bernie01

AIX /etc/security/lastlog not updated when login via ssh

Security auditing has led us to find that on older AIX systems, accessing the system via ssh does NOT result in /etc/security/lastlog being updated. We have about 40 systems where this is a problem; a typical one has levels:
iswhbfocd# oslevel
4.2.1.0
iswhbfocd# ssh -V
OpenSSH_3.6.1p2, SSH protocols 1.5/2.0, OpenSSL 0x0090701f
*
(Also happens with OpenSSH_2.5.2p2, OpenSSH_3.4p1, OpenSSH_3.7.1p1)
*
Can anyone point me to where/how I can enable logging to
lastlog? In later systems I can see a stanza in sshd.config:
*
PrintLastLog yes
# Specifies whether sshd should print the date and time when the
# user last logged in. The default is ``yes''.
*
Is this relevant?
Any comments would be appreciated.
Regards, Bernie.
yuzh

Did you build the openssh binary from source or download the binary from
somewhere?

If you built it from source, when you run configure, did you include:
--with-lastlog=FILE will specify the location of the lastlog file.
./configure searches a few locations for lastlog, but may not find
it if lastlog is installed in a different place.

Are all your AIX boxes running the same version of the OS? And is openssh compiled
with the same version of AIX? (If you compiled on AIX 4.x, lastlog will not work under
AIX 5.x.)
You can also try to download a newer version of openssh binary package from
the following site (IBM), and install and test it out, it should work.

http://www-106.ibm.com/developerworks/eserver/articles/openssh_aix.html
bernie01 (ASKER)

Update: found that by changing the /usr/local/etc/sshd_config parm from #UseLogin no to UseLogin yes, I can get an entry placed in /etc/security/lastlog on the systems with
OpenSSH_3.6.1p2.
*
But have found that the majority of these systems run
OpenSSH_2.5.2p2, SSH protocols 1.5/2.0,
and when I try the above fix on these boxes I get error:

spwhsms# su - webaeb
$ ssh localhost
webaeb@localhost's password:
Permission denied, please try again.
webaeb@localhost's password:
/dev/pts/4: 3004-004 You must "exec" login from the lowest login shell.
*
This version of Openssh was installed long, long before my time. I am not sure whether the installation was from binaries or source.
If you don't know how the old version of openssh was installed (compiled), and you want to make
it work with lastlog, it is time to update it now. (Download the binary from the IBM site, or download
the source and compile it yourself. I think the binary is the easy way to do it.)
"spwhsms# su - webaeb
$ ssh localhost
webaeb@localhost's password:
Permission denied, please try again.
webaeb@localhost's password:
/dev/pts/4: 3004-004 You must "exec" login from the lowest login shell."

It looks like it is a bug in the older version of openssh:

http://www.derkeiler.com/Newsgroups/comp.security.ssh/2002-06/0055.html
http://www.derkeiler.com/Newsgroups/comp.security.ssh/2002-06/0056.html

Please consider updating your openssh.
These systems are AIX 4.1.5 and 4.2.1 level. Looking at IBM's OpenSSH download pages I don't think there is a binary version for these old levels of AIX:
http://oss.software.ibm.com/developerworks/downloads/?group_id=108
*
For now we have altered the Audit tool to ignore these errors.  
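For an audit across many hosts, the two things this thread turns on can be checked mechanically: the effective UseLogin setting and whether a user's lastlog stanza carries time_last_login. The script below is an added example, not part of the original thread; the function names, the sample files and the first-occurrence-wins reading of sshd_config are assumptions.

```shell
#!/bin/sh
# Added example; every file written below is a constructed sample.

# Effective UseLogin of an sshd_config: commented lines are ignored, the
# keyword is case-insensitive, the first occurrence wins, default is "no".
effective_uselogin() {
    awk '/^[ \t]*#/ { next }
         tolower($1) == "uselogin" { print tolower($2); found = 1; exit }
         END { if (!found) print "no" }' "$1"
}

# time_last_login of USER from an AIX stanza file laid out like
# /etc/security/lastlog; prints nothing when the attribute is absent.
lastlog_time() {
    awk -v user="$2" '
        /^\*/ { next }                                  # stanza-file comment
        /^[^ \t].*:[ \t]*$/ { sub(/:[ \t]*$/, ""); cur = $0; next }
        cur == user && $1 == "time_last_login" { print $3; exit }' "$1"
}

# One audit verdict per (sshd_config, lastlog, user).
audit_lastlog() {
    ul=$(effective_uselogin "$1"); ts=$(lastlog_time "$2" "$3")
    if [ -n "$ts" ]; then
        echo "OK: $3 time_last_login=$ts (UseLogin=$ul)"
    elif [ "$ul" = "yes" ]; then
        echo "CHECK: UseLogin=yes but no time_last_login for $3"
    else
        echo "GAP: UseLogin=$ul, no time_last_login for $3"
    fi
}

# Constructed samples: the shipped default and the edited config from the thread.
write_samples() {
    mkdir -p "$1"
    printf '#UseLogin no\nPrintLastLog yes\n' > "$1/sshd_default"
    printf 'PrintLastLog yes\nUseLogin yes\nuselogin no\n' > "$1/sshd_changed"
    printf 'root:\n\ttime_last_login = 1066857600\n\ttty_last_login = /dev/pts/4\nwebaeb:\n\tunsuccessful_login_count = 0\n' > "$1/lastlog"
}

demo="${TMPDIR:-/tmp}/lastlog_demo.$$"
write_samples "$demo"
audit_lastlog "$demo/sshd_default" "$demo/lastlog" webaeb
audit_lastlog "$demo/sshd_changed" "$demo/lastlog" root
rm -rf "$demo"
```

A GAP verdict marks a host where the audit finding is expected from the configuration rather than from a missing login.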
no need to secure connections, for sure vulnerable portmapper is always on...