[Info-vax] SSH footprint

VAXman- at SendSpamHere.ORG VAXman- at SendSpamHere.ORG
Mon Oct 26 17:49:59 EDT 2009


In article <hc4v5i$4sa$1 at reader1.panix.com>, Dale Dellutri <ddelQQQlutr at panQQQix.com> writes:
>On Mon, 26 Oct 2009 20:17:00 +0100, Marc Van Dyck <marc.vandyck at brutele.be> wrote:
>> We are running a banking environment where high-level traceability
>> is required. For OpenVMS systems, audit is the key to that. It is
>> mostly ok, but we have discovered a serious flaw: when a user logs
>> into an OpenVMS system using SSH (as we are all required to do, since
>> telnet is considered unsecure), the corresponding audit entry says that
>> the user SSH did a remote login, instead of displaying the real user.
>
>> We want to correct that by writing a small program that will be called
>> early in the sylogin.com of the system and create an audit entry (there
>> is a system call to do that) with the name of the real user. Not
>> difficult.
>
>> The problem is to decide whether or not to run the program. It is
>> useless to do it when telnet is used to enter the system, since in
>> this case a proper audit record has already been created by OpenVMS
>> itself. It is only when SSH is used to come in that the program must
>> run. But how can I detect, with some DCL code, that the SSH protocol
>> has been used rather than another one? Any idea?
>
>See the following:
>  http://labs.hoffmanlabs.com/node/1224
>in which he says:
>  "Examples of template devices include LTA0: for LAT, and
>  NTA0: and TNA0: for telnet devices. Both DECnet and ssh
>  tend to use FTA0:."
>
>So if you can find the correct pid for your current login,
>then use f$getjpi for item TERMINAL or TT_ACCPORNAM, you
>can at least narrow it down to either DECnet or ssh by looking
>for FTA in the string.
>
>I'm not sure how to rule out DECnet.

FTAs do not, by default, employ TT_ACCPORNAM.

-- 
VAXman- A Bored Certified VMS Kernel Mode Hacker    VAXman(at)TMESIS(dot)ORG

  http://www.quirkfactory.com/popart/asskey/eqn2.png
  
  "Well my son, life is like a beanstalk, isn't it?"


