On Monday, 09/20/2010 at 03:23 EDT, Ivan Warren <i...@vmfacility.fr> 
wrote:
> I'd rather have something like:
> 
> - Open Lxxx
> - Ask ESM (or some VM which can ask the ESM) to allow me to log on to
> "userx" without password from LDEV Lxxx
> - ESM (or ESM proxy) grants (or refuses)
> - If ESM grants, enter userx in the login logo field, and get granted
> logon (by the ESM) without password from the LDEV.
> 
> This way no secret ever gets exchanged.. And if the requesting user is
> no longer authorized to do this, then it's only a matter of changing the
> ESM setting - NOT changing the password.
> 
> (Dunno if you can do that with RACF/VM though).
> 
> PS : It also requires the ESM/ESM Proxy to trust CP as to the originator
> of the request which can possibly be circumvented depending on
> circumstances (access to hardware, STORE HOST, Diag D4, etc.)

As would I, as those things are needed in order to enable the z/VM 
equivalent of z/OS TN3270E Logon Express.  That's where you have the 
ability to:
a) Create or import X.509 user certificates
b) Associate them with a VM user ID
c) When used on an SSL/TLS-protected telnet session, optionally log in 
without a password.  (Or require two-factor authentication.)

I know that the former Chief z/VM Security Weasel has had "LDEV login 
without password" on his to-do list for a long time. 

It doesn't work for reconnect, but today you can create an LDEV and, if 
you're authorized, 'XAUTOLOG user ON ldev' without a password.

Alan Altmark

z/VM and Linux on System z Consultant
IBM System Lab Services and Training 
ibm.com/systems/services/labservices 
office: 607.429.3323
alan_altm...@us.ibm.com
IBM Endicott
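The four-step flow Ivan sketches (open an LDEV, ask the ESM for permission to log on as "userx" from it, ESM grants or refuses, logon from the LDEV without a password) can be modelled as a small state machine. The following is an added illustration, not z/VM, CP, RACF or any ESM code; the class names `Esm` and `ControlProgram`, the `LogonRequest` record, the one-shot grant table and the LDEV naming are all assumptions made for the example. It shows the two properties the thread cares about: revoking access is a change to the ESM policy table rather than a password change, and the ESM only honours an LDEV origin that the trusted CP vouches for (the PS in the quoted text).

```python
"""Toy model of password-less LDEV logon mediated by an ESM.

Added example, not from the thread or from z/VM. Everything here
(Esm, ControlProgram, LogonRequest, the grant table) is an assumption
made to illustrate the flow; no real CP or RACF interface is used.
"""
from dataclasses import dataclass, field

TRUSTED_CP = "CP"  # the only principal whose origin claims the ESM believes


@dataclass
class LogonRequest:
    target_user: str   # user ID typed into the logo field
    ldev: str          # logical device the logon arrives on
    asserted_by: str   # who vouches for the LDEV origin; must be CP


@dataclass
class Esm:
    """External Security Manager with a revocable policy and one-shot grants."""
    # (requester, target): requester may log on as target without a password
    policy: set = field(default_factory=set)
    # outstanding grants as (ldev, target, requester); consumed on use
    grants: set = field(default_factory=set)

    def permit(self, requester: str, target: str) -> None:
        self.policy.add((requester, target))

    def revoke(self, requester: str, target: str) -> None:
        # Revocation touches only ESM settings; no password changes hands.
        self.policy.discard((requester, target))
        self.grants = {g for g in self.grants if (g[2], g[1]) != (requester, target)}

    def request_grant(self, requester: str, target: str, ldev: str) -> bool:
        """Steps 2 and 3: requester asks to log on as target from ldev."""
        if (requester, target) not in self.policy:
            return False
        self.grants.add((ldev, target, requester))
        return True

    def authorize_logon(self, req: LogonRequest) -> bool:
        """Step 4: CP relays the logo-field logon; ESM honours an outstanding grant."""
        if req.asserted_by != TRUSTED_CP:   # origin claim must come from CP
            return False
        match = [g for g in self.grants if g[0] == req.ldev and g[1] == req.target_user]
        if not match:
            return False
        self.grants.remove(match[0])        # a grant is good for exactly one logon
        return True


@dataclass
class ControlProgram:
    """Stand-in for CP: opens LDEVs and forwards logons to the ESM."""
    esm: Esm
    next_ldev: int = 0

    def open_ldev(self) -> str:
        self.next_ldev += 1
        return f"L{self.next_ldev:04X}"   # constructed LDEV names such as L0001

    def logon(self, ldev: str, user: str) -> bool:
        return self.esm.authorize_logon(LogonRequest(user, ldev, TRUSTED_CP))


def demo() -> dict:
    """Run the flow once and report what happened at each step."""
    esm = Esm()
    cp = ControlProgram(esm)
    esm.permit("ivan", "userx")                      # ESM setting, not a password
    ldev = cp.open_ldev()                            # step 1
    granted = esm.request_grant("ivan", "userx", ldev)   # steps 2 and 3
    forged = esm.authorize_logon(LogonRequest("userx", ldev, "not-CP"))  # PS case
    first = cp.logon(ldev, "userx")                  # step 4, via CP
    replay = cp.logon(ldev, "userx")                 # grant already consumed
    esm.revoke("ivan", "userx")                      # change the ESM setting only
    after_revoke = esm.request_grant("ivan", "userx", cp.open_ldev())
    return {"granted": granted, "forged": forged, "first": first,
            "replay": replay, "after_revoke": after_revoke}


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the grant being issued, the logon with a non-CP origin claim refused, the CP-relayed logon succeeding exactly once, and any further request refused after the ESM entry is removed, all without a password ever being transmitted or changed.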
