With all the user accounts disabled, how do you login?

  • With all the user accounts disabled, how do you login?

    We just got a new AS/400 in and have been experimenting with it. During the process, we disabled our two test user accounts, our test security officer account, and the main QSECOFR account. Do we have to reinstall everything from scratch? Or is there a way to IPL or something so we can enable the accounts?

  • #2

    Warren, How did you disable your QSECOFR user? I did not know you could do that, and I've been working with /400 security for many years. Are you sure it's disabled or have you limited the locations that QSECOFR can sign on to and are outside that range? Later, Bret

    • #3

      Well... someone didn't know the password (me) and after three attempts the account has been auto-disabled. I can not sign on to the DSP01 with QSECOFR, it just says "Account has been disabled"

      • #4

        Warren, You have to do a "manual" IPL and come up under DST (Dedicated Service Tools). There is an option to reset the QSECOFR password. I've never done it, but I think this is where it happens.

        • #5

          Warren, You're going to have to use the Dedicated Service Tools (DST) to log on to your AS/400 and reset the QSECOFR password. To start DST, you need to use the AS/400's Control Panel to IPL the system in manual IPL mode. When the first screen appears on the system console, select option 3 to start the DST. When prompted for the DST password, type in QSECOFR. Next, select option 5 to work with the DST Environment. Take option 9 to change the DST passwords. Take option 4 to reset all default passwords (this works for all the shipped "Q" user ids such as QSECOFR, QPGMR, etc.). The QSECOFR password will be reset to QSECOFR. And Bret, QSECOFR can be disabled just like any other AS/400 User Profile. HTH

          • #6

            Warren, Go to http://as400service.ibm.com/supporth...ument/10000051 to see how to reset your QSECOFR password by IPLing to manual mode and starting DST. Alex Garrison

            • #7

              Warren - If you can remember the QSECOFR password, QSECOFR can always sign on from the console (the device referenced by sysval QCONSOLE) - even if the usrprf is disabled. From OS/400 Security Reference V4R4 - "You can always sign on with the QSECOFR (security officer) profile at the console, even if the status of QSECOFR is *DISABLED. If the QSECOFR user profile becomes disabled, sign on as QSECOFR at the console and type CHGUSRPRF QSECOFR STATUS(*ENABLED)." HTH, Steve

              • #8

                Whoops, should have mentioned to search for IBM doc 4231240.

                • #9

                  Steve, Yes! Yes! This is what I meant to say in my obscure posting. While it is possible to *DISABLE the QSECOFR profile, it can still sign on to a device defined as the CONSOLE. Thanks for clearing that up, Bret

                  • #10

                    Gentlemen! Your statements may have been correct several years ago, but they do not apply anymore. At least, from version 4.3, if QSECOFR is disabled, it cannot enable itself from the console. I know because I encountered the situation described by Warren more than once. In one instance, the console was the only terminal available, and it was varied off! The trick is to force a manual IPL first (using options from the control panel). During a manual IPL, the console is always varied on, and QSECOFR is always 'enabled'. So the only problem now is finding out the password for QSECOFR. By the way, the method using DST works if you do not know the QSECOFR password... and if the default DST password had not been changed. Makes me wonder... just how many of us do know about the need to change the default DST passwords?

                    • #11

                      Ricardo - If "the console . . . was varied off" I wouldn't expect to be able to sign-on whether I knew the QSECOFR password or not! If you will re-read my post, I quoted from the V4R4 Security reference manual so I'm not sure why you had a problem at V4R3. Think about the reason behind allowing QSECOFR to sign-on at the console even if the usrprf is disabled - suppose someone maliciously attempts to sign-on to your system multiple times, intentionally using the wrong QSECOFR password. This (obviously) disables the QSECOFR usrprf. Do you want to have to go into DST every time this happens? I think not! Allowing QSECOFR to sign-on at the console even when disabled is a method to prevent this from occurring. FWIW, Steve

                      • #12

                        Hopefully, you were able to sign on using QSECOFR and enable some other USRPRF with SECADM authority, sign on with that USRPRF and then ENABLE QSECOFR. Otherwise, ?????

                        • #13

                          Steve, I made some tests and inquiries. You are right! I revisited the client AS/400 where I could not sign-on at the console as a disabled QSECOFR. I discovered (via DSPSYSVAL QCONSOLE) that the console name is CONSOLE (and not the default DSP01)! They are using a dual-session workstation as a console. One of the session-ids is DSP01 while the other is CONSOLE. I happened to be working in the non-console session of DSP01. My apologies.

                          • #14

                            Chris, No big deal. This only happens with newly delivered/installed boxes. At this point only IBM or their remarketer could have accessed the machine. It is a simple matter to contact their offices and ask who among them changed the QSECOFR password. If I can't wait, I just do a manual IPL and use DST to reset the QSECOFR password. For other machines, I maintain a separate user-id for doing security-related tasks. Additionally, I keep a list of all the changed DST passwords.

                            • #15

                              Hacker note: Be aware that a smart hacker could really mess things up for you. Suppose someone wanted a listing of all of your user profiles on the system. If they had access to a command line, they could list all of the *msgq objects. Each user profile usually has a respective message queue. Now a simple batch process can hit your target system with every user profile and a fake password. If you have the system value set to disable the profile after so many password attempts... BOOM... everyone is disabled! Now, you say the console can still be used by QSECOFR, yes if it hasn't been varied off by the hacker. Then your only recovery would be to IPL. For this reason, I have a few users that don't have an accessible message queue. (Don't go out there and restrict everyone's message queues from the public. You will have undesirable results!!!) As for the console, only certain people have authority to even see it. Thought everyone might enjoy knowing this info.

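The lockout sweep described in post #15 has a recognizable shape in sign-on failure data: one source, many distinct profiles, each tried up to the limit, which is different from post #3's single user mistyping one password. The Python below is an added example, not part of the thread, that flags the first pattern and ignores the second; the record layout, source names, thresholds and the limit of 3 are assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample records "timestamp source profile result"; this layout is
# an assumption for the example, not a real OS/400 log or journal format.
TARGETS = ["QSECOFR", "QPGMR", "APPUSER1", "APPUSER2"]
SAMPLE = [f"2000-03-01T02:00:{i:02d} REMOTE01 {p} FAIL"
          for i, p in enumerate(TARGETS * 3)]          # sweep: 4 profiles x 3 tries
SAMPLE += ["2000-03-01T09:00:01 DSP02 APPUSER1 FAIL",   # one user, forgotten password
           "2000-03-01T09:00:20 DSP02 APPUSER1 FAIL",
           "2000-03-01T09:00:41 DSP02 APPUSER1 FAIL",
           "2000-03-01T09:30:00 DSP02 APPUSER2 OK"]

def parse(lines):
    """Yield (time, source, profile) for failed sign-ons; skip everything else."""
    for line in lines:
        parts = line.split()
        if len(parts) == 4 and parts[3] == "FAIL":
            yield datetime.fromisoformat(parts[0]), parts[1], parts[2].upper()

def find_lockout_sweeps(lines, max_sign=3, min_profiles=4,
                        window=timedelta(minutes=5)):
    """Flag sources whose failures span many distinct profiles in one window.

    max_sign stands in for the configured failed-attempt limit (hypothetical
    value 3); min_profiles and window are tuning assumptions.
    """
    by_source = defaultdict(list)
    for ts, source, profile in parse(lines):
        by_source[source].append((ts, profile))
    findings = []
    for source, events in sorted(by_source.items()):
        events.sort()
        start, best = 0, Counter()
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1                      # slide the window forward
            counts = Counter(p for _, p in events[start:end + 1])
            # Prefer the window with the most profiles, then the most attempts.
            if (len(counts), sum(counts.values())) > (len(best), sum(best.values())):
                best = counts
        if len(best) >= min_profiles:
            at_limit = sorted(p for p, n in best.items() if n >= max_sign)
            findings.append({"source": source, "profiles": sorted(best),
                             "at_limit": at_limit,
                             "qsecofr_at_limit": "QSECOFR" in at_limit})
    return findings

if __name__ == "__main__":
    for finding in find_lockout_sweeps(SAMPLE):
        print(finding)
```

A finding with `qsecofr_at_limit` set is the case the thread is about: recovery then depends on console access or DST, so it deserves an immediate alert rather than a daily report.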