user password from RACF.
-snip---

> Thanks. Is the literature specifying the HASH algorithm and where the HASH password is located?

-unsnip

There is no public doc of the exact algorithm and there is no single HASH password used. (Thanks be to God and the developers!) Why do you need this information?

Rick
Re: Get a user password from RACF.
Agreed. Maybe a good application for RACF Passtickets?

On Thu, Aug 18, 2011 at 2:14 PM, Cris Hernandez #9 hernandez...@yahoo.com wrote:

> this begs the question... why? If you need to use the ID, why not just change the password?
>
> only answer I can come up with is that the ID's password is embedded in a bunch of stuff across applications and/or platforms. if that's the case, then you got procedural issues to iron out with solutions that don't involve displaying passwords.
Re: Get a user password from RACF.
--snip

> In my previous shop, it was necessary for some users to get other users' passwords (and they didn't have the privilege to change any user password).

unsnip

For one user to access another user's password would be considered a security breach of the worst kind by any competent auditor, as well as most incompetent auditors. If the current facilities of RACF are insufficient then you should reconsider the usage and need for this capability. I would welcome an off-list contact to further discuss this. You might also want to get involved in the RACF list, whose address I don't recall at this moment.

Rick
Re: Get a user password from RACF.
-Original Message-
From: IBM Mainframe Discussion List On Behalf Of Rick Fochtman

> --snip
>
> > In my previous shop, it was necessary for some users to get other users' passwords (and they didn't have the privilege to change any user password).
>
> unsnip
>
> For one user to access another user's password would be considered a security breach of the worst kind by any competent auditor, as well as most incompetent auditors. If the current facilities of RACF are insufficient then you should reconsider the usage and need for this capability. I would welcome an off-list contact to further discuss this. You might also want to get involved in the RACF list, whose address I don't recall at this moment.

rac...@listserv.uga.edu

Send subscription request to lists...@listserv.uga.edu

-jc-