I didn't like it.
In our environment we have a single tso logon procedure, so know it is not a 
big deal.

And logon takes longer because you have an extra panel to issue ENTER.


Atenciosamente / Regards / Saludos

Ituriel do Nascimento Neto
BANCO BRADESCO S.A.
4250 / DITI Engenharia de Software
Sistemas Operacionais Mainframes
Tel: +55 11 3684-9602 R: 49602 3-1404
Fax: +55 11 3684-4427



-----Original Message-----
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of 
Charles Mills
Sent: Thursday, January 19, 2017 16:26
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Global LOGON options settable in PARMLIB

> what if somebody knows a userid, but not a password

The other thing is that with the "old" way of doing things, a bad guy can try 
random userids all day and all night until he hits on a good one. He still 
needs a password, but he is halfway there. Preprompt fixes that.

Charles

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf 
Of Sam Golob
Sent: Thursday, January 19, 2017 10:15 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Global LOGON options settable in PARMLIB

Hi Folks,

     Relatively recently, IBM's TSO people have implemented four global LOGON 
options (valid for the entire LPAR) which are settable with the
(new) LOGON keyword in the IKJTSOxx member of PARMLIB.

     In short, these are (with the bit that sets each one):

Password Phrase Support     08
Applid Verification         04
LOGONHERE Support           02
Password Preprompt Support  01

Of these options, only LOGONHERE support is defaulted to be ON.  Where are 
these bits?  They should be set to match, in both the IKJTSVT and IKJTPVT 
control blocks.  But a SET IKJTSO=xx operator command or a PARMLIB UPDATE(xx) 
TSO command, should really be used to reset these options, because that is the 
safest way to do things, and that's how IBM designed the setup to be 
implemented.

     I want to especially mention the implication of the newest of these 
options, which is Password Preprompt Support, because of its security value.

     Everybody knows that when you LOGON to TSO, you get a full screen display. 
 There is (quite a bit of) information on that display, such as what your LOGON 
proc is, and if there is an initial TSO command to execute at LOGON time, and 
so forth (region size, account number etc.).

     Well, what if somebody knows a userid, but not a password, and not the 
name of the LOGON PROC, etc. or anything that normally shows up on that full 
screen.  Then without knowing the password, he/she can find out all the other 
information.  No need to actually LOGON.  The default is for the LOGON full 
screen to appear, as soon as you type LOGON userid.

     So, the new IBM-supplied "fix" for this is to set the Password Preprompt 
option on.  What does this do?  It forces the user to enter the valid password 
for the ID before all the other full screen information shows up.  This makes 
the LOGON process more secure.

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
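
Added example, not part of the original thread and not IBM code: a small audit script that reads the text of an IKJTSOxx member, works out the effective global LOGON options, and reports them as the flag byte using the bit values listed in the post. The keyword spellings (PASSPHRASE, VERIFYAPPL, LOGONHERE, PASSWORDPREPROMPT), the `+`/`-` continuation handling, the function names and the sample member are assumptions made for this illustration.

```python
import re

# Bit values come from the post. Keyword spellings and ON/OFF defaults are
# assumptions taken from IBM's description of the IKJTSOxx LOGON statement.
OPTIONS = {                      # keyword: (bit, default)
    "PASSPHRASE": (0x08, False),
    "VERIFYAPPL": (0x04, False),
    "LOGONHERE": (0x02, True),
    "PASSWORDPREPROMPT": (0x01, False),
}

SAMPLE_MEMBER = """\
/* constructed IKJTSOxx fragment, not from a real system */
ALLOCATE DEFAULT(OLD)
LOGON PASSPHRASE(ON) +
      LOGONHERE(ON)        /* preprompt not coded: default applies */
"""

def logon_statements(member_text):
    """Return LOGON statements with comments stripped and continuations joined."""
    text = "\n".join(line[:72] for line in member_text.splitlines())  # drop cols 73-80
    text = re.sub(r"/\*.*?\*/", " ", text, flags=re.S)
    statements, pending = [], ""
    for line in text.splitlines():
        line = line.strip()
        if line.endswith(("+", "-")):       # assumed continuation characters
            pending += line[:-1] + " "
            continue
        if pending or line:
            statements.append((pending + line).upper())
        pending = ""
    if pending.strip():                     # member ended on a continuation
        statements.append(pending.upper())
    return [s for s in statements if s.split()[:1] == ["LOGON"]]

def effective_logon_options(member_text):
    """Return ({keyword: enabled}, flag_byte) after defaults and overrides."""
    state = {name: default for name, (_, default) in OPTIONS.items()}
    for statement in logon_statements(member_text):
        for name, value in re.findall(r"\b([A-Z]+)\s*\(\s*(ON|OFF)\s*\)", statement):
            if name in state:
                state[name] = value == "ON"
    flags = sum(bit for name, (bit, _) in OPTIONS.items() if state[name])
    return state, flags

if __name__ == "__main__":
    state, flags = effective_logon_options(SAMPLE_MEMBER)
    print(f"flag byte {flags:02X}; preprompt {'ON' if state['PASSWORDPREPROMPT'] else 'OFF (finding)'}")
```

This checks only what the PARMLIB member would set at the next SET IKJTSO=xx or PARMLIB UPDATE(xx); it does not read the live IKJTSVT or IKJTPVT control blocks.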
