Question: Distinguishing between SSH users versus SFTP users?

A discussion of Co:Z sftp, a port of OpenSSH sftp for z/OS

Post by Jadon » Wed May 16, 2018 12:44 pm

Does anyone want to share if they have a method for distinguishing between which users log in to just do SSH and which users log in for SFTP?

Prior to Co:Z SFTP and its ability to interact directly with MVS datasets and JES, we had users who would perform a two-step process. In the first step they would SFTP a file into USS. In the second step they would just SSH to issue commands to act on that file. We're now working to get all the users to leverage the features of Co:Z SFTP and would like to identify via system logs which users are using SSH shell commands, with the goal of really shutting off SSH shell capability for most of the users, since they have the features available within SFTP now.

One approach we thought of was to look at the sshd syslogd output for when a user authenticates successfully and check if a 'subsystem request for sftp' doesn't immediately follow that authentication. That would be an indicator that they connected to just do SSH shell work and not directly for SFTP. This seems a little awkward though.

May 16 11:53:10 XXXXXXX sshd[iiiiiiiiiiiiiii]: Accepted password for user12 from xxx.xxx.xxx.xxx port xxxxx ssh2
May 16 11:53:10 XXXXXXX sshd[iiiiiiiiiiiiiii]: subsystem request for sftp by user USER12

Any suggestions/thoughts would be helpful. Thanks!

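The log correlation described in the post above, as an added example that is not part of the original post or of Co:Z. It pairs each "Accepted" line with a "subsystem request for sftp" line for the same user (compared case-insensitively, since the sample shows user12 and USER12) within a short time window. Assumptions: the 5-second window, the year, the pairing by user and time rather than by sshd PID (the PIDs are masked in the post), and all sample host names, PIDs and addresses, which are constructed.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample in the format of the post's two syslog lines (host, PIDs, IPs invented).
SAMPLE_LOG = """\
May 16 11:53:10 ZOSHOST sshd[101]: Accepted password for user12 from 192.0.2.10 port 50001 ssh2
May 16 11:53:10 ZOSHOST sshd[102]: subsystem request for sftp by user USER12
May 16 12:01:44 ZOSHOST sshd[201]: Accepted publickey for user07 from 192.0.2.11 port 50002 ssh2
May 16 12:30:00 ZOSHOST sshd[301]: Accepted password for user12 from 192.0.2.10 port 50003 ssh2
"""

PREFIX = r"^(\w{3}\s+\d+ [\d:]{8}) \S+ sshd\[[^\]]*\]: "
ACCEPT = re.compile(PREFIX + r"Accepted \S+ for (\S+) from ")
SFTP = re.compile(PREFIX + r"subsystem request for sftp by user (\S+)")

def parse_ts(text, year):
    # Syslog timestamps carry no year, so the caller supplies one (assumption).
    return datetime.strptime(f"{year} {text}", "%Y %b %d %H:%M:%S")

def classify_logins(lines, window_seconds=5, year=2018):
    """Return (sftp_logins, other_logins) as Counters keyed by upper-cased user."""
    window = timedelta(seconds=window_seconds)
    pending = {}  # user -> timestamps of logins not yet paired with an sftp request
    sftp, other = Counter(), Counter()
    for line in lines:
        if m := ACCEPT.match(line):
            pending.setdefault(m.group(2).upper(), []).append(parse_ts(m.group(1), year))
        elif m := SFTP.match(line):
            user, when = m.group(2).upper(), parse_ts(m.group(1), year)
            queue = pending.get(user, [])
            for i, login in enumerate(queue):
                if timedelta(0) <= when - login <= window:
                    del queue[i]          # pair the request with this login
                    sftp[user] += 1
                    break
    for user, queue in pending.items():
        if queue:                          # logins never followed by an sftp request
            other[user] += len(queue)
    return sftp, other

if __name__ == "__main__":
    sftp, other = classify_logins(SAMPLE_LOG.splitlines())
    for user in sorted(set(sftp) | set(other)):
        print(f"{user}: sftp={sftp[user]} non-sftp={other[user]}")
```

A login counted as non-sftp here is any authenticated session without a nearby sftp subsystem request, which includes interactive shells but also remote command execution, scp and port forwarding.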