Idea Details

Passphrase only capability

Last activity 06-13-2019 09:18 AM
Dave Low's profile image
12-04-2014 11:24 AM

If a user has been given a passphrase for logon, I would like the ability to no longer allow that user to log in with a password. Currently there is no way to do this other than to administratively randomize the user's password. But that is not an elegant solution and still leaves open the possibility of logon with the 8 character password if that password has been exposed via brute force methods.

 

RACF already allows for selective restricting of password checking in favor of passphrase. (See this document: IBM RACF: The Password Phrase Only ICHRIX02 Exit). I would like Top Secret to have identical functionality.

 

Thanks!


Comments

02-25-2016 02:49 PM

Hello low.david and TSS Community - Thank you for your contribution of this enhancement idea!

 

CA is continually working to improve its software and services to best meet the needs of its customers and your input is vital to that effort. The CA Top Secret product team has reviewed your enhancement idea and decided to add it to our Wishlist to maintain this idea for consideration in a future release. The Community will continue to be able to vote on this enhancement idea which can increase the priority of it in the Team's backlog. When the product team knows it will being working on this enhancement idea, the status will be changed to "currently planned."

06-12-2015 06:43 AM

randomize the password, set it to expired and add attribut NOPWCHG. so in this case a password is completely useless i think even if password revealed by brute force etc.

i hope a stolen secfile is useless without the enryption key

12-12-2014 08:24 AM

Good suggestions. Thinking on this from a security perspective, I would also like the ability to completely remove the password from an ACID when a passphrase has been established for the user. The current method of using TSS REP(acid) PASS(NOPW) doesn't work because then it allows logon with any password given. This feature would be to satisfy a security audit finding. The scenario given to me was, suppose a security hole is exploited and a hacker is able to make a copy of the SECFILE. Although the SECFILE itself is encrypted and therefore protected, the exploiter in theory could establish a new TSS environment with the stolen SECFILE and bang away on it. 8 character passwords do not take long to discover using brute force methods. I think to satisfy the security audit, 8 character passwords must be removed once passphrase has been established.

12-11-2014 12:17 PM

How about this methodology --

 

TSS control options -

 

  • AUTHENTICATION({ANY|PASSWORD|PHRASE})
  • Specifies the default authentication methodology to be used during signon.  This will apply to all facilities unless overridden in a subsequent facility control option -
      • ANY -
        • Either a password or a password phrase can be used for authentication.  This would still be dependent upon the capabilities of the signon screen.
      • PASSWORD -
        • A password must be used for authentication.  A password phrase will be rejected.
      • PHRASE -
        • A password phrase must be used for authentication.  A password will be rejected.
  • FACILITY(facility-ID-8=AUTHENTICATION={ANY|PASSWORD|PHRASE})
    • Specifies the authentication methodology to be used during signon -
      • ANY -
        • Either a password or a password phrase can be used for authentication.  This would still be dependent upon the capabilities of the signon screen.
      • PASSWORD -
        • A password must be used for authentication.  A password phrase will be rejected.
      • PHRASE -
        • A password phrase must be used for authentication.  A password will be rejected.

 

TSS Commands -

 

  • TSS ADDTO(accessor-ID-8) -

            FACILITY(facility-ID-8[,...]) -

                AUTHENTICATION({ANY|DEFAULT|PASSWORD|PHRASE})

 

  • AUTHENTICATION -
    • Specifies the authentication methodology to be used during signon -
      • ANY -
        • Either a password or a password phrase can be used for authentication.  This would still be dependent upon the capabilities of the signon screen.
      • DEFAULT -
        • The authentication methodology would be derived from the facility setting.
      • PASSWORD -
        • A password must be used for authentication.  A password phrase will be rejected.
      • PHRASE -
        • A password phrase must be used for authentication.  A password will be rejected.

12-11-2014 11:50 AM

TSS has PSWDPHRASE(ON) control as well as an Attribute of PSWDPHR that would allow users to use PASSPHRASES either globally or individually.

 

It would be a great new capability as PART of the TSS product natively to:

 

1.  ACID with passphrase and password assigned - while accessing FTP are forced to use Passphrase.

 

TSS PER(ACID)PASSPHR(YES)FAC(TCPIP)

 

2.  Eventually when CA provides Passphrase support for their numerous products such as:  CA-IDMS, CA-ROSCOE, etc - just as IBM has provided support for FTP, TSO and CICS, then to have an global option for users with PASSPHRASES to be required to use PASSPHRASES for all authentication.

 

PASSPHRASERQ(YES)

 

CA-TSS should do this natively and not require exists to be coded and maintained.  

12-10-2014 09:03 AM

Thanks for your input. That sounds like it might work for the general case.

 

I'm hoping CA will eventually match the RACF feature. With RACF, you can specify ALTUSER userid NOPASSWORD and it removes the user's password and the ability to log in with password.

12-08-2014 04:03 PM

You should be able to use the TSS installation exit (PREINIT) to do what you are proposing.

 

If field TXAIPASS is non-zero, then the user specified a password rather than a password phrase on the logon screen.

 

You will likely need to take a look at the associated system facilities matrix entry.  For example, this check would likely be desirable on an interactive multi-user facility (i.e., TSO, CICSxxxx, etc.) but would be undesirable on other facility types (i.e., BATCH, STC, etc.).  The TXAIFACM field points to the system facilities matrix entry.

 

Since it is reasonable to expect that an accessor ID having a password phrase will have an associated password phrase interval, then you can issue a RACROUTE REQUEST=EXTRACT,TYPE=EXTRACT to retrieve the password phrase date (segment BASE, field PHRDATE).  If you are able to extract this field and if it contains a valid date, then you can conclude that a password phrase is associated with the accessor ID and reject password processing for the PREINIT event.

 

John P. Baker