SSH Logins and LGI_RETRY_LIM

Richard W Hunt
Message 1 of 5

I've got an OpenVMS 7.3-2 and TCPIP Services version 5.4 ECO 7. SSH says it is v5.5 and then something about 3.2.0 after that, but that is not part of the regular version display.

LGI_RETRY_LIM is set to 3. A user attempts to enter the system, fat-fingers the password several times. She then logs in correctly. Problem is, I watched her do it. She gets at least 6 or 7 retries instead of just 3. When she logs in, the "login failures since last login" count is only 3. But I know for a fact that's a lie.

In my SSHD2_CONFIG file, AuthKbdInt.Retries is set to 3. PasswordGuesses is set to 3. Are these somehow multiplicative or additive in effect? (Instead of being minimized against each other as is done with certain quotas and limits when two different values apply?)


Sr. Systems Janitor

Hoff
Message 2 of 5

Re: SSH Logins and LGI_RETRY_LIM

Empirical evidence indicates that neither ssh nor certain other parts of TCP/IP Services (e.g. mail-related components) have been integrated with the OpenVMS authentication and evasion mechanisms.

Use the local mechanisms and controls where available within the tools, use good passwords, and expect to get hit with dictionary attacks on "public-facing" servers.

Some folks have used communications with a firewall to control these, to implement break-in evasion based on ssh activity. That task is easier on various Unix boxes, as you have an on-board firewall and can use a shell script and iptables or such to adjust its settings. But it's certainly also feasible to configure OpenVMS to communicate with an outboard firewall for this purpose. (HP claims/claimed a firewall for V8.4, but few details around programmatic control of same.)

And specifically with ssh, you can also choose to trump this problem and use the no-password login via certificates.

http://labs.hoffmanlabs.com/node/1118

David Jones_21
Message 3 of 5

Re: SSH Logins and LGI_RETRY_LIM

I'm using TCPIP 5.6 ECO3 and it seems to work correctly: login failures are counted correctly in sysuaf; intrusion records are added on logfail.

The early versions of the TCPIP SSH server were broken in a lot of ways. It didn't recognize mixed-case passwords, for example.
I'm looking for marbles all day long.

Richard W Hunt
Message 4 of 5

Re: SSH Logins and LGI_RETRY_LIM

Unfortunately, the PKI problem is more complex than that.

This is a case of Windows Reflection 14.0.x to OpenVMS, so the secure shell parameters relating to "non-OpenVMS to OpenVMS" apply. The only PKI that I could use is part of a certificate in a government-issue Computer Access Card (CAC), with an X509v3 certificate. The CAC is in Windows IPSEC format but the PKI keys that OpenVMS wants should be in OpenSSH format and I don't have a handy utility to do the extraction and conversion. Per Dept. of Defense regulations, I cannot legally issue the user a certificate because the only legal key is the one in the CAC.

What bothers me even more is that even things like the "Password Guesses" option in the SSHD2_CONFIG file isn't being honored.

As further information, the user failed to log in at least 6 or 7 times, which violates the DoD rules massively.

First, you are supposed to lose the connection after you exceed the "password guess" limit - in this case 3 for both SSH parameter PasswordGuess and SYSGEN's LGI_RETRY_LIM.

Second, you are supposed to cause evasion based on the LGI_BRKxxx parameters. The user's 6 or 7 login failures occurred in less than one minute. My parameters are set to LGI_BRK_LIM=3, LGI_BRK_TMO=3600, so I should have had an evasion event. But that didn't happen either, because the user logged in correctly after that (also within one minute of the initial failure).

Third, DoD Regs suggest that you should get accurate counts of the failed logins since your last good login, and it reported 3 but the accurate number would have been 6 or 7. So that is not good either.

Our site is planning an upgrade to OpenVMS 8.3 and whatever is the current TCPIP services for that O/S version, but the upgrade won't occur for a couple of months yet. Does anyone know if this problem exists for that version combination?
Sr. Systems Janitor
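The three rules in the message above (drop the session after LGI_RETRY_LIM failures, start evasion once LGI_BRK_LIM failures fall inside LGI_BRK_TMO seconds, report every failure since the last good login) are easy to check against a recorded sequence of attempts. The following is an added example, not code from this thread, from HP or from TCP/IP Services: a small Python model that applies those rules to a constructed attempt stream resembling the scenario described (seven bad passwords in half a minute, then the right one). The same failure-window logic is the core of what Hoff's message describes, feeding ssh failures into an external firewall. The evasion duration is taken from the real SYSGEN parameter LGI_HID_TIM, which the thread does not mention; its value here, and the treatment of a correct password during evasion as a counted failure, are assumptions of the model.

```python
# Added example: model of the OpenVMS login controls named in this thread
# (LGI_RETRY_LIM, LGI_BRK_LIM, LGI_BRK_TMO) applied to a constructed stream of
# login attempts. Not code from the thread, from HP, or from TCP/IP Services.
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Attempt:
    t: int        # seconds since the first attempt (constructed timestamps)
    ok: bool      # True when the password supplied was correct


@dataclass
class Outcome:
    disconnects: int = 0                  # sessions dropped by LGI_RETRY_LIM
    evasion_at: Optional[int] = None      # time break-in evasion should start
    refused_in_evasion: int = 0           # correct passwords rejected during evasion
    failures_since_last_login: int = 0    # the count shown at the next good login
    logged_in: bool = False


def simulate(attempts: List[Attempt], lgi_retry_lim: int = 3,
             lgi_brk_lim: int = 3, lgi_brk_tmo: int = 3600,
             lgi_hid_tim: int = 300) -> Outcome:
    """Apply the three rules from message 4 to one user's attempts.

    lgi_hid_tim (how long evasion lasts) is a real SYSGEN parameter that the
    thread does not mention; the default used here is an assumption.
    """
    out = Outcome()
    fails_this_session = 0
    fail_times: List[int] = []
    fails_since_login = 0
    for a in sorted(attempts, key=lambda x: x.t):
        in_evasion = (out.evasion_at is not None
                      and out.evasion_at <= a.t < out.evasion_at + lgi_hid_tim)
        if a.ok and not in_evasion:
            # Rule 3: the good login reports every failure since the last good one.
            out.failures_since_last_login = fails_since_login
            out.logged_in = True
            return out
        if a.ok:
            # Evasion in effect: the correct password is refused and, in this
            # model (assumption), counted as one more failure.
            out.refused_in_evasion += 1
        fails_since_login += 1
        fail_times.append(a.t)
        # Rule 1: LGI_RETRY_LIM failures end the session; the next try is a new one.
        fails_this_session += 1
        if fails_this_session >= lgi_retry_lim:
            out.disconnects += 1
            fails_this_session = 0
        # Rule 2: LGI_BRK_LIM failures inside LGI_BRK_TMO seconds start evasion.
        recent = [t for t in fail_times if a.t - t < lgi_brk_tmo]
        if out.evasion_at is None and len(recent) >= lgi_brk_lim:
            out.evasion_at = a.t
    out.failures_since_last_login = fails_since_login
    return out


# Constructed reproduction of the thread's scenario: seven bad passwords within
# half a minute, then the correct one under a minute after the first failure.
THREAD_SCENARIO = [Attempt(t, False) for t in (0, 5, 10, 15, 20, 25, 30)] + [Attempt(45, True)]

# Constructed well-behaved case: two slips, then the right password.
TWO_SLIPS = [Attempt(0, False), Attempt(5, False), Attempt(10, True)]

if __name__ == "__main__":
    r = simulate(THREAD_SCENARIO)
    print(f"sessions dropped by LGI_RETRY_LIM: {r.disconnects}")
    print(f"evasion should have started at t={r.evasion_at}s")
    print(f"good password refused during evasion: {r.refused_in_evasion}")
    print(f"logged in: {r.logged_in}; failures recorded: {r.failures_since_last_login}")
```

Run against the constructed scenario, the model drops the session twice, starts evasion at the third failure, refuses the correct password because it arrives inside the hidden time, and would report eight failures at the next good login; the observed behaviour (no disconnect, no evasion, a count of 3) is what the message above says was seen instead.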

Richard W Hunt
Message 5 of 5

Re: SSH Logins and LGI_RETRY_LIM

David, thanks. Your post and mine "crossed", I guess. I look forward to having this work better under OpenVMS 8.3.
Sr. Systems Janitor