Volume 7, Number 21 -- June 6, 2007

Admin Alert: Weird i5 User Profile Sign-On Secrets

Published: June 6, 2007

by Joe Hertvik

i5/OS can be a little quirky when it comes to user profiles. There are little-known facets to System i profile management (some call them loopholes) that allow users to perform system sign-on tricks that are technically not allowed by the operating system. This week, I'll focus on a few i5 quirks you may not have known about and how they can affect your user sign-ons.

Quirk #1: You can't create a System i user profile name that starts with a number, but you can sign on with a user name that begins with a number. On many other platforms, administrators can create user IDs that begin with a digit rather than a letter. i5/OS prohibits a user profile name that starts with a digit, but there is a workaround. If you want to synchronize your i5 user profiles with IDs on other systems that start with a number, you can configure i5 users to sign on with a name that begins with a digit.

It's easy to configure a user profile for numeric sign-on. The process starts by creating a user profile that has the following format:

Qnxxxxxxxx

Where Q is the letter 'Q', n is any digit from 0 to 9, and xxxxxxxx is any string of up to eight characters consisting of letters, digits, or the special characters @, #, $, or _ (user profile names are limited to 10 characters in total). Using this naming convention, any of the following would be valid i5/OS user profile names.

Q1TEST#
Q12345
Q1_2_3_4_5

Either by quirk or by design, a user profile named according to the Qnxxxxxxxx format can sign on to an i5/OS system under two different names:

  • The actual Qnxxxxxxxx profile name that was created for the user.
  • The name with its leading Q dropped, that is, characters 2 through 10 of the profile name (the nxxxxxxxx part).

For our sample user profiles, this means that a user could sign on to an i5 system by using any of the following user profile names.

Q1TEST# or 1TEST#
Q12345 or 12345
Q1_2_3_4_5 or 1_2_3_4_5

When the user signs on, the job is always created and runs under the Qnxxxxxxxx profile name, but i5/OS also accepts the shortened nxxxxxxxx name at the sign-on display. The user can therefore believe they are signing on with a profile that starts with a number, even though the system is actually using a profile that starts with the letter 'Q'. This is a handy trick when you want your users to sign on to different systems with a consistent user ID that starts with a number. Keep the Q in mind when you audit, though: job logs, the security audit journal and WRKACTJOB all show the Qnxxxxxxxx name, not the numeric alias the user typed, so correlate against the Q form when you match i5 activity to IDs on other systems.

Quirk #2: i5/OS user passwords can and cannot start with a number. Earlier this year, I was perplexed to learn that several of my users had managed to create new passwords that started with numbers, which is not allowed in i5/OS when the Password level system value (QPWDLVL) is '0' or '1'. QPWDLVL's default value is '0'. At these levels every password must begin with an alphabetic character from A to Z, and that rule is enforced under most circumstances when a password is changed. So how can users sign on with a password that starts with a number?

The answer is that the same naming rule that applies to user profile names also applies to password values on level '0' and '1' systems. If a user enters a new password that starts with a number (say '12345'), the system actually saves it in the Qnxxxxxxxx format explained in the previous section, so the '12345' password is stored as 'Q12345'. In effect the system has handed the user an alternate password that starts with a number, and either form can be used to sign on.

However, it's difficult to believe that users are consciously changing their passwords to the Qnxxxxxxxx format so that they can sign on with a numeric password. So how do alternate passwords get entered into the system when the system is supposedly monitoring for passwords that start with a number? I found the answer in the Personal Communications (PC5250) program provided with iSeries Access for Windows.

Testing with the PC5250 program that comes with iSeries Access for Windows V5R3M0, I found that PC5250 will let the user specify a new numeric password in the following situations:

  • If the user profile password has expired. This happens when the Password expiration interval (PWDEXPITV) for the user profile has passed, or when the Set password to expired (PWDEXP) parameter of the profile is *YES, and
  • The user uses PC5250's Change iSeries Password function to change the password.

In these scenarios, PC5250 will allow the user to enter a numeric password for their user profile. Once entered, the password will be saved in the Qnxxxxxxxx format, which triggers the alternate password scenario. So by using PC5250, it's relatively easy for users to specify an alternate numeric password for their user profile.

The real danger with this quirk is that the system opens the door to trivial, easily guessed all-numeric passwords (phone numbers, dates, social security numbers) that grant system access. To close the loophole, set the Limit adjacent digits in password system value (QPWDLMTAJC) to '1' (not allowed). When QPWDLMTAJC is on, two digits may not appear next to each other anywhere in a password, so while a user can still start a password with a digit, an all-numeric string such as a phone number or a birth date can no longer be set. Pair it with a sensible minimum length (QPWDMINLEN) for best effect. Note that the leading-digit rule, and therefore this quirk, apply only at QPWDLVL '0' and '1'; at password levels '2' and '3' passwords are case-sensitive passphrases of up to 128 characters and may legitimately begin with a digit.

To display and change QPWDLMTAJC on the green screen, use the following Work with System Value command (WRKSYSVAL).

WRKSYSVAL SYSVAL(QPWDLMTAJC)

From this command, you can either select option 2 (Change) or option 5 (Display) for this value. To change this value in iSeries Navigator (OpsNav), double-click on the Password Policies entry under the Security --> Policies node of your partition. Inside the Password Policy Properties panel that appears, check the Restrict Consecutive Digits check box under the Validation tab.

Regardless of whether you change this system value on the green screen or in OpsNav, the change takes effect immediately for all new passwords. It does not revalidate passwords that already exist, so anyone who has already set a numeric password keeps it until the next change. Nothing in the profile tells you which users did this, so the only sure remedy is to force a change, for example with CHGUSRPRF USRPRF(name) PWDEXP(*YES) for the profiles you suspect.
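To make the mechanism behind quirks #1 and #2 concrete, here is a short Python model of the Q-prefix rule. It is added for this article and is not IBM code, nor something you run on the i5 itself: it normalizes a typed name or password the way a QPWDLVL '0' or '1' system does, enumerates the sign-on aliases a Qnxxxxxxxx profile accepts, runs the password checks in the order that lets an all-numeric password through, and shows how QPWDLMTAJC closes that gap. The profile list is constructed sample data, and treating the prefixed value as the one subject to the 10-character limit is an assumption.

```python
import re

# Legal characters and length for QPWDLVL 0/1 passwords and for profile names:
# A-Z, 0-9, $, #, @ and _, one to ten characters.
LEGAL = re.compile(r'^[A-Z0-9$#@_]{1,10}$')


def normalize(value):
    """Model of the Q-prefix rule: at QPWDLVL 0 and 1 a name or password that
    begins with a digit is stored and compared as 'Q' followed by the value."""
    value = value.upper()
    return 'Q' + value if value[:1].isdigit() else value


def signon_matches(entered, profile):
    """True when ENTERED is accepted for PROFILE at the sign-on display."""
    return normalize(entered) == profile.upper()


def signon_aliases(profile):
    """All names that sign on to PROFILE: the name itself and, for a Qn... name,
    the digit-leading form with the Q dropped."""
    profile = profile.upper()
    aliases = {profile}
    if len(profile) >= 2 and profile[0] == 'Q' and profile[1].isdigit():
        aliases.add(profile[1:])
    return aliases


def validate_password(candidate, qpwdlmtajc=0):
    """Return (accepted, stored_value_or_reason) the way a QPWDLVL 0/1 system
    behaves. The 'must begin with a letter' rule is checked against the value
    after the Q prefix has been applied, so an all-numeric password passes it.
    qpwdlmtajc=1 models the Limit adjacent digits system value (QPWDLMTAJC).
    Assumption: the prefixed value is what the 10-character limit applies to."""
    stored = normalize(candidate)
    if not LEGAL.fullmatch(stored):
        return False, 'illegal character or length'
    if stored[0].isdigit():
        # Unreachable after normalize(); kept to show which check the prefix defeats.
        return False, 'must begin with a letter'
    if qpwdlmtajc and re.search(r'[0-9][0-9]', stored):
        return False, 'adjacent digits not allowed (QPWDLMTAJC=1)'
    return True, stored


# Constructed sample, a stand-in for the names you would pull with
# DSPUSRPRF USRPRF(*ALL) TYPE(*BASIC) OUTPUT(*OUTFILE). Not real data.
SAMPLE_PROFILES = ['QSECOFR', 'Q1TEST#', 'Q12345', 'Q1_2_3_4_5', 'JHERTVIK', 'QPGMR']


def numeric_alias_report(profiles):
    """Map each profile that accepts a digit-leading alias to that alias."""
    report = {}
    for name in profiles:
        extra = signon_aliases(name) - {name.upper()}
        if extra:
            report[name.upper()] = extra.pop()
    return report


if __name__ == '__main__':
    print(numeric_alias_report(SAMPLE_PROFILES))
    for pwd, limit in [('12345', 0), ('12345', 1), ('1A2B3C', 1)]:
        print(pwd, 'QPWDLMTAJC=%d' % limit, validate_password(pwd, limit))
```

The report half is the useful audit: feed it the real profile names from the DSPUSRPRF outfile and you get the list of profiles that quietly answer to a second, numeric sign-on name. The password half shows why QPWDLMTAJC is the right fix: the normalization step runs before the leading-letter test, so only a rule that looks at the digits themselves can catch an all-numeric value.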

Quirk #3: User profiles can legitimately contain special characters, but be careful which characters you use when working in multi-language environments. Besides the letters A through Z and the numbers 0 through 9, you can also use the @, #, $, and _ characters in your user profile names. However, IBM cautions against using special characters in a user profile name for two specific reasons:

  1. To avoid problems with keyboard mapping for workstations.
  2. To avoid interpretation problems on systems with multiple national language versions of the i5/OS operating system.

The key point here is that three of these special characters are stored by the operating system as the EBCDIC code points x'5B', x'7B', and x'7C'. In CCSID 37 (U.S. English), those code points display as '$', '#', and '@'. The problem shows up when a different national language version maps the same code points to different characters in its own CCSID. In the iSeries Globalization: Set Up OS/400 with an NLV redbook, for example, IBM notes that the Spanish CCSID interprets x'7B' (the '#' of CCSID 37) as Ñ, which could cause problems if that character appears in a user profile name in a multi-language environment. Letters, digits and the underscore occupy the same code points in every EBCDIC code page, so names built only from those are safe.

So while you can use special characters in user profile names, it may prove impractical to do so in everyday situations.
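Here is an added Python check (not from the article or from IBM) that does the same code point arithmetic for a list of profile names: it reports which names contain the $, #, @ variant characters and, using the EBCDIC code pages Python ships (cp037 for CCSID 37, plus cp500, cp273 and cp1140), shows which names no longer read as typed when the same bytes are interpreted under another page. Python does not ship the Spanish code page 284, so the Ñ case from the redbook is not reproduced directly; the names in the sample list are constructed.

```python
# Code points the three variant characters occupy in CCSID 37 (x'5B', x'7B', x'7C').
VARIANT_CCSID37 = {'$': 0x5B, '#': 0x7B, '@': 0x7C}

# Other EBCDIC code pages Python ships, used to stand in for other NLVs.
OTHER_EBCDIC = ('cp500', 'cp273', 'cp1140')


def ebcdic_codepoints(name, codec='cp037'):
    """Code points NAME occupies in an EBCDIC codec (Python's cp037 is CCSID 37)."""
    return list(name.upper().encode(codec))


def variant_chars(name):
    """Characters of NAME whose glyph depends on the national language version."""
    return [c for c in name.upper() if c in VARIANT_CCSID37]


def multilingual_safe(name):
    """The article's rule: a profile name is safe for a mixed-NLV shop only when
    it contains none of $ # @."""
    return not variant_chars(name)


def render_in(name, codec):
    """How a name created on a CCSID 37 system displays when its bytes are read
    under another EBCDIC codec. Letters, digits and '_' are invariant across
    EBCDIC pages, so only the $ # @ positions can change (x'7C', for instance,
    is not '@' in the German code page 273)."""
    return name.upper().encode('cp037').decode(codec)


def unstable_codecs(name, codecs=OTHER_EBCDIC):
    """Codecs under which NAME no longer reads as it was typed."""
    return sorted(c for c in codecs if render_in(name, c) != name.upper())


# Constructed sample names; not real profiles.
SAMPLE_NAMES = ['Q1TEST#', 'Q12345', 'JOE@CORP', 'PAY$ROLL', 'Q1_2_3_4_5']

if __name__ == '__main__':
    for n in SAMPLE_NAMES:
        print(n, ['%02X' % b for b in ebcdic_codepoints(n)],
              'variant:', variant_chars(n), 'unstable under:', unstable_codecs(n))
```

Run against your own profile list, the variant_chars column is the one to act on: a name that is empty there displays identically on every NLV, while any name carrying $, # or @ is a candidate for renaming before the system is shared with a differently configured partition.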

About Our Testing Environment

All configurations described in this article were tested on an i5 550 box running i5/OS V5R3. Most of the commands used here are also available in earlier versions of the i5/OS and OS/400 operating systems, so the configurations should be usable in prior releases. However, you may notice some variations in pre-V5R3 copies of these commands. These differences may be due to command improvements that have occurred from release to release.


RELATED STORIES

Resurrecting the QSECOFR Profile in OS/400

iSeries Globalization: Set Up OS/400 with an NLV, IBM




Copyright © 1996-2008 Guild Companies, Inc. All Rights Reserved.