IBM Security Z Security


Passphrase conversion - block use of passwords

  • 1.  Passphrase conversion - block use of passwords

    Posted Thu August 19, 2021 04:24 PM
    We're in the middle of trying to convert folks to passphrases. An issue we have is our tech support department is able to reset passwords for users, and historically they've used TSO ALU user PASSWORD(xxxxxxxx) to reset them. Unfortunately we can't untrain that muscle memory, and they keep giving folks passwords back. Do you know of any way to disable ALU specifically for passwords? Unfortunately they're both controlled by the same IRR.PASSWORD.RESET resource in the FACILITY class, so disabling that wouldn't allow them to reset passphrases. I was hoping you might have some insight on how to only let them use the ALU user PHRASE command?

    ------------------------------
    Jim Elliott
    Senior IT Consultant, GlassHouse Systems Inc.
    ------------------------------


  • 2.  RE: Passphrase conversion - block use of passwords

    IBM Champion
    Posted Fri August 20, 2021 02:51 AM
    Edited by Rob van Hoboken Fri August 20, 2021 02:55 AM
    Hi Jim
    Blocking specific RACF command keywords is the purview of zSecure Command Verifier. There is a whole section in the Command Verifier user guide for password controls, but I'll quote just one option:

    C4R.USER.PASSWORD.owner.userid

    This policy profile controls the setting of the password by an administrator through the ADDUSER or
    ALTUSER command. Setting your own password through the PASSWORD command is controlled by the
    =RACUID profile. Some levels of RACF allow setting the password of another user through the
    PASSWORD command. This is controlled by the password quality profile for value =DFLTGRP.
    If the use of the (NO)PASSWORD keyword does not change the protected status, the current profile is
    used. If these keywords make the user protected, or remove the protected status, the
    C4R.USER.ATTR.PROTECTED profile is used instead. For more information, see "User attributes and
    access level descriptions" on page 90. The profile described here controls the authorization to manage
    passwords for normal (non-protected) users.

    No profile found
    This control is not implemented. No action is performed.

    NONE
    The terminal user is not authorized to specify the PASSWORD operand. When using the ADDUSER
    command, and depending on the level of RACF, this access level can result in users with a RACF
    default password (=DFLTGRP) or in PROTECTED users. Both can be prevented by defining adequate
    policies for password quality or the protected status.

    READ
    Same as NONE.

    UPDATE
    The terminal user is authorized to specify the PASSWORD operand on the ALTUSER command to
    reset the password for an existing user. However, if the target user currently has the PROTECTED
    attribute, the PASSWORD operand is not authorized. This access level allows for normal password
    maintenance, but prevents PROTECTED userids from becoming NON-PROTECTED.

    CONTROL
    The control is not implemented for the terminal user. The terminal user is authorized to specify the
    PASSWORD keyword, unless the target userid currently has the PROTECTED attribute.

    That means: add an XFACILIT profile C4R.USER.PASSWORD.**, give it UACC(NONE), and only permit ACCESS(CONTROL) to those few administrators who have to manage technical user IDs where 8-character passwords are architecturally required, for example those used in FTP connections.

    ------------------------------
    Rob van Hoboken
    ------------------------------
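
The set-up Rob describes, written out as a batch RACF job. This is an added example, not code from the thread or from the zSecure Command Verifier documentation. It assumes that Command Verifier is already running, that the XFACILIT class is active with generic profile checking enabled and the class RACLISTed, and it uses the placeholder names SYS1 (owner), FTPADM (the one administrator allowed to keep setting 8-character passwords on technical IDs) and HELPDESK (the tech-support group, which deliberately gets no permit at all).

```jcl
//CVPSWD   JOB (ACCT),'BLOCK PASSWORD KEYWORD',CLASS=A,MSGCLASS=X
//*
//* Added example, not from the thread. Assumptions:
//*   - zSecure Command Verifier is active
//*   - XFACILIT is active, GENERIC, and RACLISTed
//*   - SYS1, FTPADM and HELPDESK are placeholder names
//*
//* Step 1: catch-all policy profile. UACC(NONE) means every
//*         administrator, including the HELPDESK group, is refused
//*         the PASSWORD keyword on ADDUSER and ALTUSER. PHRASE is a
//*         different keyword and is not governed by this profile.
//* Step 2: the one administrator who still needs 8-character
//*         passwords for technical (e.g. FTP) user IDs gets CONTROL,
//*         which the guide says switches the control off for him.
//* Step 3: refresh the in-storage copy so the policy takes effect.
//* Step 4: verification: list the access list and UACC; HELPDESK
//*         must not appear, and UACC must read NONE.
//*
//TSO      EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
 RDEFINE XFACILIT C4R.USER.PASSWORD.** UACC(NONE) OWNER(SYS1) +
   DATA('CV POLICY: PASSWORD KEYWORD BLOCKED, USE PHRASE')
 PERMIT C4R.USER.PASSWORD.** CLASS(XFACILIT) ID(FTPADM) +
   ACCESS(CONTROL)
 SETROPTS RACLIST(XFACILIT) REFRESH
 RLIST XFACILIT C4R.USER.PASSWORD.** AUTHUSER
/*
```

After the job runs, a HELPDESK user issuing `ALU JSMITH PASSWORD(...)` should be refused by Command Verifier, while the existing IRR.PASSWORD.RESET permit in FACILITY that Jim mentions stays in place and is still what lets the help desk reset passphrases; Command Verifier sits on top of RACF's own authorization rather than replacing it. Two design points: first, because the profile name carries the target's owner and user ID (C4R.USER.PASSWORD.owner.userid), a narrower profile such as one covering only the group that owns the technical IDs would let FTPADM's CONTROL access be scoped to those IDs instead of to every user; second, the NONE description above warns that ADDUSER without PASSWORD can produce users with the default password or PROTECTED users, so the password-quality and PROTECTED-status policies referred to in the quoted guide need to be in place as well, which this job does not cover.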