
AIX /etc/security/lastlog not updated when login via ssh

Posted on 2003-11-13
Last Modified: 2013-12-04
Security auditing has led us to find that on older AIX systems, accessing the system via ssh does NOT result in /etc/security/lastlog being updated. We have about 40 systems where this is a problem; a typical one has levels:
iswhbfocd# oslevel
4.2.1.0
iswhbfocd# ssh -V
OpenSSH_3.6.1p2, SSH protocols 1.5/2.0, OpenSSL 0x0090701f
*
(Also happens with OpenSSH_2.5.2p2, OpenSSH_3.4p1,OpenSSH_3.7.1p1)
*
Can anyone point me to where/how I can enable logging to
lastlog? In later systems I can see a stanza in sshd.config:
*
PrintLastLog yes
# Specifies whether sshd should print the date and time when the
# user last logged in. The default is ``yes''.
*
Is this relevant?
Any comments would be appreciated.
Regards, Bernie.
Question by:bernie01
10 Comments
 
LVL 38

Expert Comment

by:yuzh
ID: 9745102
Did you build the openssh binary from source or download the binary from
somewhere?

If you built it from source, when you run configure, did you include:
--with-lastlog=FILE will specify the location of the lastlog file.
./configure searches a few locations for lastlog, but may not find
it if lastlog is installed in a different place.

Are all your AIX boxes running the same version of the OS? And is openssh compiled
with the same version of AIX? (If you compiled on AIX 4.x, lastlog will not work under
AIX 5.x.)
0
 
LVL 38

Expert Comment

by:yuzh
ID: 9745175
You can also try to download a newer version of openssh binary package from
the following site (IBM), and install and test it out, it should work.

http://www-106.ibm.com/developerworks/eserver/articles/openssh_aix.html
0
 
LVL 24

Accepted Solution

by:
shivsa earned 300 total points
ID: 9753424
When you installed it, did you mention
--with-lastlog=/etc/security/lastlog?


0

 

Author Comment

by:bernie01
ID: 9760255
Update: found that by changing /usr/local/etc/sshd_config parm #UseLogin no, change to UseLogin yes I can get an entry placed in /etc/security/lastlog on the systems with
OpenSSH_3.6.1p2.
*
But have found that the majority of these systems run
OpenSSH_2.5.2p2, SSH protocols 1.5/2.0,
and when I try the above fix on these boxes I get error:

spwhsms# su - webaeb
$ ssh localhost
webaeb@localhost's password:
Permission denied, please try again.
webaeb@localhost's password:
/dev/pts/4: 3004-004 You must "exec" login from the lowest login shell.
*
This version of Openssh was installed long, long before my time. I am not sure whether the installation was from binaries or source.
0
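
An added example (not from the thread or any poster): a small POSIX shell audit check for the situation discussed here. It reads the effective UseLogin setting from sshd_config and tests whether a user's stanza in the AIX lastlog stanza file was updated after a test ssh login; the function names, sample files and timestamps are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit check for sshd logins missing from AIX lastlog.
# Sample files and timestamps are constructed; on a real host point the
# functions at your sshd_config and /etc/security/lastlog.

# Effective value of an sshd_config keyword: keywords are case-insensitive,
# '#' lines are comments, and the first occurrence wins.
sshd_effective() {    # usage: sshd_effective KEYWORD FILE
    awk -v kw="$1" '
        /^[ \t]*#/ { next }
        tolower($1) == tolower(kw) { print tolower($2); exit }' "$2"
}

# One attribute from USER's stanza in the AIX lastlog stanza file.
lastlog_attr() {      # usage: lastlog_attr USER ATTR FILE
    awk -v user="$1" -v attr="$2" '
        /^[^ \t].*:[ \t]*$/ { sub(/:[ \t]*$/, ""); hit = ($0 == user); next }
        hit && $1 == attr && $2 == "=" { print $3; exit }' "$3"
}

# True if time_last_login (epoch seconds) is at or after SINCE.
lastlog_recorded() {  # usage: lastlog_recorded USER SINCE FILE
    t=$(lastlog_attr "$1" time_last_login "$3")
    [ -n "$t" ] && [ "$t" -ge "$2" ]
}

audit_user() {        # usage: audit_user USER SINCE SSHD_CONFIG LASTLOG
    ul=$(sshd_effective UseLogin "$3")   # unset means sshd's default, "no"
    if lastlog_recorded "$1" "$2" "$4"; then state="updated"
    else state="NOT updated since $2"; fi
    echo "$1: lastlog $state (UseLogin=${ul:-unset})"
}

tmp=${TMPDIR:-/tmp}/lastlog_demo.$$
mkdir -p "$tmp" && trap 'rm -rf "$tmp"' EXIT
printf '%s\n' '#UseLogin no' 'PrintLastLog yes' > "$tmp/sshd_config"
cat > "$tmp/lastlog" <<'EOF'
root:
        time_last_login = 1068700000
        tty_last_login = /dev/pts/1
webaeb:
        time_last_login = 1068600000
        tty_last_login = /dev/pts/4
        host_last_login = localhost
EOF
# Test ssh logins for both users were made at 1068650000 (constructed).
audit_user root   1068650000 "$tmp/sshd_config" "$tmp/lastlog"
audit_user webaeb 1068650000 "$tmp/sshd_config" "$tmp/lastlog"
```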
 
LVL 38

Expert Comment

by:yuzh
ID: 9761024
If you don't know how the old version of openssh was installed (compiled), and you want to make
it work with lastlog, it is time to update it now. (Download the binary from the IBM site, or download
the source and compile it yourself. I think the binary is the easy way to do it.)
0
 
LVL 38

Expert Comment

by:yuzh
ID: 9761151
"spwhsms# su - webaeb
$ ssh localhost
webaeb@localhost's password:
Permission denied, please try again.
webaeb@localhost's password:
/dev/pts/4: 3004-004 You must "exec" login from the lowest login shell."

It looks like it is a bug in the older version of openssh:

http://www.derkeiler.com/Newsgroups/comp.security.ssh/2002-06/0055.html
http://www.derkeiler.com/Newsgroups/comp.security.ssh/2002-06/0056.html

Please consider updating your openssh.
0
 

Author Comment

by:bernie01
ID: 9767422
These systems are AIX 4.1.5 and 4.2.1 level. Looking at IBM's OpenSSH download pages I don't think there is a binary version for these old levels of AIX:
http://oss.software.ibm.com/developerworks/downloads/?group_id=108
*
For now we have altered the Audit tool to ignore these errors.  
0
 
LVL 38

Assisted Solution

by:yuzh
yuzh earned 600 total points
ID: 9768294
Well, if you are using 4.x, you end up having to compile it yourself. You only need to do it
on one box, and then create a tarball to copy it to the different boxes.
0
 
LVL 62

Assisted Solution

by:gheist
gheist earned 600 total points
ID: 9769971
There are a few versions of sshd around:
one from IBM Linux Affinity Toolbox, which writes lastlog, but often fails to log in users.
one from IBM, in bff format, kind of too old to be secure.
another from www.bullfreeware.com, once you configure syslog, it writes some records on connections/sessions.
none writes that lastlog, i.e. no login sessions...( try UseLogin yes in sshd_config, this may help or just lock you off the system).

oslevel of 4.2.x.x is too old ....

what do you audited about $ cat . ??? writesrv ??? portmap ??? these are nasty&unavoidable
0
 
LVL 62

Expert Comment

by:gheist
ID: 9785860
no need to secure connections, for sure vulnerable portmapper is always on...
0
