As part of an audit, auditors want NOQLOGON specified for the ACF2 GSO TSO record, but when NOQLOGON is specified the user has to put their password in twice: once for the session manager and once for TSO. How can this be avoided? Why does the ACF2 documentation suggest that password integrity can be jeopardized by QLOGON?
QLOGON|NOQLOGON
QLOGON allows users to enter their password at the logonid prompt in logonid/password format. The password is then displayed in plain text and can be seen by anyone who happens to pass by. If the user is prompted for the password instead, the password appears as blanks as the user types, mitigating the risk of someone seeing the password as it's being typed.
Your session manager may have settings that allow for it to respond to a prompt instead of sending the logonid and password all on one line. TPX, as an example, allows you to write an ACL script to sign on to TSO.
Getting around the issue in ACF2 would require a user exit to be written. The site-coded exit would need to precede the code in module ACF82LD1, which is the normal TSO Logon Pre-Prompt exit. This additional code would be linked together with the available module ACF82LD1 and would be the entry CSECT to that module. The System Programmers Guide describes this in the section Authorized Logon Preprompt Exit (USREFLD1).
This exit would need code that scans the input buffer for a "/", which would indicate a single-line logon. Then you would need to determine whether the request comes from your Session Manager. If yes, let it pass and pass control to the standard code in ACF82LD1. If not, return control to the caller.