How VMS can perform multifactor authentications

Sometimes the IT kingpins at a VMS-using company sharpen their knives. The need to prune away legacy systems rises anew, so VMS administrators and managers snap to attention. Do this thing, say the kingpins, or VMS must be history.

This latest time out at Wesley Dunnahoo’s company, it’s multifactor authentication that’s the crucial item. Two-factor authentication has been available for legacy systems for decades by now. Some of the popular solutions in the 1990s used standalone pagers to verify logins. Phones serve that purpose now.

Dunnahoo’s problem sparks several solutions, appearing on the VMS Special Interest Group mailing list. “I like the idea of going with an LDAP,” Dunnahoo says. “All of our users have to at least get to the DCL menus. Programmers still need the DCL prompt. At least there’s options to look at. Several systems that will be using MobilePASS+ for the authenticator.”

An existing LDAP server can talk to the MobilePASS system. Perhaps, says John Santos at Evans, Griffiths & Hart, “the MobilePASS system itself includes an LDAP server? It could be a simple matter of enabling ACME authentication and configuring it correctly on your VMS servers. Or it could be much more complicated.”

VMS can use LDAP

Santos and his company are working on a similar issue for a customer using RSA SecurID on their corporate LDAP server. “We have worked out a partial solution. Their handful of VMS systems can use the LDAP server.”

“The standard VMS ACME LDAP agent will not work with their LDAP server, but we have got authentication to work (at least partially) with a custom LGI CALLOUT routine (See the VMS Utility Routines Manual, Chapter 15.)

“There are still some holes in it. Not security holes; missing features. The main ones are SSH doesn’t integrate with it; plus there are some solvable issues with DECnet FAL that require some competent VMS C programming. Or a lot more incompetent VMS C programming by me.”

Santos adds, “The right way to solve this is to write a custom ACME agent, but that’s a lot of work. An easier solution might be the standard VMS ACME LDAP agent being coerced into doing the right thing. Process Software (TCPware and Multinet) has done some work in this area.”

Process Software chimes in to say their product is VAM (VMS Authentication Module). It works with LDAP and RADIUS servers.

Neil Rieck adds that LDAP is still an ensconced solution. “At my employer’s company, almost all network authentication is done via Active Directory (this is all Microsoft stuff). When one of those users wants to hit our site, we have a little LDAP hook linking back to the AD server. We ask ‘Hey, is this username and password combo valid?’ If it is, then we let them in. Three fails in a row will lock out the account for 30 minutes in AD, so there is no way to do a brute force attack over the Internet.

“Long story short, LDAP is everywhere,” he says, “and I don’t hear anyone talking about replacing it.”
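The lockout rule Rieck describes (three consecutive failures, then a 30-minute lock) can be modeled as a gate in front of any credential check, which also shows how few guesses ever reach the directory. This is an added example, not code from the article or from Active Directory; `verify` is a hypothetical stand-in for the LDAP bind, and the account name and passwords are constructed.

```python
from dataclasses import dataclass, field
from typing import Callable

MAX_FAILURES = 3            # "Three fails in a row" (from the article)
LOCKOUT_SECONDS = 30 * 60   # "lock out the account for 30 minutes"


@dataclass
class LockoutGate:
    """Consecutive-failure lockout placed in front of a credential check."""
    verify: Callable[[str, str], bool]    # hypothetical stand-in for the LDAP bind
    failures: dict = field(default_factory=dict)
    locked_until: dict = field(default_factory=dict)

    def attempt(self, user: str, password: str, now: int) -> str:
        """Return 'ok', 'denied' or 'locked' for a login at time `now` (seconds)."""
        if now < self.locked_until.get(user, 0):
            return "locked"               # the verifier is never consulted while locked
        if self.verify(user, password):
            self.failures[user] = 0       # a success resets the consecutive count
            return "ok"
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.failures[user] >= MAX_FAILURES:
            self.locked_until[user] = now + LOCKOUT_SECONDS
            self.failures[user] = 0
        return "denied"


def guesses_evaluated(gate: LockoutGate, user: str, seconds: int, step: int) -> int:
    """Count wrong guesses that reach the verifier when one is sent every `step` seconds."""
    evaluated = 0
    for now in range(0, seconds, step):
        if gate.attempt(user, "wrong-guess", now) == "denied":
            evaluated += 1
    return evaluated


def sample_verify(user: str, password: str) -> bool:
    """Constructed credential store used only for this demonstration."""
    return (user, password) == ("jsmith", "correct-horse")


if __name__ == "__main__":
    day = 24 * 60 * 60
    for step in (1, 60):
        n = guesses_evaluated(LockoutGate(sample_verify), "jsmith", day, step)
        print(f"one attempt every {step}s -> {n} guesses evaluated in 24 hours")
```

Whatever rate the attempts arrive at, the policy caps the guesses evaluated against one account at 144 per day; note that a correct password is also refused while the lock is active.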
