I don't think anyone suggested generic IDs.  The NETRC data set should be 
specific to each user authorized to do this, the same way each user has an 
ISPPROF if they are authorized to use ISPF.

Charles Mills <[EMAIL PROTECTED]> wrote:

I'm not a security guy. I have no idea what the exposures are. I suspect
they are between minimal and none. The prospect has simply stated that
"generic" userids are unacceptable and that the remote process must be run
under the ID of the originator. That's what I am responding to. I am not in
the business of arguing with prospects. You don't make sales arguing with
prospects who raise security objections. We have multiple customers doing it
the way we do it now with a single highly-restricted "generic" (to use this
prospect's term) ID and no one has reported any problems. No one has had any
objections until now.

Perhaps I am not understanding you. If you are saying "give each user their
own NETRC file with UACC(NONE)" I think the objection would be the
maintenance headache. Each user's password would have to be maintained once
in RACF (two instances) and once in their NETRC. I can try proposing that,
but what I would REALLY like is what I asked for: some "automated" way of
getting a user "here" signed on automatically "there." It looks like
PassTicket will do exactly that but I am a little boggled by all of the
details - it would be great to have a Redbook-style "cookbook" - and I'd
really like to understand the possible applicability of SSL/TLS.

Charles

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:[EMAIL PROTECTED] On Behalf
Of Greg Saccomanno
Sent: Thursday, January 05, 2006 2:17 PM
To: IBM-MAIN@BAMA.UA.EDU
Subject: Re: FTP userid propagation


Charles,
I am curious what security disaster exists with each of the users that
will use this process having a userid.NETRC file with a UACC(NONE) be? If

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html



                