[Info-vax] SSH footprint

Fred Zwarts F.Zwarts at KVI.nl
Tue Oct 27 08:48:45 EDT 2009


VAXman- @SendSpamHere.ORG <VAXman- @SendSpamHere.ORG> typed
(in 00A93A63.1FB370ED at SendSpamHere.ORG)
> In article <hc6bn3$6sg$1 at news.albasani.net>, "Fred Zwarts"
> <F.Zwarts at KVI.nl> writes: 
>> Marc Van Dyck <marc.vandyck at brutele.be> typed
>> (in mn.d4c17d9a41b701ab.104627 at brutele.be)
>>> We are running a banking environment where high-level traceability
>>> is required. For OpenVMS systems, audit is the key to that. It is
>>> mostly ok, but we have discovered a serious flaw: when a user logs
>>> into an OpenVMS system using SSH (as we are all required to do,
>>> since telnet is considered unsecure), the corresponding audit entry
>>> says that the user SSH did a remote login, instead of displaying
>>> the real user.
>>>
>>> We want to correct that by writing a small program that will be
>>> called early in the sylogin.com of the system and create an audit
>>> entry (there is a system call to do that) with the name of the real
>>> user. Not difficult.
>>>
>>> The problem is to decide whether or not to run the program. It is
>>> useless to do it when telnet is used to enter the system, since in
>>> this case a proper audit record has already been created by OpenVMS
>>> itself. It is only when SSH is used to come in that the program must
>>> run. But how can I detect, with some DCL code, that the SSH protocol
>>> has been used rather than another one? Any idea?
>>>
>>> Thanks in advance,
>> 
>> You don't say which TCP/IP implementation you use.
>> We use Multinet 5.0 and in our SYLOGIN.COM the check looks like:
>> 
>> $       SSH_LOGIN =  f$trnlnm("SYS$REM_NODE") .eqs. "SSH::"
> 
> I checked a MultiNet SSH session and there is no SSH:: in the translation
> of SYS$REM_NODE.  It contains the remotehostname and
> SYS$REM_NODE_FULLNAME maintains the fully-qualified remotehostname.
> There's no SSH:: found in either translation.
>
> MultiNet can optionally augment the FTA UCB to maintain TT_ACCPORNAM using
> code I devised.  You can check that field with F$getdvi("TT","TT_ACCPORNAM")
> and look for "ssh".

I checked an SSH session on an OpenVMS V7.3 system with Multinet 5.0.
$ sh log sys$rem_node
   "SYS$REM_NODE" = "SSH::" (LNM$JOB_85564680)

Maybe it changed in later versions.
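
Because the two posters see different SYS$REM_NODE translations, a SYLOGIN.COM fragment can test both indicators mentioned in this thread. This is an added example, not code from either poster; AUDIT_SSH_LOGIN.EXE and its location are hypothetical names for the site-written audit program.

```dcl
$! Added example: detect an SSH login using both indicators from the thread.
$! Assumption: SYS$MANAGER:AUDIT_SSH_LOGIN.EXE is a hypothetical site-written
$! program that writes the audit record carrying the real user name.
$!
$! Only interactive logins have a terminal to inspect.
$ IF F$MODE() .NES. "INTERACTIVE" THEN GOTO SSH_CHECK_DONE
$ SSH_LOGIN = "FALSE"
$!
$! Indicator 1: SYS$REM_NODE translates to "SSH::"
$! (reported above for MultiNet 5.0 on OpenVMS V7.3).
$ IF F$TRNLNM("SYS$REM_NODE") .EQS. "SSH::" THEN SSH_LOGIN = "TRUE"
$!
$! Indicator 2: the terminal's access port name contains "ssh"
$! (only filled in when MultiNet is set up to maintain TT_ACCPORNAM).
$ PORT = F$EDIT(F$GETDVI("TT","TT_ACCPORNAM"),"UPCASE")
$ IF F$LOCATE("SSH",PORT) .LT. F$LENGTH(PORT) THEN SSH_LOGIN = "TRUE"
$!
$! Write the extra audit record only for SSH sessions; telnet logins
$! already get a proper record from OpenVMS itself.
$ IF SSH_LOGIN THEN RUN SYS$MANAGER:AUDIT_SSH_LOGIN.EXE
$SSH_CHECK_DONE:
```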
