The VMS Authentication Module (VAM) provides users of OpenVMS systems controlled access to both user-written applications and the OpenVMS system overall using RADIUS. It can be incorporated into an OpenVMS-based platform in three ways:
· Via an API that the user incorporates into a specific application to control access to that application. The VAM API is described in detail in Chapter 7, “Using the VAM API”.
· On a system-wide basis via use of the LGI callouts for OpenVMS LOGINOUT.EXE.
· On a system-wide basis via the use of a VAM agent for the OpenVMS ACME system on OpenVMS V8.3 and higher. See Chapter 6, “Using VAM with ACME” for details on configuring your system to use VAM with ACME.
SSH logins are not affected by the VAM LGI callouts.
The system console (OPA0:) is never required to use the RADIUS LGI Callout interface, to prevent being locked out of the system in the event of a network failure that prevents the VMS system from talking with the RADIUS server system(s).
Note: This chapter assumes the user is familiar with RADIUS in general and with the specifics of the user’s RADIUS server installation. Due to the breadth and depth of how a RADIUS server may be configured, this chapter will not attempt to present a tutorial on those topics.
The following sections describe the post-installation setup required to enable the various forms of authentication.
VAM uses configuration keywords, set in the VAM:VAM_CONFIG.DAT file, to determine the location of the RADIUS server, the filter to be used for lookups, etc. In this way, it presents the maximum flexibility for integration into the user’s existing RADIUS environment. The VAM RADIUS support must be configured for all three modes of operation (callable module, LGI callout and ACME).
VAM may be incorporated into the OpenVMS login mechanism to control access to the entire system. VAM provides an OpenVMS shareable image, which the system manager can incorporate, using supported OpenVMS mechanisms, into the OpenVMS LOGINOUT mechanism. This image uses the RADIUS protocol to supplement the standard OpenVMS login processing and provides the necessary user authentication to access the system as part of the login process.
The following example shows a login to a system. It assumes the configuration keyword RADIUS_PW_PROMPT has been set to “RADIUS Password: ”:
$ SET HOST BOSTON1
Welcome to OpenVMS (TM) IA64 Operating System, Version V8.4
Username: johndoe
RADIUS Password: ********
Welcome to OpenVMS IA64 V8.4
Last interactive login on Monday, 13-AUG-2022 12:04:50.21
Last non-interactive login on Friday, 2-DEC-2021 07:33:34.74
You have 1 new Mail message.
BOSTON1_$
The system manager configures the system to use the LGI callouts. This may be done in two ways:
· Define the configuration keyword REQUIRE_RADIUS. If set, all users are required to use RADIUS authentication.
· Add the rights identifier VAM_LGI_RADIUS to the system rights database. This identifier may then be granted to those users who will be required to use RADIUS authentication.
Access to RADIUS via VAM requires setting several configuration options in the configuration file VAM:VAM_CONFIG.DAT. This section describes those keywords and their usage.
ALLOW_DECNET_LOGIN
If set to a non-zero value, DECnet CTERM (RTAnn:) devices are required to log in using RADIUS.
ALLOW_DECTERM_LOGIN
If set to a non-zero value, DECterm (FTAnn:) devices are required to log in using RADIUS.
RADIUS_KEY
This keyword defines the key to use when transacting with the RADIUS server. This is case-sensitive, and must be absolutely identical to the corresponding key on the RADIUS server. For example:
radius_key TopSecretKey
RADIUS_NOPASSWORD_SYNC
If set to 1, this will prevent VAM from updating the user's password and password change data in the VMS UAF file after a successful RADIUS login. By default, VAM synchronizes this information in the UAF file to ensure that RADIUS and VMS passwords are kept in sync.
This keyword defines the port on the RADIUS server system to use. It will default to 1812 if not specified.
RADIUS_PW_PROMPT
This keyword defines the prompt to use when prompting for the RADIUS password, if the default of "Password: " isn't desired.
RADIUS_SERVER
This is the fully-qualified domain name of the RADIUS server to be used. For example:
radius_server radius.example.org
Defines a server called radius.example.org
RADIUS_TIMEOUT
This configuration item sets the maximum length of time a RADIUS transaction will be allowed to take. The value is in seconds. If not specified, the default is 5 seconds.
RADIUS_COMMON_USERNAME
Defines the common username for a “many-to-one” mapping of RADIUS usernames to a single VMS username. This is applicable to LGI callout sessions only.
The following is an excerpt from a VAM:VAM_CONFIG.DAT file that illustrates a sample VAM RADIUS configuration.
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
! RADIUS Configuration Keywords
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!
! If the next keyword is set to 1, then all users will be required
! to use RADIUS authentication when using the LGI$ callouts.
! This will override the checks for the LGI_RADIUS
! rights identifier to determine who is required to use RADIUS.
!
REQUIRE_RADIUS 1
!
! The next keyword defines the RADIUS server to use.
!
RADIUS_SERVER radius.example.com
!
! The next keyword defines the key to use when transacting with
! the RADIUS server. This is case-sensitive, and must be
! absolutely identical to the corresponding key on the RADIUS
! server.
!
RADIUS_KEY topsecret
!
! The next keyword, if set to 1, will prevent VAM from updating the
! user's password and password change data in the VMS UAF file after a
! successful RADIUS login.
!!
RADIUS_NOPASSWORD_SYNC 0
! The next keyword defines the prompt to use when prompting for the
! RADIUS password, if the default of "Password: " isn't desired.
!
RADIUS_PW_PROMPT "RADIUS Password: "
!
! Set the max time limit (in seconds) for RADIUS responses. Defaults
! to 5 seconds if not defined.
!
RADIUS_TIMEOUT 10
!!
! The next keyword is used to define the VMS username to which
! RADIUS usernames will map upon successful authentication,
! providing a "many-to-one" external username to VMS username
! mapping.
!
!RADIUS_COMMON_USERNAME johndoe
Using a common username with RADIUS allows the mapping of some or all RADIUS usernames to a single VMS username when using the LGI callouts.
The purpose of this feature is to have a common application on a VMS system where, for example, 1000 users would all use it, but it's not important to identify the users uniquely. Those 1000 users could each have a RADIUS sign on, but it's neither practical nor necessary to have a dedicated VMS user account for each of them. Hence, the "many-to-one" mapping.
To use a common username:
· The common username must have VAM_LGI_RADIUS as a rights identifier, or the configuration keyword REQUIRE_RADIUS needs to be set to 1.
· The configuration keyword RADIUS_COMMON_USERNAME must be set.
If any of the RADIUS accounts have a VMS UAF record, that record is ignored.
Note that the configuration above would cause all RADIUS usernames to use the common username. If there are accounts where you don't want this behavior, you must grant the VAM_LGI_RADIUS_UNIQUE_USERNAME rights identifier to each account that you don't want to use the common username. Consequently, each of those accounts must have a valid VMS UAF record.
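The following is an added illustration, not VAM's own code: it parses a constructed VAM:VAM_CONFIG.DAT excerpt in the keyword/value form shown above (keywords case-insensitive, "!" comment lines, quoted values with spaces) and then applies the LGI callout rules from this chapter, i.e. when a user must authenticate via RADIUS, and which VMS username a RADIUS login lands in when RADIUS_COMMON_USERNAME and the VAM_LGI_RADIUS_UNIQUE_USERNAME identifier are involved. The treatment of a bare keyword with no value and the exact parsing done by VAM itself are assumptions.

```python
"""Toy model of the VAM RADIUS keyword file and LGI callout username mapping."""
import shlex

# Constructed excerpt, modelled on the sample configuration in the text.
SAMPLE_CONFIG = """\
! RADIUS Configuration Keywords
REQUIRE_RADIUS 1
RADIUS_SERVER radius.example.com
radius_key topsecret
RADIUS_NOPASSWORD_SYNC 0
RADIUS_PW_PROMPT "RADIUS Password: "
RADIUS_TIMEOUT 10
!RADIUS_COMMON_USERNAME johndoe
"""

# Defaults the chapter states for keywords that are left out.
DEFAULTS = {"RADIUS_TIMEOUT": "5", "RADIUS_PW_PROMPT": "Password: "}


def parse_config(text):
    """Return {KEYWORD: value}; '!' lines are comments, so a commented-out
    keyword such as '!RADIUS_COMMON_USERNAME johndoe' is not applied."""
    cfg = dict(DEFAULTS)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        parts = shlex.split(line)          # keeps "RADIUS Password: " intact
        cfg[parts[0].upper()] = parts[1] if len(parts) > 1 else ""
    return cfg


def radius_required(cfg, identifiers):
    """REQUIRE_RADIUS (set to anything but 0) forces every user to RADIUS;
    otherwise only holders of the VAM_LGI_RADIUS rights identifier are."""
    if "REQUIRE_RADIUS" in cfg and cfg["REQUIRE_RADIUS"].strip() != "0":
        return True
    return "VAM_LGI_RADIUS" in identifiers


def vms_username_for(cfg, radius_user, identifiers, uaf_users):
    """Many-to-one mapping: with RADIUS_COMMON_USERNAME set, a RADIUS user
    lands in the common account (its own UAF record, if any, is ignored)
    unless it holds VAM_LGI_RADIUS_UNIQUE_USERNAME, which then requires
    a valid UAF record of its own."""
    common = cfg.get("RADIUS_COMMON_USERNAME")
    if common and "VAM_LGI_RADIUS_UNIQUE_USERNAME" not in identifiers:
        return common
    if radius_user.upper() not in uaf_users:
        raise LookupError(f"no UAF record for {radius_user}")
    return radius_user.upper()
```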