
Remote host identification: Telnet vs SSH


Alan Frisbie

Mar 11, 2004, 1:27:33 PM
On VMS v7.3-2, the SHOW USERS/FULL command displays the remote
host if the connection came in via Telnet, but not if it came
in via SSH. Is there any way to find/extract/display this
information?

Example:

FLORES Maria Flores 0000139F LTA5378: (YELLOW/PORT_3)
FREZZA Angelica Frezza 00001746 TNA904:
(Host: quality1.nelsonusa.com Port: 1207)
FRISBIE Alan Frisbie 00001664 FTA43:

In the first case (LTA5378:), the user is on a terminal server
port, which makes it easy to track them down.

In the second case (TNA904:), the user is connected via Telnet
and the host identification makes it easy to track them down.

In the third case (FTA43:), the user is connected via SSH, but
there is no indication of where the connection came from.

Any help would be appreciated. I would really like to use this
information in SYLOGIN.COM so connections from outside our local
network can be treated differently.

Thanks,
Alan

Wilm Boerhout

Mar 11, 2004, 1:50:35 PM
The remote port identification is given to LOGINOUT.EXE, and hence to
the user process, by the internet ACP "demon" on VMS. Depending on the
TCPIP stack used, various versions of the remote port info strings may
be generated. I'm not too familiar with SSH, but apparently when the
incoming connection is made via SSH, no information at all is passed to
LOGINOUT and the user process environment.

Does your SSH implementation have (hidden) features (logical names etc.)
to direct the remote port info behaviour? UCX doesn't, Multinet does,
others ???

Wilm Boerhout

--
Wilm Boerhout

wil...@PAINTboerhout.nl
(remove OLD PAINT from reply address)

VAXman-

Mar 11, 2004, 2:09:16 PM

Alan, FT terminals do not support the access port name by default.

I hacked up some code a few years back to allow the FT to employ an
access port name. This code is now used by Process Software in the
Multinet and TCPware implementations of SSH to provide the information
you seek.

You could use the code I devised to add access port information but
you'll need to figure out how to relate the FT devices back to the
remote system somehow first.

--
http://www.legacy-2000.com for the *best* OpenVMS system security
solutions that others only claim to be.
--
VAXman- A Bored Certified VMS Kernel Mode Hacker VAXman(at)TMESIS(dot)COM

"Well my son, life is like a beanstalk, isn't it?"

Bob Koehler

Mar 11, 2004, 2:13:39 PM
In article <4050AF9...@Flying-Disk.com>, Alan Frisbie <Usenet0...@Flying-Disk.com> writes:
>
> In the third case (FTA43:), the user is connected via SSH, but
> there is no indication of where the connection came from.
>
> Any help would be appreciated. I would really like to use this
> information in SYLOGIN.COM so connections from outside our local
> network can be treated differently.

You need a better IP stack. Multinet, for example, provides this:

KOEHLER KOEHLER 00004292 FTA842: (ssh/<node>:<number>)

mcki...@cpva.saic.com

Mar 11, 2004, 2:21:20 PM
In article <c2qcjq$l7r$1...@reader10.wxs.nl>,

Wilm Boerhout <w.boer...@PAINTplanet.nl> writes:
> The remote port identification is given to LOGINOUT.EXE, and hence to
> the user process, by the internet ACP "demon" on VMS. Depending on the
> TCPIP stack used, various versions of the remote port info strings may
> be generated. I'm not too familiar with SSH, but apparently when the
> incoming connection is made via SSH, no information at all is passed to
> LOGINOUT and the user process environment.
>

Or perhaps LOGINOUT is not run. It all depends upon how the process is
created. At least some SSH implementations do not execute LOGINOUT.

Alan Frisbie

Mar 11, 2004, 3:57:44 PM
Bob Koehler wrote:
> In article <4050AF9...@Flying-Disk.com>, Alan Frisbie
> <Usenet0...@Flying-Disk.com> writes:

>> In the third case (FTA43:), the user is connected via SSH, but
>> there is no indication of where the connection came from.

> You need a better IP stack. Multinet, for example, provides this:


>
> KOEHLER KOEHLER 00004292 FTA842: (ssh/<node>:<number>)

I'm beginning to get the hint(s) that I should ditch HP's
implementation and switch to Multinet:

1. HP can't handle expired passwords
2. HP doesn't let me know the remote node
3. ???

Darn, just when I was getting comfortable with it. How difficult
is it to switch?

Alan

David Jones

Mar 11, 2004, 4:20:57 PM
In article <c2qcjq$l7r$1...@reader10.wxs.nl>,
Wilm Boerhout <w.boer...@PAINTplanet.nl> writes:
> The remote port identification is given to LOGINOUT.EXE, and hence to
> the user process, by the internet ACP "demon" on VMS. Depending on the
> TCPIP stack used, various versions of the remote port info strings may
> be generated.

In the server I wrote, the SSH daemon uses Brian's FT hack to set the
accpornam field of the pseudo-terminal before it even creates the user process
that attaches to it. There is nothing loginout.exe has to do.

David L. Jones | Phone: (614) 292-6929
Ohio State University | Internet:
140 W. 19th St. Rm. 231a | jon...@er6s1.eng.ohio-state.edu
Columbus, OH 43210 | vm...@osu.edu

Disclaimer: I'm looking for marbles all day long.
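
Added example, not code from any poster in this thread: a SYLOGIN.COM fragment that reads the terminal's access port name (the accpornam field mentioned above) through F$GETDVI and classifies the session using the string layouts quoted in the thread. LOCAL_SUFFIX, SESSION_ORIGIN and the ".EXAMPLE.COM" domain are hypothetical; an empty string, as reported above for FT devices that carry no access port name, is treated as not local.

```dcl
$! Added example for SYLOGIN.COM; not code from any poster in this thread.
$! LOCAL_SUFFIX and SESSION_ORIGIN are hypothetical names for illustration.
$ IF F$MODE() .NES. "INTERACTIVE" THEN GOTO origin_done
$ local_suffix = ".EXAMPLE.COM"          ! placeholder: the site's own domain
$ session_origin == "UNKNOWN"            ! empty or unrecognised string stays untrusted
$ host = ""
$ port = F$EDIT(F$GETDVI("TT:","TT_ACCPORNAM"),"TRIM,UPCASE")
$ IF port .EQS. "" THEN GOTO origin_report
$! Telnet form quoted in the thread: "Host: <name> Port: <number>"
$ IF F$EXTRACT(0,5,port) .EQS. "HOST:"
$ THEN
$   rest = F$EDIT(F$EXTRACT(5,F$LENGTH(port),port),"TRIM")
$   host = F$ELEMENT(0," ",rest)
$ ENDIF
$! SSH form quoted in the thread: "ssh/<node>:<number>"
$ IF F$EXTRACT(0,4,port) .EQS. "SSH/"
$ THEN
$   host = F$ELEMENT(0,":",F$EXTRACT(4,F$LENGTH(port),port))
$ ENDIF
$ IF host .EQS. "" THEN GOTO check_lat
$ session_origin == "REMOTE"
$ offset = F$LENGTH(host) - F$LENGTH(local_suffix)
$ IF offset .GT. 0
$ THEN
$   tail = F$EXTRACT(offset,F$LENGTH(local_suffix),host)
$   IF tail .EQS. local_suffix THEN session_origin == "LOCAL"
$ ENDIF
$ GOTO origin_report
$check_lat:
$! Terminal-server form: "<server>/<port>" on an LTA device (assumed local)
$ devnam = F$GETDVI("TT:","DEVNAM")
$ IF F$LOCATE("LTA",devnam) .LT. F$LENGTH(devnam) THEN session_origin == "LOCAL"
$origin_report:
$ IF session_origin .NES. "LOCAL" THEN -
     WRITE SYS$OUTPUT "Session origin ''session_origin': applying outside-network policy"
$origin_done:
$ EXIT
```

A host name in this string is only as trustworthy as the name resolution that produced it, so where the stack records an address instead, match on the address range rather than a domain suffix.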

Martin Vorlaender

Mar 12, 2004, 3:13:19 AM
Alan Frisbie wrote:

> Bob Koehler wrote:
>> Alan Frisbie <Usenet0...@Flying-Disk.com> writes:
>>> In the third case (FTA43:), the user is connected via SSH, but
>>> there is no indication of where the connection came from.
>>
>> You need a better IP stack. Multinet, for example, provides this:
>>
>> KOEHLER KOEHLER 00004292 FTA842: (ssh/<node>:<number>)
>
> I'm beginning to get the hint(s) that I should ditch HP's
> implementation and switch to Multinet:
>
> 1. HP can't handle expired passwords
> 2. HP doesn't let me know the remote node
> 3. ???
>
> Darn, just when I was getting comfortable with it. How difficult
> is it to switch?

Not very difficult. There's a product called "SSH for OpenVMS" that
effectively is the MultiNet SSH implementation for use with TCP/IP
Services. See http://www.process.com/tcpip/ssh.html

You should even be able to re-use your config files and keys.

cu,
Martin

--
OpenVMS: | Martin Vorlaender | OpenVMS rules!
The operating system | work: m...@pdv-systeme.de
God runs the | http://www.pdv-systeme.de/users/martinv/
earth simulation on. | home: mar...@radiogaga.harz.de

Bob Koehler

Mar 12, 2004, 8:36:20 AM
In article <4050D2C8...@Flying-Disk.com>, Alan Frisbie <Usenet0...@Flying-Disk.com> writes:
>
> Darn, just when I was getting comfortable with it. How difficult
> is it to switch?

I've actually done this at home. After temporarily installing UCX
 I simply installed Multinet and updated systartup_vms.com. I'm
probably wasting a little disk space as I don't recall whether I
actually removed UCX.

Alan Frisbie

Mar 12, 2004, 1:30:40 PM
Martin Vorlaender wrote:
> Alan Frisbie wrote:
>
>>Bob Koehler wrote:

>>> Alan Frisbie <Usenet0...@Flying-Disk.com> writes:

>>>> In the third case (FTA43:), the user is connected via SSH, but
>>>> there is no indication of where the connection came from.

>>> You need a better IP stack. Multinet, for example, provides this:

>>Darn, just when I was getting comfortable with it. How difficult
>>is it to switch?

> Not very difficult. There's a product called "SSH for OpenVMS" that
> effectively is the MultiNet SSH implementation for use with TCP/IP
> Services. See http://www.process.com/tcpip/ssh.html
>
> You should even be able to re-use your config files and keys.

Cool, it looks like it is worth checking out. Unfortunately,
I couldn't find any pricing information on their web site. Do
you have any idea what it costs?

Alan

VAXman-

Mar 12, 2004, 1:43:03 PM
From an email I received from Process:

The SSH client server lic is $1200 / lic and $240 annually for support. The
server-only lic is $995 / lic and $200 annually for support.

John Brandon

Mar 12, 2004, 3:08:57 PM
>
> Cool, it looks like it is worth checking out. Unfortunately,
> I couldn't find any pricing information on their web site. Do
> you have any idea what it costs?
>
> Alan

I believe it is about $1,200 per server.


J*o*h*n B*r*a*n*d*o*n
VMS Systems Administrator
firstname.lastn...@dalsemi.com

John Smith

Mar 12, 2004, 10:17:55 PM

<VAXman- @SendSpamHere.ORG> wrote in message
news:00A2EBC0...@SendSpamHere.ORG...

> In article <405201D0...@Flying-Disk.com>, Alan Frisbie
> <Usenet0...@Flying-Disk.com> writes:
> >Martin Vorlaender wrote:
> >> Alan Frisbie wrote:
> >>
> >>>Bob Koehler wrote:
> >
> >>>> Alan Frisbie <Usenet0...@Flying-Disk.com> writes:
> >
> >>>>> In the third case (FTA43:), the user is connected via SSH, but
> >>>>> there is no indication of where the connection came from.
> >
> >>>> You need a better IP stack. Multinet, for example, provides this:
> >
> >>>Darn, just when I was getting comfortable with it. How difficult
> >>>is it to switch?
> >
> >> Not very difficult. There's a product called "SSH for OpenVMS" that
> >> effectively is the MultiNet SSH implementation for use with TCP/IP
> >> Services. See http://www.process.com/tcpip/ssh.html
> >>
> >> You should even be able to re-use your config files and keys.
> >
> >Cool, it looks like it is worth checking out. Unfortunately,
> >I couldn't find any pricing information on their web site. Do
> >you have any idea what it costs?
> >
> >Alan
> >
> From an email I received from Process:
>
> The SSH client server lic is $1200 / lic and $240 annually for support. The
> server-only lic is $995 / lic and $200 annually for support.


Cheap at twice the price

