Thanks Alan.
In the interest of good citizenship I'll open a Sev 3 PMR.
Regarding NOPASSWORD, we do typically use that for SVMs, etc. Not this
time because of what I was testing.
Mark
At 11:32 AM 6/10/2009, Alan Altmark wrote:
FTP logon allows users in the ACL to use "testuser.by.surrogate" to log
on to TESTUSER as expected, but DOES allow TESTUSER to logon directly.
This is a surprise.
Bug, or feature?
Bug. Feel free to open a PMR.
If you want to stop authentication using TESTUSER, remove its password
(ALTUSER TESTUSER NOPASSWORD). Then it can't be used as an authenticator
in ANY interface (including RACROUTE REQUEST=VERIFY), it can never be
revoked due to invalid password attempts, and isn't subject to password
expiry rules. This effectively turns it into AUTOONLY without having to
mess with the directory.
Alan Altmark
z/VM Development
IBM Endicott
