[Info-vax] VMS and MFA?

Jan-Erik Söderholm jan-erik.soderholm at telia.com
Wed Aug 19 11:44:18 EDT 2020


Den 2020-08-19 kl. 15:40, skrev Arne Vajhøj:
> On 8/19/2020 5:20 AM, Phillip Helbig (undress to reply) wrote:
>> In article <rhik59$9mi$1 at dont-email.me>,
>> Jan-Erik Söderholm <jan-erik.soderholm at telia.com>
>> writes:
>>> As in many other places, our VMS systems live in a much larger
>>> non-VMS environment. Lately, MFA (Multi Factor Authentication)
>>> https://en.wikipedia.org/wiki/Multi-factor_authentication has
>>> been introduced at this company. So when, like connecting to
>>> the Citrix remote environment, I get an SMS ("text") with a code
>>> that needs to be entered in the login sequence.
>>>
>>> Now, I have not seen any ready-made solution for this for VMS.
>>> I know about the LDAP based account/password synchronisation
>>> against (usually) Microsoft AD. But that is not MFA as such.
>>
>> Probably most VMS systems affected by this have some sort of MFA in
>> order to get to a session (perhaps recorded) where one can get to VMS
>> via ssh or whatever.
> 
> Indeed.
> 
> I would expect a typical setup to be:
> 1) connect to corporate network
> 2) tunnel into production environment
> 3) login to VMS
> 
> #1 and #2 seem much more obvious candidates for 2FA than #3.
> For security reasons!
> 
>> It shouldn't be too difficult to roll your own.  Many mobile-phone
>> providers have the possibility to convert emails to SMS.  If your VMS
>> system can send email, then you could compute some random number in
>> SYS$SYLOGIN, send it as an SMS, and then READ/PROMPT="_code: " and then
>> exit if nothing correct is entered (quickly enough).
> 
> You need to:
> * send email
> * do timeout
> * log bad attempts
> * block or delay access if too many bad attempts
> * enable user to resend number
> * manage user to phone mapping preferably self service
> * have process for disable general and for specific user
> etc.etc.
> 
> If anything COTS exists then I would go for that.
> 
> Arne
> 

Thanks all. Yes, there are several "layers" before anyone reaches the VMS
"Username:" prompt. I first log in to the Citrix Remote Desktop, and that
is through an MFA (6-digit code in SMS/text message). From there it is
a PuTTY session against the VMS system "as usual".

We had a discussion, and many of our "users" are generic and named
after the workplace. There can be 10 different operators working there
and using a group login VMS account setup for each "process terminal".

So, the decision was that MFA is not suitable for us.

We'll begin with removing all the stale accounts from people that
have retired or left the company. And giving those that are still
using the accounts from the retired people a new account...

Interesting question, anyway...

Jan-Erik.
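As an added illustration (not code from this thread, and not VMS DCL): the checking logic a home-grown SYS$SYLOGIN scheme of the kind Phillip sketches would need, covering the points in Arne's list. Unguessable code, timeout, logging of bad entries, refusal after too many, resend, a user-to-phone mapping, and global and per-user disable switches. The phone book, the SMS sender callback and the constants are constructed stand-ins.

```python
import logging
import secrets

CODE_DIGITS = 6
CODE_TTL_S = 120        # seconds a code stays valid (constructed value)
MAX_ATTEMPTS = 3        # bad entries before the login is refused
MFA_ENABLED = True      # global switch ("disable general")
DISABLED_USERS = set()  # per-user exemption ("disable ... specific user")
log = logging.getLogger("otp")


class OtpChallenge:
    """State for one login's SMS one-time code: issue, resend, verify, lock."""

    def __init__(self, user, phone, send_sms, now):
        self.user, self.phone, self.send_sms, self.now = user, phone, send_sms, now
        self.attempts, self.locked, self.code = 0, False, None
        self.resend()

    def resend(self):
        if self.locked:
            return False
        # Use a CSPRNG, not a clock- or PID-derived value: the code must be unguessable.
        self.code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self.expires = self.now() + CODE_TTL_S
        self.send_sms(self.phone, self.code)
        return True

    def verify(self, entered):
        if self.locked or self.code is None:
            return False
        if self.now() > self.expires:
            log.warning("user=%s code expired (timeout)", self.user)
            self.locked = True
            return False
        if secrets.compare_digest(entered.encode(), self.code.encode()):
            self.code = None          # single use: a replayed code is rejected
            return True
        self.attempts += 1
        log.warning("user=%s bad code %d/%d", self.user, self.attempts, MAX_ATTEMPTS)
        if self.attempts >= MAX_ATTEMPTS:
            self.locked = True        # block after too many bad attempts
            log.error("user=%s refused after %d bad codes", self.user, self.attempts)
        return False


def start_challenge(user, phone_book, send_sms, now):
    """Return a challenge, or None when MFA does not apply to this user."""
    if not MFA_ENABLED or user in DISABLED_USERS:
        return None
    phone = phone_book.get(user)  # user-to-phone mapping maintained elsewhere
    if phone is None:
        log.error("user=%s has no phone on file; refusing login", user)
        raise PermissionError("no phone registered for MFA")
    return OtpChallenge(user, phone, send_sms, now)
```

In a real SYLOGIN wrapper the `now` and `send_sms` arguments would be the system clock and the mail-to-SMS gateway; here they are injected so the timeout and lockout paths can be exercised offline.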