Managing Auditing


The following sections describe the SSH server auditing functions and the configuration parameters that you can use to modify them. For more information about the configuration parameters, see Appendix B.

How the Server Performs Auditing

When auditing is enabled for the specified authentication method, the SSH server performs the following functions depending on the type of login and whether the login attempt is successful.

When an interactive login is successful:

  • The login failure count is set to 0.

  • The last interactive login date is updated to the current date and time.

  • If the user's password has expired but the user is not forced to change it before logging in, a warning message is displayed and the pwd_expired flag is not set in the user's SYSUAF record.

  • The user is allowed three failed attempts to log in. If all three attempts fail, the login failure count is incremented by three.

  • If the AccountingAuthentications keyword includes the current authentication method, the accounting data is updated.

When a remote command execution is successful, no updates are made to the user's SYSUAF record; thus:

  • The login failure count is not changed.

  • The last noninteractive login date is not updated.

If the user's password has expired but the user is not forced to change it before logging in, a warning message is displayed and the pwd_expired flag in the user's SYSUAF record is not set.

When the login or remote command execution fails:

  • The login failure count in the user's SYSUAF record is incremented.

  • If the IntrusionAuthentications keyword includes the current authentication method, the intrusion database is updated with text controlled by the IntrusionIdentSsh and IntrusionIdentMethod keywords in the server configuration file.

  • If the AccountingAuthentications keyword includes the current authentication method, the accounting data is updated.
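
The following added example (not part of the original documentation or the product) applies the failed-login rules above to a server configuration and reports which authentication methods would fail without reaching the intrusion database or the accounting data. It assumes one "Keyword value, value" entry per line, "#" comments, and case-insensitive matching. The sample configuration and the method names in it are constructed, and Appendix B defines the real value syntax.

```python
# Added example: audit-coverage check for the failure path described above.
# ASSUMPTION: one "Keyword value[, value...]" entry per line with "#" comments,
# matched case-insensitively. SAMPLE_CONFIG and its method names are constructed.

SAMPLE_CONFIG = """\
# constructed sample, not a shipped server configuration file
IntrusionAuthentications   password, publickey
AccountingAuthentications  password
IntrusionIdentSsh          SSH
"""

# Keywords that, per the text, gate an update when a login attempt fails.
FAILURE_SINKS = {
    "intrusion database": "intrusionauthentications",
    "accounting data": "accountingauthentications",
}


def parse_config(text):
    """Return {lowercased keyword: [lowercased values]} for each setting line."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        values = parts[1].split(",") if len(parts) > 1 else []
        settings[parts[0].lower()] = [v.strip().lower() for v in values if v.strip()]
    return settings


def failure_updates(settings, method):
    """List what a failed login with `method` updates, following the text."""
    # The text lists the SYSUAF failure count for every audited failure.
    updated = ["SYSUAF login failure count"]
    for sink, keyword in FAILURE_SINKS.items():
        if method.lower() in settings.get(keyword, []):
            updated.append(sink)
    return updated


def coverage_gaps(settings, methods):
    """Map each method to the failure sinks it would NOT reach."""
    gaps = {}
    for method in methods:
        reached = failure_updates(settings, method)
        missing = [sink for sink in FAILURE_SINKS if sink not in reached]
        if missing:
            gaps[method] = missing
    return gaps
```

Calling coverage_gaps(parse_config(text), methods) with the methods the server accepts returns only the methods that have a gap, so an empty result means every listed method reaches both records on failure.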

Auditing Options for the Server Configuration File

You can include the following options in the server configuration file (TCPIP$SSHD_CONFIG.) to control auditing functions.

  • AccountingAuthentications

  • AllowNonvmsLoginWithExpiredPw

  • IntrusionAuthentications

  • IntrusionIdentMethod

  • IntrusionIdentSsh

  • LogfailAuthentications

  • PubkeyPassphraseGuesses

  • UserLoginLimit

Auditing Options for the Client Configuration File

You can include the following options in the client configuration file (TCPIP$SSH_CONFIG.) to control auditing functions.

  • NumberOfHostkeyCopyPrompts

  • NumberOfPasswordVerificationPrompts

  • PubkeyPassphraseGuesses

The configuration parameters are described in Appendix B.