Open rjmaomao opened 3 years ago
I think (and may be wrong) that the issue is that Zowe can use multiple different ways to authenticate: at the least, SAF, ZSS, and APIML. But each of those is a separate logon attempt. If you're set up to revoke an account after x bad logon attempts, a single Zowe incorrect password can result in multiple logon attempts from a security product point of view, leading to a revoked account.
When logging on to the Zowe desktop, if the user inputs an ID and a wrong password, we noticed there are 4 ICH408I messages related to this single logon. It looks like Zowe attempts to log on with the incorrect password 4 times, but I only logged on from the Zowe desktop once.
The following is the message I got from one Zowe desktop logon with a wrong password.
This would result in the ID being revoked, because in some z/OS environments only 4 or fewer CONSECUTIVE UNSUCCESSFUL PASSWORD ATTEMPTS are allowed before RACF revokes the ID.
I tested this on 1.15, 1.19, 1.20, and 1.21, all with the same result. Could you please help take a look to see if this is how Zowe was designed? I think one logon failure with one ICH408I message looks more reasonable.
Thanks!
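
One way to check exported log data for the fan-out described in this report, as an added example that is not part of the original issue or of Zowe's code: it groups invalid-password ICH408I messages per user ID and flags clusters that land within a few seconds of each other. The flattened one-line log layout, the user IDs, the timestamps and the 5-second window are constructed assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample, not the messages from the original report: each ICH408I
# violation is flattened to one line and prefixed with an ISO timestamp.
SAMPLE_LOG = """\
2021-05-10T09:15:02 ICH408I USER(TSTUSR1 ) GROUP(SYS1    ) NAME(TEST USER ONE) LOGON/JOB INITIATION - INVALID PASSWORD
2021-05-10T09:15:02 ICH408I USER(TSTUSR1 ) GROUP(SYS1    ) NAME(TEST USER ONE) LOGON/JOB INITIATION - INVALID PASSWORD
2021-05-10T09:15:03 ICH408I USER(TSTUSR1 ) GROUP(SYS1    ) NAME(TEST USER ONE) LOGON/JOB INITIATION - INVALID PASSWORD
2021-05-10T09:15:03 ICH408I USER(TSTUSR1 ) GROUP(SYS1    ) NAME(TEST USER ONE) LOGON/JOB INITIATION - INVALID PASSWORD
2021-05-10T09:40:11 ICH408I USER(TSTUSR2 ) GROUP(SYS1    ) NAME(TEST USER TWO) LOGON/JOB INITIATION - INVALID PASSWORD
2021-05-10T09:52:47 ICH408I USER(TSTUSR2 ) GROUP(SYS1    ) NAME(TEST USER TWO) LOGON/JOB INITIATION - INVALID PASSWORD
"""

LINE_RE = re.compile(r"^(\S+)\s+ICH408I\s+USER\((\w+)\s*\).*INVALID PASSWORD")

def parse(log):
    """Return sorted (timestamp, userid) pairs for invalid-password ICH408I lines."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m.group(1)), m.group(2)))
    return sorted(events)

def find_bursts(events, window_seconds=5, min_count=2):
    """Cluster each user's failures that fall within window_seconds of the
    cluster's first failure; return (userid, start, count) for large clusters."""
    by_user = {}
    for ts, user in events:
        by_user.setdefault(user, []).append(ts)
    bursts = []
    for user, times in by_user.items():
        start, count = times[0], 1
        for ts in times[1:]:
            if ts - start <= timedelta(seconds=window_seconds):
                count += 1
                continue
            if count >= min_count:
                bursts.append((user, start, count))
            start, count = ts, 1
        if count >= min_count:
            bursts.append((user, start, count))
    return bursts

if __name__ == "__main__":
    for user, start, count in find_bursts(parse(SAMPLE_LOG)):
        print(f"{user}: {count} password violations within 5s of {start}")
```

A cluster whose count equals the site's revoke threshold means one mistyped password is enough to revoke the ID; failures spaced minutes apart, like the second user in the sample, are not flagged.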