[Info-vax] VMS and MFA?
geze...@rlgsc.com
gezelter at rlgsc.com
Wed Aug 19 07:16:04 EDT 2020
On Wednesday, August 19, 2020 at 5:20:31 AM UTC-4, Phillip Helbig (undress to reply) wrote:
> In article <rhik59$9mi$1... at dont-email.me>,
> Jan-Erik Söderholm <jan-erik.... at telia.com>
> writes:
> > As in many other places, our VMS systems live in a much larger
> > non-VMS environment. Lately, MFA (Multi Factor Authentication)
> > https://en.wikipedia.org/wiki/Multi-factor_authentication has
> > been introduced at this company. So when, like connecting to
> > the Citrix remote environment, I get an SMS ("text") with a code
> > that needs to be entered in the login sequence.
> >
> > Now, I have not seen any ready-made solution for this for VMS.
> > I know about the LDAP based account/password synchronisation
> > against (usually) Microsoft AD. But that is not MFA as such.
> Probably most VMS systems affected by this have some sort of MFA in
> order to get to a session (perhaps recorded) where one can get to VMS
> via ssh or whatever.
>
> It shouldn't be too difficult to roll your own. Many mobile-phone
> providers have the possibility to convert emails to SMS. If your VMS
> system can send email, then you could compute some random number in
> SYS$SYLOGIN, send it as an SMS, and then READ/PROMPT="_code: " and then
> exit if nothing correct is entered (quickly enough).
Jan-Erik,
In essence, I concur with Phillip.
Rolling your own MFA would not be complicated, but one does need some precautions.
The way to do this is to insert a non-optional step into the login path. This means modifying a system-managed part of the login sequence (e.g., SYS$MANAGER:SYLOGIN.COM). One must force the initial state of the process to CONTROL-Y and CONTROL-C disabled, to avoid the user bypassing the MFA.
Generate the code, as Phillip notes, email it to the user, and use READ/PROMPT to close the loop. The JOB logical name table is a good place to temporarily store the generated code; delete the logical name before exiting, since after a successful error it is useless. Whether one allows retries of entry is a different question; I would want to think about that.
An unsuccessful reply executes a LOGOUT. A successful reply enables CONTROL-Y and CONTROL-C (if needed, obviously not for captive accounts), and continues the LOGIN sequence.
Several of my OpenVMS Consultant columns (on WWW.RLGSC.COM) address customizing the login process.
- Bob Gezelter, http://www.rlgsc.com
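The login-path steps Phillip and Bob describe, put together as one DCL fragment for SYS$MANAGER:SYLOGIN.COM. This is an added example, not code from either of them or from the Info-vax thread. The foreign command MFA_RANDOM (a site program that draws six digits from a cryptographic random source and defines the job logical MFA_CODE), the MFA_DEST_<username> system logicals that map a user to an e-mail-to-SMS address, and the message text are all assumptions. Beyond what the thread spells out, it bounds the prompt with /TIME_OUT and a retry count, and it fails closed (SET NOON plus an explicit LOGOUT on every failure path) so that a DCL error inside SYLOGIN cannot skip the step.

```dcl
$!  MFA step for SYS$MANAGER:SYLOGIN.COM -- added example, not from the thread.
$!  Site-specific pieces are marked ASSUMED.
$ SET NOON                                ! fail closed: a DCL error must not exit
$                                         ! SYLOGIN early and leave the session open
$ SET NOCONTROL=(Y,C)                     ! first thing: no Ctrl-Y/Ctrl-C bypass
$ IF F$MODE() .NES. "INTERACTIVE" THEN GOTO done  ! batch/network: nothing to prompt
$ user = F$EDIT(F$GETJPI("","USERNAME"),"TRIM")
$ pid  = F$GETJPI("","PID")
$!
$!  ASSUMED: per-user destination (e.g. the carrier's e-mail-to-SMS address)
$!  held in system logicals MFA_DEST_<username>.  No mapping: no login.
$ dest = F$TRNLNM("MFA_DEST_''user'","LNM$SYSTEM_TABLE")
$ IF dest .EQS. "" THEN GOTO fail
$!
$!  ASSUMED: MFA_RANDOM is a foreign command for a small site program that
$!  draws 6 digits from a cryptographic random source and defines the job
$!  logical MFA_CODE.  Do not derive the code from F$TIME or the PID; both
$!  are predictable to anyone who can see the system clock or SHOW SYSTEM.
$ MFA_RANDOM
$ code = F$TRNLNM("MFA_CODE","LNM$JOB")
$ IF F$LENGTH(code) .NE. 6 THEN GOTO fail
$!
$!  Send the code out of band.  The temporary file is deleted right after
$!  MAIL has read it so the code does not linger on disk.
$ tmp = "SYS$SCRATCH:MFA_''pid'.TMP"
$ OPEN/WRITE msg 'tmp'
$ WRITE msg "OpenVMS login code for ''user': ''code'"
$ CLOSE msg
$ MAIL/SUBJECT="OpenVMS login code" 'tmp' "SMTP%""''dest'"""
$ DELETE/NOCONFIRM 'tmp';*
$!
$!  Close the loop: at most 3 attempts, 60 seconds each; a timeout or
$!  end-of-file on the terminal counts as a failed attempt.
$ tries = 0
$ again:
$ tries = tries + 1
$ IF tries .GT. 3 THEN GOTO fail
$ READ/PROMPT="_code: "/TIME_OUT=60/ERROR=fail/END_OF_FILE=fail SYS$COMMAND reply
$ IF F$EDIT(reply,"TRIM,COMPRESS") .EQS. code THEN GOTO ok
$ WRITE SYS$OUTPUT "Incorrect code."
$ GOTO again
$!
$ ok:
$ DEASSIGN/JOB MFA_CODE                   ! single use: the code is now worthless
$ SET CONTROL=(Y,C)                       ! restore for ordinary users; leave this
$                                         ! line out of the path used by captive accounts
$ GOTO done
$!
$ fail:
$ IF F$TRNLNM("MFA_CODE","LNM$JOB") .NES. "" THEN DEASSIGN/JOB MFA_CODE
$ WRITE SYS$OUTPUT "Verification failed."
$ LOGOUT                                  ! ends the process; nothing below runs
$!
$ done:
```

The symbol `code` lives only at this procedure level and disappears when SYLOGIN exits, so the job logical is the one copy that has to be explicitly removed on both the success and the failure path, as Bob suggests. SET NOON matters more than it looks: with error handling enabled, any failing command (an unreachable mail gateway, a missing scratch directory) would terminate SYLOGIN with the user already past the password check and the MFA step never reached.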