RE: iSeries passwords

[rob@xxxxxxxxx]

Scott,

Wouldn't that data be flowing regardless of whether or not you are using 
QPWDVLDPGM?  So how does it contribute to the risk?  Unless you have an 
unscrupulous programmer who wrote QPWDVLDPGM.  But then again, if the 
values for WRKSYSVAL QPWD* are sufficient for you, then what else is IBM 
to do?

Rob Berendt
-- 
"They that can give up essential liberty to obtain a little temporary 
safety deserve neither liberty nor safety." 
Benjamin Franklin 




Scott Klement <klemscot@xxxxxxxxxxxx> 
Sent by: midrange-l-bounces@xxxxxxxxxxxx
11/18/2003 04:15 PM
Please respond to
Midrange Systems Technical Discussion <midrange-l@xxxxxxxxxxxx>


To
Midrange Systems Technical Discussion <midrange-l@xxxxxxxxxxxx>
cc

Subject
RE: iSeries passwords







I think he's referring to the wire that connects your PC or 5250 terminal
to your iSeries.

Unless you're using SSL to connect your 5250 screen to your iSeries, the
password that you type into the CHGPWD command could be viewed by a
network sniffer, and used against you.

Or for a similar function in iSeries Navigator, again the password travels
in cleartext from the PC to the iSeries before it gets to the QPWDVLDPGM.



On Tue, 18 Nov 2003 rob@xxxxxxxxx wrote:
>
> Once again, travel over what wire?  The iSeries server executes the
> QPWDVLDPGM on the box as where the passwords are stored.  Wouldn't this
> all be in main memory or some such thing?  I fail to see where this 
would
> hit your network.
>
_______________________________________________
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing 
list
To post a message email: MIDRANGE-L@xxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives
at http://archive.midrange.com/midrange-l.