HPE Community
Operating System - OpenVMS
1752794 Members
7415 Online
108789 Solutions
New Discussion юеВ

Re: SSH Logins and LGI_RETRY_LIM

 
SOLVED
Go to solution
Richard W Hunt
Valued Contributor

тАО06-24-2009 06:57 AM

тАО06-24-2009 06:57 AM

SSH Logins and LGI_RETRY_LIM

I've got an OpenVMS 7.3-2 and TCPIP services vers 5.4 ECO 7, SSH says it is v5.5 and then something about 3.2.0 after that but not part of the regular version display.

LGI_RETRY_LIM is set to 3. A user attempts to enter the system, fat-fingers the password several times. She then logs in correctly. Problem is, I watched her do it. She gets at least 6 or 7 retries instead of just 3. When she logs in, the "login failures since last login" count is only 3. But I know for a fact that's a lie.

In my SSHD2_CONFIG file, AuthKbdInt.Retries is set to 3. PasswordGuesses is set to 3. Are these somehow multiplicative or additive in effect? (Instead of being minimized against each other as is done with certain quotas and limits when two different values apply?)


Sr. Systems Janitor
0 Kudos
Reply
4 REPLIES 4
Hoff
Honored Contributor

тАО06-24-2009 07:18 AM

тАО06-24-2009 07:18 AM

Re: SSH Logins and LGI_RETRY_LIM

Empirical evidence indicates that neither ssh nor certain other parts of TCP/IP Services (eg: mail-related components) have been integrated with the OpenVMS authentication and evasion mechanisms.

Use the local mechanisms and controls where available within the tools, use good passwords, and expect to get hit with dictionary attacks on "public-facing" servers.

Some folks have used communications with a firewall to control these; to implement breakin evasion based on ssh activity. That task is easier on various Unix boxes, as you have an on-board firewall and can use a shell script and iptables or such to adjust its settings. But it's certainly also feasible to configure OpenVMS to communicate with an outboard firewall for this purpose. (HP claims/claimed a firewall for V8.4, but few details around programmatic control of same.)

And specifically with ssh, you can also choose to trump this problem and use the no-password login via certificates.

http://labs.hoffmanlabs.com/node/1118
Reply
David Jones_21
Trusted Contributor

тАО06-24-2009 08:24 AM

тАО06-24-2009 08:24 AM

Solution

Re: SSH Logins and LGI_RETRY_LIM

I'm using TCPIP 5.6 ECO3 and it seems to works correctly: login failues counted correctly in sysuaf; intrusion records added on logfail;

The early versions of the TCPIP SSH server was broken it a lot of ways. It didn't recognize mixed case passwords, for example.
I'm looking for marbles all day long.
Reply
Richard W Hunt
Valued Contributor

тАО06-24-2009 08:30 AM

тАО06-24-2009 08:30 AM

Re: SSH Logins and LGI_RETRY_LIM

Unfortunately, the PKI problem is more complex than that.

This is a case of Windows Reflection 14.0.x to OpenVMS, so the secure shell parameters relating to "non-OpenVMS to OpenVMS" apply. The only PKI that I could use is part of a certificate in a government-issue Computer Access Card (CAC), with an X509v3 certificate. The CAC is in Windows IPSEC format but the PKI keys that OpenVMS wants should be in OpenSSH format and I don't have a handy utility to do the extraction and conversion. Per Dept. of Defense regulations, I cannot legally issue the user a certificate because the only legal key is the one in the CAC.

What bothers me even more is that even things like the "Password Guesses" option in the SSHD2_CONFIG file isn't being honored.

As further information, the user failed to login at least 6 or 7 times, which violates the DoD rules massively.

First, you are supposed to lose the connection after you exceed the "password guess" limit - in this case 3 for both SSH parameter PasswordGuess and SYSGEN's LGI_RETRY_LIM.

Second, you are supposed to cause evasion based on the LGI_BRKxxx parameters. The user's 6 or 7 login failures occurred in less than one minute. My parameters are set for LGI_BRK_LIM = 3, LGI_BRK_TMO=3600, so I should have had an evasion event. But that didn't happen either, because the user logged in correctly after that (also within one minute of the initial failure).

Third, DoD Regs suggest that you should get accurate counts of the failed logins since your last good login, and it reported 3 but the accurate number would have been 6 or 7. So that is not good either.

Our site is planning an upgrade to OpenVMS 8.3 and whatever is the current TCPIP services for that O/S version, but the upgrade won't occur for a couple of months yet. Does anyone know if this problem exists for that version combination?
Sr. Systems Janitor
0 Kudos
Reply
Richard W Hunt
Valued Contributor

тАО06-24-2009 08:48 AM

тАО06-24-2009 08:48 AM

Re: SSH Logins and LGI_RETRY_LIM

David, thanks. Your post and mine "crossed" I guess. I look forward to having this work better under OpenVMS 8.3
Sr. Systems Janitor
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.