[Info-vax] SSH footprint

VAXman- at SendSpamHere.ORG VAXman- at SendSpamHere.ORG
Tue Oct 27 13:20:49 EDT 2009


In article <hc6q7e$s06$1 at news.albasani.net>, "Fred Zwarts" <F.Zwarts at KVI.nl> writes:
>VAXman- @SendSpamHere.ORG <VAXman- @SendSpamHere.ORG> typed
>(in 00A93A63.1FB370ED at SendSpamHere.ORG)
>> In article <hc6bn3$6sg$1 at news.albasani.net>, "Fred Zwarts"
>> <F.Zwarts at KVI.nl> writes:
>>> Marc Van Dyck <marc.vandyck at brutele.be> typed
>>> (in mn.d4c17d9a41b701ab.104627 at brutele.be)
>>>> We are running a banking environment where high-level traceability
>>>> is required. For OpenVMS systems, audit is the key to that. It is
>>>> mostly OK, but we have discovered a serious flaw: when a user logs
>>>> into an OpenVMS system using SSH (as we are all required to do,
>>>> since telnet is considered insecure), the corresponding audit entry
>>>> says that the user SSH did a remote login, instead of displaying
>>>> the real user.
>>>>
>>>> We want to correct that by writing a small program that will be
>>>> called early in the sylogin.com of the system and create an audit
>>>> entry (there is a system call to do that) with the name of the real
>>>> user. Not difficult.
>>>>
>>>> The problem is to decide whether or not to run the program. It is
>>>> useless to do it when telnet is used to enter the system, since in
>>>> this case a proper audit record has already been created by OpenVMS
>>>> itself. It is only when SSH is used to come in that the program must
>>>> run. But how can I detect, with some DCL code, that the SSH protocol
>>>> has been used rather than another one? Any idea?
>>>>
>>>> Thanks in advance,
>>>
>>> You don't say which TCP/IP implementation you use.
>>> We use Multinet 5.0 and in our SYLOGIN.COM the check looks like:
>>>
>>> $       SSH_LOGIN =  f$trnlnm("SYS$REM_NODE") .eqs. "SSH::"
>>
>> I checked a MultiNet SSH session and there is no SSH:: in the
>> translation of SYS$REM_NODE.  It contains the remotehostname and
>> SYS$REM_NODE_FULLNAME maintains the fully-qualified remotehostname.
>> There's no SSH:: found in either translation.
>>
>> MultiNet can optionally augment the FTA UCB to maintain TT_ACCPORNAM
>> using code I devised.  You can check that field with
>> F$getdvi("TT","TT_ACCPORNAM") and look for "ssh".
>
>I checked an SSH session on an OpenVMS V7.3 system with Multinet 5.0.
>$ sh log sys$rem_node
>   "SYS$REM_NODE" = "SSH::" (LNM$JOB_85564680)
>
>Maybe it changed in later versions.
>

I checked on Eisner (DECUServe.org) which is running:
$ MULTINET SHOW/VERSION
Process Software MultiNet V5.2 Rev A-X, AlphaServer DS20 500 MHz, OpenVMS AXP V8.3


-- 
VAXman- A Bored Certified VMS Kernel Mode Hacker    VAXman(at)TMESIS(dot)ORG

  http://www.quirkfactory.com/popart/asskey/eqn2.png
  
  "Well my son, life is like a beanstalk, isn't it?"
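Added example, not from anyone in the thread: a SYLOGIN.COM fragment that tests both indicators discussed above, since the thread shows SYS$REM_NODE reading "SSH::" on one MultiNet version (5.0, OpenVMS V7.3) but not on another, while the TT_ACCPORNAM field is only populated when MultiNet's optional UCB augmentation is in use. It assumes MultiNet, an interactive terminal login, and a hypothetical site-written image SYS$SYSTEM:AUDIT_REAL_USER.EXE (the program the original poster describes writing) that takes the username, remote host and port name as arguments; none of those names come from the page.

```dcl
$!  Added example (not the original poster's code): decide early in
$!  SYLOGIN.COM whether this login came in over SSH.
$!
$!  Batch and network jobs also run SYLOGIN.COM but have no terminal to
$!  inspect, so only interactive logins are examined.
$ IF F$MODE() .NES. "INTERACTIVE" THEN GOTO DONE
$!
$!  Indicator 1: on some MultiNet versions SYS$REM_NODE is "SSH::" for SSH.
$ REM_NODE  = F$TRNLNM("SYS$REM_NODE")
$ SSH_LOGIN = (REM_NODE .EQS. "SSH::")
$!
$!  Indicator 2: access-port name on the terminal UCB, present only when
$!  MultiNet's optional UCB augmentation fills it in.  Compare in upper
$!  case; an empty string never matches, so the test is safe without it.
$ PORT_NAME = F$EDIT(F$GETDVI("TT","TT_ACCPORNAM"),"UPCASE")
$ IF F$LOCATE("SSH",PORT_NAME) .NE. F$LENGTH(PORT_NAME) THEN SSH_LOGIN = 1
$!
$!  Telnet, LAT and DECnet logins already produce a correct audit record,
$!  so only SSH logins go on to write the supplementary one.
$ IF .NOT. SSH_LOGIN THEN GOTO DONE
$!
$!  USERNAME from F$GETJPI is blank-padded; trim it.  Pass the fully
$!  qualified remote host name too, since SYS$REM_NODE may only say "SSH::".
$ USER     = F$EDIT(F$GETJPI("","USERNAME"),"TRIM")
$ REM_FULL = F$TRNLNM("SYS$REM_NODE_FULLNAME")
$ AUDIT_REAL_USER :== $SYS$SYSTEM:AUDIT_REAL_USER.EXE    ! hypothetical image
$ AUDIT_REAL_USER "''USER'" "''REM_FULL'" "''PORT_NAME'"
$!
$DONE:
$ EXIT
```

The two tests are deliberately OR-ed: on a system where SYS$REM_NODE carries the real host name rather than "SSH::", only the TT_ACCPORNAM check can fire, and on a system without the UCB augmentation only the SYS$REM_NODE check can. If neither indicator is populated on a given MultiNet release, SSH_LOGIN stays 0 and the supplementary record is silently skipped, so the values of both should be confirmed with SHOW LOGICAL SYS$REM_NODE and F$GETDVI("TT","TT_ACCPORNAM") from an actual SSH session before relying on this in production.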