Classification: Confidential Certificates provide the "functions" of MFA. The public/private keypair is unique.
In the implementations I have observed, there is a second layer of validation within the secure connection, The public/private keypair of the SERVER is also validated. Thus 2 public/private keypairs must be compromised. https://coztoolkit.com/webinars.html IBM Ported Tools for z/OS: OpenSSH - Using Key Rings IBM Ported Tools for z/OS: OpenSSH - Key Authentication Slides and recordings are available. HTH, -----Original Message----- From: IBM Mainframe Discussion List <[email protected]> On Behalf Of Colin Paice Sent: Monday, June 23, 2025 4:10 AM To: [email protected] Subject: MFA and scripting [CAUTION: This Email is from outside the Organization. Unless you trust the sender, Don’t click links or open attachments as it may be a Phishing email, which can steal your Information and compromise your Computer.] MFA is getting to be more of a requirement. How do people handle MFA when scripting from Windows and Linux? The basic rules are something you know, and something you have - which makes it hard for scripts as there is no person to type things in. We can do certificate logon which avoids a password - but what other factor can we use? If your password is encrypted ( or masked) on your laptop, then bad guys with access to your machine can steal both your password and your certificate, so this doesn't count. All I can think of is to have a hardware dongle like a Yubicon USB device plugged into the laptop. You could have networking rules - if from these IP addresses (internal to your site) then do something special - otherwise require full MFA. But I dont think we have the systems on z/OS to support this - for example z/OS TCPIP going to Liberty on z/OS. Any thoughts? Colin ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to [email protected] with the message: INFO IBM-MAIN ::DISCLAIMER:: ________________________________ The contents of this e-mail and any attachment(s) are confidential and intended for the named recipient(s) only. E-mail transmission is not guaranteed to be secure or error-free as information could be intercepted, corrupted, lost, destroyed, arrive late or incomplete, or may contain viruses in transmission. The e mail and its contents (with or without referred errors) shall therefore not attach any liability on the originator or HCL or its affiliates. Views or opinions, if any, presented in this email are solely those of the author and may not necessarily reflect the views or opinions of HCL or its affiliates. Any form of reproduction, dissemination, copying, disclosure, modification, distribution and / or publication of this message without the prior written consent of authorized representative of HCL is strictly prohibited. If you have received this email in error please delete it and notify the sender immediately. Before opening any email and/or attachments, please check them for viruses and other defects. ________________________________ ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to [email protected] with the message: INFO IBM-MAIN
