after installing Secure SSH 3.61 (T1471AA), last command reports some sessions still are open
Hi
(I repost this issue because it persists after installing patches).
Open Secure Shell 3.50 was used in my box. It worked fine. Due to security hole in Open SSH, I installed Open SSH 3.61 (product number T1471AA). Now every session closed in my box appears as 'open' in 'last' command output. For instance:
$ who pete pts/2 Feb 23 09:59
$ last -4 pete pts/2 Mon Feb 23 09:59 still logged in pete pts/1 Mon Feb 23 09:57 still logged in root console Mon Feb 23 09:45 - 09:58 (00:13)
Session in 'pts/1' is closed but 'last' reports it is still open.
I reported this issue some months ago. I installed patches recently but the problem persists.
Re: after installing Secure SSH 3.61 (T1471AA), last command reports some sessions still are open
Hi,
Are you on 3.61.001 or 3.61.002? I am using 3.61.002 on HP-UX 11.11 and it does not have any of your problems. the only qualms I have about this version has some trusted system auditing issue (which may be resolve in the next version).
regards.
what you do not see does not mean you should not believe
Re: after installing Secure SSH 3.61 (T1471AA), last command reports some sessions still are open
Hi
I opened a call in HP Response Center. Unlike call opened in last September, they said this issue is in labs since January 8th, 2004. Labs said a new SSH depot will be released.
2) I realized that a) at least two lines are logged into this file for each closed connection (one or more lines for opening, one for closing). I tracked a session by means of its tty. b) the third field is the PID of the process.
3) In sessions before installing SSH 3.61.002, all sessions handled by SSH are logged with the same PID for session openning event and for session closing event.
mary ts/1 pts/1 8675 7 0000 0000 1077277797 Feb 20 12:49:57 2004 192.39.137.53 192.39.137.53 ts/1 pts/1 8675 8 0000 0000 1077278211 Feb 20 12:56:51 2004 mary ts/1 pts/1 8992 7 0000 0000 1077279599 Feb 20 13:19:59 2004 192.39.137.53 192.39.137.53 ts/1 pts/1 8992 8 0000 0000 1077279687 Feb 20 13:21:27 2004 mary ts/1 pts/1 9031 7 0000 0000 1077279745 Feb 20 13:22:25 2004 192.39.137.53 192.39.137.53 johnny ts/2 pts/2 9112 7 0000 0000 1077279964 Feb 20 13:26:04 2004 182.27.249.97 182.27.249.97 ts/1 pts/1 9031 8 0000 0000 1077280012 Feb 20 13:26:52 2004 ts/2 pts/2 9112 8 0000 0000 1077282047 Feb 20 14:00:47 2004
After installing new SSH release, the PID fields are different:
mary ts/1 pts/1 4502 7 0000 0000 1077802850 Feb 26 14:40:50 2004 192.39.137.53 192.39.137.53 ts/1 pts/1 4500 8 0000 0000 1077803197 Feb 26 14:46:37 2004 mary ts/1 pts/1 4567 7 0000 0000 1077803294 Feb 26 14:48:14 2004 192.39.137.53 192.39.137.53 ts/1 pts/1 4565 8 0000 0000 1077803388 Feb 26 14:49:48 2004
Then I decided to change that field in the wtmp.txt in order to set the same PID value in both lines:
mary ts/1 pts/1 4567 7 0000 0000 1077803294 Feb 26 14:48:14 2004 192.39.137.53 192.39.137.53 ts/1 pts/1 4567 8 0000 0000 1077803388 Feb 26 14:49:48 2004
And recbuild the original wtmp file:
/usr/sbin/acct/fwtmp -ic < wtmp.txt > wtmp.new
and run last command:
last -f wtmp.new -10 mary
mary pts/1 Thu Feb 26 14:48 - 14:49 (00:01)
Now it shows that session closed...
Next step is tracking the source code in /opt/ssh/src/ssh/session.c ... but I have no time.
Re: after installing Secure SSH 3.61 (T1471AA), last command reports some sessions still are open
Good news...
T1471AA release A.03.71.000 is available. The /opt/ssh/README.hp contains the following paragraphs:
* The following additional bug fixes have been made for HP-UX Secure Shell
JAGaf00719 Fix for SSH server to properly log the pid of the closing session in the /var/adm/wtmp file to avoid "last" command showing "still logged in" output.
Re: after installing Secure SSH 3.61 (T1471AA), last command reports some sessions still are open
Excellent,
Glad your thread brought this to my attention.
SEP
Steven E Protter Owner of ISN Corporation http://isnamerica.com http://hpuxconsulting.com Sponsor: http://hpux.ws Twitter: http://twitter.com/hpuxlinux Founder http://newdatacloud.com
