HP-UX Secure Shell Getting Started Guide HP-UX 11i v1, HP-UX 11i v2, and HP-UX 11i v3 (5900-3142, June 2013)

Table 16 Behavior of the ssh, scp, and sftp Commands with Different Combinations of
EnforceSecureTTY and PermitRootLogin (continued)

EnforceSecureTTY: NO
PermitRootLogin: Without Password

Behavior of the ssh Command: Host login (1) is allowed for all superusers. Superusers must
authenticate with a method other than password authentication. However, this requirement is not
related to EnforceSecureTTY. Host command execution (2) is allowed for all users, regardless of
the setting in the /etc/securetty file.

Behavior of the scp and sftp Commands (3): Superusers can execute the scp and sftp commands,
regardless of the settings in the /etc/securetty file. Superusers must authenticate with a method
other than password authentication.

IMPORTANT: The scp and sftp commands and forced-commands (4) are mutually exclusive. If
forced-command execution is set, only the forced-command is executed and no file transfers are
allowed.
1. Host login refers to a client directly logging into a host. Following is an example of host login:
   $ ssh hostxyz
2. Host command execution refers to a client executing only one command against a server. The client logs into the server,
   executes the command, and exits. Following is an example of host command execution:
   $ ssh hostxyz ls /tmp
3. The execution of the scp and sftp commands is similar to that of host command execution. However, no pty is allocated for
   scp and sftp, and the /etc/securetty file is not checked. Any combination of EnforceSecureTTY and
   PermitRootLogin that allows host command execution for ssh also allows scp and sftp execution.
4. Forced-command execution refers to a client executing a command predefined in the authorized_keys file of the
   client. This file is located in the home directory of the client on the server.
Behavior of EnforceSecureTTY with the UseLogin Configuration Directive
The EnforceSecureTTY configuration directive works in conjunction with the UseLogin
configuration directive. Although login(1) contains the code to check the /etc/securetty
file, that code is part of its authentication path. If UseLogin is set to yes, HP-UX Secure Shell invokes
login(1) with the do-not-authenticate option. As a result, the section of the login(1) code
that checks the /etc/securetty file is skipped. HP-UX Secure Shell therefore reads and
processes the /etc/securetty file itself, even if UseLogin is set to yes.
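As an added example (not from the HP-UX guide), the following POSIX shell script reads an sshd_config file and summarises what the PermitRootLogin, EnforceSecureTTY and UseLogin settings described above and in Table 16 mean for superuser access over ssh, scp and sftp. It assumes the OpenSSH rule that the first occurrence of a keyword wins and that an absent PermitRootLogin defaults to yes; the sample configuration it writes is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not HP-UX Secure Shell code. Assumption: as in OpenSSH, the
# first occurrence of a keyword in sshd_config wins.

# sshd_value FILE KEYWORD DEFAULT: first value set for KEYWORD (case-insensitive), else DEFAULT.
sshd_value() {
    awk -v kw="$2" -v def="$3" '
        /^[ \t]*#/ || NF < 2 { next }
        tolower($1) == tolower(kw) { print tolower($2); found = 1; exit }
        END { if (!found) print def }' "$1"
}

# root_ssh_posture FILE: one-line summary of what a superuser may do over ssh/scp/sftp.
root_ssh_posture() {
    permit=$(sshd_value "$1" PermitRootLogin yes)      # assumed default: yes
    tty=$(sshd_value "$1" EnforceSecureTTY unset)
    uselogin=$(sshd_value "$1" UseLogin no)
    case "$permit" in
        no) echo "root login over ssh refused (PermitRootLogin no)"; return 0 ;;
        forced-commands-only)
            # Forced commands and scp/sftp are mutually exclusive (Table 16 note).
            echo "root runs forced commands only; no interactive login, no scp/sftp"; return 0 ;;
        without-password) summary="root must authenticate with a non-password method" ;;
        yes) summary="root may authenticate with a password" ;;
        *) echo "unrecognised PermitRootLogin value: $permit"; return 1 ;;
    esac
    case "$tty" in
        # scp and sftp never consult /etc/securetty (no pty is allocated for them).
        yes) summary="$summary; sshd checks /etc/securetty for root host logins (never for scp/sftp)" ;;
        no)  summary="$summary; sshd does not consult /etc/securetty" ;;
        *)   summary="$summary; EnforceSecureTTY not set" ;;
    esac
    if [ "$uselogin" = yes ]; then
        summary="$summary; UseLogin yes: login(1) runs without authenticating, sshd still reads /etc/securetty"
    fi
    echo "$summary"
}

# Constructed sample sshd_config matching the Table 16 row above (NO / Without Password).
sample_cfg=$(mktemp)
cat >"$sample_cfg" <<'EOF'
# constructed sample, not a real host configuration
Protocol 2
permitrootlogin without-password
EnforceSecureTTY no
EOF
root_ssh_posture "$sample_cfg"
```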
Behavioral differences between telnet and ssh logins because of EnforceSecureTTY
The addition of the EnforceSecureTTY configuration directive modifies the behavior of the ssh
login, causing it to differ from a telnet login. In telnet, a pty is allocated to a user connection
before authentication. In HP-UX Secure Shell, a user must authenticate successfully before the sshd
daemon allocates a pty. Once a user is successfully authenticated, the sshd daemon does not
prompt the user for a password. Table 17 describes the difference between a telnet and an
ssh login.