Re: Password expiration message?

From: wfarrell@xxxxxxxxxxxx (Walt Farrell)
Date: 13 Sep 2006 15:38:41 -0700

On 9/13/2006 4:49 PM, Charles Mills wrote:

My problem is I have responsibility for batch FTP processes at customer
sites. The FTP server userid is specifically non-TSO-enabled. How do they
know it is about to expire? How do they change it? I don't have a good (as
in good human/business process, not as in working technology) answer.

You run IRRDBU00 to get a flat-file of the RACF database, then generate a report of IDs with passwords about to expire, and for the ones that you care about you issue ALTUSER whatever-id PASSWORD(newpw) NOEXPIRED
and then you change the batch processes to use the new password.

Or, you make those IDs have non-expiring passwords, and change them at your convenience, rather than every normal interval of time.

Or you authenticate differently, possibly with Kerberos, if that makes things simpler (I don't know that it does, not having full details of your environment).

Or you use something like SFTP (provided on z/OS by OpenSSH) and its public/private key support to avoid password expiration.

Or you use web-based technology, with a browser at one end, and a server at the other, with authentication done via digital certificates.

Or you use something based on PassTickets, if the host is a z/OS system.

Walt Farrell, CISSP
z/OS Security Design, IBM

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to listserv@xxxxxxxxxxx with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html
.

References:
- Re: Password expiration message?
  - From: gilmap
- RE: Password expiration message?
  - From: Charles Mills

Prev by Date: Re: Non-SMP/e packaging
Next by Date: Re: Non-SMP/e packaging
Previous by thread: RE: Password expiration message?
Next by thread: Re: Password expiration message?
Index(es):
- Date
- Thread

Relevant Pages

Re: How To Enabling a Password Policy
... > passwords is on the system configuration side not the ... limited testing running this on a Win2K Pro workstation to force admins ... to change their passwords over X days old (set on PDC). ... ::Avoid admins whose accounts are set never to expire. ...
(microsoft.public.win2000.security)
Re: Group Policys and Passwords
... Either you have two separate domains or you are implementing it at a local ... There is only one pw policy per domain.... ... it's not a great idea to have all passwords expire the same day. ...
(microsoft.public.windows.server.general)
Re: Password expirey
... Passwords expire based on the pwdlastset time being older than the current date minus the domain password policy. ... So yes, if you get all of the passwords expired and set in time, when you turn on the policy, no one will expire until their password age hits the date. ...
(microsoft.public.windows.server.active_directory)
Re: All users passwords in the domain expired without Notice
... until the next time that passwords are about to expire. ... the same in Local Security Policy of all domain computers. ... I would also verify that the Local Security Policy of all your ...
(microsoft.public.windowsxp.security_admin)
Re: Password Complexity
... customers and their desires to have RACF support mixed-case passwords as other systems do. ... The z/OS R8 implementation of password phrases, however, derives from one of the NSA-generated Common Criteria Protection Profiles for operating systems, as well as customer requirements for longer passwords. ... For IBM-MAIN subscribe / signoff / archive access instructions, ... send email to listserv@xxxxxxxxxxx with the message: GET IBM-MAIN INFO ...
(bit.listserv.ibm-main)