On Tue, 13 Dec 2022 at 12:13, Binyamin Dissen <bdis...@dissensoftware.com> wrote:
> The doc indicates that this request will return data that can be used for > authentication. > > Not clear to me how used (PASSWORD in REQUEST=VERIFY) . > As Lennie says, you can EXTRACT the encrypted password, and then use RACROUTE REQUEST=VERIFY with ENCRYPT=NO . But as he also says, this will not work with KDFAES. You can extract the password and the password extension fields, but there is no interface that will let you use those for authentication. > Also, do not understand how a DES encrypted password can be restored. > I don't understand what you're asking. How to replace it if you put something else in there? I've always used ICHEINTY for this kind of thing. > Am I missing something obvious? > > I would think that TOKEN would be the way to go. > Again, I don't understand the question. Are you speaking of a Passticket? What do you want to accomplish - logon without a password? Logon without knowing the password and change it to something you do know? You can logon (RACROUTE VERIFY) with a Passticket and a new Password (or Phrase). Or you can do what Lennie did and extract the password (or phrase), encrypt a new temporary one, bang it into the field(s), and then logon with the unencrypted version of it (and optionally supply a new "permanent" one). This works for both DES and KDFAES (though the details vary quite a bit), but is probably not recommended. And you need to decide what to do if your logon fails, thus leaving the temporary password in place. And if it works, whether you want the history to be updated by your temporary password, or if you'll need to fix that up too. And there may well be other unwanted evidence of what you did. Tony H. ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
