[Info-vax] SSH footprint

Wilm Boerhout w6.boerhout at planet.nl
Mon Oct 26 16:05:01 EDT 2009


Dale Dellutri mentioned  on 26-10-2009 21:00:
> On Mon, 26 Oct 2009 20:17:00 +0100, Marc Van Dyck <marc.vandyck at brutele.be> wrote:
>> We are running a banking environment where high-level traceability
>> is required. For OpenVMS systems, audit is the key to that. It is
>> mostly ok, but we have discovered a serious flaw : when a user logs
>> into an OpenVMS system using SSH (as we are all required to do, since
>> telnet is considered unsecure), the corresponding audit entry says that
>> the user SSH did a remote login, instead of displaying the real user.
> 
>> We want to correct that by writing a small program that will be called
>> early in the sylogin.com of the system and create an audit entry (there
>> is a system call to do that) with the name of the real user. Not
>> difficult.
> 
>> The problem is to decide whether or not to run the program. It is
>> useless to do it when telnet is used to enter the system, since in
>> this case a proper audit record has already been created by OpenVMS
>> itself. It is only when SSH is used to come in that the program must
>> run. But how can I detect, with some DCL code, that the SSH protocol
>> has been used rather than another one ? Any idea ?
> 
> See the following:
>   http://labs.hoffmanlabs.com/node/1224
> in which he says:
>   "Examples of template devices include LTA0: for LAT, and
>   NTA0: and TNA0: for telnet devices. Both DECnet and ssh
>   tend to use FTA0:."
> 
> So if you can find the correct pid for your current login,
> then use f$getjpi for item TERMINAL or TT_ACCPORNAM, you
> can at least narrow it down to either DECnet or ssh by looking
> for FTA in the string.
> 
> I'm not sure how to rule out DECnet.
> 

DECnet terminals (SET HOST) use RTAn:

/Wilm



More information about the Info-vax mailing list