Does anyone want to share if they have a method for distinguishing between which users login to just do SSH and which users login for SFTP?
Prior to Co:Z SFTP and its ability to interact directly with MVS datasets and JES, we had users which would perform a two step process. In the first step they would SFTP a file into USS. In the second step they would just SSH to issue commands to act on that file. We're now working to get all the users to leverage the features of Co:Z SFTP and would like to identify via system logs which users are using SSH shell commands with the goal of really shutting off SSH shell capability for most of the users; since they have the features available within SFTP now.
One approach we thought of was to look at the sshd syslogd output for when a user authenticates successfully and check if a 'subsystem request for sftp' doesn't immediately follow that authentication. That would be an indicator that they connected to just do SSH shell work and not directly for SFTP. This seems a little awkward though.
May 16 11:53:10 XXXXXXX sshd[iiiiiiiiiiiiiii]: Accepted password for user12 from xxx.xxx.xxx.xxx port xxxxx ssh2
May 16 11:53:10 XXXXXXX sshd[iiiiiiiiiiiiiii]: subsystem request for sftp by user USER12
Any suggestions/thoughts would be helpful. Thanks!
A discussion of Co:Z sftp, a port of OpenSSH sftp for z/OS
1 post • Page 1 of 1