


Chapter 8

Monitoring and Controlling SSH

SSH for OpenVMS provides utilities for monitoring and controlling the SSH server environment. The following topics describe the utilities, their capabilities, and their use.

Controlling SSH Server Functions

The following control functions are available for the SSH servers:

Startup

Shutdown

Restart

Set debug level

The SSHCTRL Utility

The SSHCTRL utility is used to perform all but the startup function. For the startup function, the SYS$STARTUP:PSCSSH$STARTUP.COM file is used.

Usage: SSHCTRL <operation> [options]

Table 8-1 shows the various operations that can be used with the SSHCTRL utility.

Table 8-1 SSHCTRL Utility Operations

Operation             Description
SET /DEBUG=n          Set debug level (0 = no debug)
SHOW                  Show session information.
SHOW /ALL             Show all sessions. This is the default if no switch is used with the SHOW keyword.
SHOW /USER=username   Show sessions for <username>.
SHOW /HOST=address    Show sessions for <address>.
SHUTDOWN              Stop all SSH server sessions.
RESTART               Stop/restart SSH server.
HELP                  Display help text.
VERSION               Display version information.

Starting the SSHD Master Process

$ @SYS$STARTUP:PSCSSH$STARTUP
Starting SSH for OpenVMS...
%RUN-S-PROC_ID, identification of created process is 22C000AD
$

Shutting down the SSHD Master Process

This function is used to stop the SSHD Master process on the system, so it won’t accept new connections. Note that shutting down the SSHD Master process will also terminate all outstanding SSH server sessions on the system. OPER privilege is required to shut down the SSHD Master process and its servers.

$ SSHCTRL SHUTDOWN
Shutting down SSH for OpenVMS...
$

Restarting the SSHD Master Process

Restarting the SSHD Master process is required after the CNFSSH utility is used to modify the existing configuration. Note that restarting the SSHD Master process will terminate all outstanding SSH server sessions on the system. OPER privilege is required to restart the SSHD Master process.

$ SSHCTRL RESTART
Shutting down SSH for OpenVMS...
Starting SSH for OpenVMS...
%RUN-S-PROC_ID, identification of created process is 22C000B8
$

Changing the Server Debug Level

The server debug level is changed using SSHCTRL. The debug level controls the amount of debug information written to the SSH_LOG:SSHD.LOG file for each server instance. This may be a value from 0 (no debug) to 50 (maximum debug). Process Software recommends this value not be set above 5 without instructions from Process Software, as the amount of debug information written to the log at higher levels can severely impact both the SSH server performance and the server host disk resources.

Note that setting the debug level only affects new server processes which are started after setting the level. Currently active servers use the debug level set when they were started. OPER privilege is required to change the debug level.

$ SSHCTRL SET/DEBUG=4
SSHCTRL-S-DEBUGSET - old debug level = 2, new debug level = 4
$

Displaying SSH Server Utilization

The SSHCTRL SHOW command is used to display the active SSH server sessions on a system. It can display all users (/ALL), users with a specific username (/USER=dogbert), or users with sessions that originate from a specific host (/HOST=192.168.29.248).

Normally, a user may only display the sessions with the same UIC as his own. GROUP privilege is required to display the sessions with UICs in the same group as the user. WORLD privilege is required to display all other servers.

For each session, the display is of the following form:

Process "<processname>" (pid <pid>) - an <ssh1|ssh2> session
User = <login username>
From system <originating address> port <originating port>
Started: <date/time session was started>
Bytes in: <count> out: <count> (from child process <count>)
Child process = "<process name>" (pid <pid>) - an <type> session
PTD Device = <_FTAnn:>
Started <date/time this child started>

Note that SSH2 provides the capability for one server to handle multiple child sessions. The child sessions may be a mixture of interactive SSH2 sessions and file transfer (SCP/SFTP) sessions. Currently, only the F-Secure SSH Client for Windows has this capability.

In Example 8-1, a display of all users on the system is done. Note that server "SSHD 0003" actually has six active child processes.

Example 8-1 Showing All Active Server Sessions

$ SSHCTRL SHOW /ALL

SSHD Master PID = 22C000B8

Debug level is set to 4

Process "SSHD 0000" (pid 22C000B9) - an SSH2 session
User = dilbert
From system 192.168.29.52 port 49152
Started: 05/03/2002 03:05:22
Bytes in: 262 out: 0 (from child process: 15100)

Child process = "DILBERT_@FTA4" (pid 22C000BA) - an SSH2 session
PTD Device = _FTA4:
Started: 05/03/2002 03:05:35

Process "SSHD 0003" (pid 22C000BF) - an SSH2 session
User = DOGBERT
From system 192.168.29.50 port 1129
Started: 05/03/2002 03:07:46
Bytes in: 0 out: 0 (from child process: 55215)

Child process = "DOGBERT_@FTA9" (pid 22C000C0) - an SSH2 session
PTD Device= _FTA9:
Started: 05/03/2002 03:07:54
Child process = "SSHD 0003A SFTP" (pid 22C000C1) - an SFTP-SERVER2 session
PTD Device = _FTA10:
Started: 05/03/2002 03:07:55
Child process = "DOGBERT_@FTA11" (pid 22C000C2) - an SSH2 session
PTD Device = _FTA11:
Started: 05/03/2002 03:07:57
Child process = "SSHD 0003B SFTP" (pid 22C000C3) - an SFTP-SERVER2 session
PTD Device = _FTA12:
Started: 05/03/2002 03:08:00
Child process = "SSHD 0003C SFTP" (pid 22C000C4) - an SFTP-SERVER2 session
Device = _FTA13:
Started: 05/03/2002 03:08:07
Child process = "DOGBERT_@FTA14" (pid 22C000C5) - an SSH2 session
PTD Device = _FTA14:
Started: 05/03/2002 03:08:09

Process "SSHD 0004" (pid 22C000C6) - an SSH1 session
User = CATBERT
From system 192.168.29.51 port 1023
Started: 05/03/2002 03:08:29
Bytes in: 0 out: 537 (from child process: 17)

Child process = "CATBERT_@FTA15" (pid 22C000C7) - an SSH1 session
PTD Device = _FTA15:
Started: 05/03/2002 03:08:29

Example 8-2 illustrates showing the sessions that originate from a specific TCP/IP address:

Example 8-2 Showing Sessions From a Specific Address

$ SSHCTRL SHOW /HOST=192.168.29.51

SSHD Master PID = 22C000B8

Debug level is set to 4

Process "SSHD 0004" (pid 22C000C6) - an SSH1 session
User = CATBERT
From system 192.168.29.51 port 1023
Started: 05/03/2002 03:08:29
Bytes in: 0 out: 537 (from child process: 17)

Child process = "CATBERT_@FTA15" (pid 22C000C7) - an SSH1 session
PTD Device = _FTA15:
Started: 05/03/2002 03:08:29
