06-24-2009 06:57 AM
LGI_RETRY_LIM is set to 3. A user attempts to enter the system, fat-fingers the password several times. She then logs in correctly. Problem is, I watched her do it. She gets at least 6 or 7 retries instead of just 3. When she logs in, the "login failures since last login" count is only 3. But I know for a fact that's a lie.
In my SSHD2_CONFIG file, AuthKbdInt.Retries is set to 3. PasswordGuesses is set to 3. Are these somehow multiplicative or additive in effect? (Instead of being minimized against each other as is done with certain quotas and limits when two different values apply?)
06-24-2009 07:18 AM
Use the local mechanisms and controls where available within the tools, use good passwords, and expect to get hit with dictionary attacks on "public-facing" servers.
Some folks have used communications with a firewall to control these; to implement breakin evasion based on ssh activity. That task is easier on various Unix boxes, as you have an on-board firewall and can use a shell script and iptables or such to adjust its settings. But it's certainly also feasible to configure OpenVMS to communicate with an outboard firewall for this purpose. (HP claims/claimed a firewall for V8.4, but few details around programmatic control of same.)
And specifically with ssh, you can also choose to trump this problem and use the no-password login via certificates.
06-24-2009 08:24 AM
The early versions of the TCPIP SSH server were broken in a lot of ways. It didn't recognize mixed case passwords, for example.
06-24-2009 08:30 AM
This is a case of Windows Reflection 14.0.x to OpenVMS, so the secure shell parameters relating to "non-OpenVMS to OpenVMS" apply. The only PKI that I could use is part of a certificate in a government-issue Computer Access Card (CAC), with an X509v3 certificate. The CAC is in Windows IPSEC format but the PKI keys that OpenVMS wants should be in OpenSSH format and I don't have a handy utility to do the extraction and conversion. Per Dept. of Defense regulations, I cannot legally issue the user a certificate because the only legal key is the one in the CAC.
What bothers me even more is that even things like the "Password Guesses" option in the SSHD2_CONFIG file isn't being honored.
As further information, the user failed to log in at least 6 or 7 times, which violates the DoD rules massively.
First, you are supposed to lose the connection after you exceed the "password guess" limit - in this case 3 for both SSH parameter PasswordGuess and SYSGEN's LGI_RETRY_LIM.
Second, you are supposed to cause evasion based on the LGI_BRKxxx parameters. The user's 6 or 7 login failures occurred in less than one minute. My parameters are set for LGI_BRK_LIM=3, LGI_BRK_TMO=3600, so I should have had an evasion event. But that didn't happen either, because the user logged in correctly after that (also within one minute of the initial failure).
Third, DoD Regs suggest that you should get accurate counts of the failed logins since your last good login, and it reported 3 but the accurate number would have been 6 or 7. So that is not good either.
Our site is planning an upgrade to OpenVMS 8.3 and whatever is the current TCPIP services for that O/S version, but the upgrade won't occur for a couple of months yet. Does anyone know if this problem exists for that version combination?
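The three expectations listed in the previous post (drop the connection after the guess limit, start break-in evasion once LGI_BRK_LIM failures land inside LGI_BRK_TMO seconds, and report an accurate failure count at the next good login) can be written down as a small reference model and replayed against the sequence the poster watched. The following is an added example, not code from any poster, from HP, or from the OpenVMS or TCPIP Services implementation. It assumes that evasion lasts LGI_BRK_TMO seconds (OpenVMS has its own separate timer for that), that every rejected attempt counts toward both the per-connection guess limit and the break-in window, and that only wrong passwords count toward "failures since last login"; the event list is constructed to match the 7-failure scenario described in the thread.

```python
"""Reference model of the login-failure accounting the thread expects.

Added example, not the OpenVMS or TCPIP Services implementation. Parameter
names follow the posts; the event format and timings are constructed.
"""
from dataclasses import dataclass, field
from typing import List, Optional

# Values quoted in the thread.
PASSWORD_GUESSES = 3   # SSHD2_CONFIG PasswordGuesses, matching SYSGEN LGI_RETRY_LIM
LGI_BRK_LIM = 3        # rejected attempts that trigger evasion ...
LGI_BRK_TMO = 3600     # ... when they fall inside this many seconds
EVASION_SECONDS = LGI_BRK_TMO  # assumption: evasion lasts one break-in window


@dataclass
class LoginAudit:
    failures_since_good: int = 0          # wrong passwords since last accepted login
    recent_failures: List[float] = field(default_factory=list)  # timestamps
    evasion_until: Optional[float] = None
    guesses_this_connection: int = 0
    last_report: Optional[int] = None     # count shown at the last accepted login

    def new_connection(self) -> None:
        """A fresh SSH connection gets a fresh guess budget."""
        self.guesses_this_connection = 0

    def attempt(self, ts: float, ok: bool) -> str:
        """Process one password attempt at time ts.

        Returns 'accepted', 'rejected', 'evading' (correct or not, the account is
        hidden by break-in evasion) or 'disconnected' (guess limit reached).
        """
        evading = self.evasion_until is not None and ts < self.evasion_until
        if ok and not evading:
            self.last_report = self.failures_since_good
            self.failures_since_good = 0
            return "accepted"

        # Every other outcome is a rejection as far as the limits are concerned.
        if not ok:
            self.failures_since_good += 1
        self.guesses_this_connection += 1

        # Break-in detection: keep only failures inside the LGI_BRK_TMO window.
        self.recent_failures = [t for t in self.recent_failures if ts - t < LGI_BRK_TMO]
        self.recent_failures.append(ts)
        if len(self.recent_failures) >= LGI_BRK_LIM:
            self.evasion_until = ts + EVASION_SECONDS

        if self.guesses_this_connection >= PASSWORD_GUESSES:
            return "disconnected"
        return "evading" if evading else "rejected"


def replay(events, audit: Optional[LoginAudit] = None):
    """Feed (timestamp, action) events through the model; action is
    'connect', 'fail' or 'success'. Returns the audit state and a status log."""
    audit = audit or LoginAudit()
    log = []
    for ts, action in events:
        if action == "connect":
            audit.new_connection()
            continue
        log.append((ts, action, audit.attempt(ts, action == "success")))
    return audit, log


# Constructed scenario: seven wrong passwords in under a minute, then the
# right one within the same minute, then the right one again an hour later.
SCENARIO = [
    (0, "connect"),
    (5, "fail"), (10, "fail"), (15, "fail"),      # third guess: drop + evasion starts
    (20, "connect"),
    (25, "fail"), (30, "fail"), (35, "fail"),     # evasion active, still drops at 3
    (40, "connect"),
    (45, "fail"), (50, "success"),                # right password, but still evading
    (4000, "connect"), (4005, "success"),         # evasion expired: accepted
]


if __name__ == "__main__":
    audit, log = replay(SCENARIO)
    for ts, action, status in log:
        print(f"t={ts:>5}  {action:<8} -> {status}")
    print(f"failures reported at last good login: {audit.last_report}")
```

Run as written, the model drops each connection on the third guess, refuses the correct password at t=50 because evasion is still in force, and reports 7 failures at the accepted login at t=4005; the thread's observed behaviour (no drop, no evasion, a count of 3) differs from this model at every one of the three points the post lists, which is a useful way to write up the discrepancy for a support case.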