[Info-vax] VMS and MFA?
Stephen Hoffman
seaohveh at hoffmanlabs.invalid
Sat Aug 22 13:22:37 EDT 2020
On 2020-08-21 23:00:26 +0000, Dave Froble said:
> Unless you have come up with a method to defeat the VMS captive
> account, then no, it has not happened. The logging of activity would
> have shown something. Never has. It is monitored.
>
> Do note, the menu utility was never intended as a security tool, just a
> method of putting users where they needed to be, and keep them there.
Development trade-offs with home-grown: This requires implementing
local mapping, including storage and data management and related
baggage. Those storage and retrieval primitives are already available
with the identifier-related system services, though those primitives
will probably then be wrapped. DCL RMS file handling and particularly
DCL data handling is limited, and RMS itself has some weaknesses,
particularly around changing data requirements, but then I'm in a
polite mood. Writing commands to wrap that is feasible, but now we're
staring at more code, part of which will replicate what the OpenVMS
identifier storage and retrieval APIs² already provide.
Security trade-offs with home-grown: If there is a hole discovered
somewhere in the app logic, or if there's a hole discovered in DCL or
elsewhere in OpenVMS², using security identifiers makes the
exploitation of the vulnerability that much more difficult, as the
menus can operate with few or no privileges enabled, and with access to
resources moderated by the same identifiers used to control the menu
displays.
Advantages of home-grown: complete control of what happens, how it
happens, and when. That's also arguably a liability, when fixes or
enhancements become required.
¹LDAP storage would be preferable to local, but we use what we have.
Identity management servers (RADIUS or otherwise) are something not
usually seen with OpenVMS, though those can and variously are what is
used for multi-factor authentication.
²INQUIRE was and remains useful for exploring DCL command procedures,
though CAPTIVE (thankfully) blocks access to that DCL command. Whether
other app-specific or local commands or even potentially OpenVMS system
commands might have holes?
--
Pure Personal Opinion | HoffmanLabs LLC
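An added illustration of the identifier-driven design the message argues for, not code from the original post or from any HoffmanLabs product: a captive-account menu in DCL whose items, and whose actions, are gated by rights identifiers rather than by a home-grown mapping file. The identifier names MENU_REPORTS and MENU_ADMIN, the logical APP_DIR and the procedures it holds are constructed for the example. It assumes the identifiers were created and granted with AUTHORIZE by an administrator, that the launched procedures carry a matching ACL, and that the F$GETJPI RIGHTSLIST item returns the process's identifier names as one comma-separated string, which is how I read the DCL dictionary.

```dcl
$! Constructed example: captive menu gated by rights identifiers.
$! Assumed setup done beforehand by an administrator, e.g.
$!   $ RUN SYS$SYSTEM:AUTHORIZE
$!   UAF> ADD/IDENTIFIER MENU_REPORTS
$!   UAF> GRANT/IDENTIFIER MENU_REPORTS <username>
$! and an ACL on the target so the file, not only the menu, is protected:
$!   $ SET SECURITY/ACL=(IDENTIFIER=MENU_REPORTS,ACCESS=READ+EXECUTE) -
$!       APP_DIR:REPORT.COM
$!
$ SET NOCONTROL=Y                 ! belt and braces alongside the CAPTIVE flag
$ ON WARNING THEN GOTO MENU       ! a failed item returns to the menu, never to DCL
$!
$! Rights list as one comma-separated string (assumption, see lead-in).
$! Wrapping it in commas keeps a substring test from matching a longer
$! identifier name by accident.
$ RIGHTS = "," + F$GETJPI("", "RIGHTSLIST") + ","
$ HAS_REPORTS = F$LOCATE(",MENU_REPORTS,", RIGHTS) .NE. F$LENGTH(RIGHTS)
$ HAS_ADMIN   = F$LOCATE(",MENU_ADMIN,",   RIGHTS) .NE. F$LENGTH(RIGHTS)
$!
$MENU:
$ WRITE SYS$OUTPUT ""
$ WRITE SYS$OUTPUT "  1  Show date and time"
$ IF HAS_REPORTS THEN WRITE SYS$OUTPUT "  2  Run daily report"
$ IF HAS_ADMIN   THEN WRITE SYS$OUTPUT "  3  Administration"
$ WRITE SYS$OUTPUT "  X  Log out"
$ READ/PROMPT="Choice: "/END_OF_FILE=LOGOUT SYS$COMMAND CHOICE
$ CHOICE = F$EDIT(CHOICE, "TRIM,UPCASE")
$ IF CHOICE .EQS. "1" THEN GOTO SHOW_DATE
$! Re-check the identifier at the point of use, not only when drawing
$! the menu: the displayed list is convenience, the check is the control.
$ IF CHOICE .EQS. "2" .AND. HAS_REPORTS THEN GOTO RUN_REPORT
$ IF CHOICE .EQS. "3" .AND. HAS_ADMIN   THEN GOTO RUN_ADMIN
$ IF CHOICE .EQS. "X" THEN GOTO LOGOUT
$ WRITE SYS$OUTPUT "Invalid choice"
$ GOTO MENU
$!
$SHOW_DATE:
$ SHOW TIME
$ GOTO MENU
$RUN_REPORT:
$! The ACL on REPORT.COM refuses the open for a process lacking
$! MENU_REPORTS even if this menu logic were ever bypassed.
$ @APP_DIR:REPORT.COM
$ GOTO MENU
$RUN_ADMIN:
$ @APP_DIR:ADMIN.COM
$ GOTO MENU
$LOGOUT:
$ LOGOUT
```

The design point is the second half of the message: the menu runs with no privileges enabled, and the same identifiers that decide which lines are displayed also sit in the ACLs on the procedures and data, so a hole in the menu logic still leaves the user facing the object's own protection rather than the menu's.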