IBM i Global

  • 1.  IBM i authentication protocol

    Posted 19 days ago
    Hello everyone
     
    Is there a way to demonstrate the authentication protocol of my IBM i if I only log in with a username and password via telnet? Is there related documentation?


    ------------------------------
    Regards,

    Jorge Lee
    ------------------------------


  • 2.  RE: IBM i authentication protocol

    Posted 19 days ago

    Dear Jorge

    I'm not sure I understand your question. When signing on to a 5250 telnet session with user profile and password, there is no special authentication protocol used other than the 5250 telnet data stream. The 5250 telnet client just passes the character string of the user and password to the telnet server on the IBM i server. This is why it is crucial to use TLS to encrypt the session. One thing you can do to see this in action is to start an IBM i communication trace during the sign-on, dump it to a PC, and use Wireshark to display the data stream. (You cannot see the data if TLS is used.) Or you can even use a PC with Wireshark that connects to the same LAN as the IBM i server to capture the data stream directly from the LAN, if you know how to and it is allowed.



    ------------------------------
    Satid S
    ------------------------------



  • 3.  RE: IBM i authentication protocol

    Posted 19 days ago
    Edited by Jorge Lee 19 days ago
     
    Hello Satid,
     
    Thank you for responding. I will explain: this question comes from a security auditor, asking whether there are authentication protocols such as Kerberos, LDAP, Password Authentication Protocol (PAP), etc. on the IBM i. I have identified that we only log in with a username and password, we have configured TLS 1.2 and 1.3, and we do not have LDAP configured.



    ------------------------------

    Regards, 


    Jorge Lee
    ------------------------------



  • 4.  RE: IBM i authentication protocol

    Posted 19 days ago

    Dear Jorge

    As far as I know, IBM i supports Kerberos, LDAP, a key-based authentication protocol such as that used in Secure Shell (SSH), and also MFA (multifactor authentication). My guess is that the security auditor asked whether any one of these is used in your IBM i server. To demonstrate any one of these, you need to set them up. Do a Google search and you will find info on how to set each of these up.



    ------------------------------
    Satid S
    ------------------------------



  • 5.  RE: IBM i authentication protocol

    IBM Champion
    Posted 18 days ago
    Edited by Dominique Gayte 18 days ago

    Dear Jorge,

    The most effective way is to set up SSO with AD based on Kerberos (and the IBM-specific layer called EIM).

    Dominique



    ------------------------------
    Dominique Gayte
    Président (CEO)
    gayte it
    Saint Jean la Fouillouse
    +33630170255
    ------------------------------



  • 6.  RE: IBM i authentication protocol

    IBM Champion
    Posted 18 days ago

    There's telnet and there's secure telnet too. One uses port 23 and the other port 992. I can easily hack passwords when someone uses unsecured telnet using basic tools available on IBM i. Anyone competent with a network sniffer can do the same. I've demonstrated it at work. I have an SQL query using IBM i Services which will show me the users using unsecured telnet. NETSTAT *CNN and subsetting it by port 23 is a crude alternative.



    ------------------------------
    Robert Berendt IBMChampion
    ------------------------------
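An added example of the kind of IBM i Services query described above (not Robert's own query and not IBM documentation): it lists established 5250 sessions on the plain telnet port 23 next to those on the TLS port 992, joined to the user profile running each job. The view and column names (QSYS2.NETSTAT_JOB_INFO with LOCAL_PORT, REMOTE_ADDRESS, TCP_STATE, JOB_NAME; QSYS2.ACTIVE_JOB_INFO with JOB_NAME, AUTHORIZATION_NAME, SUBSYSTEM) are assumed and should be checked against your release.

```sql
-- Added example, not the poster's query. Column names are assumed;
-- confirm them with DESCRIBE or the IBM i Services documentation.
-- Goal for a defender: the PLAIN set should be empty, and every
-- remaining 5250 session should appear under TLS (port 992).
WITH telnet_conn AS (
  SELECT n.LOCAL_PORT,
         n.REMOTE_ADDRESS,
         n.JOB_NAME
    FROM QSYS2.NETSTAT_JOB_INFO n
   WHERE n.LOCAL_PORT IN (23, 992)        -- 23 = telnet, 992 = telnet over TLS
     AND n.TCP_STATE = 'ESTABLISHED'      -- skip the listening server jobs
)
SELECT CASE t.LOCAL_PORT
         WHEN 23 THEN 'PLAIN'
         ELSE 'TLS'
       END                    AS SESSION_TYPE,
       t.REMOTE_ADDRESS       AS CLIENT_ADDRESS,
       t.JOB_NAME             AS INTERACTIVE_JOB,
       j.AUTHORIZATION_NAME   AS USER_PROFILE,
       j.SUBSYSTEM
  FROM telnet_conn t
  LEFT JOIN TABLE(QSYS2.ACTIVE_JOB_INFO()) j   -- resolve job -> user profile
         ON j.JOB_NAME = t.JOB_NAME
 ORDER BY SESSION_TYPE, USER_PROFILE, CLIENT_ADDRESS;
```

Run it from ACS Run SQL Scripts; any row tagged PLAIN identifies a user whose sign-on credentials crossed the network unencrypted, and the CLIENT_ADDRESS column tells you which workstation still needs its emulator switched to port 992.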



  • 7.  RE: IBM i authentication protocol

    Posted 15 days ago

    Hacked in 3 Minutes: The Realities of IBM i Security (youtube.com)



    ------------------------------
    Juergen Gleiss
    ------------------------------



  • 8.  RE: IBM i authentication protocol

    IBM Champion
    Posted 15 days ago

    Good one.



    ------------------------------
    Robert Berendt IBMChampion
    ------------------------------



  • 9.  RE: IBM i authentication protocol

    Posted 14 days ago
    Edited by ace ace 14 days ago

    IMHO kind of click bait ;) , nothing fancy and not subverting something IBM i specific at all - it is just how a fully clear-text, unencrypted protocol works, since the telnet-style beginnings, unrelated to OSes (telnet, ftp, plain smtp...).

    And you should do it from a tap interface on a switch, to be external, or via other means. Installing Wireshark locally should be a privileged operation; you can even decode a standard ciphered stream if you have the keys.

    Anyway, please just use TLS 5250 (and preferably other protocols too, database connections etc.), at least in new installations/deployments. ACS doesn't even complain about a self-signed, long-term certificate, so no excuses, and better than nothing ;)



    ------------------------------
    --ft
    ------------------------------