Authentication and SSH events in audit on AIX


I see there are two authentication methods in AIX, STD_AUTH and PAM_AUTH. I have used PAM but not STD. Questions:

1. I see STD is the default, but I'm not sure if it is the best. Which is recommended, PAM or STD? Pros or cons of using one or the other?
2. From this link:
I found ssh audit events I'd like to use in my servers:
SSH_failnone = printf "%s"
SSH_failpasswd = printf "%s"
SSH_failkbdint = printf "%s"
SSH_failpubkey = printf "%s"
SSH_failhstbsd = printf "%s"
SSH_failgssapi = printf "%s"
SSH_invldusr = printf "%s"
SSH_nologin = printf "%s"
SSH_connclose = printf "%s"
SSH_auditknwn = printf "%s"
SSH_authsuccess = printf "%s"
SSH_rootdned = printf "%s"
SSH_exceedmtrix = printf "%s"
SSH_connabndn = printf "%s"

I added to my config I can see these events running on my AIX 6.1. Are these events part of audit on AIX 6.1, or should I add extra audit config?
Hello again,
1. When using PAM you'll get the flexibility to switch to alternate authentication mechanisms without modifying existing applications - the PAM library is a standard interface between applications and authentication modules. You can even use multiple authentication methods for a given service, re-using a previously entered password for all methods.
As long as you're using the standard modules (as opposed to some third-party modules), there is not much difference between PAM and STD, however.
pam_aix will just call the classic AIX authentication routines, or the DCE/NIS routines from methods.cfg, if configured via "SYSTEM=..." in /etc/security/user. The advantage of PAM is, as I said above, that you can switch to (maybe) better methods without having to modify anything other than some config files.
2. Where is your problem? Just create a new audit class containing the sshd events, assign this class to the users you desire, and finally update the events file to store/display the audit entries correctly. Don't forget to shutdown/restart the audit subsystem.
IBM-supported versions of SSH from OpenSSH-4.5p1 ( onwards are aware of auditing and will generate the appropriate events, if enabled (see above).
PAM and AUDIT are not related to each other, btw.
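
The class-and-user step of the procedure above, as an added example that is not part of the original answer: a helper that prints an audit config with a class for the SSH events from the question defined and assigned to a user. It assumes the `classes:`/`users:` stanza layout of /etc/security/audit/config; the class name `ssh` and the sample config are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes /etc/security/audit/config uses
# "classes:" and "users:" stanza headers followed by indented "name = value"
# lines. The class name "ssh" is a hypothetical choice; events are the page's.
SSH_EVENTS="SSH_failnone,SSH_failpasswd,SSH_failkbdint,SSH_failpubkey"
SSH_EVENTS="$SSH_EVENTS,SSH_failhstbsd,SSH_failgssapi,SSH_invldusr,SSH_nologin"
SSH_EVENTS="$SSH_EVENTS,SSH_connclose,SSH_auditknwn,SSH_authsuccess"
SSH_EVENTS="$SSH_EVENTS,SSH_rootdned,SSH_exceedmtrix,SSH_connabndn"

# patch_audit_config FILE USER
# Prints FILE with class "ssh" defined and assigned to USER. Pass 1 records
# what already exists, pass 2 prints and inserts, so a re-run changes nothing.
patch_audit_config() {
    awk -v events="$SSH_EVENTS" -v user="$2" '
        FNR == 1          { stanza = "" }
        /^[a-z]+:[ \t]*$/ { stanza = $1 }
        NR == FNR {
            if (stanza == "classes:" && $1 == "ssh") have_class = 1
            if (stanza == "users:"   && $1 == user)  have_user = 1
            next
        }
        # USER already has other classes: append ssh to the list once.
        stanza == "users:" && $1 == user && $0 !~ /[=,][ \t]*ssh[ \t]*(,|$)/ {
            sub(/[ \t]*$/, ",ssh")
        }
        { print }
        $1 == "classes:" && !have_class { print "\tssh = " events }
        $1 == "users:"   && !have_user  { print "\t" user " = ssh" }
    ' "$1" "$1"
}

# Demo on a constructed config, not a real server file.
demo="${TMPDIR:-/tmp}/audit_config_demo.$$"
printf 'classes:\n\tgeneral = USER_SU,PASSWORD_Change\n\nusers:\n\troot = general\n' > "$demo"
patch_audit_config "$demo" root
rm -f "$demo"

# On the server: review the output, install it as /etc/security/audit/config,
# keep the SSH_* format lines in /etc/security/audit/events, then restart:
#   audit shutdown
#   audit start
```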
sminfo (Author) Commented:
Hi wmp,

1. OK
2. My problem: I want to audit or monitor logins/logoffs using sshd on every AIX server. I get logins fine but no logoff events. I also need to monitor on syslog dtlogin logins/logouts.

ssh version:
# lslpp -L  | grep ssh
  openssh.base.client    C     F    Open Secure Shell Commands
  openssh.base.server    C     F    Open Secure Shell Server
  openssh.license    C     F    Open Secure Shell License    C     F    Open Secure Shell
  openssh.msg.en_US    C     F    Open Secure Shell Messages -

sminfo (Author) Commented:

Let me give you more details, I have these services:

services    audit logs/logins    audit logs/logouts    syslog logs/logins    syslog logs/logins
Xwindows    USER_Login event     NO                    NO                    NO
telnetd     USER_Exit event      USER_Exit event       NO                    NO
sshd        USER_Login event     NO                    YES                   NO
su          USER_SU              NA                    YES                   NA

In a couple of weeks telnet is an option on our servers, so I need at least sshd/xwindows logins/logout even on audit or syslog. Am I asking too much? :-)

Thanks once more.
With my version of sshd, which is, everything works fine using the method we're talking about here.
I get audit messages like
SSH_failnone root OK Wed Aug 18 11:50:47 2010 sshd Global
SSH_authsuccess root OK Wed Aug 18 11:50:47 2010 sshd Global
SSH_connclose root OK Wed Aug 18 11:50:59 2010 sshd Global
 or also
SSH_invldusr    root     OK          Wed Aug 18 13:22:47 2010 sshd                            Global
SSH_invldusr    root     OK          Wed Aug 18 13:22:47 2010 sshd                            Global
SSH_failnone    root     OK          Wed Aug 18 13:22:47 2010 sshd                            Global
SSH_failpasswd  root     OK          Wed Aug 18 13:22:52 2010 sshd                            Global
SSH_failpasswd  root     OK          Wed Aug 18 13:23:00 2010 sshd                            Global
SSH_failpasswd  root     OK          Wed Aug 18 13:23:01 2010 sshd                            Global
SSH_connabndn   root     OK          Wed Aug 18 13:23:01 2010 sshd                            Global
SSH_connclose   root     OK          Wed Aug 18 13:23:34 2010 sshd                            Global
For testing I upgraded one of my machines to your sshd version ( and really had to notice that it doesn't work anymore.
I researched, but didn't find the slightest hint, neither at IBM's nor at any other forum.
So all I can say is ... downgrade, if you really need to audit sshd.
sshd for aix (all available versions) can be found here -
Still researching on X11. Never had to deal with that up to now, sorry!
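
A way to put the records quoted above to use, as an added example that is not part of the original answer: it counts the SSH events and raises an alert when several SSH_failpasswd records fall inside a short window. The threshold, the window and the reading of each event from its name (authsuccess as a login, connclose as a connection close) are assumptions; the input is the thread's own records embedded as constructed sample data.

```shell
#!/bin/sh
# Constructed input: the auditpr records quoted in the post, as one stream.
sample_records() {
cat <<'EOF'
SSH_failnone root OK Wed Aug 18 11:50:47 2010 sshd Global
SSH_authsuccess root OK Wed Aug 18 11:50:47 2010 sshd Global
SSH_connclose root OK Wed Aug 18 11:50:59 2010 sshd Global
SSH_invldusr    root     OK          Wed Aug 18 13:22:47 2010 sshd Global
SSH_invldusr    root     OK          Wed Aug 18 13:22:47 2010 sshd Global
SSH_failnone    root     OK          Wed Aug 18 13:22:47 2010 sshd Global
SSH_failpasswd  root     OK          Wed Aug 18 13:22:52 2010 sshd Global
SSH_failpasswd  root     OK          Wed Aug 18 13:23:00 2010 sshd Global
SSH_failpasswd  root     OK          Wed Aug 18 13:23:01 2010 sshd Global
SSH_connabndn   root     OK          Wed Aug 18 13:23:01 2010 sshd Global
SSH_connclose   root     OK          Wed Aug 18 13:23:34 2010 sshd Global
EOF
}

# ssh_audit_summary MAX WINDOW: read auditpr lines on stdin; print an ALERT
# when MAX SSH_failpasswd records fall within WINDOW seconds on one day,
# then one line of totals. MAX and WINDOW are assumed tuning values.
ssh_audit_summary() {
    awk -v max="$1" -v win="$2" '
        $1 !~ /^SSH_/ || NF < 8 { next }
        { count[$1]++ }
        $1 == "SSH_failpasswd" {
            split($7, t, ":"); now = t[1] * 3600 + t[2] * 60 + t[3]
            day = $5 " " $6 " " $8
            if (day != qday) { head = tail = 0; qday = day; burst = 0 }
            q[tail++] = now
            while (now - q[head] > win) head++
            if (tail - head < max) burst = 0
            else if (!burst) {
                burst = 1; bursts++
                print "ALERT " (tail - head) " failed passwords within " win "s ending " day " " $7
            }
        }
        END {
            printf "logins=%d closes=%d invalid_user=%d failed_passwd=%d abandoned=%d bursts=%d\n",
                count["SSH_authsuccess"], count["SSH_connclose"], count["SSH_invldusr"],
                count["SSH_failpasswd"], count["SSH_connabndn"], bursts
        }'
}

sample_records | ssh_audit_summary 3 60
```

Every record in the quoted output carries the login root, so the header columns alone do not name the account being tried; any per-account detail would have to come from the record tail that the `printf "%s"` lines format.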
sminfo (Author) Commented:
umm.. I see.. ..ok thanks..:-)
Question has a verified solution.
