- Re: lgi_brk_disuser and SSH not working
01-23-2007 04:27 AM
OpenVMS 7.3-2, TCPIP 5.4 ECO 6.
I've got lgi_brk_disuser set to 1, and lgi_brk_term set to 0; lgi_brk_tmo is set to 5 minutes (300 seconds), and lgi_brk_lim is 5.
A user yesterday attempted to login using SSH. She tried 18 times(!), failing each time per the audit logs, for about 25 minutes. As expected, after the 5th attempt, her attempts were logged as breakin attempts by the auditing subsystem. However, she should have been disusered once this started happening. She wasn't.
She should have been prevented from logging in for 90 minutes (18 failed attempts * 5 minutes per). She wasn't.
She logged in about 25 minutes later after her SSH session (using Reflection v14 client on her end) prompted for a password change and she changed it.
(First person to say "HP recommends against setting lgi_brk_disuser to 1" gets a big fat 0 points. 8^) (BTW, HP does NOT recommend against it, they say it should be set "only under extreme security watch conditions", which I qualify for. I understand the ramifications of this setting, and I've been running this way for over 5 years WITHOUT a single problem. Discussion over.)
Why are none of these security settings working? Why was a user who flagrantly violated their password policy allowed to login?
01-23-2007 04:39 AM
Re: lgi_brk_disuser and SSH not working
Purely Personal Opinion
01-23-2007 04:54 AM
Re: lgi_brk_disuser and SSH not working
Good question. Yes, as indicated by the audits and the fact that the intrusion was flagged as a breakin attempt. I should have also mentioned that I have lgi_brk_term set to 0.
Aaron
01-23-2007 05:22 AM
Re: lgi_brk_disuser and SSH not working
From my experience here in my site, when we get failed attempts from SSH users, the username is usually shown as TCPIP$SSH. I would say that's why the system is unable to disuser the user (because it doesn't know what username to disuser at that point).
01-23-2007 05:38 AM
Re: lgi_brk_disuser and SSH not working
Security alarm (SECURITY) and security audit (SECURITY) on WOODY, system id: 7178
Auditable event: Network login failure
Event time: 22-JAN-2007 07:26:56.27
PID: 2051EC4B
Process name: TCPIP$SS_BG5780
Username: TCPIP$SSH
Remote node fullname: SSH_PASSWORD:1.2.3.4
Remote username: WEBER(LOCAL)
Status: %LOGIN-F-NOTVALID, user authorization failure
gets turned into this:
Security alarm (SECURITY) and security audit (SECURITY) on WOODY, system id: 7178
Auditable event: Network breakin detection
Event time: 22-JAN-2007 07:42:49.46
PID: 205271C4
Process name: TCPIP$SS_BG7054
Username: WEBER
Password:
Remote node fullname: SSH_PASSWORD:1.2.3.4
Remote username: WEBER(LOCAL)
Status: %LOGIN-F-NOTVALID, user authorization failure
01-23-2007 05:57 AM
Re: lgi_brk_disuser and SSH not working
%%%%%%%%%%% OPCOM 23-JAN-2007 10:35:15.20 %%%%%%%%%%%
Message from user AUDIT$SERVER on CLCC
Security alarm (SECURITY) and security audit (SECURITY) on CLCC, system id: 2131
Auditable event: Network breakin detection
Event time: 23-JAN-2007 10:35:15.20
PID: 0017EA95
Process name: TCPIP$SS_BG3042
Username: TCPIP$SSH
Remote nodename: SSH_PASSWORD:MLE
Remote username: SSH_808AF214
Status: %LOGIN-F-NOTVALID, user authorization failure
Maybe because my SSH remote sources are not VMS? Sorry I wasn't of help.
01-23-2007 06:36 AM
Re: lgi_brk_disuser and SSH not working
$ Analyze /audit /full /since=yesterday /before=today sys$manager:security.audit$journal /event=breakin
I've got a job that runs daily and extracts separate reports for login, logfail, breakin, sysuaf, rightsdb, file access, and much more; it prints one copy of each to a hardcopy printer for our audit logs, then a second copy to a web page for me to examine.
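A check that could be run over such a daily report, as an added example that is not part of the original post or of any HP tooling: it groups SSH login failures by the "Remote username" field, because the "Username" field reads TCPIP$SSH on the failure records quoted in this thread, and lists accounts whose failures exceed the configured limit so their DISUSER state can be verified. The function names, the run-counting rule and the sample data are assumptions made for illustration.

```python
import re
from datetime import datetime

# Constructed sample (SMITH and 192.0.2.10 are made up), in the layout of the records quoted in this thread.
TEMPLATE = """Security alarm (SECURITY) and security audit (SECURITY) on WOODY, system id: 7178
Auditable event: Network login failure
Event time: 22-JAN-2007 {time}
Username: TCPIP$SSH
Remote node fullname: SSH_PASSWORD:{ip}
Remote username: {user}(LOCAL)
Status: %LOGIN-F-NOTVALID, user authorization failure
"""
ATTEMPTS = [("07:26:56.27", "1.2.3.4", "WEBER"), ("07:28:10.00", "1.2.3.4", "WEBER"),
            ("07:30:02.50", "1.2.3.4", "WEBER"), ("07:33:40.10", "1.2.3.4", "WEBER"),
            ("07:36:15.00", "1.2.3.4", "WEBER"), ("07:40:01.00", "1.2.3.4", "WEBER"),
            ("08:00:00.00", "192.0.2.10", "SMITH"), ("08:10:00.00", "192.0.2.10", "SMITH")]
SAMPLE = "".join(TEMPLATE.format(time=t, ip=i, user=u) for t, i, u in ATTEMPTS)

FIELD = re.compile(r"^\s*([A-Za-z][A-Za-z ]*?):\s*(.*)$")
EVENTS = {"Network login failure", "Network breakin detection"}

def parse_records(report):
    """Split report text into one {field: value} dict per audit record."""
    records = []
    for line in report.splitlines():
        if line.lstrip().startswith("Security alarm"):
            records.append({})
        elif records and (m := FIELD.match(line)):
            records[-1][m.group(1)] = m.group(2).strip()
    return records

def accounts_over_limit(report, limit=5, tmo=300):
    """Return {(account, source): longest run} for runs longer than `limit`.

    A run is a chain of failures, each within `tmo` seconds of the previous one.
    This approximates the LGI_BRK_LIM / LGI_BRK_TMO settings; it is not VMS's algorithm.
    """
    state = {}  # (account, source) -> (last_time, current_run, longest_run)
    failures = [r for r in parse_records(report) if r.get("Auditable event") in EVENTS]
    for rec in failures:  # assumes the report is in chronological order
        when = datetime.strptime(rec["Event time"], "%d-%b-%Y %H:%M:%S.%f")
        # Key on the remote username: "Username" is TCPIP$SSH on plain failures.
        account = rec.get("Remote username", "").split("(")[0]
        source = rec.get("Remote node fullname") or rec.get("Remote nodename", "")
        last, run, longest = state.get((account, source), (None, 0, 0))
        run = run + 1 if last and (when - last).total_seconds() <= tmo else 1
        state[(account, source)] = (when, run, max(longest, run))
    return {key: s[2] for key, s in state.items() if s[2] > limit}
```

Calling `accounts_over_limit(SAMPLE)` on the constructed data returns only the WEBER entry; each account it returns is one to compare against its flags in the authorization file.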
01-23-2007 12:07 PM
Re: lgi_brk_disuser and SSH not working
I think the clue is in the audit messages. Note that they're classified as "Network login failure" and "Network breakin detection". The help for LGI_BRK_DISUSER doesn't qualify what constitutes an attempted breakin, but I'm betting that it only applies to Interactive breakins.
For some reason SSH logins aren't treated the same as other kinds of interactive connection. You may have seen discussion about things like forced password changes, and other stuff associated with interactive logins not happening for SSH connections.
There are fairly good arguments for treating "true" network connections differently from interactive connections in terms of password handling. The trouble here is the way SSH is implemented blurs the distinction (or, is arguably just plain wrong!).
Log another case with HP Customer Support?
01-23-2007 01:47 PM
Re: lgi_brk_disuser and SSH not working
But seriously, I'd encourage direct contact with the good folks at the HP support center, particularly given that this does appear to be a security-relevant problem.
Stephen Hoffman
HoffmanLabs
01-24-2007 02:53 AM
Re: lgi_brk_disuser and SSH not working
Hoff, I thought you WERE the Shadow!?! Oh, wait, no, that's Wizard. Gotcha. 8^)
Thanks for the feedback folks -- based on this sanity check, I'm going forward with logging a call on this one. Even if it is just the subtle distinction between a network vs. interactive login, something really does appear to be wrong.