[Info-vax] VMS and MFA?
Stephen Hoffman
seaohveh at hoffmanlabs.invalid
Wed Aug 19 13:55:17 EDT 2020
On 2020-08-19 07:25:29 +0000, Jan-Erik Søderholm said:
> As in many other places, our VMS systems live in a much larger non-VMS
> environment. Lately, MFA...has been introduced at this company. So
> when, like connecting to the Citrix remote environment, I get a SMS
> ("text") with a code that needs to be entered in the login sequence.
>
> Now, I have not seen any ready-made solution for this for VMS. I know
> about the LDAP based account/password synchronisation against (usually)
> Microsoft AD. But that is not MFA as such.
The closest available analog within current stock OpenVMS is ssh
certificates with a password, and that likely won't pass muster with
most local two-factor or multi-factor authentication requirements.
There are various ways to add authentication into OpenVMS.
One is a LOGINOUT callout, and there are examples of that around that
can be used.
Another is an ACME agent plug-in, though agents are rather less than
completely documented when last I checked. VSI might be worth a
discussion, there.
Or yes, a prompt within SYLOGIN, but that wouldn't be my preferred
implementation.
Process has two-factor authentication support:
http://www.process.com/products/vam/
Though workable, SMS wouldn't be my preferred choice here given SS7
shenanigans and all; it'd probably be a local physical token, or maybe
a smart card or CAC. That'd require a local token of some sort, and
there are apps for that. Process has some support for smart cards. How
you'd get the data varies by the particular clients, whether a
challenge-response or a terminal emulator with Bluetooth or USB or
other access. And there's client stuff around including
http://www.risacher.org/putty-cac/ etc. Or yes, SMS and assume the SMS
path isn't and won't be compromised.
But prompting for the token while performing an LDAP callback—that's
probably where Citrix is storing this—is certainly feasible.
There's probably another VAM-like equivalent or two around, and
two-factor or multi-factor authentication is undoubtedly worth a
discussion directly with VSI.
--
Pure Personal Opinion | HoffmanLabs LLC