Security Patrol: Security Questions & Answers


Q: I would like to bypass the sign-on screen when I use Display Station Pass-Through. On the Start Pass-Through (STRPASTHR) command, I specify the RMTUSER and RMTPWD keywords and specify the needed sign-on information. Rather than bypassing the sign-on screen, I get a sign-on screen for the remote system. Am I missing something?

A: Your STRPASTHR command is correct. However, one change must be made at the remote system to allow you to bypass the sign-on screen. The system value QRMTSIGN defaults to *FRCSIGN, requiring that all pass-through users sign on. Change this system value to either *SAMEPRF or *VERIFY to eliminate the sign-on screen.

The *SAMEPRF option requires that you sign on the remote system with the same user profile as your local system. *VERIFY allows you to have different user profiles on the local (source) system and the remote (target) system. *SAMEPRF is the most secure option.
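
An added example, not from the original column: a CL program to run on the remote (target) system that retrieves QRMTSIGN and reports which of the values discussed above is in effect. The program name CHKRMTSIGN and the message wording are assumptions.

```cl
/* Added example, not part of the original column.                   */
/* CHKRMTSIGN is a hypothetical program name.                        */
CHKRMTSIGN: PGM
            DCL        VAR(&RMTSIGN) TYPE(*CHAR) LEN(20)
            DCL        VAR(&MSG) TYPE(*CHAR) LEN(132)

            /* QRMTSIGN is returned as a 20-character value          */
            RTVSYSVAL  SYSVAL(QRMTSIGN) RTNVAR(&RMTSIGN)

            /* Default text for any value not discussed in the column */
            CHGVAR     VAR(&MSG) VALUE('QRMTSIGN is' *BCAT &RMTSIGN +
                         *TCAT ': not a value covered here, review it.')

            /* Default: every pass-through user sees the sign-on screen */
            IF         COND(&RMTSIGN *EQ '*FRCSIGN') THEN(CHGVAR +
                         VAR(&MSG) VALUE('QRMTSIGN is *FRCSIGN: all +
                         pass-through users must sign on.'))

            /* Bypass allowed only for the same profile on both systems */
            IF         COND(&RMTSIGN *EQ '*SAMEPRF') THEN(CHGVAR +
                         VAR(&MSG) VALUE('QRMTSIGN is *SAMEPRF: sign-on +
                         bypassed for the same user profile only.'))

            /* Bypass allowed even when the two profiles differ       */
            IF         COND(&RMTSIGN *EQ '*VERIFY') THEN(CHGVAR +
                         VAR(&MSG) VALUE('QRMTSIGN is *VERIFY: sign-on +
                         bypassed, source and target profiles may differ.'))

            SNDPGMMSG  MSG(&MSG)

            /* To allow the bypass with the stricter of the two       */
            /* options, change the value on the target system:        */
            /*   CHGSYSVAL SYSVAL(QRMTSIGN) VALUE('*SAMEPRF')         */
            ENDPGM
```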

Q: What is the difference between the End Pass-Through (ENDPASTHR) and SIGNOFF commands?

A: The SIGNOFF command terminates an interactive session. If you have passed through to another system and use the SIGNOFF command, the pass-through session remains active. The ENDPASTHR command performs the function of the SIGNOFF command and also terminates the pass-through session. You can use the ENDPASTHR command only when you use Display Station Pass-Through. Suppose you have executed the STRPASTHR command from your system in New York to initiate a pass-through session to a remote system in Chicago. If you issue an ENDPASTHR command, the session in Chicago will be signed off and you will return to the New York system. If you issue a SIGNOFF command, you receive the sign-on screen for the Chicago system.

Do not walk away from your workstation after entering the SIGNOFF command if you have pass-through active! The session in New York is still active and your workstation is not secure. You must use an ENDPASTHR command to return to the New York system and sign off the New York system before you leave your workstation unattended.

Security Tip: It is difficult for me, let alone end users, to remember when to use the ENDPASTHR command. I naturally use the SIGNOFF command to end a session. The program in Figure 1 contains the command processing program I use for my version of the SIGNOFF command. I put it in library MYSYS, which appears before QSYS on my library list. When you issue this version of the SIGNOFF command, it terminates a pass-through session.

Editor's Note: Beginning with V2R3, the SIGNOFF command provides a new End Connection (ENDCNN) parameter which eliminates the need to create the program described above. Simply specify a value of *YES in the ENDCNN parameter when you sign off and you will return to the system from which you started pass-through. If you specify *NO in the ENDCNN parameter, the SIGNOFF command will act as it did prior to V2R3: you'll be presented with a sign-on screen for the target system.



Figure 1 CPP for SIGNOFF Command

 /*==================================================================*/
 /* To compile:                                                      */
 /*                                                                  */
 /* (XXX should be a library before QSYS in your library list)       */
 /*                                                                  */
 /* 1. CRTCLPGM PGM(XXX/SIGNOFF) SRCFILE(XXX/QCLSRC)                 */
 /*                                                                  */
 /* 2. CRTDUPOBJ OBJ(SIGNOFF) FROMLIB(QSYS) OBJTYPE(*CMD) +          */
 /*      TOLIB(XXX)                                                  */
 /*                                                                  */
 /* 3. CHGCMD CMD(XXX/SIGNOFF) PGM(XXX/SIGNOFF)                      */
 /*                                                                  */
 /*==================================================================*/
 SIGNOFF:    PGM        PARM(&LOG &DROP)
             DCL        VAR(&LOG) TYPE(*CHAR) LEN(7)
             DCL        VAR(&DROP) TYPE(*CHAR) LEN(5)
             /* Try to end the pass-through session first            */
             QSYS/ENDPASTHR LOG(&LOG)
             /* ENDPASTHR failed with CPF8914: run the system SIGNOFF */
             MONMSG     MSGID(CPF8914) EXEC(QSYS/SIGNOFF LOG(&LOG) +
                          DROP(&DROP))
 ENDPGM:     ENDPGM