iSeries Access bypass signon for 5250 session

Rene Perry wrote: > I'm a contractor on site at a client who instructs their desktop > support personnel how to configure 5250 sessions for their telnet > connection to their iSeries. They are instructing these folks to > click the option "bypass signon", stating concerns that if they > don't, the password in the first signon prompt (not the actual 5250 > session) will be sent unencrypted. Can anyone confirm this > information for me? Rene, According to this page, they are mostly correct: http://publib.boulder.ibm.com/infoce...stationpwd.htm "Security exposure: For 5250 emulation or any other type of interactive session, the Sign On display is the same as any other display. Although the password is not displayed on the screen when it is typed, the password is sent over the link in unencrypted form just like any other data field. For some types of links, this may provide the opportunity for a would-be intruder to monitor the link and to detect a user ID and password. Monitoring a link by using electronic equipment is often referred to as sniffing. Beginning with V4R4, you can use secure sockets layer (SSL) to encrypt communication between iSeries Access and the iSeries server. This protects your data, including passwords, from sniffing. When you choose the option to bypass the Sign On display, the PC encrypts the password before it is sent. Encryption avoids the possibility of having a password stolen by sniffing. However, you must ensure that your PC users practice operational security. An unattended PC with an active session to the iSeries system provides the opportunity for someone to start another session without knowing a user ID and password. PCs should be set up to lock when the system is inactive for an extended period, and they should require a password to resume the session." Bill