Question about DB2LOGINRESTRICTIONS registry parameter in DB2 V9.5 (LUW)

Arvind Saigal

Dear Experts,

My requirement is to disable local and remote login of a user with
non-expiring password on the AIX server. (command: chuser login=false
rlogin=false <USERID>). I still need this userid to remotely connect to
database server. The DB2 authentication parameter is set to SERVER_ENCRYPT
on both DB2 client and database server.

How safe is usage of DB2LOGINRESTRICTIONS with value set to *NONE* on
database server (DB2 V9.5) hosted on AIX box? With this registry parameter
set to NONE, does DB2 continue to authenticate the user? Or is the
authentication process bypassed entirely?

The description of this parameter on IBM knowledge centre does not clarify
if DB2 bypasses the authentication upon setting the value of this parameter
as NONE.

The other solution I could think of was to change the DB2 authentication
type to CLIENT on both DB2 client and server along with setting
TRUST_ALLCLNTS to NO & parameter TRUST_CLNAUTH to CLIENT. This will ensure
that the authentication takes place at the client and no authentication
will be performed at the server.

I'm not sure which approach to take. Can you please help?

Kindly clarify my doubts about DB2LOGINRESTRICTIONS and advise which approach
would work better.

Thanks,
Arvind

Nadir Doctor

(in response to Arvind Saigal)
Hi Arvind,

I believe you should be good as long as the userid hasn't got locked out
due to multiple wrong password attempts or been revoked - OS authentication
will still work fine.

You may want to consider upgrading to 10.5 as the 9.5 release is no longer
active in support and 9.7 is being withdrawn soon.


Best Regards,
Nadir




Ian Bjorhovde

(in response to Arvind Saigal)
Arvind,

I can't speak to using DB2LOGINRESTRICTIONS, but because this is AIX-only
you may be better off having your UNIX system administrator simply set the
user's login shell to /bin/false. This solution will work on any UNIX or
Linux platform and will prevent the user from being able to log directly in
to the server.

I would advise you against using AUTHENTICATION=CLIENT, even with the other
related settings as you mention. This provides almost no security, as
anyone who is on your network and who has the ability to create a local
account on the client machine could simply create a user with any user name
and authenticate as any user in your database.



Ian Bjorhovde
IBM Gold Consultant
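
Added example, not part of the original thread and not written by any of its participants: a shell check that reads captured `db2 get dbm cfg` and `db2set -all` output, reports the DB2LOGINRESTRICTIONS, TRUST_ALLCLNTS and TRUST_CLNAUTH values, and fails when AUTHENTICATION is CLIENT, the setting advised against above. The sample text and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: reports the DB2 settings discussed in this thread from captured
# command output. On a server the text would come from `db2 get dbm cfg` and
# `db2set -all`; the samples below are constructed, not from a real system.

SAMPLE_DBM_CFG=' Database manager authentication        (AUTHENTICATION) = CLIENT
 Trust all clients                      (TRUST_ALLCLNTS) = NO
 Trusted client authentication           (TRUST_CLNAUTH) = CLIENT'

SAMPLE_DB2SET='[i] DB2COMM=TCPIP
[i] DB2LOGINRESTRICTIONS=NONE'

# dbm_param NAME: print the value from a "(NAME) = value" line read on stdin.
dbm_param() {
    awk -v key="($1) = " 'index($0, key) { sub(/.*= */, ""); sub(/[ \t\r]+$/, ""); print; exit }'
}

# registry_var NAME: print NAME's value from `db2set -all` style lines on stdin.
registry_var() {
    awk -v name="$1" '{
        line = $0; sub(/^\[[a-z]+\] */, "", line)   # drop the "[i] " scope tag
        n = index(line, "=")
        if (n && substr(line, 1, n - 1) == name) { print substr(line, n + 1); exit }
    }'
}

# audit_db2_auth DBM_CFG_TEXT DB2SET_TEXT: print findings; return 1 when the
# server is configured to accept client-side authentication.
audit_db2_auth() {
    auth=$(printf '%s\n' "$1" | dbm_param AUTHENTICATION)
    trust_all=$(printf '%s\n' "$1" | dbm_param TRUST_ALLCLNTS)
    trust_cln=$(printf '%s\n' "$1" | dbm_param TRUST_CLNAUTH)
    restrict=$(printf '%s\n' "$2" | registry_var DB2LOGINRESTRICTIONS)
    rc=0
    echo "INFO: DB2LOGINRESTRICTIONS=${restrict:-<not set>}"
    echo "INFO: TRUST_ALLCLNTS=${trust_all:-<unknown>} TRUST_CLNAUTH=${trust_cln:-<unknown>}"
    case "$auth" in
        CLIENT) echo "FAIL: AUTHENTICATION=CLIENT (authentication delegated to the client)"; rc=1 ;;
        SERVER|SERVER_ENCRYPT) echo "OK: AUTHENTICATION=$auth (credentials checked at the server)" ;;
        *) echo "REVIEW: AUTHENTICATION=${auth:-<unknown>}" ;;
    esac
    return $rc
}

audit_db2_auth "$SAMPLE_DBM_CFG" "$SAMPLE_DB2SET" || echo "=> review required"
```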



