Appendix E: Telnet Validation

Network Security allows you to reject attempts to initiate Telnet sessions based on the level at which the client's password was validated.

IBM provides three levels of password validation:

  • No validation
  • Clear text password validation
  • Encrypted password validation

The TELNETPVL command lets you configure Network Security so that, when the feature is enabled, password verification is required on Telnet. To use the validation feature, users must use the 5250E protocol, which allows the user ID to pass as part of the sign-on request.

To set up validation, enter the following command on a command line to display the Telnet Verification Levels panel:

TELNETPVL

Telnet Verification Levels

Telnet Verification Levels Fields

You can enter the following on the Telnet Verification Levels panel:

Required verification level

Specify the verification level necessary to accept a Telnet request. Possible values are:

*ALL Accept Telnet initialization requests when a client's password was not validated, or no password was received. If set to *ALL, any password verification level is allowed.
*PASSWORD Accept Telnet initialization requests when a client's clear text password was validated, or an encrypted password was validated. Any Telnet requests where a client's password was not validated, or no password was received, are rejected by Network Security. If set to *PASSWORD, the settings passed by the Telnet exit point are checked to see if the password has been validated. If it hasn't, the connection is rejected.
*ENCRYPTED Accept Telnet initialization requests when a client's encrypted password was validated. Any Telnet requests received where the password is not validated as encrypted are rejected by Network Security. If set to *ENCRYPTED, the settings passed by the Telnet exit point are checked to see if the encrypted password has been verified. If not, the connection is rejected. When you specify *ENCRYPTED, the connection must be a secured socket connection.

Log requests

Specifies if Network Security should log rejected password verification attempts. A password verification is rejected when either of the following occurs:

  • Verification level *PASSWORD is specified, but the password was not verified.
  • Verification level *ENCRYPTED is specified, but the password was verified as a clear text password, or password verification did not occur.

Possible values are:

*YES Log rejected password verification attempts.
*NO Do not log rejected password verification attempts.

Send message on failure

Specifies if Network Security is to send a message to the message queue defined in the system values when a password verification failure has occurred. Possible values are:

*NO Do not send a message when a failed password verification occurs.
*YES Send a message when a failed password verification occurs.
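
The following is an added example, not Network Security code: a small Python model of the accept/reject decision described above, useful for checking which sign-on attempts would be rejected before raising the required verification level. All names (Attempt, accepted, outcome, impact) and the sample data are hypothetical, and treating a non-secured connection as a rejection under *ENCRYPTED is an assumption based on the secured socket requirement stated above.

```python
from typing import NamedTuple

# Password validation states a Telnet request can arrive with.
NONE, CLEAR, ENCRYPTED = "none", "clear", "encrypted"

class Attempt(NamedTuple):
    user: str
    validation: str      # NONE, CLEAR or ENCRYPTED
    secure_socket: bool  # True for a secured socket connection

def accepted(level: str, a: Attempt) -> bool:
    """Return True if the request passes the required verification level."""
    if level == "*ALL":
        return True
    if level == "*PASSWORD":
        return a.validation in (CLEAR, ENCRYPTED)
    if level == "*ENCRYPTED":
        # Assumption: a connection that is not a secured socket is rejected.
        return a.validation == ENCRYPTED and a.secure_socket
    raise ValueError(f"unknown verification level: {level}")

def outcome(level, a, log_requests="*YES", send_message="*NO"):
    """Return (accepted, logged, message_sent) for one request."""
    rejected = not accepted(level, a)
    # Logging and messaging apply only to rejected verification attempts.
    return (not rejected,
            rejected and log_requests == "*YES",
            rejected and send_message == "*YES")

def impact(level, attempts):
    """Users whose requests would be rejected at the given level."""
    return [a.user for a in attempts if not accepted(level, a)]

# Constructed sample sign-on attempts (not real data).
SAMPLE = [
    Attempt("APPUSER1", ENCRYPTED, True),
    Attempt("APPUSER2", CLEAR, False),
    Attempt("APPUSER3", NONE, False),
    Attempt("APPUSER4", ENCRYPTED, False),
]

if __name__ == "__main__":
    for lvl in ("*ALL", "*PASSWORD", "*ENCRYPTED"):
        print(lvl, "rejects", impact(lvl, SAMPLE))
```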

7.15 | 201709140431