Finding Password=User Profile

The password is the key to accessing the iSeries.

Protecting passwords is paramount to good security. However, all too often passwords are set to equal the name of the associated user profile.

The program detailed below identifies every user profile whose password is equal to the user profile name.



Finding Password=User Profile:

The program detailed below uses the system API Get Profile Handle (QSYGETPH) to determine whether a user profile's password is the same as the profile name. It lists every user profile with DSPOBJD, then calls QSYGETPH for each one with the profile name passed as both the user and the password parameter. If the API returns a profile handle (bytes available in the error code structure is zero) the password matched; this indicates a weak password and represents a security exposure, and the program reports it with a CPF9898 message. A handle that is obtained is released again with QSYRLSPH so that the job does not accumulate open handles. Run the program from a profile with *ALLOBJ special authority, otherwise DSPOBJD only lists the profiles the job is authorized to.

Two side effects should be noted. QSYGETPH performs the same checks as sign-on, so every profile whose password does not match registers an invalid sign-on attempt: the profile's invalid sign-on count is incremented, counts against QMAXSIGN (with the action in QMAXSGNACN taken when the limit is reached), and a PW audit journal entry is written when *AUTFAIL auditing is active. Repeated runs can therefore disable profiles whose passwords are in fact sound. It should also be noted that if a password has expired, the profile will be disabled. This is not entirely a bad thing. Finally, at password level (QPWDLVL) 2 or 3 passwords are case sensitive and may be longer than ten characters; the four-parameter form of QSYGETPH used here tests only the ten-character, upper-case form of the profile name, so a lower-case variant of the name would need the optional length-of-password and CCSID parameters to be detected.
             PGM
             /* Verify User Password  VRFUSRPWD                          */
             /* Written by Trevor Seeney, Sentinex Inc.                  */
             /* This program checks to see where the password is         */
             /* equal to the user profile name                           */

             DCL        VAR(&USRPRF) TYPE(*CHAR) LEN(10)
             DCL        VAR(&HANDLE) TYPE(*CHAR) LEN(12)
             /* Model outfile for DSPOBJD; supplies the field &ODOBNM     */
             DCLF       FILE(QSYS/QADSPOBJ)

             /* API error code structure (ERRC0100 format):               */
             /*   bytes 1-4   bytes provided (set by the caller)          */
             /*   bytes 5-8   bytes available (0 = the call succeeded)    */
             /*   bytes 9-15  exception ID, e.g. CPF22E2                  */
             /*   bytes 17+   exception data                              */
             DCL        VAR(&APIERR) TYPE(*CHAR) LEN(284)

             DCL        VAR(&MSGID) TYPE(*CHAR) LEN(7)
             DCL        VAR(&MSG) TYPE(*CHAR) LEN(256)
             DCL        VAR(&MSGDTA) TYPE(*CHAR) LEN(256)
             DCL        VAR(&MSGF) TYPE(*CHAR) LEN(10)
             DCL        VAR(&MSGL) TYPE(*CHAR) LEN(10)
             MONMSG     MSGID(CPF0000) EXEC(GOTO CMDLBL(ERROR))

             /* List every user profile on the system to a work file      */
             DSPOBJD    OBJ(QSYS/*ALL) OBJTYPE(*USRPRF) +
                          OUTPUT(*OUTFILE) OUTFILE(QTEMP/QADSPOBJ)
             OVRDBF     FILE(QADSPOBJ) TOFILE(QTEMP/QADSPOBJ)

 REREAD:     RCVF
             /* CPF0864 = end of file: every profile has been checked     */
             MONMSG     MSGID(CPF0864) EXEC(DO)
               RCVMSG     MSGTYPE(*EXCP)
               DLTOVR     FILE(QADSPOBJ)
               RETURN
             ENDDO

             /* Bytes provided = 272 (X'110') so the API reports errors   */
             /* in the structure instead of signalling an escape message  */
             CHGVAR     VAR(&APIERR) VALUE(' ')
             CHGVAR     VAR(%SST(&APIERR 1 8)) VALUE(X'0000011000000000')
             CHGVAR     VAR(&USRPRF) VALUE(&ODOBNM)

             /* Try to get a profile handle using the profile name as     */
             /* the password; a handle is returned only if they match     */
             CALL       PGM(QSYGETPH) PARM(&USRPRF &USRPRF &HANDLE &APIERR)

             /* Bytes available (bytes 5-8, 4-byte binary) = 0 means      */
             /* QSYGETPH succeeded: the password equals the profile name  */
             IF         COND(%BIN(&APIERR 5 4) = 0) THEN(DO)
               SNDPGMMSG  MSGID(CPF9898) MSGF(QCPFMSG) +
                            MSGDTA('Profile name and Password match for +
                            user: ' || &USRPRF)
               /* Release the handle so the job does not hold it open     */
               CHGVAR     VAR(&APIERR) VALUE(' ')
               CHGVAR     VAR(%SST(&APIERR 1 8)) VALUE(X'0000011000000000')
               CALL       PGM(QSYRLSPH) PARM(&HANDLE &APIERR)
             ENDDO
             GOTO       CMDLBL(REREAD)

 ERROR:      /* Forward any diagnostic messages, then re-send the escape  */
 MSGD:       RCVMSG     MSGTYPE(*DIAG) MSG(&MSG) MSGDTA(&MSGDTA) +
                          MSGID(&MSGID) MSGF(&MSGF) MSGFLIB(&MSGL)
             IF         COND(&MSGID *NE ' ') THEN(DO)
               SNDPGMMSG  MSGID(&MSGID) MSGF(&MSGL/&MSGF) +
                            MSGDTA(&MSGDTA) MSGTYPE(*DIAG)
               GOTO       CMDLBL(MSGD)
             ENDDO
 MSGE:       RCVMSG     MSGTYPE(*EXCP) MSG(&MSG) MSGDTA(&MSGDTA) +
                          MSGID(&MSGID) MSGF(&MSGF) MSGFLIB(&MSGL)
             IF         COND(&MSGID *NE ' ') THEN(SNDPGMMSG +
                          MSGID(&MSGID) MSGF(&MSGL/&MSGF) +
                          MSGDTA(&MSGDTA) MSGTYPE(*ESCAPE))
             ENDPGM
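The whole check hinges on reading the API error code structure that QSYGETPH fills in. As an added worked example, not part of the Sentinex program above, the Python below decodes that structure (ERRC0100 format: bytes provided, bytes available, 7-character exception ID, reserved byte, exception data, with the text in EBCDIC CCSID 37) and produces the same per-profile verdict the CL program does. The byte strings it feeds in are constructed here to mimic what the API returns, not captured from a system; the message IDs CPF22E2, CPF22E3 and CPF22E4 are the ones QSYGETPH reports for a wrong password, a disabled profile and an expired password. It also reproduces a shortcut test that looks only at byte 8 of the structure (the low-order byte of bytes available) and shows the one case where that disagrees with the full four-byte field.

```python
"""Decode the API error code structure (ERRC0100 format) that QSYGETPH and
QSYRLSPH fill in, and classify the outcome of a profile/password check.

ERRC0100 layout (offsets 0-based; integers are 4-byte big-endian):
  0..3   bytes provided  - set by the caller (272 in the CL program)
  4..7   bytes available - set by the API; 0 means the call succeeded
  8..14  exception ID    - 7 EBCDIC characters, e.g. CPF22E2
  15     reserved
  16..   exception data  - message replacement data, EBCDIC (CCSID 37)
"""
import struct

EBCDIC = "cp037"
HEADER = struct.Struct(">II")   # bytes provided, bytes available

# Message IDs QSYGETPH returns when no handle is created.
MEANING = {
    "CPF22E2": "password not correct",
    "CPF22E3": "user profile is disabled",
    "CPF22E4": "password has expired",
}


def decode_errc0100(buf: bytes) -> dict:
    """Parse the structure the API handed back to the caller."""
    if len(buf) < 16:
        raise ValueError("ERRC0100 needs at least 16 bytes")
    provided, available = HEADER.unpack_from(buf)
    if available == 0:
        return {"ok": True, "msgid": "", "data": ""}
    # The API returns only as much as the caller provided room for.
    data_len = max(0, min(available, provided) - 16)
    return {
        "ok": False,
        "msgid": buf[8:15].decode(EBCDIC).rstrip(),
        "data": buf[16:16 + data_len].decode(EBCDIC).rstrip(),
    }


def make_errc0100(provided: int, msgid: str = "", data: str = "") -> bytes:
    """Construct a structure as the API would fill it in (test input only;
    these bytes are built here, not captured from a system)."""
    if not msgid:
        # Success: bytes available = 0, rest of the buffer left as blanks.
        return HEADER.pack(provided, 0) + b"\x40" * (provided - 8)
    body = msgid.ljust(7).encode(EBCDIC) + b"\x00" + data.encode(EBCDIC)
    available = 8 + len(body)
    return HEADER.pack(provided, available) + body[:provided - 8]


def low_byte_only(buf: bytes) -> bool:
    """Shortcut test: look only at byte 8 (1-based) of the structure,
    i.e. the low-order byte of the 4-byte 'bytes available' field."""
    return buf[7] == 0


def classify(usrprf: str, errc: bytes) -> str:
    """One report line for a profile, given the error code QSYGETPH
    returned when called with the profile name as the password."""
    result = decode_errc0100(errc)
    if result["ok"]:
        return f"{usrprf}: password equals profile name"
    return f"{usrprf}: {MEANING.get(result['msgid'], result['msgid'])}"


def scan(results: dict) -> list:
    """Emulate the RCVF loop: one classification per profile checked."""
    return [classify(name, errc) for name, errc in results.items()]


if __name__ == "__main__":
    # Constructed sample: three profiles and the structure each call returned.
    sample = {
        "TESTUSER": make_errc0100(272),                        # handle returned
        "QUSER":    make_errc0100(272, "CPF22E2", "QUSER"),    # wrong password
        "OLDUSER":  make_errc0100(272, "CPF22E3", "OLDUSER"),  # profile disabled
    }
    for line in scan(sample):
        print(line)
    # Why the full field matters: 240 bytes of exception data make
    # bytes available = 256 = X'00000100', whose low-order byte is zero.
    tricky = make_errc0100(272, "CPF22E2", "X" * 240)
    print("low byte says success:", low_byte_only(tricky),
          "| full field says success:", decode_errc0100(tricky)["ok"])
```

Testing bytes available as a four-byte binary value (in CL, %BIN(&APIERR 5 4) = 0) is the documented success check; the exception ID in bytes 9 to 15 tells you why a given profile did not match, which is useful for separating disabled profiles and expired passwords from genuine mismatches.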




Sentinex Inc.

Telephone: (800) 822 1004
E-Mail: info@sentinex.com
Mail: Sentinex Inc. 379 Hamilton Drive
Stewartsville, NJ, 08886