On Sat, 9 May 2009 16:28:48 -0400, Tony Harminc <[email protected]> wrote:
>2009/5/8 Paul Gilmartin <[email protected]>:
>
>> Sigh. If IBM users were serious about this sort of thing, they'd
>> submit a Requirement that LOGON not distinguish between invalid
>> user ID and valid user ID with invalid password, reducing the
>> exhaustive search space from M*N to M+N.
>
>That requirement would have to go against the various products that
>issue SAF calls. There is nothing to stop any product that does logons
>from being as vague as it likes about why the user can't log on.

It could go against RACF, I think. We could simply give the "bad password" return code for all authentication failures. SMF records and ICH408I messages would still need to stay the same as they are, to provide proper auditing and troubleshooting, but the applications wouldn't know. We would probably need to change the error messages that we let applications retrieve from RACROUTE, too, in case they display them to the user. So it's non-trivial, but could be done in one central spot.

Of course, you'd need a larger help desk support staff to handle the increased number of calls from users.

--
Walt Farrell, CISSP
IBM STSM, z/OS Security Design
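As an added illustration (not code from this thread, nor from RACF), the central approach Walt describes: the caller gets one uniform "bad password" result for every failure, while the exact reason is kept only in an audit trail that stands in for SMF records and ICH408I messages. The user store, salt and return-code values are constructed for the example.

```python
import hashlib
import hmac

# Constructed stand-in for the security database: userid -> salted PBKDF2 digest.
_SALT = b"constructed-salt"

def _digest(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 10_000)

USERS = {"ALICE": _digest("correct horse"), "BOB": _digest("hunter2")}

# Audit trail: plays the role of SMF / ICH408I in the post. It keeps the precise
# reason for administrators and the help desk; applications never see it.
AUDIT: list[str] = []

OK = 0
BAD_PASSWORD = 8  # placeholder: the single code every caller gets on any failure

def authenticate(userid: str, password: str) -> int:
    """Return OK or BAD_PASSWORD. Unknown user ID and wrong password are
    indistinguishable to the caller; only AUDIT records which one it was."""
    stored = USERS.get(userid)
    if stored is None:
        # Do the same work for an unknown ID so timing does not leak what the
        # return code no longer does.
        _digest(password)
        AUDIT.append(f"LOGON FAILED userid={userid} reason=UNKNOWN-USERID")
        return BAD_PASSWORD
    if not hmac.compare_digest(stored, _digest(password)):
        AUDIT.append(f"LOGON FAILED userid={userid} reason=BAD-PASSWORD")
        return BAD_PASSWORD
    AUDIT.append(f"LOGON OK userid={userid}")
    return OK

def guess_budget(m: int, n: int) -> tuple[int, int]:
    """Worst-case guesses for M candidate IDs and N candidate passwords:
    (with a distinguishing logon, without one). A logon that reveals whether
    the ID exists lets IDs and passwords be searched separately, M+N; a
    uniform failure forces every pair to be tried, M*N."""
    return (m + n, m * n)
```

Because the uniform code removes the hint, both the help-desk load Walt mentions and the audit trail become the only places the distinction still exists.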

