- SSH Logins and LGI_RETRY_LIM
06-24-2009 06:57 AM
LGI_RETRY_LIM is set to 3. A user attempts to enter the system, fat-fingers the password several times. She then logs in correctly. Problem is, I watched her do it. She gets at least 6 or 7 retries instead of just 3. When she logs in, the "login failures since last login" count is only 3. But I know for a fact that's a lie.
In my SSHD2_CONFIG file, AuthKbdInt.Retries is set to 3. PasswordGuesses is set to 3. Are these somehow multiplicative or additive in effect? (Instead of being minimized against each other as is done with certain quotas and limits when two different values apply?)
- Tags:
- ssh
06-24-2009 07:18 AM
Re: SSH Logins and LGI_RETRY_LIM
Use the local mechanisms and controls where available within the tools, use good passwords, and expect to get hit with dictionary attacks on "public-facing" servers.
Some folks have used communications with a firewall to control these, to implement breakin evasion based on ssh activity. That task is easier on various Unix boxes, as you have an on-board firewall and can use a shell script and iptables or such to adjust its settings. But it's certainly also feasible to configure OpenVMS to communicate with an outboard firewall for this purpose. (HP claims/claimed a firewall for V8.4, but few details around programmatic control of same.)
And specifically with ssh, you can also choose to trump this problem and use the no-password login via certificates.
http://labs.hoffmanlabs.com/node/1118
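The breakin-evasion idea in the reply above (watch ssh activity on the firewall host, push a block rule when it looks like a dictionary attack), written out as an added example; this is not code from the thread, from OpenVMS or from the linked page. The POSIX shell script below mirrors the semantics of the SYSGEN parameters LGI_BRK_LIM (failures allowed) and LGI_BRK_TMO (the window, in seconds, in which they must occur) over OpenSSH-style syslog lines, using the thread's values of 3 and 3600. Everything in it is an assumption for illustration: the host name vmsgw, the addresses and user names in the sample log, the function names, and the premise that a Linux box with iptables sits in front of the OpenVMS system. It only prints the iptables rule unless APPLY=1 is set.

```shell
#!/bin/sh
# Breakin evasion driven by sshd log activity, modelled on the OpenVMS SYSGEN
# parameters LGI_BRK_LIM (failures allowed) and LGI_BRK_TMO (seconds in which
# they must occur). Added example, not code from the thread or from OpenVMS.
# Assumptions: a Linux host with iptables sits in front of the OpenVMS box and
# sees OpenSSH-style syslog lines; timestamps are parsed as seconds within one
# day, so a log that spans midnight needs a real date parser.

# Constructed sample log (host name, addresses and user names are made up):
#  - 203.0.113.5 fails three times, two hours apart: never inside the window
#  - 192.0.2.10 fails twice then succeeds: the fat-fingered password from the thread
#  - 198.51.100.7 fails three times in 40 s: a dictionary attack that must trigger evasion
SAMPLE_LOG='Jun 24 02:00:00 vmsgw sshd[3001]: Failed password for system from 203.0.113.5 port 33000 ssh2
Jun 24 04:00:00 vmsgw sshd[3002]: Failed password for system from 203.0.113.5 port 33001 ssh2
Jun 24 06:00:00 vmsgw sshd[3003]: Failed password for system from 203.0.113.5 port 33002 ssh2
Jun 24 08:20:01 vmsgw sshd[4101]: Failed password for jdoe from 192.0.2.10 port 51234 ssh2
Jun 24 08:20:09 vmsgw sshd[4101]: Failed password for jdoe from 192.0.2.10 port 51234 ssh2
Jun 24 08:20:15 vmsgw sshd[4101]: Accepted password for jdoe from 192.0.2.10 port 51234 ssh2
Jun 24 08:21:00 vmsgw sshd[4110]: Failed password for invalid user root from 198.51.100.7 port 40000 ssh2
Jun 24 08:21:20 vmsgw sshd[4111]: Failed password for invalid user admin from 198.51.100.7 port 40001 ssh2
Jun 24 08:21:40 vmsgw sshd[4112]: Failed password for invalid user oracle from 198.51.100.7 port 40002 ssh2'

# evasion_candidates LIM TMO   (reads log lines on stdin)
# Prints each source address once, at the moment it reaches LIM failed-password
# records within a sliding TMO-second window. A successful login does not clear
# the history, so a guess-guess-guess-succeed sequence still counts.
evasion_candidates() {
    awk -v lim="$1" -v tmo="$2" '
    /sshd\[[0-9]+\]: Failed password for / {
        ip = $0
        sub(/.* from /, "", ip); sub(/ port .*/, "", ip)   # source address
        split($3, t, ":")                                   # HH:MM:SS -> seconds
        now = t[1] * 3600 + t[2] * 60 + t[3]
        # drop failures that have aged out of the window, then add this one
        n = split(hist[ip], times, " ")
        kept = ""; cnt = 0
        for (i = 1; i <= n; i++)
            if (now - times[i] <= tmo) { kept = kept " " times[i]; cnt++ }
        hist[ip] = kept " " now
        cnt++
        if (cnt >= lim && !(ip in flagged)) { flagged[ip] = 1; print ip }
    }'
}

# block_address ADDR: drop ssh from ADDR. Dry run by default; set APPLY=1 to
# run iptables for real (root required). A production version would also
# remove the rule again after a while, the way OpenVMS evasion ends when
# LGI_HID_TIM expires.
block_address() {
    if [ "${APPLY:-0}" = "1" ]; then
        iptables -I INPUT -s "$1" -p tcp --dport 22 -j DROP
    else
        echo "iptables -I INPUT -s $1 -p tcp --dport 22 -j DROP"
    fi
}

# run_evasion: the thread's values LGI_BRK_LIM=3, LGI_BRK_TMO=3600 over the sample log
run_evasion() {
    printf '%s\n' "$SAMPLE_LOG" | evasion_candidates 3 3600 | while read -r ip; do
        block_address "$ip"
    done
}

run_evasion
```

Because the decision is made from what sshd actually logged, it does not depend on the TCPIP sshd honouring PasswordGuesses or AuthKbdInt.Retries, which is the property the original question is missing. It is coarser than the OpenVMS intrusion database (which keys on user name and source, not source alone), so a shared NAT address behind a few typists can be locked out with the attacker.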
06-24-2009 08:24 AM
Solution
The early versions of the TCPIP SSH server were broken in a lot of ways. It didn't recognize mixed-case passwords, for example.
06-24-2009 08:30 AM
Re: SSH Logins and LGI_RETRY_LIM
This is a case of Windows Reflection 14.0.x to OpenVMS, so the secure shell parameters relating to "non-OpenVMS to OpenVMS" apply. The only PKI that I could use is part of a certificate in a government-issue Computer Access Card (CAC), with an X509v3 certificate. The CAC is in Windows IPSEC format but the PKI keys that OpenVMS wants should be in OpenSSH format and I don't have a handy utility to do the extraction and conversion. Per Dept. of Defense regulations, I cannot legally issue the user a certificate because the only legal key is the one in the CAC.
What bothers me even more is that even things like the "Password Guesses" option in the SSHD2_CONFIG file aren't being honored.
As further information, the user failed to login at least 6 or 7 times, which violates the DoD rules massively.
First, you are supposed to lose the connection after you exceed the "password guess" limit - in this case 3 for both the SSH parameter PasswordGuesses and SYSGEN's LGI_RETRY_LIM.
Second, you are supposed to cause evasion based on the LGI_BRKxxx parameters. The user's 6 or 7 login failures occurred in less than one minute. My parameters are set for LGI_BRK_LIM = 3, LGI_BRK_TMO = 3600, so I should have had an evasion event. But that didn't happen either, because the user logged in correctly after that (also within one minute of the initial failure).
Third, DoD Regs suggest that you should get accurate counts of the failed logins since your last good login, and it reported 3 but the accurate number would have been 6 or 7. So that is not good either.
Our site is planning an upgrade to OpenVMS 8.3 and whatever is the current TCPIP services for that O/S version, but the upgrade won't occur for a couple of months yet. Does anyone know if this problem exists for that version combination?