[2951] in Kerberos
Re: kerberos for MVS.
daemon@ATHENA.MIT.EDU (Robert G. Moskowitz)
Sat Jan 1 22:34:22 1994
Date: Sat, 1 Jan 94 22:17 EST
From: "Robert G. Moskowitz" <0003858921@mcimail.com>
To: Steve Bui <KHAAM@asuvm.inre.asu.edu>
To: kerberos <kerberos@MIT.EDU>
>Has anybody set up Kerberos on MVS to authenticate TSO logons or CICS
> transactions and willing to give us an overview of your system?
The current version of HAL, 2.2.1, has only Kerberos v 4 and it is totally
independent of RACF. So it would be very non-trivial to do this.
The next version changes all of this. The next version of HAL will support
a new MVS option called MVS/OPEN. Amongst other things (like new file
structures that are UNIX-like), it has Kerberos v 5 support AND new RACF calls
so that RACF is the password database behind it all.
From my conversations with IBMers, it appears that they already have
implemented the TELNET auth RFC internally as a part of their testing of
MVS/OPEN.
Now as far as the CICS transactions, are you talking about a simple TN3270
logon to CICS? Thus technically no different than TSO, or IMS, or etc. Or
are you talking about CICS sockets? CICS sockets is a MAJOR security risk!
The listener runs privileged. All transactions are passed through it. We
have discussed including a userid/password token with each transaction in an
attempt to secure CICS sockets, but in the end, we have limited the use of
it for a couple of pilots and are waiting for the next version....
Bob Moskowitz
Chrysler Corp
(313) 758-8212