[Info-vax] SSH footprint
VAXman- at SendSpamHere.ORG
Tue Oct 27 08:54:07 EDT 2009
In article <hc6bn3$6sg$1 at news.albasani.net>, "Fred Zwarts" <F.Zwarts at KVI.nl> writes:
>Marc Van Dyck <marc.vandyck at brutele.be> typed
>(in mn.d4c17d9a41b701ab.104627 at brutele.be)
>> We are running a banking environment where high-level traceability
>> is required. For OpenVMS systems, audit is the key to that. It is
>> mostly ok, but we have discovered a serious flaw : when a user logs
>> into an OpenVMS system using SSH (as we are all required to do, since
>> telnet is considered unsecure), the corresponding audit entry says
>> that the user SSH did a remote login, instead of displaying the real
>> user.
>>
>> We want to correct that by writing a small program that will be called
>> early in the sylogin.com of the system and create an audit entry
>> (there is a system call to do that) with the name of the real user.
>> Not difficult.
>>
>> The problem is to decide whether or not to run the program. It is
>> useless to do it when telnet is used to enter the system, since in
>> this case a proper audit record has already been created by OpenVMS
>> itself. It is only when SSH is used to come in that the program must
>> run. But how can I detect, with some DCL code, that the SSH protocol
>> has been used rather than another one ? Any idea ?
>>
>> Thanks in advance,
>
>You don't say which TCP/IP implementation you use.
>We use Multinet 5.0 and in our SYLOGIN.COM the check looks like:
>
>$ SSH_LOGIN = f$trnlnm("SYS$REM_NODE") .eqs. "SSH::"

I checked a MultiNet SSH session and there is no SSH:: in the translation
of SYS$REM_NODE. It contains the remote hostname and SYS$REM_NODE_FULLNAME
maintains the fully-qualified remote hostname. There's no SSH:: found in
either translation.

MultiNet can optionally augment the FTA UCB to maintain TT_ACCPORNAM using
code I devised. You can check that field with F$getdvi("TT","TT_ACCPORNAM")
and look for "ssh".

--
VAXman- A Bored Certified VMS Kernel Mode Hacker VAXman(at)TMESIS(dot)ORG
http://www.quirkfactory.com/popart/asskey/eqn2.png
"Well my son, life is like a beanstalk, isn't it?"
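
The TT_ACCPORNAM check suggested above, written out as a SYLOGIN.COM fragment. This is an added example, not part of the original posts: the image name SYS$MANAGER:SSH_AUDIT.EXE is a hypothetical stand-in for the site's audit program, and the match on "ssh" assumes the optional MultiNet TT_ACCPORNAM support is enabled.

```dcl
$! Added example for SYLOGIN.COM; not code from the thread.
$! Decide whether this login arrived over SSH before writing the
$! supplementary audit record with the real user name.
$!
$! Only interactive logins have a terminal worth inspecting; batch,
$! network and detached processes skip the check entirely.
$ IF F$MODE() .NES. "INTERACTIVE" THEN GOTO SSH_CHECK_DONE
$ IF .NOT. F$GETDVI("TT","TRM") THEN GOTO SSH_CHECK_DONE
$!
$! Access port name of the terminal. It is empty when the TCP/IP stack
$! does not populate it, in which case the login is treated as non-SSH.
$ acc_port = F$EDIT(F$GETDVI("TT","TT_ACCPORNAM"),"LOWERCASE,TRIM")
$!
$! F$LOCATE returns the string length when the substring is absent,
$! so "found" means the offset is strictly less than the length.
$ ssh_login = F$LOCATE("ssh",acc_port) .LT. F$LENGTH(acc_port)
$!
$! Hypothetical audit image: replace with the site's own program.
$ IF ssh_login THEN RUN SYS$MANAGER:SSH_AUDIT.EXE
$!
$SSH_CHECK_DONE:
```

If TT_ACCPORNAM is not populated the fragment writes no extra audit record, so confirm the field's contents on a test SSH session before relying on it for traceability.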