topic Re: auditing logins over ssh in Operating System - OpenVMS

auditing logins over ssh

mustafa_12 — Wed, 18 Oct 2006 11:37:29 GMT

Hi all,

I have enabled auditing remote logins, by

set audit /audit /enable=login=remote

By this configuration, I can easily audit user accounts who are connecting over telnet. However, When I connect using ssh, I can not see the connection (that is my username and ip) in the audit file. The command for audit is:

anal /audit /since=18-oct-2006 /event=login sys$manager:security.audit$journal

Is there any way to learn the username who is authenticated by ssh in auditing or in another log file...

Re: auditing logins over ssh

Volker Halle — Wed, 18 Oct 2006 11:51:44 GMT

Mustafa,

if you connect via SSH, it looks like you'll see a NETWORK login under the TCPIP$SSH user, followed by a Detached Process login with your username (on a FTA device).

I simply tested this with:

$ SET AUDIT/ALARM/ENABLE=LOGIN=ALL
$ REPLY/ENABLE
$ SSH local-host-name

Volker.

Re: auditing logins over ssh

mustafa_12 — Wed, 18 Oct 2006 12:10:45 GMT

Volker,

You are right. But what about the IP, I can not see the coming IP of the connected user in the audit output. However, the IP is logged in the operator log. What I want is to monitor all the tokens in one place.

Re: auditing logins over ssh

Volker Halle — Wed, 18 Oct 2006 12:21:12 GMT

Mustafa,

the remote IP address is logged in the Network Login audit event under the TCPIP$SSH user.

This clearly is an TCPIP SSH integration problem, as this 'tool' is somehow plugged into OpenVMS, but not cleanly integrated.

Volker.

Re: auditing logins over ssh

Ana M. García Olivencia — Thu, 19 Oct 2006 02:10:16 GMT

Mustafa.

You can also check the TCPIP$SSH_RUN.LOG files at the TCPIP$SSH account default directory; the user and the IP, together to the connection time, are logged in that file.

Regards.

Ana

Re: auditing logins over ssh

mustafa_12 — Thu, 19 Oct 2006 08:13:11 GMT

Yes, that's right, it's seen with /full qualifier. Thanks for your fast replies.

But I still wonder to monitor all these tokens in one record. I have looked at the sshd log file (tcpip show service ssh /full), but there is no such a file (TCPIP$SSH_DEVICE:[TCPIP$SSH]TCPIP$SSH_RUN.LOG).
How can I enable logging to this log file?

Re: auditing logins over ssh

Ana M. García Olivencia — Mon, 23 Oct 2006 06:00:51 GMT

Mustafa.

You must execute the following command:

UCX>SET SERVICE SSH/LOG=FILE=TCPIP$SSH_DEVICE:[TCPIP$SSH]TCPIP$SSH_RUN.LOG

and you must shutdown and start the service in order to activate the change:

$@SYS$MANAGER:TCPIP$SSH_SHUTDOWN
$@SYS$MANAGER:TCPIP$SSH_STARTUP

Ana

Re: auditing logins over ssh

mustafa_12 — Tue, 24 Oct 2006 06:59:38 GMT

Dear Ana,

I had done what you recommend before, but I do not understand why there is no log file. Where is my mistake if any?

My conf is:

MYPROMPT>tcpip show serv ssh /full

Service: SSH
State: Enabled
Port: 22 Protocol: TCP Address: 0.0.0.0
Inactivity: 5 User_name: TCPIP$SSH Process: TCPIP$SSH
Limit: 10000 Active: 1 Peak: 1

File: TCPIP$SYSTEM:TCPIP$SSH_RUN.COM
Flags: Listen

Socket Opts: Rcheck Scheck
Receive: 0 Send: 0

Log Opts: Acpt Actv Dactv Conn Error Exit Logi Logo Mdfy Rjct TimO Addr
File: TCPIP$SSH_DEVICE:[TCPIP$SSH]SSHD.LOG

Security
Reject msg: TCPIP SSH Connection refused
....
.....

MYPROMPT>set def TCPIP$SSH_DEVICE:[TCPIP$SSH]

MYPROMPT>dir

Directory SYS$SYSDEVICE:[TCPIP$SSH]

LOGIN.COM;1 SHOSTS.EQUIV;1 SSH2.DIR;1

Total of 3 files.

Re: auditing logins over ssh

Ana M. García Olivencia — Wed, 25 Oct 2006 04:33:55 GMT

Mustafa.

You are right. Regardless the log file name you define in the ssh service, it doesn't take it into account. The only difference between your system and mine is that, although not having TCPIP$SSH_RUN.LOG (the 'official' log file name), whenever I shutdown and start the service, a new version of that file is created (I have done some tests deleting my current TCPIP$SSH_RUN.LOG files and seen that the first version of this file is created and the information logged, although I had defined a different log file name).

I have checked the TCPIP$SYSTEM:TCPIP$SSH_RUN.COM file to see any references to the log file and it seems that it checks for the presence of TCPIP$SSH_RUN.LOG file as a log file, but it's not clear what it does when this file is not at that directory (although in the practice it is created).

I have discovered (from the SYS$MANAGER:TCPIP$CONFIG.COM file) that the syntax to define the log file is slightly different as I told you. It should be:

$UCX SET SERVICE SSH/LOG=(FILE:TCPIP$SSH_DEVICE:[TCPIP$SSH]SSHD.LOG,ALL)

I have tested with this definition and no changes from the previous tests.

I don't know why your system doesn't create, at least, the default log file TCPIP$SSH_RUN.LOG. Perhaps:

* A file protection problem? -enable security alarms whenever starting the service-.

* A TCPIP version problem?. My version is:
HP TCP/IP Services for OpenVMS Alpha Version V5.4 - ECO 6 on a AlphaServer 4000 5/400 4MB running OpenVMS V7.3-2

If I find more information I'll let you knos.

Regards.

Ana

Re: auditing logins over ssh

mustafa_12 — Sat, 28 Oct 2006 07:25:55 GMT

Ana,

I do not think that it is a file protection error. If I look at the protection of the ssh home directory:

dir /own /prot sys$sysdevice:[000000]tcpip$ssh.dir

Although I do not suppose, the version may be the problem. But I am not sure. It is VMS 7.3-2 TCPIP V5.4 ECO5. I do not have the chance to test but people using this level may comment

Thank you very much...

Re: auditing logins over ssh

JCG — Sat, 17 Mar 2007 00:13:17 GMT

There is a value (IntrusionIdentLocalUser) in [TCPIP$SSH.SSH2]SSHD2_CONFIG. which allows you to change between Username and IP.

This is the help listed:
# V5.5-06
# If "yes" then the local user name is used in the intrusion record in place of
# SSH_xxxxxxxx where 'xxxxxxxx' is HEX IP address of remote host. This makes for
# more unique intrusion records and prevents the case of one intruder on a
# remote host locking out all users from that host. This field is especially
# useful in environments where multiple client hosts appear to be from the same
# remote IP address.
#
# If "no" then SSH_xxxxxxxx is used in the intrusion record.
#
# Default is "yes".
#
# This field is experimental. It may not work for public key and host based
# authentication.
#
# This field is not currently used for SSH logins from the TCP/IP Services for
# OpenVMS SSH client.