Path: ...!weretis.net!feeder8.news.weretis.net!eternal-september.org!feeder3.eternal-september.org!news.eternal-september.org!.POSTED!not-for-mail
From: Chris Townley <news@cct-net.co.uk>
Newsgroups: comp.os.vms
Subject: Re: Viewing SSH users on VMS
Date: Wed, 31 Jul 2024 19:36:57 +0100
Organization: A noiseless patient Spider
Lines: 30
Message-ID: <v8e089$1isug$2@dont-email.me>
References: <v83b3h$3c2fu$1@dont-email.me>
 <dcadcb05751d075777494f05153fb7170358ef40@i2pn2.org>
 <v8dot6$1isug$1@dont-email.me>
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
Injection-Date: Wed, 31 Jul 2024 20:36:58 +0200 (CEST)
Injection-Info: dont-email.me; posting-host="3807d6f0a646f04e67d8331ec60859fa";
	logging-data="1668048"; mail-complaints-to="abuse@eternal-september.org";	posting-account="U2FsdGVkX19BZnL9cVdtmfKZ35cicKcEdoVdekAzYLE="
User-Agent: Mozilla Thunderbird
Cancel-Lock: sha1:K78aoWs7I9A0pM7+W0S/TPTp/QA=
Content-Language: en-GB
In-Reply-To: <v8dot6$1isug$1@dont-email.me>
Bytes: 2041

On 31/07/2024 17:31, Chris Townley wrote:

<snip>

> What I have discovered, which could make getting the parent PID 
> unnecessary, is that a log file is created in SSH$ROOT:[VAR] named either
> 
> <this_hostname>_<remote host or IP address>_<process_PID>.log
> or
> <remote host or IP address>_<process_PID>.log
> 
> but unless the login fails, nothing is written.
> 
> No idea why or when which form is used.
> 
> Can I presume that a PID will be unique until a system reboot? If so I 
> could delete/rename these logs at system startup, then look for the 
> file, at least to get the remote node, and add to the process name.
> 
> Otherwise maybe I cold hack the client startup to create a readable file 
> with remote node and user?
> 

Interestingly SYS$REM_NODE and SYS$REM_NODE_FULLNAME are both set to the 
remote IP address, but SYS$REM_ID is set to the local, not the remote 
username.

-- 
Chris