8. Monitoring and Controlling SSH


SSH for OpenVMS provides utilities for monitoring and controlling the SSH server environment. The following topics describe the utilities, their capabilities, and their use.

Controlling SSH Server Functions

The following control functions are available for the SSH servers:

·         Startup

·         Shutdown

·         Restart

·         Set debug level

The SSHCTRL Utility

The SSHCTRL utility is used to perform all but the startup function. For the startup function, the SYS$STARTUP:PSCSSH$STARTUP.COM file is used. Usage:

$ SSHCTRL operation options

The table below lists the operations that can be used with the SSHCTRL utility.

Operation            Description
-------------------  -----------------------------------------------------------
SET /DEBUG=n         Set the server debug level (0 = no debug).
SHOW                 Show session information.
SHOW /ALL            Show all sessions. This is the default if no qualifier is
                     given with SHOW.
SHOW /USER=username  Show the sessions of username.
SHOW /HOST=address   Show the sessions originating from address.
SHUTDOWN             Stop the SSHD Master process and all SSH server sessions.
RESTART              Stop and restart the SSHD Master process.
HELP                 Display help text.
VERSION              Display version information.


Starting the SSHD Master Process

$ @SYS$STARTUP:PSCSSH$STARTUP

Starting SSH for OpenVMS...

%RUN-S-PROC_ID, identification of created process is 22C000AD

$

Shutting down the SSHD Master Process

This function stops the SSHD Master process on the system so that it no longer accepts new connections. Note that shutting down the SSHD Master process also terminates all outstanding SSH server sessions on the system. OPER privilege is required to shut down the SSHD Master process and its servers.

$ SSHCTRL SHUTDOWN

Shutting down SSH for OpenVMS...

$


Restarting the SSHD Master Process

Restarting the SSHD Master process is required after the CNFSSH utility is used to modify the existing configuration. Note that restarting the SSHD Master process will terminate all outstanding SSH server sessions on the system. OPER privilege is required to restart the SSHD Master process.

$ SSHCTRL RESTART

Shutting down SSH for OpenVMS...

Starting SSH for OpenVMS...

%RUN-S-PROC_ID, identification of created process is 22C000B8

$

Changing the Server Debug Level

The server debug level is changed using SSHCTRL. The debug level controls the amount of debug information written to the SSH_LOG:SSHD.LOG file for each server instance. This may be a value from 0 (no debug) to 50 (maximum debug). Process Software recommends this value not be set above 5 without instructions from Process Software, as the amount of debug information written to the log at higher levels can severely impact both the SSH server performance and the server host disk resources.

Note that setting the debug level only affects new server processes which are started after setting the level. Currently active servers use the debug level set when they were started. OPER privilege is required to change the debug level.

$ SSHCTRL SET/DEBUG=4

SSHCTRL-S-DEBUGSET - old debug level = 2, new debug level = 4

$

Displaying SSH Server Utilization

The SSHCTRL SHOW command displays the active SSH server sessions on a system. It can display all sessions (/ALL), the sessions of a specific username (/USER=jdoe), or the sessions that originate from a specific host (/HOST=192.168.29.248).

By default, a user may display only the sessions whose UIC matches their own. GROUP privilege is required to display sessions whose UICs are in the same group as the user's, and WORLD privilege is required to display all other sessions.

For each session, the display is of the following form:

Process "processname" (pid pid) - an <SSH1|SSH2> session

  User = username

  From system address port port

  Started: date/time the session was started

  Bytes in: count  out: count  (from child process: PID)

  Child process = "processname" (pid pid) - an <type> session

  PTD Device = FTAnn:

     Started: date/time this child was started

Note that SSH2 provides the capability for one server to handle multiple child sessions. The child sessions may be a mixture of interactive SSH2 sessions and file transfer (SCP/SFTP) sessions.

In the example below, all sessions on the system are displayed. Note that server "SSHD 0003" has six active child processes.

$ SSHCTRL SHOW /ALL

SSHD Master PID = 22C000B8 (SSHD_MASTER)

Debug level is set to 4

Process "SSHD 0000" (pid 22C000B9) - an SSH2 session

      User = JDOE

      From system 192.168.29.52 port 49152

      Started: 01/15/2010 03:05:22

      Bytes in: 262  out: 0  (from child process: 15100)

      Child process = "JDOE_@FTA4" (pid 22C000BA) - an SSH2 session      

      PTD Device = _FTA4:

          Started: 01/15/2010 03:05:35

Process "SSHD 0003" (pid 22C000BF) - an SSH2 session

      User = ALICE

      From system 192.168.29.50 port 1129

      Started: 01/15/2010 03:07:46

      Bytes in: 0  out: 0  (from child process: 55215)

      Child process = "ALICE_@FTA9" (pid 22C000C0) - an SSH2 session           

      PTD Device = _FTA9:

          Started: 01/15/2010 03:07:54

      Child process = "SSHD 0003A SFTP" (pid 22C000C1) - an SFTP-SERVER2 session

      PTD Device = _FTA10:

          Started: 01/15/2010 03:07:55

      Child process = "ALICE_@FTA11" (pid 22C000C2) - an SSH2 session          

      PTD Device = _FTA11:

          Started: 01/15/2010 03:07:57

      Child process = "SSHD 0003B SFTP" (pid 22C000C3) - an SFTP-SERVER2 session          

      PTD Device = _FTA12:

          Started: 01/15/2010 03:08:00

      Child process = "SSHD 0003C SFTP" (pid 22C000C4) - an SFTP-SERVER2 session          

      PTD Device = _FTA13:

          Started: 01/15/2010 03:08:07

      Child process = "ALICE_@FTA14" (pid 22C000C5) - an SSH2 session          

      PTD Device = _FTA14:

          Started: 01/15/2010 03:08:09

Process "SSHD 0004" (pid 22C000C6) - an SSH1 session

      User = BOB

      From system 192.168.29.51 port 1023

      Started: 01/15/2010 03:08:29

      Bytes in: 0  out: 537  (from child process: 17)

      Child process = "BOB_@FTA15" (pid 22C000C7) - an SSH1 session          

      PTD Device = _FTA15:

          Started: 01/15/2010 03:08:29
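The SHOW display is plain text, so an operator who wants to watch for sessions still negotiated as SSH1, a debug level left above the recommended maximum of 5, or connections from addresses outside the expected range can parse it rather than read it by eye. The following is an added example, not code from SSH for OpenVMS or Process Software. It relies only on the line shapes documented above; its sample input is a constructed, abridged copy of the SHOW /ALL display shown above, and the list of allowed address prefixes is a hypothetical site policy.

```python
# Added example for this page; not part of SSH for OpenVMS. Parses SSHCTRL SHOW output.
import re
from dataclasses import dataclass, field

# Constructed sample: an abridged copy of the SHOW /ALL display shown above.
SAMPLE_SHOW_OUTPUT = """\
SSHD Master PID = 22C000B8 (SSHD_MASTER)
Debug level is set to 4
Process "SSHD 0003" (pid 22C000BF) - an SSH2 session
      User = ALICE
      From system 192.168.29.50 port 1129
      Started: 01/15/2010 03:07:46
      Bytes in: 0  out: 0  (from child process: 55215)
      Child process = "ALICE_@FTA9" (pid 22C000C0) - an SSH2 session
      PTD Device = _FTA9:
          Started: 01/15/2010 03:07:54
      Child process = "SSHD 0003A SFTP" (pid 22C000C1) - an SFTP-SERVER2 session
      PTD Device = _FTA10:
          Started: 01/15/2010 03:07:55
Process "SSHD 0004" (pid 22C000C6) - an SSH1 session
      User = BOB
      From system 192.168.29.51 port 1023
      Started: 01/15/2010 03:08:29
      Bytes in: 0  out: 537  (from child process: 17)
      Child process = "BOB_@FTA15" (pid 22C000C7) - an SSH1 session
      PTD Device = _FTA15:
          Started: 01/15/2010 03:08:29
"""

RE_MASTER = re.compile(r'^SSHD Master PID = ([0-9A-F]+)')
RE_DEBUG = re.compile(r'^Debug level is set to (\d+)')
RE_SERVER = re.compile(r'^Process "([^"]+)" \(pid ([0-9A-F]+)\) - an (\S+) session')
RE_USER = re.compile(r'^\s+User = (\S+)')
RE_FROM = re.compile(r'^\s+From system (\S+) port (\d+)')
RE_CHILD = re.compile(r'^\s+Child process = "([^"]+)" \(pid ([0-9A-F]+)\) - an (\S+) session')

@dataclass
class Child:
    name: str
    pid: str
    kind: str            # SSH1, SSH2 or SFTP-SERVER2, as printed by SSHCTRL

@dataclass
class Server:
    name: str
    pid: str
    protocol: str        # SSH1 or SSH2
    user: str = ""
    host: str = ""
    port: int = 0
    children: list = field(default_factory=list)

@dataclass
class Report:
    master_pid: str = ""
    debug_level: int = 0
    servers: list = field(default_factory=list)

def parse_show(text):
    """Turn SSHCTRL SHOW output into a Report; lines we do not model are skipped."""
    report, server = Report(), None
    for line in text.splitlines():
        if m := RE_MASTER.match(line):
            report.master_pid = m.group(1)
        elif m := RE_DEBUG.match(line):
            report.debug_level = int(m.group(1))
        elif m := RE_SERVER.match(line):
            server = Server(*m.groups())      # name, pid, protocol
            report.servers.append(server)
        elif server is None:
            continue                          # header text before the first server
        elif m := RE_USER.match(line):
            server.user = m.group(1)
        elif m := RE_FROM.match(line):
            server.host, server.port = m.group(1), int(m.group(2))
        elif m := RE_CHILD.match(line):
            server.children.append(Child(*m.groups()))   # name, pid, kind
    return report

def ssh1_sessions(report):
    """Servers negotiated as SSH1, which the display labels 'an SSH1 session'."""
    return [(s.name, s.user, s.host) for s in report.servers if s.protocol == "SSH1"]

def debug_level_too_high(report, limit=5):
    """True if the master debug level exceeds the level the page recommends (5)."""
    return report.debug_level > limit

def children_per_server(report):
    """Child-session count per server; an SSH2 server may carry several."""
    return {s.name: len(s.children) for s in report.servers}

def sessions_outside(report, allowed_prefixes):
    """Servers whose client address matches none of the allowed prefixes
    (allowed_prefixes is a hypothetical site policy, e.g. ("192.168.29.",))."""
    return [(s.name, s.user, s.host) for s in report.servers
            if not s.host.startswith(tuple(allowed_prefixes))]

if __name__ == "__main__":
    print(ssh1_sessions(parse_show(SAMPLE_SHOW_OUTPUT)))
```

On the sample, ssh1_sessions reports the BOB session from 192.168.29.51, children_per_server counts two children under "SSHD 0003" (one interactive SSH2 session and one SFTP-SERVER2 session), and debug_level_too_high is false because the master is at level 4. In practice the text would come from a captured SSHCTRL SHOW /ALL run rather than the embedded sample.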

The example below shows the sessions that originate from a specific IP address:

$ SSHCTRL SHOW /HOST=192.168.29.51

SSHD Master PID = 22C000B8 (SSHD_MASTER)


Debug level is set to 4

Process "SSHD 0004" (pid 22C000C6) - an SSH1 session

      User = BOB

      From system 192.168.29.51 port 1023

      Started: 01/15/2010 03:08:29

      Bytes in: 0  out: 537  (from child process: 17)

      Child process = "BOB_@FTA15" (pid 22C000C7) - an SSH1 session

      PTD Device = _FTA15:

          Started: 01/15/2010 03:08:29