[Info-vax] SSH footprint
Fred Zwarts
F.Zwarts at KVI.nl
Tue Oct 27 04:41:06 EDT 2009
Marc Van Dyck <marc.vandyck at brutele.be> typed
(in mn.d4c17d9a41b701ab.104627 at brutele.be)
> We are running a banking environment where high-level traceability
> is required. For OpenVMS systems, audit is the key to that. It is
> mostly ok, but we have discovered a serious flaw: when a user logs
> into an OpenVMS system using SSH (as we are all required to do, since
> telnet is considered unsecure), the corresponding audit entry says
> that the user SSH did a remote login, instead of displaying the real
> user.
>
> We want to correct that by writing a small program that will be called
> early in the sylogin.com of the system and create an audit entry
> (there is a system call to do that) with the name of the real user.
> Not difficult.
>
> The problem is to decide whether or not to run the program. It is
> useless to do it when telnet is used to enter the system, since in
> this case a proper audit record has already been created by OpenVMS
> itself. It is only when SSH is used to come in that the program must
> run. But how can I detect, with some DCL code, that the SSH protocol
> has been used rather than another one? Any idea?
>
> Thanks in advance,
You don't say which TCP/IP implementation you use.
We use Multinet 5.0 and in our SYLOGIN.COM the check looks like:
$ SSH_LOGIN = f$trnlnm("SYS$REM_NODE") .eqs. "SSH::"