> Yes, and I corrected my statement quickly after in a second email...I
> was thinking about the initial negotiation of the session. As *you*
> know, but I'll set it out for those that don't;
>
>  * For vanilla 5250, the password is sent in the clear.
>  * For 5250E the password is encrypted client side before sending.
>  * For OpsNav the password is encrypted client side before sending.
>  * Using SSL for vanilla 5250 removes it being in the clear.

I think it's important, again, to stress that just because you're using
TN5250e does *NOT* mean that your password is being sent securely.  It's
only secure if sent as part of the initial parameters negotiation (during
the exchange of telnet USERVAR's) and *ONLY* if the 5250e client uses the
password substitution algorithm, rather than cleartext.

Most people that I've seen using TN5250e continue to use the standard
QDSIGNON signon screen, and therefore are still sending a cleartext
password.

> Again, with regard to the session start-up, if you're using either
> vanilla 5250 *or* 5250E (without SSL) the end result for the
> 'man-in-the-middle' is that;
>
>  * For vanilla 5250, the password is right there for the picking.
>  * For 5250E the password is obtainable within a few minutes extra work.
>  * For OpsNav the password is obtainable within a few minutes extra work.

I'm still not sure why you're saying this.   Are you saying that the
password substitution algorithm used to send the passwords is easy to
decrypt for passwords under 10 chars?

> Conclusion : For remote access, when security is key, the only safe
> option for now is SSL.

SSL can make a big difference in security, especially if you can set up
client certificates so that only people who have a certificate that YOU
generated are allowed to log in.

> But this isn't an iSeries 'only' issue, on Unix/Linux the default
> behaviour of some of the TCP/IP protocol clients is also to send
> passwords in the clear.

In FreeBSD, by default the telnet, ftp, etc. servers are turned off.  The
only remote access server that's enabled by default is SSH.  (Which is
similar to SSL, security-wise.)  If you enable them, however, yes you'll
have the same types of problems.

I believe that RedHat Linux, at least, is the same way... I seem to recall
that from the last time I set it up -- but it's been awhile, so I'm not
positive.

OpenBSD takes things even a step further than that...  but if you're
running OpenBSD, security is probably a very big concern for you.

This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].