[Info-vax] SSH footprint
Dale Dellutri
ddelQQQlutr at panQQQix.com
Mon Oct 26 16:00:50 EDT 2009
On Mon, 26 Oct 2009 20:17:00 +0100, Marc Van Dyck <marc.vandyck at brutele.be> wrote:
> We are running a banking environment where high-level traceability
> is required. For OpenVMS systems, audit is the key to that. It is
> mostly ok, but we have discovered a serious flaw: when a user logs
> into an OpenVMS system using SSH (as we are all required to do, since
> telnet is considered unsecure), the corresponding audit entry says that
> the user SSH did a remote login, instead of displaying the real user.
> We want to correct that by writing a small program that will be called
> early in the sylogin.com of the system and create an audit entry (there
> is a system call to do that) with the name of the real user. Not
> difficult.
> The problem is to decide whether or not to run the program. It is
> useless to do it when telnet is used to enter the system, since in
> this case a proper audit record has already been created by OpenVMS
> itself. It is only when SSH is used to come in that the program must
> run. But how can I detect, with some DCL code, that the SSH protocol
> has been used rather than another one? Any idea?
See the following:
http://labs.hoffmanlabs.com/node/1224
in which he says:
"Examples of template devices include LTA0: for LAT, and
NTA0: and TNA0: for telnet devices. Both DECnet and ssh
tend to use FTA0:."
So if you can find the correct pid for your current login,
then use f$getjpi for item TERMINAL or TT_ACCPORNAM, you
can at least narrow it down to either DECnet or ssh by looking
for FTA in the string.
I'm not sure how to rule out DECnet.
--
Dale Dellutri <ddelQQQlutr at panQQQix.com> (lose the Q's)
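
An added sketch, not part of the original post, of how the FTA check suggested above could gate the audit program early in SYLOGIN.COM. The image name AUDIT_REAL_USER.EXE and its location are hypothetical placeholders for the site-written program, and the check only narrows the session to ssh or DECnet, as the reply notes.

```dcl
$! Added example for SYLOGIN.COM; not code from the original thread.
$! Only interactive logins have a login terminal worth checking.
$ IF F$MODE() .NES. "INTERACTIVE" THEN GOTO SKIP_REAL_USER_AUDIT
$!
$! Login terminal of the current process, for example "FTA12:".
$ term = F$GETJPI("", "TERMINAL")
$!
$! Access port name; may be empty, kept here only for inspection.
$ port = F$GETJPI("", "TT_ACCPORNAM")
$!
$! F$LOCATE returns the string length when the substring is absent.
$ IF F$LOCATE("FTA", term) .EQ. F$LENGTH(term) THEN GOTO SKIP_REAL_USER_AUDIT
$!
$! An FTA unit means a pseudo-terminal session: ssh or DECnet.
$! This test does not tell the two apart.
$! AUDIT_REAL_USER.EXE is a hypothetical name for the site-written
$! program that creates the audit entry with the real user name.
$ RUN SYS$MANAGER:AUDIT_REAL_USER.EXE
$!
$SKIP_REAL_USER_AUDIT:
```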