Authentication and SSH events in audit on AIX

Posted on 2010-08-16
Medium Priority
Last Modified: 2013-11-17

I see there are two authentication methods in AIX, STD_AUTH and PAM_AUTH; I have used PAM but not STD. Questions:

1. I see STD is the default, but I'm not sure it is the best. Which is recommended, PAM or STD? What are the pros and cons of each?
2. From this link:
I found ssh audit events I'd like to use in my servers:
SSH_failnone = printf "%s"
SSH_failpasswd = printf "%s"
SSH_failkbdint = printf "%s"
SSH_failpubkey = printf "%s"
SSH_failhstbsd = printf "%s"
SSH_failgssapi = printf "%s"
SSH_invldusr = printf "%s"
SSH_nologin = printf "%s"
SSH_connclose = printf "%s"
SSH_auditknwn = printf "%s"
SSH_authsuccess = printf "%s"
SSH_rootdned = printf "%s"
SSH_exceedmtrix = printf "%s"
SSH_connabndn = printf "%s"

I added them to my config and I can see these events running on my AIX 6.1. Are these events part of audit on AIX 6.1, or should I add extra audit config?
Question by: sminfo
LVL 68

Accepted Solution

woolmilkporc earned 2000 total points
ID: 33444977
Hello again,
1. When using PAM you'll get the flexibility to switch to alternate authentication mechanisms without modifying existing applications - the PAM library is a standard interface between applications and authentication modules. You can even use multiple authentication methods for a given service, re-using a previously entered password for all methods.
As long as you're using the standard modules (as opposed to some third-party modules), there is not much difference between PAM and STD, however.
pam_aix will just call the classic AIX authentication routines, or the DCE/NIS routines from methods.cfg, if configured via "SYSTEM=..." in /etc/security/user. The advantage of PAM is, as I said above, that you can switch to (maybe) better methods without having to modify anything other than some config files.
2. Where is your problem? Just create a new audit class containing the sshd events, assign this class to the users you desire, and finally update the events file to store/display the audit entries correctly. Don't forget to shutdown/restart the audit subsystem.
IBM-supported versions of SSH from OpenSSH-4.5p1 onwards are aware of auditing and will generate the appropriate events, if enabled (see above).
PAM and AUDIT are not related to each other, btw.
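The steps above (a new audit class, assigned to users, with matching entries in the events file) are easy to get out of sync. The following POSIX shell script is an added example, not code from the thread or from IBM: it builds the class entry for /etc/security/audit/config from the event names listed in the question, emits the events-file entries in the format the question shows, and checks that every event in the class is defined in the events file before the audit subsystem is restarted. The class name "sshd", the indentation and the one-line class entry are assumptions; the file paths are parameters so the check runs on copies anywhere.

```shell
#!/bin/sh
# Added example (not from the thread): build the sshd audit class for
# /etc/security/audit/config and check it against /etc/security/audit/events
# before the audit subsystem is restarted. Event names are the ones listed in
# the question; the class name "sshd" and the indentation are assumptions.

# The sshd audit events from the question, space separated.
SSHD_EVENTS="SSH_failnone SSH_failpasswd SSH_failkbdint SSH_failpubkey \
SSH_failhstbsd SSH_failgssapi SSH_invldusr SSH_nologin SSH_connclose \
SSH_auditknwn SSH_authsuccess SSH_rootdned SSH_exceedmtrix SSH_connabndn"

# Print the entry for the "classes:" stanza, e.g.
#   sshd = SSH_failnone,SSH_failpasswd,...
sshd_class_entry() {
    printf '        %s = %s\n' "${1:-sshd}" "$(printf '%s' "$SSHD_EVENTS" | tr -s ' ' ',')"
}

# Print the events-file entries in the format the question shows.
sshd_events_entries() {
    for ev in $SSHD_EVENTS; do
        printf '%s = printf "%%s"\n' "$ev"
    done
}

# List the events of class $2 in config file $1, one per line. Only the
# "classes:" stanza is read; a class entry is assumed to sit on one line.
class_events() {
    awk -v cls="$2" '
        /^[A-Za-z]+:/ { in_classes = ($1 == "classes:"); next }
        in_classes && $1 == cls && $2 == "=" {
            n = split($3, ev, ",")
            for (i = 1; i <= n; i++) if (ev[i] != "") print ev[i]
        }' "$1"
}

# Succeed only if every event of class $2 in config $1 has an entry in the
# events file $3; otherwise name the undefined events on stderr and fail.
# auditpr takes the format string for each event's tail from the events file,
# so an event missing there has no format when the trail is printed.
check_class() {
    cfg="$1"; cls="$2"; evfile="$3"; missing=0
    for ev in $(class_events "$cfg" "$cls"); do
        if ! grep -q "^[[:space:]]*$ev[[:space:]]*=" "$evfile"; then
            echo "class $cls: event $ev is not defined in $evfile" >&2
            missing=$((missing + 1))
        fi
    done
    [ "$missing" -eq 0 ]
}

# Demo on constructed files (run with: sh thisfile.sh demo). On AIX you would
# point check_class at the real files and then run "audit shutdown; audit start".
if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp -d)
    { printf 'classes:\n'; sshd_class_entry sshd; printf 'users:\n        root = sshd\n'; } > "$tmp/config"
    sshd_events_entries > "$tmp/events"
    check_class "$tmp/config" sshd "$tmp/events" && echo "class sshd is consistent"
    rm -rf "$tmp"
fi
```

The check is deliberately strict about the two files agreeing: a class that names an event without an events-file entry is the kind of mismatch that only shows up later, when auditpr prints the trail.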

Author Closing Comment

ID: 33445258
Hi wmp,

1. OK
2. My problem: I want to audit or monitor logins/logoffs using sshd on every AIX server. I get logins fine but no logoff events. I also need to monitor dtlogin logins/logouts on syslog.

ssh version:
# lslpp -L  | grep ssh
  openssh.base.client    C     F    Open Secure Shell Commands
  openssh.base.server    C     F    Open Secure Shell Server
  openssh.license    C     F    Open Secure Shell License
  openssh.man.en_US    C     F    Open Secure Shell
  openssh.msg.en_US    C     F    Open Secure Shell Messages -


Author Comment

ID: 33445603

Let me give you more details, I have these services:

services    audit logs/logins   audit logs/logouts   syslog logs/logins   syslog logs/logouts
Xwindows    USER_Login event    NO                   NO                   NO
telnetd     USER_Exit event     USER_Exit event      NO                   NO
sshd        USER_Login event    NO                   YES                  NO
su          USER_SU             NA                   YES                  NA

In a couple of weeks telnet is an option on our servers, so I need at least sshd/Xwindows logins/logouts, either in audit or in syslog. Am I asking too much? :-)

thanks once more.
LVL 68

Expert Comment

ID: 33463534
With my version of sshd, which is , everything works fine using the method we're talking about here.
I get audit messages like
SSH_failnone root OK Wed Aug 18 11:50:47 2010 sshd Global
SSH_authsuccess root OK Wed Aug 18 11:50:47 2010 sshd Global
SSH_connclose root OK Wed Aug 18 11:50:59 2010 sshd Global
or also
SSH_invldusr    root     OK          Wed Aug 18 13:22:47 2010 sshd                            Global
SSH_invldusr    root     OK          Wed Aug 18 13:22:47 2010 sshd                            Global
SSH_failnone    root     OK          Wed Aug 18 13:22:47 2010 sshd                            Global
SSH_failpasswd  root     OK          Wed Aug 18 13:22:52 2010 sshd                            Global
SSH_failpasswd  root     OK          Wed Aug 18 13:23:00 2010 sshd                            Global
SSH_failpasswd  root     OK          Wed Aug 18 13:23:01 2010 sshd                            Global
SSH_connabndn   root     OK          Wed Aug 18 13:23:01 2010 sshd                            Global
SSH_connclose   root     OK          Wed Aug 18 13:23:34 2010 sshd                            Global
For testing I upgraded one of my machines to your sshd version and really had to notice that it doesn't work anymore.
I researched, but didn't find the slightest hint, neither at IBM's nor at any other forum.
So all I can say is ... downgrade, if you really need to audit sshd.
sshd for aix (all available versions) can be found here - http://sourceforge.net/projects/openssh-aix/files/
Still researching on X11. Never had to deal with that up to now, sorry!
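The audit lines quoted above already contain what the question asks for: SSH_authsuccess marks a login and SSH_connclose the end of the connection, and a run of SSH_failpasswd ending in SSH_connabndn is an abandoned attempt worth alerting on. The following POSIX shell script is an added example, not code from the thread: it reads lines in that auditpr column layout (event, login, status, time, command, WPAR) and summarises them. The sample input is the set of lines posted above; on a real system the functions would be fed from auditpr instead.

```shell
#!/bin/sh
# Added example (not from the thread): summarise sshd audit events in the
# column layout of the auditpr output quoted above (event, login, status,
# time, command, WPAR). The sample lines are the ones posted in this
# thread; the functions read such lines on stdin.

AUDIT_SAMPLE='SSH_failnone root OK Wed Aug 18 11:50:47 2010 sshd Global
SSH_authsuccess root OK Wed Aug 18 11:50:47 2010 sshd Global
SSH_connclose root OK Wed Aug 18 11:50:59 2010 sshd Global
SSH_invldusr    root     OK          Wed Aug 18 13:22:47 2010 sshd                            Global
SSH_invldusr    root     OK          Wed Aug 18 13:22:47 2010 sshd                            Global
SSH_failnone    root     OK          Wed Aug 18 13:22:47 2010 sshd                            Global
SSH_failpasswd  root     OK          Wed Aug 18 13:22:52 2010 sshd                            Global
SSH_failpasswd  root     OK          Wed Aug 18 13:23:00 2010 sshd                            Global
SSH_failpasswd  root     OK          Wed Aug 18 13:23:01 2010 sshd                            Global
SSH_connabndn   root     OK          Wed Aug 18 13:23:01 2010 sshd                            Global
SSH_connclose   root     OK          Wed Aug 18 13:23:34 2010 sshd                            Global'

# Occurrences of each SSH_* event, printed as "name count", sorted by name.
event_counts() {
    awk '$1 ~ /^SSH_/ { n[$1]++ } END { for (e in n) print e, n[e] }' | sort
}

# "logins=N logouts=M": SSH_authsuccess marks a login, SSH_connclose the end
# of the connection, which is the logoff the question asks for.
login_logout_totals() {
    awk '$1 == "SSH_authsuccess" { l++ }
         $1 == "SSH_connclose"   { o++ }
         END { printf "logins=%d logouts=%d\n", l, o }'
}

# Report SSH_connabndn events preceded by at least $1 (default 3) failed
# passwords. These columns carry no connection id, so consecutive events are
# treated as one attempt until a success, close or abandon resets the count.
password_fail_bursts() {
    awk -v thr="${1:-3}" '
        $1 == "SSH_failpasswd" { fails++ }
        $1 == "SSH_connabndn" {
            if (fails >= thr)
                printf "%d failed passwords before abandon at %s %s %s %s %s\n",
                       fails, $4, $5, $6, $7, $8
            fails = 0
        }
        $1 == "SSH_connclose" || $1 == "SSH_authsuccess" { fails = 0 }'
}

# Demo on the sample lines (run with: sh thisfile.sh demo).
if [ "${1:-}" = "demo" ]; then
    printf '%s\n' "$AUDIT_SAMPLE" | event_counts
    printf '%s\n' "$AUDIT_SAMPLE" | login_logout_totals
    printf '%s\n' "$AUDIT_SAMPLE" | password_fail_bursts 3
fi
```

Note that the login column in these lines is root, the real user of the sshd process, not the account that tried to log in; the target account is in the event tail, which is the part the events-file format strings print.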

Author Comment

ID: 33463735
umm.. I see.. ..ok thanks..:-)
