[Info-vax] SSH footprint
VAXman- at SendSpamHere.ORG
Mon Oct 26 17:04:44 EDT 2009
In article <mn.d4c17d9a41b701ab.104627 at brutele.be>, Marc Van Dyck <marc.vandyck at brutele.be> writes:
>We are running a banking environment where high-level traceability
>is required. For OpenVMS systems, audit is the key to that. It is
>mostly ok, but we have discovered a serious flaw: when a user logs
>into an OpenVMS system using SSH (as we are all required to do, since
>telnet is considered unsecure), the corresponding audit entry says that
>the user SSH did a remote login, instead of displaying the real user.
>
>We want to correct that by writing a small program that will be called
>early in the sylogin.com of the system and create an audit entry (there
>is a system call to do that) with the name of the real user. Not
>difficult.
>
>The problem is to decide whether or not to run the program. It is
>useless to do it when telnet is used to enter the system, since in
>this case a proper audit record has already been created by OpenVMS
>itself. It is only when SSH is used to come in that the program must
>run. But how can I detect, with some DCL code, that the SSH protocol
>has been used rather than another one? Any idea?
>
>Thanks in advance,

SSH under TCPIP Services I presume?

Look in the JOB logical table. If the terminal is a pseudo-terminal
and the JOB table logicals look like:

  "SYS$REM_ID" = "SSH_13579BDF"
  "SYS$REM_NODE" = "remotehostname.remotedomainname.tld::"
  "SYS$REM_NODE_FULLNAME" = "remotehostname.remotedomainname.tld::"

I would say you might just have an SSH login.
--
VAXman- A Bored Certified VMS Kernel Mode Hacker VAXman(at)TMESIS(dot)ORG
http://www.quirkfactory.com/popart/asskey/eqn2.png
"Well my son, life is like a beanstalk, isn't it?"
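
The check suggested in the reply above, written out as DCL for SYLOGIN.COM. This is an added example, not code from the original post; it assumes SSH sessions are given FTAn: pseudo-terminals, and SYS$MANAGER:SSH_AUDIT.EXE is a hypothetical name for the site's audit-writing program.

```dcl
$! Added example: decide early in SYLOGIN.COM whether this login came in
$! over SSH, and only then run the site's audit-writing program.
$! Assumptions (not from the original post): pseudo-terminals are named
$! FTAn:, and SYS$MANAGER:SSH_AUDIT.EXE is a hypothetical image name.
$!
$! Only interactive logins are of interest.
$ IF F$MODE() .NES. "INTERACTIVE" THEN GOTO NOT_SSH
$!
$! Condition 1: the terminal is a pseudo-terminal.
$ term = F$GETDVI("SYS$COMMAND", "DEVNAM")
$ IF F$LOCATE("FTA", term) .EQ. F$LENGTH(term) THEN GOTO NOT_SSH
$!
$! Condition 2: SYS$REM_ID in the JOB table starts with "SSH_".
$! F$TRNLNM returns "" when the logical is undefined, so a local or
$! non-network login falls through to NOT_SSH here.
$ rem_id = F$TRNLNM("SYS$REM_ID", "LNM$JOB")
$ IF F$EXTRACT(0, 4, rem_id) .NES. "SSH_" THEN GOTO NOT_SSH
$!
$! Both conditions hold: treat the session as an SSH login.
$! Strip the trailing "::" from the remote node for readability.
$ rem_node = F$TRNLNM("SYS$REM_NODE", "LNM$JOB") - "::"
$ WRITE SYS$OUTPUT "SSH login detected from ''rem_node' on ''term'"
$ RUN SYS$MANAGER:SSH_AUDIT.EXE    ! hypothetical audit program
$!
$NOT_SSH:
$! Telnet and other logins already have a proper audit record.
```

Running this before any user-controlled command procedure means the JOB table values are the ones set up at login rather than ones redefined later in the session.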