IBM i Global

 View Only

  • 1.  IBM i authentication protocol

    Posted Wed May 29, 2024 12:37 PM
    Hello everyone
     
    Is there a way to demonstrate the authentication protocol of my IBM i if I only log in with a username and password via telnet, there will be related documentation.


    ------------------------------
    Regards,

    Jorge Lee
    ------------------------------


  • 2.  RE: IBM i authentication protocol

    Posted Wed May 29, 2024 07:54 PM

    Dear Jorge

    I'm not sure I understand your question. When signing on to a 5250 telnet session with user profile and password, there is no special authentication protocol used other than 5250 telnet data stream.  The 5250 telnet client just passes the character string of the user and password to telnet server in IBM i server.  This is why it is crucial to use TLS to encrypt the session.  One thing you can do to see this in action is to start IBM i communication trace during the sign on and dump it to a PC and use Wireshark to display the data stream.  (You cannot see the data if TLS is used.)  Or you can even use a PC with Wireshark that connects to the same LAN as IBM i server to capture the data stream directly from LAN if you know how to and it is allowed.  



    ------------------------------
    Satid S
    ------------------------------

    Original Message


  • 3.  RE: IBM i authentication protocol

    Posted Wed May 29, 2024 09:47 PM
    Edited by Jorge Lee Wed May 29, 2024 09:50 PM
     
    Hello Satid,
     
    Thank you for responding, I will explain that this question comes from a security auditor, if there are authentication protocols such as Kerberos, LDAP, Password Authentication Protocol PAP, etc. on the IBM i, I have identified that we only enter with a username and password and we have configured the TLS 1.2 and 1.3, we do not have LDAP configured.



    ------------------------------

    Regards, 


    Jorge Lee
    ------------------------------

    Original Message


  • 4.  RE: IBM i authentication protocol

    Posted Thu May 30, 2024 03:28 AM

    Dear Jorge

    As far as I know, IBM i supports Kerberos, LDAP, key-based authentication protocol such as that used in Secure Shell (SSH) and also MFA (multifactor authentication).   My guess is that the security auditor asked whether any one of these is used in your IBM i server.  To demonstrate any one of these, you need to set them up. Do a Google search and you will find info on how to set each of these up. 



    ------------------------------
    Satid S
    ------------------------------

    Original Message


  • 5.  RE: IBM i authentication protocol

    IBM Champion
    Posted Fri May 31, 2024 05:51 AM
    Edited by Dominique Gayte Fri May 31, 2024 05:50 AM

    Dear Jorg,

    The most effective way is to set up SSO with AD based on Kerberos (and the IBM-specific layer called EIM).

    Dominique



    ------------------------------
    Dominique Gayte
    Président (CEO)
    gayte it
    Saint Jean la Fouillouse
    +33630170255
    ------------------------------

    Original Message


  • 6.  RE: IBM i authentication protocol

    IBM Champion
    Posted Fri May 31, 2024 10:18 AM

    There's telnet and there's secure telnet too.  One uses port 23 and the other port 992.  I can easily hack passwords when someone uses unsecured telnet using basic tools available on IBM i.  Anyone competent with a network sniffer can do the same.  I've demonstrated it at work.  I have a sql using IBM i Services which will show me the users using unsecured telnet. NETSTAT *CNN and subsetting it by port 23 is a crude alternative.



    ------------------------------
    Robert Berendt IBMChampion
    ------------------------------

    Original Message


  • 7.  RE: IBM i authentication protocol

    Posted Mon June 03, 2024 01:59 AM

    Hacked in 3 Minutes: The Realities of IBM i Security (youtube.com)



    ------------------------------
    Juergen Gleiss
    ------------------------------

    Original Message


  • 8.  RE: IBM i authentication protocol

    IBM Champion
    Posted Mon June 03, 2024 07:08 AM

    Good one.



    ------------------------------
    Robert Berendt IBMChampion
    ------------------------------

    Original Message


  • 9.  RE: IBM i authentication protocol

    Posted Tue June 04, 2024 03:56 AM
    Edited by ace ace Tue June 04, 2024 04:37 AM

    IMHO kind of click bait ;) , nothing fancy and not subverting something IBMi specific at all - it just how a fully clear text unencrypted proto works since telnet style beginnings unrelated to OSes (telnet, ftp, plain smtp...).

    And you should do it from a tap interface on a switch to hack be external or via other means. Installing wireshark locally should be a privileged operation, you can even decode a standard ciphered stream if you have the keys.

    Anyway please just use TLS 5250 (and would be preferrable other protos too, databases connections etc.) at least in new installations/deployments , ACS doesn't even complain about a self signed long term certificate so no excuses and better than nothing ;)



    ------------------------------
    --ft
    ------------------------------

    Original Message