
List:       racf-l
Subject:    Re: PASSWORD and PASSPHRASE
From:       Alan Altmark <Alan_Altmark () US ! IBM ! COM>
Date:       2011-12-30 21:58:01
Message-ID: 201112302158.pBU67hqP032056 () waikiki ! cc ! uga ! edu

On Fri, 23 Dec 2011 08:49:27 -0500, Walter Farrell <wfarrell@US.IBM.COM> wrote:

>RACF/VM allows users with password phrases, but no password, but it has
>the advantage of only needing to worry about logons to VM, not to other
>applications.
>
>Some of us envision that someday RACF on z/OS will also allow that, but as
>you know it does not allow it today. I suggest you submit a requirement
>for this, Butch. It is important, in my opinion, for RACF on z/OS to support
>this, too, and formal requirements from customers will help speed the
>process along.

Actually, Walt, RACF/VM *does* have to worry about applications that don't
support password phrases.  (IBM ships some with z/VM, e.g. NFS daemon)

When password phrases were introduced to RACF/VM, I decided that the mere
existence of a password obviated any benefit of a phrase.  That is, the
short password could still be used to penetrate a virtual machine,
regardless of the complexity and wonderfulness of the password phrase.

As it turned out, applications were being updated to accept EITHER, via the
simple expedient of logic that determined that a single token of 8 or fewer
characters MUST be a password.

This logic was subsequently enshrined in CP's Diagnose 0x88 service.  The
applications no longer need to care about case and length: the formalized
interface between CP and RACF determines whether the string is a password or
password phrase and calls the correct RACROUTE REQUEST=VERIFY as needed.

But not all applications use Diagnose 0x88 (also encapsulated by the DMSPASS
callable service).  Consequently, any user who needs to authenticate via an
application that supports only old-style passwords must be given a PASSWORD.
All others need only a PHRASE.

Alan Altmark
Sr. Managing System z IT Consultant
(former Chief z/VM Security Weasel)