HP TCP/IP Services for OpenVMS Guide to SSH
Managing the SSH Service
The default settings are used for options that do not appear in the configuration file.

Auditing Options for the Client Configuration File
NumberOfPasswordVerificationPrompts
Allowed values: An integer greater than 0
Default: 3
Description: Specifies the number of times the client user is allowed to fail verification of the new password when forced to change it on login. Applies to OpenVMS-to-OpenVMS connections only.
PubkeyPassphraseGuesses
Allowed values: An integer greater than 0
Default: 3
Description: Specifies the number of guesses the client user is allowed for the passphrase associated with public/private key pair. Used for public key authentication method only.
The value of this option affects connections to servers on all platforms, including those on non-OpenVMS systems that may have problems associated with passphrase entry.
When the value is different on an OpenVMS client and the associated OpenVMS server, the lower value takes precedence.
Each prompt for passphrase is of the following format:
Passphrase for key "ssh2/KAREN-SELFDBOB_SQA_UCX_ABC_ACME_COM" with comment "1024-bit dsa, karen@dbob.sqa.ucx.abc.acme.com, Wed May 21 2003 12:42:14":
If the user enters an incorrect passphrase, the prompt appears the number of times specified for the PubkeyPassphraseGuesses option.
NumberOfHostkeyCopyPrompts
Allowed values: an integer greater than 0
Default: 3
Description: Specifies the number of times the client user gets prompted to answer yes or no when asked about continuing to start an SSH session, if there is no host key and the value of StrictHostKeyChecking is ask.
Auditing Options for the Server Configuration File
LogfailAuthentications
Allowed values: password, hostbased, all, none
Default: password
Description: Specifies the authentication methods for which the SYSUAF login failure count is updated for the user.
The following command displays the number of login failures: MCR AUTHORIZE SHOW username
IntrusionAuthentications
Allowed values: password, hostbased, all, none
Default: password
Description: Specifies the authentication methods for which the server intrusion database is updated for the user when a login attempt fails.
Displays the contents of the intrusion database: SHOW INTRUSION
IntrusionIdentSsh
Default: publickey, password, hostbased
Description: For entries in the intrusion database, this option controls whether the string SSH_ is included in the text of the intrusion Source (as displayed by the SHOW INTRUSION command). The value of this option is ignored if IntrusionAuthentications is not active for the specified method.
Displays the contents of the intrusion database: SHOW INTRUSION
IntrusionIdentMethod
Allowed values: password, hostbased, all, none
Default: publickey, password, hostbased
Description: For entries in the intrusion database, this option controls whether the authentication method is included in the text of the intrusion Source (as displayed by the SHOW INTRUSION command). The value of this option is ignored if either IntrusionAuthentications or IntrusionIdentSsh is not active for the specified method.
Displays the contents of the intrusion database: SHOW INTRUSION
AccountingAuthentications
Allowed values: password, hostbased, all, none
Default: publickey, password, hostbased
Description: Specifies the authentication methods for which accounting data is updated.
Displays the accounting data: ACCOUNTING
AllowNonvmsLoginWithExpiredPw
Allowed values: yes, no
Default: no
Description: Controls behavior when a non-OpenVMS client attempts to establish an SSH connection to an OpenVMS server account with an expired password. The password change option is implemented for OpenVMS-to-OpenVMS connections only. The value yes allows clients to connect with a warning message and sets the pwd_expired flag in the user's SYSUAF record. The value no rejects the login.
UserLoginLimit
Allowed values: integers from -1 to 8192
Default: -1
Description: Controls the number of times individual users can be logged in. If the value is -1, the systemwide limit on interactive logins (SYSGEN parameter IJOBLIM) applies. If the value is greater than zero, the number specifies the maximum number of times that an individual user can log in.
-1 = no limit on specific users
0 = disable all users
1 - 8192 = number of logins permitted for individual users
Displays details on login processes for USER: SHOW USER /FULL /NODE=serverhost
PubkeyPassphraseGuesses
Allowed values: Integers greater than 0
Default: 3
Description: Specifies the number of times the client user is allowed to attempt to enter the passphrase associated with public/private key pair. Used for public key authentication method only. In the server configuration file, this value affects all clients, including those on OpenVMS systems.
When the value is different on an OpenVMS client and the associated OpenVMS server, the lower value takes precedence.
Each prompt for passphrase is of the following format:
Passphrase for key "ssh2/KAREN-SELFDBOB_SQA_UCX_ABC_ACME_COM" with comment "1024-bit dsa, karen@dbob.sqa.ucx.abc.acme.com, Wed May 21 2003 12:42:14":

How the Server Performs Auditing

When auditing is enabled for the specified authentication method, the SSH server performs the following functions, depending on the type of login and whether the login attempt is successful.

When an interactive login is successful:
If the AccountingAuthentications keyword includes the current authentication method, the accounting data is updated.

When a remote command execution is successful, no updates are made to the user's SYSUAF record. Thus:

When the login or remote command execution fails:
If the IntrusionAuthentications keyword includes the current authentication method, the intrusion database is updated with text controlled by the IntrusionIdentSsh and IntrusionIdentMethod keywords in the server configuration file.
If the AccountingAuthentications keyword includes the current authentication method, the accounting data is updated.
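The decision table above, together with the server options listed earlier (LogfailAuthentications, IntrusionAuthentications, IntrusionIdentSsh, IntrusionIdentMethod, AccountingAuthentications, UserLoginLimit), can be modelled as a small program so that an administrator can check which records a given option set will update before deploying it. The example below is added for this page and is not HP's code nor part of TCP/IP Services; it assumes a configuration file of "Keyword value" lines with "#" comments, uses a constructed sample file, and composes a constructed Source string for intrusion entries (the page only says whether "SSH_" and the method name appear, not the surrounding format). It also assumes that a successful remote command execution produces no accounting update, which the page does not state either way.

```python
"""Model of the OpenVMS SSH server auditing rules (illustrative example,
not product code). Config line syntax and the intrusion Source format
are assumptions; the sample configuration is constructed."""

# Defaults as listed on the page; options absent from the file use these.
DEFAULTS = {
    "LogfailAuthentications": "password",
    "IntrusionAuthentications": "password",
    "IntrusionIdentSsh": "publickey, password, hostbased",
    "IntrusionIdentMethod": "publickey, password, hostbased",
    "AccountingAuthentications": "publickey, password, hostbased",
    "UserLoginLimit": "-1",
    "PubkeyPassphraseGuesses": "3",
}

# Methods that the value "all" expands to.
ALL_METHODS = {"publickey", "password", "hostbased"}

# Constructed sample configuration (not a real SSH2_CONFIG file).
SAMPLE_CONFIG = """\
# constructed sample for this example
IntrusionAuthentications   all
IntrusionIdentMethod       password
AccountingAuthentications  none
UserLoginLimit             4
"""


def parse_server_config(text):
    """Parse 'Keyword value' lines (assumed syntax), ignoring blank lines
    and '#' comments; options not present keep their page defaults."""
    cfg = dict(DEFAULTS)
    canon = {k.lower(): k for k in DEFAULTS}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        key = canon.get(parts[0].lower(), parts[0])
        cfg[key] = parts[1].strip() if len(parts) > 1 else ""
    return cfg


def methods_for(value):
    """Expand an option value ('all', 'none' or a comma list) to a set."""
    v = value.strip().lower()
    if v == "all":
        return set(ALL_METHODS)
    if v == "none":
        return set()
    return {m.strip() for m in v.split(",") if m.strip()}


def option_active(cfg, option, method):
    return method in methods_for(cfg[option])


def build_intrusion_source(cfg, method, remote_host):
    """Constructed Source text. IntrusionIdentSsh decides whether 'SSH_'
    appears; IntrusionIdentMethod decides whether the method appears and
    is ignored unless IntrusionIdentSsh is active too (page rule)."""
    if not option_active(cfg, "IntrusionAuthentications", method):
        return None  # no intrusion record at all for this method
    text = ""
    if option_active(cfg, "IntrusionIdentSsh", method):
        text += "SSH_"
        if option_active(cfg, "IntrusionIdentMethod", method):
            text += method.upper() + "_"
    return text + remote_host


def audit_actions(cfg, method, interactive, success, remote_host="HOST"):
    """Records the server updates for one login event, per the page."""
    actions = set()
    if success:
        # Interactive success: accounting only if the method is listed.
        # Remote command success: no SYSUAF update (page); accounting is
        # assumed not to be touched either.
        if interactive and option_active(cfg, "AccountingAuthentications", method):
            actions.add("accounting")
        return actions
    if option_active(cfg, "LogfailAuthentications", method):
        actions.add("sysuaf-failure-count")
    source = build_intrusion_source(cfg, method, remote_host)
    if source is not None:
        actions.add("intrusion:" + source)
    if option_active(cfg, "AccountingAuthentications", method):
        actions.add("accounting")
    return actions


def effective_login_limit(cfg, ijoblim):
    """UserLoginLimit: -1 means the SYSGEN IJOBLIM value applies,
    0 disables all users, 1..8192 is the per-user limit."""
    n = int(cfg["UserLoginLimit"])
    if not -1 <= n <= 8192:
        raise ValueError("UserLoginLimit must be between -1 and 8192")
    return ijoblim if n == -1 else n


def effective_passphrase_guesses(client_value, server_value):
    """When client and server values differ, the lower one wins."""
    return min(int(client_value), int(server_value))
```

With the sample file, a failed password login yields an intrusion entry tagged SSH_PASSWORD_ plus a SYSUAF failure-count update, while a failed hostbased login yields only an intrusion entry tagged SSH_ (IntrusionIdentMethod lists password only); the accounting record is never touched because AccountingAuthentications is none.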