HP NonStop SSH Reference Manual HP Part Number: 544701-016 Published: February 2014 Edition: HP NonStop SSH 4.4 G06.21 and subsequent G-series RVUs H06.07 and subsequent H-series RVUs J06.
© Copyright 2014 Hewlett-Packard Development Company, L.P. Confidential computer software. Valid license from HP required for possession, use or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor’s standard commercial license. The information contained herein is subject to change without notice.
Contents (excerpt; page numbers refer to the printed manual)
Preface 13
  Who Should Read This Guide 13
  Related Reading 13
  Document History 15
Introduction 25
  The SSH2 Solution ...
Configuration Overview 47
  The Configuration File 48
  PARAM Commands 48
  Startup Line Parameters ...
INTERFACE 84
INTERFACEOUT 84
INTERVALLIVEPRIVATEUSERKEY 85
INTERVALLIVEPUBLICUSERKEY ...
SOCKETRCVBUF 116
SOCKETSNDBUF 116
SOCKTCPMINRXMT 117
SOCKTCPMAXRXMT ...
TCP/IPv6 Migration and Backout 141
  Start Using TCP/IPv6 141
  Reverting Back to Pre-IPv6 SSH2 Release 141
  Multiple IP Process, Multiple IP Address Considerations ...
DELETE RESTRICTION-PROFILE 189
INFO RESTRICTION-PROFILE 189
RENAME RESTRICTION-PROFILE 189
Client Mode Commands - Overview 190
  ASSUME USER ...
Command-Line Reference 220
  Using the SSH client to create a shell controlling a remote system 224
  Using the SSH client to create a port forwarding daemon 225
  Using the SSH client to create an FTP port forwarding daemon 226
  SFTP Client Command Reference ...
BANNER Y | N 262
BANNER_TIMEOUT 262
BLAST 262
BREAK_ON_DISCON Y|N ...
SSH_DEFAULT_SVC | *NONE* 275
START SERVICE | * 276
START WINDOW <#window-name> | * 276
STATUS SERVICE [ | * ] 276
STATUS SESSION [ | * ] ...
Summary 329
Troubleshooting 331
  Introduction 331
  Information Needed By Support 331
  General SSH2 Error Messages ...
Preface
Who Should Read This Guide
This document is for system administrators who are responsible for installing, configuring and maintaining SSH2 components, including those delivered with the HP NonStop™ SSH product (T0801), and those that come with comForte's SecurSH or SecurFTP/SSH product.
Related Reading
The following reading is recommended documentation for NonStop users of SSH/SFTP clients and users connecting to NonStop using remote ssh/sftp/scp clients:
• HP NonStop documentation “Guardian User’s Guide”
• HP NonStop documentation “Open System Services Shell and Utilities Reference Manual”, if using OSS
• HP NonStop documentation “HP NonStop TACL Reference Manual”
• HP NonStop documentation “File Utility Program (FUP) Reference Manual”
Generally, users should get familiar with Guardian name space
Document History
Version 4.4
Describes changes in SSH release 97. Documentation for the following new features has been added:
• Added STNCOM/SSHCOM OUT command and STNCOM UAIPADDR command.
• Changed the range for STNCOM MAX_OPENERS, and the maximum continuation command length for STNCOM/SSHCOM.
• Added description for new parameter DAEMONMODEOWNERPOLICY controlling access to Daemon mode commands.
• Added additional information for parameter SHELLENVIRONMENT.
• Added additional information for authentication with password on procedure USER_AUTHENTICATE_.
• Various additions and changes in the STN Reference section.
Version 4.1
Describes changes in the SSH2 release 93. Documentation for the following new features has been added:
• Added Migration Considerations section.
• Added description of new parameter SFTPDISPLAYGUARDIAN controlling the format of filenames in SFTP informational messages.
• Added description for new support for creation of format 2 files in an SFTP session.
• Added description for support of option -oBindAddress for SFTP[OSS] and SSH[OSS] clients.
• Added description of option LIKE for SSHCOM command ADD RESTRICTION-PROFILE.
• Updated section "Starting SSH2" with new run modes.
• Added documentation of additional commands in section "Statistics Related Commands".
• Added sections "Transfer Progress Meter" and "Controlling Transfer Summary".
• Alphabetically sorted help items displayed within SFTP and SFTPOSS when the 'help' command is entered.
Version 3.8
Describes changes in SSH2 release 90. Documentation for the following new features has been added:
• Added description for new parameters ENABLESTATISTICSATSTARTUP, INTERFACEOUT, LOGEMSKEEPCOLLECTOROPENED, LIFECYCLEPOLICYPRIVATEUSERKEY, INTERVALPENDINGPRIVATEUSERKEY and INTERVALLIVEPRIVATEUSERKEY.
• Added section for SSHCOM client mode commands RENAME KNOWNHOST and RENAME PASSWORD.
Changes in SSH2 release 89 that are incompatible with previous releases:
• Previous client mode owner policy was to use the Guardian user id to store client mode records. This corresponds to value GUARDIANNAME for new parameter CLIENTMODEOWNERPOLICY. The default value for this parameter is BOTH, i.e. in order to get the previous behavior the parameter CLIENTMODEOWNERPOLICY must be explicitly set to GUARDIANNAME.
• Description for SSH2 log message memory cache related parameters LOGCACHESIZE, LOGLEVELCACHE and LOGCACHEDUMPONABORT has been added.
• Log cache related SSHCOM commands SET LOGCACHESIZE, SET LOGLEVELCACHE, SET LOGCACHEDUMPONABORT, FLUSH LOGCACHE and CLEAR LOGCACHE were described.
• Added description for SSHCOM commands STATUS SSH2, STATUS SESSION, STATUS CHANNEL and STATUS OPENER.
• The document now contains a description for file retention related SSHCOM commands ROLLOVER LOGFILE and ROLLOVER AUD
Version 3.1
Describes changes in SSH2 release 0084. Documentation for the following new features has been added:
• New environment variable INQUIREUSERNAMEIFNOTSUPPLIED checked by ssh/sftp clients.
• New ADD USER option LIKE.
• New SSH2 parameter DISCONNECTIFUSERUNKNOWN.
Version 3.0
Describes changes in SSH2 release 0083. Documentation for the following new features has been added:
• New database object RESTRICTION-PROFILE.
• New SSHCOM commands for manipulating RESTRICTION-PROFILE records.
Version 2.7
Manual has been revised to correctly reflect the way HP NonStop SSH is delivered.
Version 2.6
Describes changes in SSH2 release 0080. Documentation for the following new features has been added:
• Configuration of an alternate command interpreter or a service menu for USERs working with 6530 SSH sessions
• Granting access without SSH user authentication
The chapter "STN Reference" has been added, documenting the STN pseudo TTY server.
Version 1.8
The new SFTP-PRIORITY attribute of the user entity allows administrators to specify the priority of the SFTPSERV process started by SSH2. This feature enables SSH2 to run at a high priority, while SFTPSERV runs at a priority below other critical application or system processes. This will minimize the impact SFTP transfers have on overall system performance, while ensuring fast response times of SSH2 during SSH session establishment.
Version 1.2a
• Some general improvements in layout have been implemented.
• The heading structure has been slightly revised in various places.
• Two parameters, ALLOWIP and DENYIP, have been deleted.
Version 1.2
Describes changes in SSH2 release 0036. Starting with this release, SecurFTP also supports running as an SFTP client under OSS. Documenting this new capability resulted in changes throughout the manual.
Version 1.1
Describes changes in SSH2 release 0025.
Introduction The SSH2 Solution SSH2 is a set of programs delivered when the customer purchases one of the following products: • HP NonStop SSH. HP NonStop SSH is a comprehensive, enterprise Secure Shell solution for HP NonStop servers. In the fall of 2010, it became available from HP with the purchase of the NonStop™ Operating System Kernel for H Series and J Series NonStop platforms.
Central Key Store Instead of storing keys in the file system, SSH2 includes a key and password store with central access control, providing maximum security for user credentials. This enables the easy and secure implementation of batch processes without requiring the use of passwords in batch files. Secure SFTP Transfer SSH2 includes an OSS and a Guardian SFTP client, as well as an SFTP server that provides remote SFTP client access to both Guardian and OSS files.
Components of the SSH2 Software Package
The SSH2 software package consists of the following components:
• The SSH2 component is the central component of the implementation. Depending on the mode it is started in, it can serve different purposes:
o It implements a server process for the SSH2 protocol. It listens for incoming connections on a specific TCP/IP port (typically port 22), authenticates the user and the service and then spawns other processes it communicates with.
Architecture Overview
This section shows how the various components work together in different usage scenarios.
SSH2 Running as SSH Daemon (Server)
The following figure shows how the components of SSH2 work together to implement SSH server processes (often referred to as a “daemon” in UNIX environments) on the NonStop system.
SSH2 Running as SSH Client
The following figure shows how the components of SSH2 work together to implement an SSH client running on the NonStop platform:
Figure 2: SSH2 running as SSH client
SSH2 can interface with a range of client components, including SSH, SFTP or the equivalent OSS programs, such as SSHOSS or SFTPOSS. With SSH2, a client component opens the SSH2 component and forwards the user commands and the startup configuration.
Installation & Quick Start
System Requirements
To run SSH2 components, associated systems must meet the following requirements:
HP NonStop™ host:
• G-Series: G06.21 or later.
• H-Series: H06.07 or later.
• J-Series: J06.03 or later.
• OSS is not required. If present, OSS is fully supported.
Partner systems:
• An SSH client and/or daemon supporting version 2 of the SSH protocol.
Installation on the NonStop™ Server
Note(s):
• For SSH2 as part of HP NonStop SSH, the installation procedures are different and the steps outlined in sections "Installing the SSH Components on the NonStop System" and "Quick-starting the SSH2 System" should be skipped.
• HP NonStop SSH will be pre-installed with your H-series RVU, J-series RVU, or G-series RVU (G06.32 or later). This enables SSH connectivity on the default TCP/IP stacks.
On H- and J-Series: FUP ALTER SSHINST, CODE 800
3. Extract the archive by issuing the following command:
RUN SSHINST
The SSH program files will now be copied to the assigned subvolume.
4. For the Safeguard versions T9750G07^AFO/T9750H04^AFJ and later, set the PRIV-LOGON bit for objects SSH2, SFTPSERV and STN (if not already executed by DSM/SCM), e.g.:
SAFECOM ADD DISKFILE $SYSTEM.ZSSH.SSH2, PRIV-LOGON ON
SAFECOM ADD DISKFILE $SYSTEM.ZSSH.SFTPSERV, PRIV-LOGON ON
SAFECOM ADD DISKFILE $SYSTEM.ZSSH.
SSH2 License and Version Information The SSH2 release provides a TACL macro that retrieves license and version information. After changing the current subvolume to a subvolume containing an SSH2 installation the macro is started using the RUN command, e.g.: VOLUME $SYSTEM.ZSSH RUN SSH2INFO The SSH2INFO macro will display the content of the license file (if found). First the default subvolume will be checked when looking for the license file, then the standard installation subvolume $SYSTEM.ZSSH.
In case the new version of SSH2 creates unexpected problems, revert to the old object files.
Where configuration data is stored
Other than any macros you have created, there are two data files which you want to keep in order to keep your existing database/configuration entries:
HOSTKEY stores the host key.
SSHCTL stores all users and configuration done through SSHCOM.
Quick-Starting the SSH2 System This section illustrates how to quickly start the SSH2 system and provides an overview of the functionality available. For production installation, you will need to consider availability, load balancing and security related issues. Please refer to the "Configuring and Running SSH2" chapter for details.
With this parameter set to false, users will be prompted if they want to continue a connection to an unknown host.
Note: When you start SSH2 in NOWAIT mode, make sure you have disabled logging to the home terminal. To do so, set the following PARAM:
PARAM LOGCONSOLE *
2. SSH2 will now start with the parameters specified in the command line. It will output initialization messages to your terminal. Please check these messages for any errors.
[file ] SSHCTLAUDIT
[def ] SSHKEEPALIVETIME <60>
[def ] STOREDPASSWORDSONLY
[file ] STRICTHOSTKEYCHECKING
[run ] SUBNET <$ZTC1>
[def ] SUPPRESSCOMMENTINSSHVERSION
[def ] TCPIPHOSTFILE <*>
[def ] TCPIPNODEFILE <*>
[def ] TCPIPRESOLVERNAME <*>
$SSH01|20Jan14 15:34:01.55|10|CRYPTOPP version T9999H06_12Dec2013_comForte_CRYPTOPP_0028
$SSH01|20Jan14 15:34:01.57|20|TCP/IP process is $ZTC1
$SSH01|20Jan14 15:34:05.35|20|Converted INTERFACE: 0.0.0.0
$SSH01|20Jan14 15:34:05.
auditlog bashhist bench benchcpu benchs2k benchs3k cryptand ftps fupcstm osstest osstzip rand1mio rs120157 scfcstm sftpserv shhistor stna48 t1000 t10000 t100000 t1000000 taclcstm test test101 testbin testbin2 testbin3 testbin4 tracecap z1000000 z1mio z1mio2 z1mio3 z1mioftp z50mio zz10mio zz1mio zzsa1894 zzsa7884 zzz10m zzz1mio
Please note that the Guardian userid is specified on the SSH command line.
/home/mh: /G/data1/mhssh/sshoss comf.mh@10.0.0.201
SSH client version T9999H06_22Jan2014_comForte_SSHOSS_0097
WARNING: REMOTE HOST IDENTIFICATION UNKNOWN!
The host public key fingerprint is
babble: xelol-vifez-cefis-gimiv-nepof-zemid-latut-zahoz-hyrun-hipop-hixex
MD5: 04:bb:3c:a0:66:d4:bf:e3:60:b8:f3:31:49:d9:86:a6
Continue and add the host to the knownhost store(yes/no)? yes
Trying password authentication.
Enter m.horst@10.0.0.201's password:
Add password for m.horst@10.0.0.
$US SSH90A 48> run ssh -N -R 5021:localhost:23 testusr@10.0.0.234
SSH client version T9999H06_22Jan2014_comForte_SSH_0097
The -N option suppresses the start of a remote shell. The -R option tells the remote SSH daemon on host 10.0.0.234 to listen on port 5021 and forward any incoming connection on that port to the local SSH2 process, which in turn forwards it to a telnet server on the local host listening on the loopback address, port 23.
$DATA1 MHSSH 20> run sftp m.horst@10.0.0.201
SFTP client version T9999H06_22Jan2014_comForte_SFTP_0097
Connecting to 10.0.0.201...
You have no private keys in the key store.
Trying password authentication.
Enter m.horst@10.0.0.201's password:
Add password for m.horst@10.0.0.201 to the password store (yes/no)? no
sftp> ls -l
drwxr-xr-x 0 509 100 824 Jan 19 15:03 .
drwxr-xr-x 0 0 0 688 Nov 24 19:57 ..
-rw-r--r-- 0 509 100 6340 Jun 19 2003 .
remote SSH daemon must support the forwarding of FTP sessions (not all SSH daemon implementations are able to handle FTP forwarding). Similar to the example under “Forwarding Remote Port to Local Port” in section "To Establish a Port Forwarding Tunnel with the NonStop SSH Client", the -R option can be used to forward an FTP connection from a remote host to the local host.
To Add the Public Key to the NonStop SSH2 User Database
Before a user can connect using public key authentication, the public key needs to be added to the user database. Using the SSHCOM component on the NonStop server, add the public key to the user as shown in the following example (note that the fingerprint was copied from the output of the previous step):
$DATA1 SSH2 12> sshcom $ssh01
SSHCOM T0801H01_22JAN2014_ABK - 2014-01-24 15:42:47.440
OPEN $ssh01
% ALTER USER comf.
OK, key comf.tb:test1 exported
%
Note: If you are executing SSHCOM as SUPER.SUPER, you will need to switch to CLIENT mode before exporting the key. Please issue the following command before the EXPORT KEY command:
MODE CLIENT
The file $data1.tbtmp.tbkey now needs to be transferred to the remote system in BINARY mode. Note that the file contains only the public key and therefore contains no sensitive information. The public key exported to the tbkey file can now be transferred to the remote system.
Configuring and Running SSH2 Configuration Overview Administrators can specify configuration parameters of SSH2 processes through each of the following means: • A configuration file • PARAM commands • Startup command line parameters These different options enable system administrators to easily manage installations with multiple SSH2 processes, including those running on multiple TCP/IP processes and ports as well as in different modes.
The Configuration File
Configuration files can be modified with a standard NonStop editor, such as TEDIT. The name of the file that an SSH2 process should use as the configuration source is passed to the program during startup. (See the "Starting SSH2" section for details.) The file contains entries in the following form:
parameter-name parameter-value
As in the standard TCP/IP configuration files, any line starting with a "#" character is interpreted as a comment.
Startup Line Parameters SSH2 configuration parameters can be passed on the startup line as follows: ; ; ...
SSH2 Parameter Reference
This section describes all available SSH2 parameters in alphabetical order. Note that parameter names are case insensitive, regardless of the source in which they appear. Some of the parameters are also valid for clients; see section "FILE I/O parameters for SFTP/SFTPOSS".
Parameter  Meaning
CLIENTALLOWEDAUTHENTICATIONS  Allows restriction of possible authentication methods used by NonStop ssh clients.
CLIENTMODEOWNERPOLICY  Defines security granularity for the client mode SSH2 database.
COMPRESSION  Specifies whether compressed SSH sessions are supported.
CONFIG  Specifies the file name of an SSH2 configuration file.
CONFIG2  Specifies the file name of a second configuration file for an SSH2 process.
Parameter  Meaning
LIFECYCLEPOLICYPRIVATEUSERKEY  Controls the life cycle of user-generated private keys.
LIFECYCLEPOLICYPUBLICUSERKEY  Controls the life cycle of user public keys.
LOGCACHEDUMPONABORT  Determines if the internal log cache is written to the log file in case the process aborts.
LOGCACHESIZE  Determines the size of the internal log cache.
LOGCONSOLE  Determines whether log messages are written to a console.
LOGEMS  Determines whether log messages are written to EMS.
Parameter  Meaning
SFTPEDITLINEMODE  Controls handling of Guardian edit lines that are longer than the maximum Guardian edit line length.
SFTPEDITLINENUMBERDECIMALINCR  Controls the Guardian edit line number decimal increment.
SFTPEDITLINESTARTDECIMALINCR  Defines at which line decimal incrementing of Guardian edit line numbers starts.
SFTPENHANCEDERRORREPORTING  Can be used to get more detailed file transfer error information.
ALLOWEDAUTHENTICATIONS
Use this parameter to specify the authentication mechanisms that are allowed for system users that are automatically added to the SSHCTL database upon first login.
Parameter Syntax
ALLOWEDAUTHENTICATIONS (method[,method,...])
Arguments
method Specifies an SSH authentication method to be allowed. Valid values are…
o password Password for the NonStop system's authentication mechanism. The password is validated against the SYSTEM-USER's password.
Arguments
subsystem Specifies an SSH subsystem to be allowed for incoming connections. Valid values are…
o tacl
o sftp
Default
If omitted, ALLOWEDSUBSYSTEMS will be set to "sftp,tacl".
Considerations
• In an environment with more than one SSH2 process accessing the same SSHCTL database, this parameter can be used to force users to use one SSH2 process for SFTP sessions and the other SSH2 process for TACL sessions.
ALLOWFROZENSYSTEMUSER FALSE
ALLOWINFOSSH2
This parameter defines the set of users that are allowed to execute the SSHCOM command INFO SSH2.
Parameter Syntax
ALLOWINFOSSH2 ALL|PARTIALSSHCOMACCESS|FULLSSHCOMACCESS
Arguments
ALL|PARTIALSSHCOMACCESS|FULLSSHCOMACCESS Valid values are:
o ALL: Every user is allowed to execute SSHCOM command INFO SSH2.
o PARTIALSSHCOMACCESS: Only users configured with partial SSHCOM access are allowed to execute SSHCOM command INFO SSH2.
• If ALLOWPASSWORDSTORE is set to TRUE, passwords can be added manually to the user's password store using the SSHCOM ADD PASSWORD command. Passwords can also be added interactively, when users are prompted after a successful SSH password authentication with a remote SSH daemon.
Example
ALLOWPASSWORDSTORE TRUE
ALLOWTCPFORWARDING
Use this parameter to specify whether the SSH2 daemon will completely reject TCP port forwarding through SSH or allow TCP port forwarding depending on user configuration.
Log messages are written to the given device (e.g. $DEV.#SUBDEV).
Default
By default, no audit messages will be written ("*").
Considerations
• Although it is possible to specify a collector, setting AUDITCONSOLE to a collector name is not recommended because a collector will cut long messages after 108 characters.
• If writing audit messages to a collector is required, use parameter AUDITEMS instead.
AUDITFILE * | filenameprefix
Arguments
* Means that no audit log messages are written to a file.
filenameprefix Specifies the prefix of the audit message file set. The actual audit file names are constructed from filenameprefix, which is appended by a number controlled by the AUDITFILERETENTION parameter.
Default
By default, no audit messages are written to a file ("*").
Arguments
format A number is used to represent a bit mask that controls the format. The values and their corresponding format are:
bit 1 (decimal 1): Date
bit 2 (decimal 2): Header (log messages are prefixed with "[log]")
bit 3 (decimal 4): Time
bit 4 (decimal 8): Milliseconds
bit 5 (decimal 16): Process name
bit 7 (decimal 64): Log level of message
Default
The default audit log format is 21 (date, time, process name).
See also
• AUDITCONSOLE, AUDITFORMATEMS, AUDITFORMATFILE
• "Audit Messages" in the chapter entitled "Monitoring and Auditing"
AUDITFORMATEMS
Use this parameter to control the format of the audit messages that are written to EMS.
Parameter Syntax
AUDITFORMATEMS format
Arguments
format A number is used to represent a bit mask that controls the format.
Default
The default log format is 21 (date, time, process name).
See also
• AUDITFILE, AUDITFORMATCONSOLE, AUDITFORMATEMS
• "Audit Messages" in the chapter entitled "Monitoring and Auditing"
AUDITMAXFILELENGTH
Use this parameter to control the maximum size of an audit file.
Parameter Syntax
AUDITMAXFILELENGTH length
Arguments
length A number representing the maximum log file length in kilobytes. Values must fall within the following constraints: Maximum: 40.
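The AUDITFORMAT* bit mask above is the same for the console, EMS and file targets, so one decoder covers all three. The following is an added example written for this page, not code from the HP NonStop SSH product: it encodes and decodes the mask using the bit values the manual lists (1 date, 2 header, 4 time, 8 milliseconds, 16 process name, 64 log level; default 21) and renders a constructed audit event with only the selected fields. The rendered layout (fields separated by "|", process name first, two fractional-second digits) is an assumption modelled on the startup messages shown earlier on the page, not a documented output format.

```python
"""Added example: encode/decode the AUDITFORMATCONSOLE/EMS/FILE bit mask.

Illustration code for this page, not the HP NonStop SSH product's code.
Bit values are taken from the parameter description; the rendered line
layout is an assumption modelled on the page's sample startup messages.
"""
from dataclasses import dataclass
from datetime import datetime

# Bit assignments as listed in the manual (bit 6 / decimal 32 is not defined there).
FORMAT_BITS = {
    "date": 1,
    "header": 2,
    "time": 4,
    "milliseconds": 8,
    "process_name": 16,
    "log_level": 64,
}
DEFAULT_FORMAT = 21  # date + time + process name, the documented default


def decode_format(mask: int) -> list:
    """List the fields enabled by an AUDITFORMAT* value, in bit order.

    Rejects negative masks and masks that set a bit the manual does not define,
    so a typo such as 23 (sets bit 2, the header) or 53 (sets undefined bit 32)
    is caught when the configuration is checked rather than silently applied.
    """
    if mask < 0:
        raise ValueError("format mask must not be negative")
    undefined = mask & ~sum(FORMAT_BITS.values())
    if undefined:
        raise ValueError(f"mask {mask} sets undefined bits: {undefined}")
    return [name for name, bit in FORMAT_BITS.items() if mask & bit]


def encode_format(*fields: str) -> int:
    """Build a mask from field names; encode_format('date','time','process_name') == 21."""
    mask = 0
    for name in fields:
        if name not in FORMAT_BITS:
            raise KeyError(f"unknown audit format field {name!r}")
        mask |= FORMAT_BITS[name]
    return mask


@dataclass
class AuditEvent:
    process: str      # e.g. "$SSH01"
    level: int        # numeric log level
    when: datetime
    text: str


def render(event: AuditEvent, mask: int = DEFAULT_FORMAT) -> str:
    """Render one event with only the fields the mask selects (assumed layout)."""
    fields = decode_format(mask)
    parts = []
    if "process_name" in fields:
        parts.append(event.process)
    stamp = []
    if "date" in fields:
        stamp.append(event.when.strftime("%d%b%y"))          # e.g. 20Jan14
    if "time" in fields:
        clock = event.when.strftime("%H:%M:%S")
        if "milliseconds" in fields:
            # two fractional digits, as in the page's sample "15:34:01.57"
            clock += ".%02d" % (event.when.microsecond // 10000)
        stamp.append(clock)
    if stamp:
        parts.append(" ".join(stamp))
    if "log_level" in fields:
        parts.append(str(event.level))
    parts.append(event.text)
    line = "|".join(parts)
    if "header" in fields:
        line = "[log] " + line
    return line


def sample_event() -> AuditEvent:
    """Constructed sample event (values mirror the page's startup log line)."""
    return AuditEvent("$SSH01", 20, datetime(2014, 1, 20, 15, 34, 1, 570000),
                      "TCP/IP process is $ZTC1")


if __name__ == "__main__":
    ev = sample_event()
    for mask in (DEFAULT_FORMAT, DEFAULT_FORMAT | 8 | 64, 2 | 4):
        print(mask, decode_format(mask), "->", render(ev, mask))
```

A practical use is checking a candidate AUDITFORMAT value before putting it in the configuration file: decode_format(mask) tells you exactly which fields a number such as 93 turns on, and rejects values that set bits the manual does not define.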
o TRUE: PRINCIPAL will be added if and only if either the 'password' or the 'keyboard-interactive' authentication method was successful and only if the 'gssapi-with-mic' authentication was executed successfully on Kerberos level.
o FALSE: PRINCIPAL will not be added even when either the 'password' or the 'keyboard-interactive' authentication method was successful and the 'gssapi-with-mic' authentication was executed successfully on Kerberos level.
AUTOADDSYSTEMUSERS TRUE
See also
AUTOADDSYSTEMUSERSLIKE, USETEMPLATESYSTEMUSER
AUTOADDSYSTEMUSERSLIKE
Use this parameter to specify a user whose configuration in SSHCTL is used as default configuration when automatic adding of users to SSHCTL is enabled (i.e. if parameter AUTOADDSYSTEMUSERS has a value of TRUE).
Parameter Syntax
AUTOADDSYSTEMUSERSLIKE
Arguments
The name of a user.
To learn more about how SSH2 can help users leverage the fundamentals of the NonStop system to provide NonStop SSH access, please refer to the "NonStop Availability" section.
Default
If omitted, BACKUPCPU is set to NONE.
Example
BACKUPCPU ANY
BANNER
Use this parameter to configure an authentication banner message to be displayed to SSH clients connecting to the SSH2 daemon.
Parameter Syntax
BANNER * | filename
Arguments
* Means no authentication banner is displayed.
On the other hand, when BURSTSUPPRESSION is FALSE, the log target settings enabled via the target-specific boolean parameters EMSBURSTSUPPRESSION, CONSOLEBURSTSUPPRESSION, FILEBURSTSUPPRESSION and CACHEBURSTSUPPRESSION are used. When BURSTSUPPRESSION is TRUE and BURSTSUPPRESSIONMAXLOGLEVEL is smaller than the log level assigned to a log message, duplicates of that log message (for any of the targets cache, console, EMS or file) are not suppressed.
Default
If omitted, BURSTSUPPRESSION is set to FALSE.
Parameter Syntax
BURSTSUPPRESSIONMAXLOGLEVEL detail
Arguments
detail A number is used to represent the level of suppression desired. A valid number must be between -1, indicating no suppression, and 100, indicating that all duplicate log messages are suppressed.
Considerations
Burst suppression (BURSTSUPPRESSION) is ignored for log messages with a log level greater than the maximum log level defined by parameter BURSTSUPPRESSIONMAXLOGLEVEL.
Default
If omitted, BURSTSUPPRESSIONMAXLOGLEVEL is set to 40.
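The interaction between BURSTSUPPRESSION, the per-target flags and BURSTSUPPRESSIONMAXLOGLEVEL is easiest to see on a concrete stream of messages. The block below is an added example written for this page, not the SSH2 product's implementation: it applies the rules stated above (global flag overrides the per-target flags; a message whose level exceeds the maximum is never suppressed; -1 suppresses nothing, 100 suppresses all duplicates) to a constructed set of log records. BURSTSUPPRESSIONEXPIRATIONTIME is only named, not defined, on this page, so its meaning as "seconds after which a repeated message counts as new again" is an assumption of the example.

```python
"""Added example: the duplicate-suppression decision for BURSTSUPPRESSION /
BURSTSUPPRESSIONMAXLOGLEVEL, run over a constructed log stream.

Illustration code for this page, not the SSH2 product's code.
Assumption: BURSTSUPPRESSIONEXPIRATIONTIME is modelled as the number of
seconds after which a repeated message is treated as new again.
"""
from dataclasses import dataclass, field

TARGETS = ("EMS", "CONSOLE", "FILE", "CACHE")


@dataclass
class BurstConfig:
    burst_suppression: bool = False     # BURSTSUPPRESSION (default FALSE)
    max_log_level: int = 40             # BURSTSUPPRESSIONMAXLOGLEVEL (default 40)
    expiration_seconds: float = 60.0    # BURSTSUPPRESSIONEXPIRATIONTIME (assumed semantics)
    # EMSBURSTSUPPRESSION / CONSOLEBURSTSUPPRESSION / FILEBURSTSUPPRESSION / CACHEBURSTSUPPRESSION
    per_target: dict = field(default_factory=lambda: {t: False for t in TARGETS})

    def __post_init__(self):
        if not -1 <= self.max_log_level <= 100:
            raise ValueError("BURSTSUPPRESSIONMAXLOGLEVEL must be between -1 and 100")

    def enabled_for(self, target: str) -> bool:
        """Global TRUE wins; otherwise the target-specific flag decides."""
        if target not in TARGETS:
            raise ValueError(f"unknown log target {target!r}")
        return True if self.burst_suppression else self.per_target[target]


class BurstSuppressor:
    """Remembers, per target, when each distinct message text was last written."""

    def __init__(self, config: BurstConfig):
        self.config = config
        self._last_emitted = {}   # (target, text) -> time of the copy that was written

    def should_emit(self, target: str, level: int, text: str, now: float) -> bool:
        if not self.config.enabled_for(target):
            return True
        if level > self.config.max_log_level:
            return True            # above the cap: duplicates are never suppressed
        key = (target, text)
        last = self._last_emitted.get(key)
        if last is not None and now - last < self.config.expiration_seconds:
            return False           # duplicate inside the window: suppressed
        self._last_emitted[key] = now
        return True


# Constructed sample stream (not from the manual): (seconds since start, level, text)
SAMPLE_STREAM = [
    (0.0, 20, "connection from 10.0.0.5 refused"),
    (1.0, 20, "connection from 10.0.0.5 refused"),    # duplicate, 1 s later
    (2.0, 50, "SSHCTL database open failed"),
    (3.0, 50, "SSHCTL database open failed"),         # duplicate, but level 50 > 40
    (61.0, 20, "connection from 10.0.0.5 refused"),   # repeat after the window expired
]


def emitted_indexes(config: BurstConfig, target: str = "FILE") -> list:
    """Indexes of SAMPLE_STREAM records that reach `target` under `config`."""
    suppressor = BurstSuppressor(config)
    return [i for i, (t, level, text) in enumerate(SAMPLE_STREAM)
            if suppressor.should_emit(target, level, text, t)]


if __name__ == "__main__":
    print("default (no suppression):     ", emitted_indexes(BurstConfig()))
    print("BURSTSUPPRESSION TRUE, max 40:", emitted_indexes(BurstConfig(burst_suppression=True)))
    print("BURSTSUPPRESSION TRUE, max 100:",
          emitted_indexes(BurstConfig(burst_suppression=True, max_log_level=100)))
```

Note the operational trade-off the MAXLOGLEVEL cap encodes: with the default of 40, a repeated high-severity message such as the constructed "SSHCTL database open failed" still reaches every target on each occurrence, so raising the cap to 100 to quiet a noisy console also silences repeats of the messages an operator most needs to see.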
CIPCOMPATERROR
In case there is no support for DEFINEs in the kernel (older OS releases), a PARAM CIPCOMPATERROR can be set to SUPPRESS for a kernel process.
Parameter Syntax
CIPCOMPATERROR { SUPPRESS | * }
Arguments
SUPPRESS DEFINE =CIP^COMPAT^ERROR will be set to SUPPRESS.
* DEFINE =CIP^COMPAT^ERROR will not be set.
Default
The default for this parameter is *.
Default
If omitted, SSH2 will accept all ciphers mentioned above.
Example
CIPHERS 3des-cbc
This will enforce the use of only 3DES encryption.
CLIENTALLOWEDAUTHENTICATIONS
Use this parameter to restrict the authentication methods the NonStop ssh clients (SSH[OSS], SFTP[OSS]) can try.
can not add/read/manipulate entries for associated aliases. In other words, a Guardian or alias user can add/manipulate entries for that Guardian or alias user only. The value LOGINNAME is recommended if different people are using the various aliases configured with the same Guardian user identifier.
GUARDIANNAME The default owner is the Guardian user identifier, independent of whether the logon name is an alias or a Guardian user. Entries are read using the Guardian user ID only.
The following arguments can be used to specify whether compression of the SSH session will be supported:
o TRUE: allows compressed sessions.
o FALSE: denies compressed sessions.
Default
If omitted, SSH2 will allow compressed sessions.
Example
COMPRESSION FALSE
CONFIG
Use this parameter to specify a configuration file for an SSH2 process.
Parameter Syntax
CONFIG file
Arguments
file Specifies the name of the configuration file.
Default
If omitted, SSH2 will not use a configuration file.
Considerations
• The second configuration file has precedence over the first one.
• This parameter can only be specified as PARAM or on the startup line. It is not valid within a configuration file.
• Parameters specified in the configuration file can be overwritten by PARAM or startup line settings.
CONSOLEBURSTSUPPRESSION
Use this parameter to configure burst suppression for log message duplicates of log target console (home terminal).
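The precedence rules for CONFIG, CONFIG2, PARAM and startup-line settings are spread over several entries (the configuration file format in "The Configuration File", case-insensitive names in "SSH2 Parameter Reference", and the Considerations above). The block below is an added example written for this page, not the product's own loader: it parses the documented "parameter-name parameter-value" file format with "#" comments, rejects CONFIG/CONFIG2 inside a file, merges the sources in the stated order, and validates ALLOWEDSUBSYSTEMS against the values and default given on this page. The manual does not say whether a PARAM or a startup-line value wins when both set the same parameter; the example applies the startup line last, and that choice, like the sample file contents and the placeholder file name in the test, is an assumption.

```python
"""Added example: merging SSH2 configuration sources by documented precedence.

Illustration code for this page, not the HP NonStop SSH product's loader.
Documented rules applied here: file lines are 'parameter-name parameter-value',
'#' lines are comments, names are case-insensitive, CONFIG2 beats CONFIG,
PARAM/startup-line settings beat both files, and CONFIG/CONFIG2 are not
valid inside a configuration file.
Assumption: the startup line is applied after PARAM (the manual does not
rank those two against each other).
"""

VALID_SUBSYSTEMS = {"tacl", "sftp"}          # values listed for ALLOWEDSUBSYSTEMS
FILE_FORBIDDEN = {"CONFIG", "CONFIG2"}       # PARAM / startup line only


def parse_config_text(text: str) -> dict:
    """Parse configuration-file content into {NAME: value} with upper-cased names."""
    params = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        pieces = line.split(None, 1)
        if len(pieces) != 2:
            raise ValueError(f"line {lineno}: expected 'parameter-name parameter-value'")
        name, value = pieces[0].upper(), pieces[1].strip()
        if name in FILE_FORBIDDEN:
            raise ValueError(f"line {lineno}: {name} is not valid inside a configuration file")
        params[name] = value
    return params


def file_error(text: str) -> str:
    """Return the parse error message for a file, or '' if it parses cleanly."""
    try:
        parse_config_text(text)
    except ValueError as exc:
        return str(exc)
    return ""


def effective_config(config_text=None, config2_text=None, params=None, startup=None) -> dict:
    """Merge sources in ascending precedence; a later layer overwrites an earlier one."""
    layers = [
        parse_config_text(config_text) if config_text is not None else {},    # CONFIG
        parse_config_text(config2_text) if config2_text is not None else {},  # CONFIG2
        {k.upper(): v for k, v in (params or {}).items()},                    # PARAM
        {k.upper(): v for k, v in (startup or {}).items()},                   # startup line (assumed last)
    ]
    merged = {}
    for layer in layers:
        merged.update(layer)
    return merged


def allowed_subsystems(cfg: dict) -> list:
    """Apply the documented default ("sftp,tacl") and validate the value list."""
    raw = cfg.get("ALLOWEDSUBSYSTEMS", "sftp,tacl")
    subs = [s.strip().lower() for s in raw.split(",") if s.strip()]
    unknown = sorted(set(subs) - VALID_SUBSYSTEMS)
    if unknown:
        raise ValueError(f"ALLOWEDSUBSYSTEMS: unknown subsystem(s) {unknown}")
    return subs


# Constructed sample input (not from the manual): two files, a PARAM and a startup override.
SAMPLE_CONFIG = """\
# first configuration file: SFTP-only daemon
allowedsubsystems sftp
COMPRESSION TRUE
LOGCONSOLE *
"""
SAMPLE_CONFIG2 = """\
# second configuration file overrides the first
compression FALSE
"""
SAMPLE_PARAMS = {"AllowedSubsystems": "sftp,tacl"}     # PARAM ALLOWEDSUBSYSTEMS sftp,tacl
SAMPLE_STARTUP = {"Compression": "TRUE"}               # startup line wins over both files


def sample_effective_config() -> dict:
    return effective_config(SAMPLE_CONFIG, SAMPLE_CONFIG2, SAMPLE_PARAMS, SAMPLE_STARTUP)


if __name__ == "__main__":
    cfg = sample_effective_config()
    for name in sorted(cfg):
        print(f"{name} {cfg[name]}")
    print("allowed subsystems:", allowed_subsystems(cfg))
```

Running it shows COMPRESSION TRUE (startup line over CONFIG2's FALSE over CONFIG's TRUE), ALLOWEDSUBSYSTEMS sftp,tacl (PARAM over the file) and LOGCONSOLE * carried through from the first file; dropping the startup layer leaves COMPRESSION FALSE, which is the CONFIG2-over-CONFIG rule on its own.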
Example
CPUSET 2,4-6,9
Considerations
• A value configured in USER attribute CPU-SET has higher priority than the value defined in the SSH2 parameter CPUSET.
• CPU restrictions for processes dynamically started by STN can be established using option CPU of the ADD SERVICE STNCOM command. Please refer to the "STNCOM Commands" section for further details.
See also
SFTPCPUSET
CUSTOMER
Use this parameter to set the customer name or overwrite the customer name in the license file.
DAEMONMODEOWNERPOLICY
Defines security granularity for daemon mode USER records in the SSH2 database based on the OWNER field of the configured SSH user. Access to the daemon mode USER records in the SSH2 database will be granted in the same fashion as for PARTIALSSHCOMACCESSUSER/PARTIALSSHCOMACCESSGROUP, which is defined as partial access.
Also, SUPER.SUPER would have partial access rights for all USER records configured with a super group user as OWNER (if the policy is GUARDIANNAME or BOTH).
Default
The default value is NONE.
Examples
DAEMONMODEOWNERPOLICY LOGINNAME
See also
• FULLSSHCOMACCESSGROUP, FULLSSHCOMACCESSUSER, PARTIALSSHCOMACCESSGROUP and PARTIALSSHCOMACCESSUSER
• See "Security within SSHCOM" in section "SSHCOM Command Reference" about full and partial access rights.
Arguments FIRST|ALL Specifies whether all IP addresses returned from a DNS server or only the first one are considered. Valid values are:
o FIRST for using just the first IP address.
o ALL for using all returned IP addresses.
Default If omitted, FIRST is the default value, ensuring that DNS name resolving is handled as it was before the introduction of this parameter.
Default If omitted, EMSBURSTSUPPRESSION is set to FALSE. Example EMSBURSTSUPPRESSION TRUE See also BURSTSUPPRESSION, BURSTSUPPRESSIONEXPIRATIONTIME, BURSTSUPPRESSIONMAXLOGLEVEL ENABLESTATISTICSATSTARTUP This Boolean parameter allows enabling gathering statistics at startup of the SSH2 process. Parameter Syntax ENABLESTATISTICSATSTARTUP TRUE|FALSE Arguments TRUE Statistics will be gathered immediately after the SSH2 process has started.
Default If omitted, FILEBURSTSUPPRESSION is set to FALSE.
Example FILEBURSTSUPPRESSION TRUE
See also BURSTSUPPRESSION, BURSTSUPPRESSIONEXPIRATIONTIME, BURSTSUPPRESSIONMAXLOGLEVEL
FULLSSHCOMACCESSGROUP This parameter set allows granting administrative SSHCOM command privileges to groups rather than just to super.super. Admin groups are defined via the parameter set FULLSSHCOMACCESSGROUPn, where n is a number between 1 and 99.
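The burst-suppression parameters above (BURSTSUPPRESSION, BURSTSUPPRESSIONEXPIRATIONTIME, BURSTSUPPRESSIONMAXLOGLEVEL and the per-target CONSOLE/EMS/FILE switches) suppress repeated copies of the same log message. The manual fragments on this page do not spell out the exact matching rule, so the following is an added illustration, not SSH2's code: it models duplicate suppression as "an identical message text within the expiration window is dropped, and messages above the configured maximum log level are never suppressed". Both that rule and the three-field sample log format (timestamp, level, text) are assumptions made for the example.

```python
import re

# Constructed sample log lines: "<seconds> <log level> <message>". This layout
# is an assumption for the example, not the SSH2 log format.
SAMPLE_LOG = [
    "0 30 connection refused from 10.0.0.5",
    "1 30 connection refused from 10.0.0.5",
    "2 30 connection refused from 10.0.0.5",
    "3 30 user joe logged on",
    "70 30 connection refused from 10.0.0.5",
    "71 80 debug: kex round 2",
    "72 80 debug: kex round 2",
]

LOG_LINE = re.compile(r"^(?P<ts>\d+(?:\.\d+)?) (?P<level>\d+) (?P<msg>.*)$")


class BurstSuppressor:
    """Drops duplicates of a message seen within `expiration_time` seconds.

    Assumed semantics: the first copy opens the window; later identical copies
    inside the window are suppressed; once the window has elapsed the next copy
    is written and opens a new window. Messages whose level is above
    `max_log_level` are never suppressed (assumed reading of the MAXLOGLEVEL
    parameter).
    """

    def __init__(self, enabled=True, expiration_time=60.0, max_log_level=50):
        self.enabled = enabled
        self.expiration_time = float(expiration_time)
        self.max_log_level = int(max_log_level)
        self._last_seen = {}      # message text -> timestamp that opened the window
        self.suppressed = 0       # number of copies dropped so far

    def admit(self, ts, level, msg):
        """Return True if the message should be written to the log target."""
        if not self.enabled or level > self.max_log_level:
            return True
        opened = self._last_seen.get(msg)
        if opened is not None and ts - opened < self.expiration_time:
            self.suppressed += 1
            return False
        self._last_seen[msg] = ts
        return True


def filter_log(lines, suppressor):
    """Run the sample lines through the suppressor; return the lines kept."""
    kept = []
    for line in lines:
        m = LOG_LINE.match(line)
        if m is None:
            raise ValueError(f"unparseable log line: {line!r}")
        if suppressor.admit(float(m["ts"]), int(m["level"]), m["msg"]):
            kept.append(line)
    return kept


if __name__ == "__main__":
    s = BurstSuppressor(expiration_time=60, max_log_level=50)
    for line in filter_log(SAMPLE_LOG, s):
        print(line)
    print(f"suppressed {s.suppressed} duplicate(s)")
```

The point for a defender is the trade-off the parameter makes: suppressing a burst keeps the log readable and the disk quiet, but the dropped copies are exactly the repetition that reveals a brute-force or scanning pattern, so the expiration window and the maximum level should be chosen so that security-relevant messages either escape suppression or are counted elsewhere.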
Arguments The Guardian logon name of the account that will have full SSHCOM access. Logon ids and alias names are not supported.
Default By default, none of the parameters are set, i.e. only users configured in the Safeguard OBJECTTYPE USER record (if such exists) and super.super (unless explicitly denied in OBJECTTYPE USER) can access privileged commands.
Example
FULLSSHCOMACCESSUSER1 admin.joe
FULLSSHCOMACCESSUSER2 admin.jim
FULLSSHCOMACCESSUSER3 super.
• The GSSAUTH interface process is part of the Kerberos installation on your NonStop Server. See also • GSSKEX, GSSGEXKEX, ALLOWEDAUTHENTICATIONS • Section "Single Sign-on with GSSAPI Authentication". GSSGEXKEX Use this parameter to enable GSSAPI key exchange with group exchange, in accordance with the RFC 4462 standard (gss-gex-sha1-* key exchange algorithms). Parameter Syntax GSSGEXKEX TRUE|FALSE Arguments TRUE GSSAPI kex with group exchange is enabled.
• GSSKEX only takes effect if GSSAPI authentication is enabled. GSSKEX is ignored if GSSAUTH is set to “*” (disabled). See also • GSSAUTH, GSSGEXKEX, ALLOWEDAUTHENTICATIONS • Section "Single Sign-on with GSSAPI Authentication". GUARDIANATTRIBUTESEPARATOR The value (which should only consist of one character) is used as additional separator character between Guardian file name and Guardian file attributes.
• The host key is the private key that is used to authenticate the host against the clients. The fingerprint of the host key will need to be configured on the remote systems that connect to the SSH2 process running on the NonStop system. The fingerprint of the host key file is displayed during startup of the process. It can also be seen via SSHCOM command INFO HOST-KEY. • In order to prevent unauthorized usage of the host key file (i.e.
Considerations • If a HOSTKEY file exists, then no new local host key is generated. In this case the value of parameter HOSTKEYBITS is not relevant. • During startup, the key length of the local host key is now logged. • In case a local host key is generated at startup of the SSH2 process, then the supported key size depends on the host key type: For type RSA key sizes 1024 and 2048 are supported, for type DSA only 1024 is supported.
INTERFACE Use this parameter to specify the local IP address(es) SSH2 should listen on for incoming SSH connections.
Parameter Syntax INTERFACE ip-address [, ip-address, ...]
Arguments ip-address IP address or host name SSH2 should listen on.
Default If omitted, SSH2 will listen on all local IP addresses of the configured TCPIP process(es) (SUBNET), which corresponds to INTERFACE value 0.0.0.0 or, in case of IPv6, 0::0.
Examples
INTERFACE 10.0.0.196
INTERFACE fe80::a00:8eff:fe00:d14e
INTERFACE ::FFFF:222.
Considerations • The value must be set consistent with the value of parameter IPMODE. • If a host name is resolved to multiple IP addresses, then only those IP addresses are used that occur in the subnet configuration of the configured TCP/IP processes (parameter SUBNET). • If the any address (0.0.0.0 or 0::0) is listed in INTERFACEOUT, then the ANY address is used as bind address only for those IP processes that aren’t configured with any of the other listed non-ANY addresses.
INTERVALLIVEPUBLICUSERKEY This parameter is related to a user public key’s life-cycle (configuration of database entity USER). It determines the length of the interval a user public key stays in state ‘LIVE’. Parameter Syntax INTERVALLIVEPUBLICUSERKEY number-of-days Arguments number-of-days The number of days a user public key will be in state ‘LIVE’ after leaving state ’PENDING’ and before reaching state ‘EXPIRED’. Default The default value for this parameter is 730, i.e. 2 years.
Considerations • The life-cycle configuration of existing user private keys will not be modified due to this parameter. If existing keys need to participate in life-cycle control, then they must be configured via ALTER KEY command specifying the LIVE-DATE and EXPIRE-DATE command options. • Parameter value is ignored if life-cycle for user private keys is disabled (i.e. if LIFECYCLEPOLICYPRIVATEUSERKEY is set to DISABLED).
Parameter Syntax IPMODE ip-mode
Arguments ip-mode The IP mode the SSH2 process will be running in. The following IP modes are supported:
o IPV4 – TCP/IP version 4 is supported only
o IPV6 – TCP/IP version 6 is supported only
o DUAL – Both TCP/IP versions 4 and 6 are supported
Default The default value for this parameter is IPV4.
Example IPMODE IPv6
Considerations
• The IPMODE parameter of SSH2 corresponds to the TCP/IP monitor process option FAMILY.
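The INTERFACE and IPMODE parameters must agree: an SSH2 process started in IPMODE IPV4 cannot bind an IPv6 address, and the manual notes that the INTERFACE value "must be set consistent with the value of parameter IPMODE". The following is an added pre-start check (not part of SSH2 or the manual) that parses an INTERFACE line and reports addresses whose IP version the configured IPMODE does not allow. Host names cannot be checked offline (SSH2 resolves them and keeps only those that occur in the SUBNET configuration), so they are returned separately for the operator to review; the IPv4-mapped form (::FFFF:a.b.c.d shown in the manual's third example) is an IPv6 literal and is treated as such.

```python
import ipaddress

# The "any" addresses the manual names for IPv4 and IPv6.
ANY_ADDRESSES = {ipaddress.ip_address("0.0.0.0"), ipaddress.ip_address("0::0")}

# IP versions each IPMODE value may bind.
ALLOWED_VERSIONS = {"IPV4": {4}, "IPV6": {6}, "DUAL": {4, 6}}


def parse_interface_param(line):
    """Split 'INTERFACE ip-address [, ip-address, ...]' into its values."""
    keyword, _, rest = line.strip().partition(" ")
    if keyword.upper() != "INTERFACE":
        raise ValueError(f"not an INTERFACE parameter line: {line!r}")
    values = [part.strip() for part in rest.split(",")]
    if not values or any(v == "" for v in values):
        raise ValueError("INTERFACE needs at least one non-empty address")
    return values


def is_any_address(value):
    """True for 0.0.0.0 or 0::0 (listen on every address of the subnet)."""
    return ipaddress.ip_address(value) in ANY_ADDRESSES


def check_interface(ipmode, interfaces):
    """Return (mismatches, hostnames).

    mismatches: human-readable problems for literals that IPMODE cannot bind.
    hostnames:  entries that are not IP literals; SSH2 resolves those at
                startup, so they cannot be validated here.
    """
    mode = ipmode.strip().upper()
    if mode not in ALLOWED_VERSIONS:
        raise ValueError(f"unknown IPMODE {ipmode!r}; expected IPV4, IPV6 or DUAL")
    mismatches, hostnames = [], []
    for item in interfaces:
        item = item.strip()
        try:
            addr = ipaddress.ip_address(item)
        except ValueError:
            hostnames.append(item)
            continue
        if addr.version not in ALLOWED_VERSIONS[mode]:
            mismatches.append(f"{item} is IPv{addr.version} but IPMODE is {mode}")
    return mismatches, hostnames


if __name__ == "__main__":
    # Constructed configuration fragment for the demonstration.
    ifaces = parse_interface_param("INTERFACE 10.0.0.196, fe80::a00:8eff:fe00:d14e")
    print(check_interface("IPV4", ifaces))
    print(check_interface("DUAL", ifaces))
```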
• Please see the section on the SSHCTL parameter for more information on the interaction of the license file with the SSH2 database. Default If omitted, an SSH2 process will search for a file named "LICENSE" on the subvolume where the SSH2 object resides. LIFECYCLEPOLICYPRIVATEUSERKEY This parameter controls the life-cycle of user generated private keys. If enabled, a ‘not valid before date’ and a ‘not valid after date’ can be defined for each individual key.
time period after key addition and length of the period a key is in ‘LIVE’ state. Only a key in ‘LIVE’ state may be part of a public key authentication of the user configured with the key. Parameter Syntax LIFECYCLEPOLICYPUBLICUSERKEY DISABLED|FIXED|VARIABLE Arguments DISABLED Life-cycle control for user public keys will not be enabled. When a public key is added, it is immediately in state ‘LIVE’ and it will never expire.
The default for this parameter is TRUE. Considerations • The log cache content can be written to the log file at any time via SSHCOM command FLUSH LOGCACHE. See also • LOGCACHESIZE, LOGLEVELCACHE, LOGFILE • "Log Messages" in the "Monitoring and Auditing" chapter. • Commands FLUSH LOGCACHE and CLEAR LOGCACHE in the "SSHCOM Command Reference" chapter. LOGCACHESIZE Use this parameter to define how many lines of log messages are held in log cache.
Considerations • The LOGLEVELCONSOLE parameter controls what messages are produced by SSH2. • Log messages are automatically cut by the collector when using value $0 for LOGCONSOLE. Please use LOGEMS to enable logging to an EMS collector. Default By default, log messages are written to the home terminal ("%"). See also • LOGEMS, LOGFILE, LOGLEVELCONSOLE • "Log Messages" in the "Monitoring and Auditing" chapter. LOGEMS Use this parameter to define whether SSH2 log messages are written to EMS.
Arguments
TRUE The EMS collector will be opened once (and re-opened after errors only)
FALSE The EMS collector will be opened and closed for each log message written to the EMS collector (configured via parameter LOGEMS)
Default The default for this parameter is TRUE.
Example LOGEMSKEEPCOLLECTOROPENED TRUE
Considerations
• Keeping the EMS collector open instead of opening and closing it for every log message will reduce overhead.
LOGFILERETENTION n
Arguments n Specifies the number of log files to keep.
Default By default, 10 files are kept.
Considerations
• Setting the parameter to a value 0 disables log file retention.
• If log file retention is enabled, a minimum of 10 is enforced by this parameter.
• See section "Logfile/Auditfile Rollover" in the "Monitoring and Auditing" chapter for details on file rollover.
• The file security set for the current log file (e.g.
• This parameter is retained for downward compatibility only and has been replaced by the parameters LOGFORMATCONSOLE and LOGFORMATFILE. • If no value is set for the parameters LOGFORMATCONSOLE or LOGFORMATFILE, they will inherit their value from the parameter LOGFORMAT. • If both LOGFORMATCONSOLE and LOGFORMATFILE are set with a value, the parameter of LOGFORMAT becomes meaningless.
format A number representing a bit mask that controls the format. The bits and their corresponding fields are:
bit 1 (decimal 1) Date
bit 2 (decimal 2) Header (log messages are prefixed with "[log]")
bit 3 (decimal 4) Time
bit 4 (decimal 8) Milliseconds
bit 5 (decimal 16) Process ID (name or PIN)
bit 7 (decimal 64) Log level of message
Default The default log format is 93 (date, time, milliseconds, process ID, and log level).
Display date and time only: LOGFORMATFILE 5 See also LOGFORMATCONSOLE, LOGFORMATEMS LOGLEVEL Use this parameter to control the level of detail of messages that are written to the console or log file. Parameter Syntax LOGLEVEL detail Arguments detail A number is used to represent the level of detail desired. Following is more information about the values allowed: • A valid number must be between 0, indicating no messages, and 100. The value of 100 indicates the maximum amount of messages.
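The LOGFORMAT value is a bit mask, so an operator reading a configuration has to decompose numbers such as 93 or 5 by hand. The following added helper (example code, not part of the manual or of SSH2) encodes and decodes the mask using exactly the bit assignments listed above; bit 6 (decimal 32) is not documented on the page, so a value that sets it is rejected rather than silently accepted.

```python
# Bit values and field names as documented for LOGFORMAT / LOGFORMATCONSOLE /
# LOGFORMATFILE. Bit 6 (decimal 32) is not documented and is treated as invalid.
LOGFORMAT_BITS = {
    1: "Date",
    2: "Header",         # messages prefixed with "[log]"
    4: "Time",
    8: "Milliseconds",
    16: "Process ID",    # process name or PIN
    64: "Log level",
}

_KNOWN_MASK = sum(LOGFORMAT_BITS)          # 95: every documented bit set
_BIT_BY_NAME = {name: bit for bit, name in LOGFORMAT_BITS.items()}


def decode_logformat(value):
    """Return the field names a LOGFORMAT value enables, in bit order."""
    if not isinstance(value, int) or value < 0:
        raise ValueError("LOGFORMAT must be a non-negative integer")
    undocumented = value & ~_KNOWN_MASK
    if undocumented:
        raise ValueError(f"LOGFORMAT {value} sets undocumented bit(s): {undocumented}")
    return [name for bit, name in LOGFORMAT_BITS.items() if value & bit]


def encode_logformat(fields):
    """Return the LOGFORMAT value that enables exactly the named fields."""
    value = 0
    for field in fields:
        if field not in _BIT_BY_NAME:
            raise ValueError(f"unknown log format field: {field!r}")
        value |= _BIT_BY_NAME[field]
    return value


def default_logformat():
    """The documented default: date, time, milliseconds, process ID, log level."""
    return encode_logformat(["Date", "Time", "Milliseconds", "Process ID", "Log level"])


if __name__ == "__main__":
    for v in (default_logformat(), 5):
        print(v, decode_logformat(v))
```

Checking a deployed value this way is worth doing before an audit: a LOGFORMATFILE without the Date and Time bits produces a log file whose entries cannot be correlated with other systems' records.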
• Using the LOGLEVELCACHE parameter allows users to set a different log level for the log messages written to the log cache than for the output written to LOGFILE. • Writing log messages to the log cache and writing the current content to the log file sporadically as required can reduce the number of disk operations needed for logging. • The size of the log cache can be configured. • The content of the log cache can be written to the configured LOGFILE.
• Using the SSHCOM command interpreter, you can change parameters without having to restart SSH2. See also LOGEMS, LOGLEVELCONSOLE, LOGLEVELFILE, LOGFORMATEMS LOGLEVELFILE Use this parameter to control which messages are written to the log file. Parameter Syntax LOGLEVELFILE detail Arguments detail A number specifying the detail level. Default For downward compatibility, the default log level is taken from the LOGLEVEL parameter, if present. Otherwise, a default of 50 is used.
• LOGFILE, LOGLEVELFILE, LOGFILERETENTION • "Log Messages" in the "Monitoring and Auditing" chapter. LOGMEMORY Use this parameter to include SSH2 memory usage statistics in the log output at regular intervals. Parameter Syntax LOGMEMORY number_of_ios Arguments number_of_ios A number that represents how many I/O operations are to be conducted before SSH2 includes its memory usage in the log output Default The default is 0, meaning that memory usage will not be logged.
PARTIALSSHCOMACCESSGROUP This parameter set allows granting limited administrative SSHCOM command privileges to users that have the configured group as PRIMARY-GROUP in the Safeguard USER configuration. Admin groups with limited SSHCOM access are defined via the parameter set PARTIALSSHCOMACCESSGROUPn, where n is a number between 1 and 99.
Limited administrative SSHCOM access includes viewing and altering USER records, i.e. execution of daemon mode commands INFO USER and ALTER USER. All USER attributes can be modified except the most critical ones, ALLOWED-AUTHENTICATIONS and SYSTEM-USER, which can only be modified by users with full SSHCOM access.
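The full/partial SSHCOM access model described here (FULLSSHCOMACCESSUSERn / FULLSSHCOMACCESSGROUPn grant full access, PARTIALSSHCOMACCESSUSERn / PARTIALSSHCOMACCESSGROUPn grant partial access, and partial access may alter every USER attribute except ALLOWED-AUTHENTICATIONS and SYSTEM-USER) is small enough to write down as an authorization decision. The following is an added model of that rule, not SSHCOM's own code: it parses the parameter lines, classifies a requester by Guardian logon name and PRIMARY-GROUP, and answers whether an ALTER USER of a given attribute is permitted. It assumes super.super is not explicitly denied in the Safeguard OBJECTTYPE USER record (that record is not modelled) and ignores the DAEMONMODEOWNERPOLICY ownership check. The `ops` group and the user names other than admin.joe and admin.jim are constructed sample values.

```python
import re

# Attributes that partial SSHCOM access may not change.
FULL_ONLY_ATTRIBUTES = {"ALLOWED-AUTHENTICATIONS", "SYSTEM-USER"}

# FULLSSHCOMACCESSUSER1 admin.joe, PARTIALSSHCOMACCESSGROUP7 ops, ...
_ACCESS_PARAM = re.compile(
    r"^(FULL|PARTIAL)SSHCOMACCESS(USER|GROUP)(\d{1,2})\s+(\S+)\s*$", re.IGNORECASE)

# Constructed sample configuration; admin.joe and admin.jim follow the manual's
# FULLSSHCOMACCESSUSER example, the ops group is an invented value.
SAMPLE_CONFIG = [
    "FULLSSHCOMACCESSUSER1 admin.joe",
    "FULLSSHCOMACCESSUSER2 admin.jim",
    "PARTIALSSHCOMACCESSGROUP1 ops",
    "LOGLEVEL 50",
]


def load_access_config(lines):
    """Collect full/partial user and group grants from SSH2 parameter lines.

    Lines that are not *SSHCOMACCESS* parameters are ignored; an index outside
    1..99 is rejected because the parameter sets are defined for that range.
    """
    cfg = {"FULL": {"USER": set(), "GROUP": set()},
           "PARTIAL": {"USER": set(), "GROUP": set()}}
    for line in lines:
        m = _ACCESS_PARAM.match(line.strip())
        if m is None:
            continue
        level, kind, index, value = (m.group(1).upper(), m.group(2).upper(),
                                     int(m.group(3)), m.group(4).upper())
        if not 1 <= index <= 99:
            raise ValueError(f"parameter index {index} outside 1..99: {line!r}")
        cfg[level][kind].add(value)
    return cfg


def access_level(cfg, logon_name, primary_group):
    """Return FULL, PARTIAL or NONE for a Guardian logon name and its group."""
    name, group = logon_name.upper(), primary_group.upper()
    if name == "SUPER.SUPER" or name in cfg["FULL"]["USER"] or group in cfg["FULL"]["GROUP"]:
        return "FULL"
    if name in cfg["PARTIAL"]["USER"] or group in cfg["PARTIAL"]["GROUP"]:
        return "PARTIAL"
    return "NONE"


def may_alter_user_attribute(level, attribute):
    """Decide whether an ALTER USER of `attribute` is allowed at `level`."""
    if level == "FULL":
        return True
    if level == "PARTIAL":
        return attribute.upper() not in FULL_ONLY_ATTRIBUTES
    return False


if __name__ == "__main__":
    cfg = load_access_config(SAMPLE_CONFIG)
    for who, grp, attr in [("admin.joe", "admin", "SYSTEM-USER"),
                           ("ops.anne", "ops", "SYSTEM-USER"),
                           ("ops.anne", "ops", "PRIORITY")]:
        lvl = access_level(cfg, who, grp)
        print(who, lvl, attr, may_alter_user_attribute(lvl, attr))
```

The two protected attributes are the ones that decide who a remote user becomes (SYSTEM-USER) and how they prove it (ALLOWED-AUTHENTICATIONS); keeping them out of partial access is what stops a delegated operator from turning an ordinary USER record into a password-less mapping to a privileged Guardian account.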
Arguments TRUE|FALSE Specifies whether the IP address must be suppressed in USER_AUTHENTICATE_ calls or not. Valid values are:
o TRUE: The IP address gets suppressed.
o FALSE: The IP address is supplied.
Default If omitted, value FALSE is the default value.
Example PAUTHSUPPRESSIPADDRESS TRUE
PORT Use this parameter to specify the port number an SSH2 server should listen on for incoming connections.
Parameter Syntax PORT number
Arguments number Refers to the decimal number of a TCP/IP port.
If omitted, PROPAGATEDEFINES will be set to TRUE. This is consistent with the behavior since introduction of define propagation. Considerations • The =_DEFAULTS DEFINE is always propagated to other processes regardless of the setting of the PROPAGATEDEFINES parameter. Example PROPAGATEDEFINES FALSE See also PTCPIPFILTERKEY PTCPIPFILTERKEY Use this parameter to specify a filter key to enable round-robin filtering with parallel library TCP/IP or TCP/IPV6.
A port range from startport to endport that restricts shared ports to the configured port range. The configuration is only effective if round-robin is enabled, i.e. if either the DEFINE =PTCPIP^FILTER^KEY or the SSH2 parameter PTCPIPFILTERKEY is set. * Shared ports will not be limited. However, any DEFINE =PTCPIP^FILTER^TCP^PORTS passed to SSH2 at startup will remain in effect. Default The default for this parameter is *.
End of Record is indicated by an LF (hexadecimal 0A, escape character \n)
CR End of Record is indicated by a CR (hexadecimal 0D, escape character \r).
CRLF End of Record is indicated by a CR followed by an LF (hexadecimal 0D0A, escape characters \r\n).
ANY End of Record can be CR (0D), LF (0A) or CRLF (0D0A).
Considerations:
• In SSH2 versions before 0085 the default processing was ANY. If files transferred and directly stored in a structured NonStop use other end-of-record delimiters, i.e.
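The four end-of-record modes above (LF, CR, CRLF, ANY) decide where a transferred file is split into records when it is stored in a structured NonStop file, and the interesting case is ANY, where a CR immediately followed by an LF must count as one delimiter rather than two (otherwise every Windows-style line would be followed by an empty record). The following added splitter (example code, not SSH2's implementation) shows the behaviour of each mode on the same byte string; the sample input is constructed.

```python
# Delimiter sequences per mode. In ANY mode the two-byte CRLF must be tried
# before the single bytes so that it is consumed as one delimiter.
RECORD_DELIMITERS = {
    "LF":   [b"\n"],
    "CR":   [b"\r"],
    "CRLF": [b"\r\n"],
    "ANY":  [b"\r\n", b"\r", b"\n"],
}


def split_records(data, mode):
    """Split `data` into records according to the end-of-record mode.

    A delimiter at the very end of the data terminates the last record and
    does not produce an extra empty record; an unterminated tail is kept as
    the final record.
    """
    try:
        delimiters = RECORD_DELIMITERS[mode.upper()]
    except KeyError:
        raise ValueError(f"unknown end-of-record mode {mode!r}") from None
    records, current, i = [], bytearray(), 0
    while i < len(data):
        for delim in delimiters:
            if data.startswith(delim, i):
                records.append(bytes(current))
                current = bytearray()
                i += len(delim)
                break
        else:
            current.append(data[i])
            i += 1
    if current:
        records.append(bytes(current))
    return records


if __name__ == "__main__":
    # Constructed sample: records terminated by CRLF, CR, LF and nothing.
    sample = b"first\r\nsecond\rthird\nfourth"
    for mode in RECORD_DELIMITERS:
        print(mode, split_records(sample, mode))
```

Note that in LF mode the CR of a CRLF pair stays inside the record ("first\r"), which is the behaviour the consideration above warns about when transferred files use a different delimiter than the one configured.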
SAFEGUARD-PASSWORD-REQUIRED For G-Series and H-Series RVU prior to H06.11, set this parameter according to the Safeguard PASSWORDREQUIRED configuration. Parameter Syntax SAFEGUARD-PASSWORD-REQUIRED TRUE|FALSE Arguments TRUE Safeguard PASSWORD-REQUIRED is ON. FALSE Safeguard PASSWORD-REQUIRED is OFF. Considerations • G-Series and H-Series RVU prior to H06.11 do not support PRIV logon of a Safeguard ALIAS. Hence, SSH2 can only impersonate an ALIAS if a password is provided.
Example SFTPALLOWGUARDIANCD TRUE
SFTPCPUSET This parameter allows configuring the default set of CPUs the SSH2 process starts SFTPSERV user processes in.
Parameter Syntax SFTPCPUSET cpu-set
Arguments cpu-set A comma separated list of CPU numbers or CPU number ranges defining allowed CPUs.
Default If omitted, SSH2 will start all SFTPSERV processes in the CPU the SSH2 process is running in, unless the USER record specifies a different CPU set for a specific user via attribute SFTP-CPU-SET.
SFTPEDITLINEMODE Use this parameter to control the handling of Guardian edit lines that are too long when a file transfer is made to a Guardian edit file on the NonStop server.
Parameter Syntax SFTPEDITLINEMODE none | cut | wrap
Arguments
none No special handling is done. A long line is treated as an error.
cut The long line will be cut to ensure a maximum line length of 239 characters.
wrap The long line will be wrapped, i.e.
The default value is 1000, i.e. the line numbers are incremented by 1.
Examples
Increment by 0.003: SFTPEDITLINENUMBERDECIMALINCR 3
Increment by 0.1: SFTPEDITLINENUMBERDECIMALINCR 100
Considerations
• The setting of this parameter is only relevant if parameter SFTPEDITLINESTARTDECIMALINCR is set to a number between 0 and 99999999.
• Previously, all Guardian edit files were written starting with line number 1 and increment 1.000, which allowed a maximum of 99999 lines. This behavior is still the default.
• The default increment (1.000) is used for all lines less than the value of parameter SFTPEDITLINESTARTDECIMALINCR.
Parameter Syntax SFTPEXCLUSIONMODEREAD
Arguments The file open exclusion mode for read operations. Valid values are SHARED, EXCLUSIVE and PROTECTED.
Considerations
• If a file is open for write by another process (shared or protected) and this file is to be read by SFTP or SFTPSERV, then reading this file will only fail if the parameter is set to a different value than SHARED.
Arguments maxextents Specifies the value to be used. Considerations • The value can be overridden in "put" and "get" commands using the extended syntax described in "SFTP Client Reference" chapter, in the section entitled "Extended Syntax for Creation of New Guardian Files". Default If omitted, SSH2 will use a value of 900. Example SFTPMAXEXTENTS 950 SFTPPRIMARYEXTENTSIZE Use this parameter to specify the primary extent size for files that are created on the NonStop system.
o FALSE: File attributes will be stripped by realpath function. Default If omitted, SSH2 will use value FALSE. Example SFTPREALPATHFILEATTRIBUTEECHOED TRUE Considerations • One SFTP client that is known to call realpath() before accessing the remote file is PuTTY. Special processing has been implemented for PuTTY: The SFTP server checks the client version string to detect a PuTTY client.
o FALSE: Target file names will be downshifted. Default If omitted, SSH2 will use a value FALSE. The resulting behavior is the same as before this parameter was added. Example SFTPUPSHIFTGUARDIANFILENAMES TRUE Considerations • If the parameter is used as SSH2 parameter with value TRUE, then all Guardian file names displayed by the ls command appear in upper case. The SSH2 parameter is relevant for incoming connections.
mode
• 1 (on) for sending keep alive messages
• 0 (off) no messages are sent
Default By default, keep alive messages are sent (1).
SOCKETRCVBUF Use this parameter to control the size of the TCP/IP receive buffer. When setting this parameter to a non-zero value the specified parameter is used on a socket level.
Parameter Syntax SOCKETRCVBUF bytes
Arguments bytes A number representing the size of the TCP/IP receive buffer in bytes.
SOCKTCPMINRXMT Use this parameter to control the minimum time for TCP retransmission timeout. When setting this parameter to a nonzero value the specified parameter is used on socket level. Parameter Syntax SOCKTCPMINRXMT time Arguments time A number representing the minimum time for TCP retransmission timeout. A value of 0 means the minimum time for TCP retransmission timeout configured in the TCP/IP monitor process is used.
SOCKTCPRXMTCNT Use this parameter to control the maximum number of continuous retransmissions prior to dropping a TCP connection. When setting this parameter to a non-zero value the specified parameter is used on socket level. Parameter Syntax SOCKTCPRXMTCNT count Arguments count A number representing the maximum number of continuous retransmissions prior to dropping a TCP connection.
SSHAUTOKEXBYTES Use this parameter to control the frequency of automatic key re-exchange in SSH sessions.
Parameter Syntax SSHAUTOKEXBYTES bytes
Arguments bytes Provides a number representing the amount of bytes after which a key re-exchange should be initiated. A value of 0 disables key re-exchange based on data volume.
Default The default is 1073741824 (1GB). This is the value recommended in RFC 4253.
• In order to prevent unauthorized access, the user database is stored in a proprietary format and encrypted. The database file is secured as "----". • The customer name configured via parameter CUSTOMER or, if that does not exist, the customer name held within the license file for the SSH2 program is used as an input for host-based key encryption.
o FALSE: file will not be created as audited file.
Considerations
• See parameter "SSHCTL" for details about the user data base.
Default If omitted, SSH2 will use a value of TRUE.
Example SSHCTLAUDIT FALSE
SSHKEEPALIVETIME Use this parameter to control the frequency of SSH "keepalive" messages.
Parameter Syntax SSHKEEPALIVETIME seconds
Arguments seconds Defines the idle time in seconds after which an SSH_MSG_IGNORE message is sent to the remote client.
Considerations
• This parameter is only relevant for outgoing connections, i.e. with ssh clients SSH[OSS] and SFTP[OSS] running on a NonStop™ server.
• In a scenario of ssh clients running in batch mode where password authentication is a requirement, the password prompt does not make sense.
STRICTHOSTKEYCHECKING This option controls whether to restrict client access to remote systems to only those cases in which the host’s public key is explicitly configured as a KNOWNHOST entity in the SSHCTL.
• If you added a DEFINE =TCPIP^PROCESS^NAME to the TACL environment you use to start SSH2, this setting will override the SUBNET parameter.
Default The default for this parameter is *. Considerations • Use this parameter to pass the value for the DEFINE =TCPIP^HOST^FILE to SSH2 servers configured as generic processes. This can also be achieved by adding the define =TCPIP^HOST^FILE for the generic process (possible since G06.28/H06.06). • In case the define =TCPIP^HOST^FILE causes unwanted behaviour, it is possible to disable the propagation of defines completely, see parameter PROPAGATEDEFINES • An entry TCPIPHOSTFILE $system.ztcpip.
TCPIPRESOLVERNAME Use this parameter as an alternative to setting a DEFINE =TCPIP^RESOLVER^NAME. Parameter Syntax TCPIPRESOLVERNAME filename Arguments filename Specifies the name of the RESCONF file to be used by SSH2. The filename will override the value of the DEFINE =TCPIP^RESOLVER^NAME, which may have been passed to SSH2 at startup. * Indicates no RESCONF file will be set. However, any DEFINE =TCPIP^RESOLVER^NAME passed to SSH2 at startup will remain in effect.
Enabling Full TTY Access SSH2 allows remote SSH clients to establish fully functional OSS shell sessions. This includes the allocation of pseudo terminals (PTYs), which allow remote users to execute full screen applications, such as vi or Emacs. PTYs are not natively supported by OSS on the NonStop™ server. To overcome this limitation, SSH2 comes bundled with a component named STN. The STN component is also used in another comForte product, SecurTN.
Configuring an Alternate Command Interpreter TACL is the default command interpreter that SSH2 starts on a 6530 pseudo terminal. You can use the CI-PROGRAM and CI-COMMAND attributes to assign a different program as the 6530 command interpreter. For example, you can use PATHCOM to run a PATHWAY PROGRAM directly on the pseudo 6530 terminal.
SSHCOM T0801H01_22JAN2014_ABK - 2014-01-24 14:42:45.368
OPEN $ssh01
% ALTER USER SERVICE.USER, SHELL-PROGRAM *MENU* srvc1
OK, user SERVICE.USER altered.
% ALTER USER WINDOW.USER, SHELL-PROGRAM *MENU* #win1
OK, user WINDOW.USER altered.
%
The pre-selected service or window ('srvc1' and '#win1' in the examples above) must exist in the STN configuration. STN services and windows can be added with STNCOM, using the ADD SERVICE and ADD WINDOW commands.
Using TELSERV as Service Provider 6530 shell channels can also be forwarded to a TELSERV process. This enables a fast and easy migration of an existing complex TELSERV environment to SSH, such as an environment with static windows. To forward 6530 shell requests to TELSERV, specify the CI-PROGRAM as follows: >SSHCOM %ALTER USER telnetuser, CI-PROGRAM telnet This assumes that TELSERV is listening on port 23 for the same TCPIP process as SSH2.
>RUN SSHCOM $SSH01
SSHCOM T0801H01_22JAN2014_ABK - 2014-01-24 14:42:45.368
OPEN $ssh01
% ADD USER serviceuser, ALLOWED-AUTHENTICATIONS (none), &
% SYSTEM-USER *NONE*, CI-PROGRAM *MENU*, &
% ALLOW-SHELL NO, ALLOWED-SUBSYSTEMS (), ALLOW-TCP-FORWARDING NO
OK, user serviceuser added.
%
In the above example, "serviceuser" does not require an individual SSH authentication. Hence, this user represents a logical service that accesses the system via the STN service menu.
Enabling GSSAPI Authentication for a User Account As with any other authentication method, GSSAPI authentication can be enabled or disabled on a per user basis. The following SSHCOM command illustrates how GSSAPI authentication can be added to the list of allowed authentication methods for a user:
>RUN SSHCOM $SSH01
SSHCOM T0801H01_22JAN2014_ABK - 2014-01-24 14:42:45.368
OPEN $ssh01
% ALTER USER SUPER.OPERATOR, ALLOWED-AUTHENTICATIONS (gssapi-with-mic,password)
OK, user SUPER.OPERATOR altered.
If the SSH2 AUTOADDSYSTEMUSER option is disabled, the ALIAS must also be added to the NonStop SSH database using the SSHCOM ADD USER command. Otherwise, if the SSH2 AUTOADDSYSTEMUSER option is TRUE and gssapi-with-mic is enabled for automatically added users, then creating a Safeguard ALIAS for the Kerberos user principal will be sufficient to grant SSO access.
attribute defines a list of host/port combinations that a user is allowed to reach via a specific SSH2 instance. No pattern matching is allowed but several hosts can be defined and several ports can be specified per host. If the user attribute RESTRICTION-PROFILE is defined and the CONNECT-TO attribute of the restriction profile is set, the SSH2 process limits access to the configured host/port combinations only when starting an outgoing connection for that user.
Load Balancing With SSH2, it is possible to distribute the CPU load generated by the encryption of SSH sessions across multiple processors of a NonStop system. This is true for both inbound and outbound sessions. Load-Balancing Outbound SSH Sessions For outbound sessions, CPU load balancing can be achieved by starting multiple SSH2 instances and distributing client processes across processors.
allow defining default values for these USER attributes on a global level. If multiple CPUs are configured, then these will be used in a round-robin fashion. Another way of load balancing of incoming SSH connections is to configure multiple IP processes for one SSH2 process (see parameter SUBNET) and let users connect to different IP addresses of the NonStop system. In this way the TCP/IP traffic load is distributed over the CPUs if the configured TCP/IP processes run in different CPUs.
Likewise, you can use the TCPIPHOSTFILE, TCPIPNODEFILE, and TCPIPRESOLVERNAME parameters to configure TCPIP settings or the corresponding DEFINEs. Please refer to the SCF Reference Manual for the Kernel Subsystem in the HP NonStop™ documentation set for further details. Choosing a Persistence Mechanism Determining whether it is more effective to configure SSH2 as a NonStop process pair or as a generic process depends on your system environment and the expected SSH transfer volume.
correctly configured and the define =TCPIP^HOST^FILE is set to the default value. A warning is logged in this case ("Disabling incorrectly configured DNS resolving"). A new define =SSH2^PROCESS^NAME will be created and propagated. It contains the name of the SSH2 process, which started the TACL or shell process. The SSH clients (objects SSH, SSHOSS, SFTP and SFTPOSS) make use of this define to look up the SSH2 server process before the CPU dependent lookup using SSH2PREFIX is tried.
LOGNAME=test.us
LOGNAME=mike
SSH_TTY The pseudo terminal allocated for the session. Example: SSH_TTY=/G/pty35/#zwn0001
SSH2_PROCESS_NAME The SSH2 process that started the shell process. Example: SSH2_PROCESS_NAME=$SSH35
HOME The shell home directory of the user. Example: HOME=/home/test
SSH_ORIGINAL_COMMAND The command that was specified in an exec request. This can be different from the actually executed command, in case a “forced command” is defined (USER attribute SHELL-COMMAND).
TCP/IPv6 Configuration The IPv6 standard differs from the IPv4 standard in many ways. The TCP/IP configuration for IPv4 and IPv6 on NonStop servers is different in several aspects as well, see documents and links listed in section "Related Reading". But from NonStop SSH and comForte SecurSH/SecurFTP product’s standpoint the differences are mainly related to the new address formats of IPv6, new defines and different modes the NonStop TCP/IP processes with IPv6 support can run in.
Entity RESTRICTION-PROFILE fields:
• CONNECT-FROM
• CONNECT-TO
• PERMIT-LISTEN
• PERMIT-OPEN
• FORWARD-FROM
Entity KNOWNHOST fields:
• Name (identifier) of a KNOWNHOST record
• ADDRESSES
Entity PASSWORD fields:
• Name (identifier) of a PASSWORD record
IP Mode Similar to the FAMILY configuration of TCP/IP monitor process and subnets, the SSH2 process supports control over the IP mode the SSH2 process is running in. A new SSH2 parameter IPMODE has been added.
TCP/IPv6 Migration and Backout Start Using TCP/IPv6 After the TCP/IP processes have been prepared for IPv6 support the SSH2 processes can be enabled for IPv6 by restarting them with parameter IPMODE set to IPv6 or DUAL. The default for this parameter is value IPv4, i.e. the SSH2 process does not automatically switch to IPv6. This is done because errors would occur when an SSH2 process starts in IPMODE IPv6 or DUAL against a TCP/IP process not supporting IPv6.
PASSWORD entries cannot be modified or deleted using an SSH2 release without IPv6 support. But again, an SSH2 process that supports IPv6 started in ADMIN mode can be used to do that, if needed. Multiple IP Process, Multiple IP Address Considerations Multiple IP Process Configuration If the define =TCPIP^PROCESS^NAME is used to specify the TCP/IP process SSH2 should use, then it is not possible to configure multiple IP processes.
The same IP address may be configured in more than one IP process. If that IP address is configured in INTERFACE, then a listen on such an IP address is issued against each of the configured IP processes. There may be the requirement to listen on specific IP addresses of some IP processes but to listen on the ANY address for other IP processes. This can be achieved by specifying the ANY address in INTERFACE, in addition to the specific IP addresses. Example: A listen is required on IP address 1.2.3.
TACL Subsystem and Command Interpreter Configuration Enhanced EXEC Processing The processing of EXEC requests (ssh client started with a remote command on the ssh command line) has been enhanced in version 0097 to add flexibility. It is now possible to let a user execute single TACL commands or TACL macros or a command interpreter other than TACL even though the subsystem TACL is not allowed for the user (ALLOWED-SUBSYSTEMS does not contain tacl).
or TN6530-8, then a TACL process is started as well. For any other terminal type a shell request will start a shell under OSS. The user may request a specific command interpreter by specifying a remote command “tacl -p ”, e.g.: ssh usr@host tacl -p fup With a 6530 terminal on the client side the program $SYSTEM.SYSTEM.FUP is started (actual object FUP found on the SYSnn subvolume) and the user sees a FUP prompt and can enter any number of FUP commands.
?TACL MACRO #OUTPUT Macro %0% started with parameters: >%*%< That macro could be started, for example, using the command below: ssh usr@host ci -c $TEMP.TEMP.MYMACRO The TACL process that gets started will display something like the following: … $TEMP.TEMP.MYMACRO abc def 123 Macro $TEMP.TEMP.MYMACRO started with parameters: >abc def 123< It is also possible to set CI-COMMAND to “$TEMP.TEMP.MYMACRO abc def 123” to avoid the requirement to specify the macro name on the client side.
The SSH User Database Overview of SSH Operation Modes As explained in the Introduction, the SSH2 process accesses a database to … • discover allowed operations for remote users as well as their logon credentials when running as SSH daemon, allowing remote systems running an SSH or SFTP client to connect to the local NonStop system. This mode of operation is referred to as "daemon mode" within this chapter.
Database for Daemon Mode Format and Content of the Database In daemon mode, the SSH2 database contains USER and RESTRICTION-PROFILE entities controlling the way incoming ssh connections are processed. The USER records mainly define the allowed authentication methods and the mapping from SSH user to a local Guardian user or alias but also contain other attributes, e.g. for defining access restrictions and use of resources.
• ALLOW-MULTIPLE-REMOTE-HOSTS: Indicates whether the ssh user is allowed to connect from multiple remote hosts (a remote host is identified by its IP address).
• RESTRICTION-PROFILE: Name of the restriction profile defining restrictions regarding incoming connections for the ssh user.
• PRIORITY: Priority for a specific ssh user’s non-SFTPSERV processes. If omitted, the priority of the SSH2 process is used as default value.
• CPU-SET: List of CPUs the ssh user’s non-SFTPSERV processes are started in.
The RESTRICTION-PROFILE entity has the following properties:

• RESTRICTION-PROFILE: The name for the restriction profile, referenced by a USER entity.
• COMMENT: Comment text for the restriction profile.
• CONNECT-FROM: IP addresses the user is allowed to connect from.
• CONNECT-TO: IP addresses a user is allowed to connect to.
• PERMIT-LISTEN: Local ports the user is allowed to use for port forwarding.
• LIFE-CYCLE-STATE: the life-cycle state the user private key is in. Possible values are ‘PENDING’, ‘LIVE’ and ‘EXPIRED’. This is not an explicit database field; its value is determined by the three database fields CREATION-DATE, LIVE-DATE and EXPIRE-DATE.

The database also contains some additional information collected by SSH2 about each key record:

• LAST-USE: Record usage: Last time the record was used.
• LAST-MODIFIED: Record maintenance: Last time the record was modified.
Creating and Accessing the Database The database is contained in a single Enscribe file. To create a new database, SSH2 needs to be started with the SSHCTL parameter pointing to a non-existing file. In that case, the SSHCTLAUDIT parameter will control whether the database will be created as an audited file or not. To reuse an existing database, SSH2 needs to be started with SSH2 parameter SSHCTL pointing to an existing file.
SSHCOM Command Reference SSHCOM Overview SSHCOM is a command interpreter delivered with the SSH2 component. It is used to view and maintain the SSH2 user database. Using SSHCOM is similar to working with the HP PATHCOM utility. You connect to an existing SSH2 process using the OPEN command, then you issue commands against that instance of SSH2, which will access the corresponding area in the database.
   INFO        RENAME      THAW

   General Commands
   ----------------
   INFO SSH2   INFO SYSTEM-USER

   Miscellaneous Commands
   ----------------------
   ASSUME      EXIT        MODE        OBEY
   PAUSE       PROMPT      TIME

   SecurFTP/SSH Modes
   ------------------
   CLIENT      DAEMON

% Use command HELP MODE to find out more about modes.
• Processing of a file through the standard TACL way of RUN SSHCOM /IN file/.
• Pausing the display with the PAUSE command.
• Line continuation through the usage of the "&" character.

Standard behavior is that for each command entered a message is displayed about the outcome, i.e. whether the command succeeded or failed (if no message is displayed it should be assumed that the command could not be parsed successfully). It is possible to add comments in IN files, OBEY files and at the interactive prompt.
Dependency on Safeguard OBJECTTYPE USER Record Every administrator that configures an OBJECTTYPE USER record is highly aware of the importance and relevance of USER configuration on NonStop systems. But some may not be fully aware that the SSH configuration is a highly critical, security-relevant task as well: A user that is allowed to configure SSH USER records can create access to the NonStop system without Safeguard authentication, i.e.
The user super.super can execute any client mode commands for all users unless explicitly configured in the OBJECTTYPE USER with DENY Create authority. The parameter sets FULLSSHCOMACCESSUSER and FULLSSHCOMACCESSGROUP are ignored.
As each alias has its own password it is possible to create a NonStop environment where different persons use different aliases pointing to the same Guardian user identifier. In such an environment storing KEY, PASSWORD and KNOWNHOST records under the same user id represents a security problem: Assuming aliases a1 and a2 exist, both configured with underlying Guardian user identifier grp1.usr1. If alias a1 stored a password for remote host h1 and remote user u1 in the client mode database (under grp1.
alias are read first, then entries of the guardian id). The value BOTH is only recommended if a guardian user and all aliases configured for this guardian user are solely used by one person and client mode records are to be stored under the Guardian user identifier as well as alias names. Example: Assume an alias entry is present, but not an entry for the associated Guardian ID, and the user is logged on as the alias.
Client Mode Owner Policy and Processing of SSHCOM Commands

The processing of the CLIENT mode SSHCOM commands has been enhanced in release 89 to support the new CLIENTMODEOWNERPOLICY values LOGINNAME and BOTH. If the value is set to either LOGINNAME or BOTH the following applies:

• Entries can be added with alias user names. A user logged on using an alias can only display, add, and manipulate entries for that alias.
• A guardian user can display, add, and manipulate entries for the Guardian user.
SET

The SET command allows you to change some configuration parameters during runtime. Currently the following parameters are supported:

Parameter            Meaning
AUDITCONSOLE         Determines whether audit messages are written to the console.
AUDITEMS             Determines whether audit messages are written to EMS.
AUDITFILE            Determines whether audit messages are written to a file.
AUDITFORMATCONSOLE   Controls the format of the audit messages that are written to the console.
[def ] ALLOWPASSWORDSTORE
[file ] ALLOWTCPFORWARDING
[def ] AUDITCONSOLE <*>
[def ] AUDITEMS <*>
[file ] AUDITFILE <$QAHPSSH.T0801ABK.
[INFO SSH2 output continued; the source column (def, file, run, expl) and the parameter column were separated in extraction. Recoverable parameter names at the end of the excerpt: MACS, OWNER, PARTIALSSHCOMACCESSGROUP1 <>, PARTIALSSHCOMACCESSUSER1 <>, PAUTHSUPPRESSIPADDRESS, PORT <12229>, PTCPIP]
AUDITFILE             $QAHPSSH.T0801ABK.ZTC1AUD
AUDITFORMATCONSOLE    0
AUDITFORMATEMS        0
AUDITFORMATFILE       21
AUDITMAXFILELENGTH    1000
AUDITFILERETENTION    10
%

CLEAR LOGCACHE

If a log cache is written (see parameters LOGLEVELCACHE, LOGCACHESIZE), the command CLEAR LOGCACHE can be used to clear the cache. It has the following syntax:

CLEAR LOGCACHE

The original content of the log cache is lost when executing this command.
may contain any displayable character except quote ("), and may be 1 to 64 characters long. Certain embedded commands (case independent) in the string are replaced as follows:

• $P – the target process name
• $X – the target expand node name
• $T – target system LCT time in format HH:MM
• $D – target system LCT date in format yyyy/mm/dd

Example: PROMPT "$X.$P $D $T STN> " \DEV.
EXPORT SSHCTL The EXPORT SSHCTL command will export the content of the SSH User Database into as many as six text files. All attributes of the various objects are written in the CSV (comma-separated value) format. The command has the following syntax: EXPORT SSHCTL, SUBVOL [, WIDTH ] The individual attributes have the following meaning and syntax: SUBVOL The files are stored in a subvolume specified by the SUBVOL attribute.
The MD5 fingerprint is logged at SSH2 process startup as well. The fingerprint information can be used to configure a known host entry on a remote system. EXPORT HOST-KEY The EXPORT HOST-KEY command will export the public key part of the host key that is stored in the HOSTKEY file.
Daemon Mode Commands Operating on the USER Entity

ADD USER

The ADD USER command adds a new user to the database and has the following syntax:

ADD USER
  [,ALLOW-CI yes|no ]
  [,ALLOW-CI-PROGRAM-OVERRIDE yes|no ]
  [,ALLOW-GATEWAY-PORTS yes|no ]
  [,ALLOW-MULTIPLE-REMOTE-HOSTS yes|no ]
  [,ALLOW-PTY yes|no ]
  [,ALLOW-SHELL yes|no ]
  [,ALLOW-TCP-FORWARDING yes|no ]
  [,ALLOWED-AUTHENTICATIONS ( , , ...) | ]
  [,ALLOWED-SUBSYSTEMS ( , , ...
This attribute controls whether a TACL or a specific command interpreter given by CI-PROGRAM should be started upon a shell request of a client that allocated a 6530 pseudo TTY (such as 6530 SSH clients, MR-Win6530, and J6530). ALLOW-CI-PROGRAM-OVERRIDE This attribute controls if a user is allowed to override the configured CI-PROGRAM via "tacl -p" or "ci -p" command. If the CI-PROGRAM is set to *DEFAULT*, i.e.
CAUTION: When specifying ALLOWED-AUTHENTICATIONS (none) user access should be properly locked down to avoid security breaches that bypass any authentication (e.g. by setting SYSTEM-USER *NONE*). ALLOWED-SUBSYSTEMS This attribute is used to control access to specific subsystems. is one of the following subsystems provided by SSH2: • SFTP: The SFTP subsystem allows the user to transfer files with the SFTP transfer protocol.
If no value is specified, the value will be reset to the default. The default is to use the value of SSH2 parameter CPUSET to determine a CPU or, if that is not set, the CPU the SSH2 process is running in is used. EXPIRE-DATE This optional attribute of an ssh user’s PUBLICKEY entry is used to set the EXPIRE-DATE (not-valid-after date) for the public key. This attribute can only be set if the life-cycle policy for User Public Keys is enabled (determined by SSH2 parameter LIFECYCLEPOLICYPUBLICUSERKEY).
• *@ This pattern will authorize any principal in the given REALM to access this user account
• *@* This pattern will authorize any principal in any REALM (i.e. anybody with a valid service ticket) to access this user account

Note: Specifying a wildcard pattern as principal is useful when delegating authorization to the resource started for this user (i.e. CI-PROGRAM or SHELL-PROGRAM).
Specifies the name of a RESTRICTION-PROFILE entity. If configured for a user, then the restrictions defined in the RESTRICTION-PROFILE record will be applied for all of a user’s incoming and outgoing connections. SFTP-CPU-SET Defines a set of CPUs used when SFTPSERV processes are invoked directly by SSH2 (for non-SFTPSERV processes the attribute CPU-SET is used instead). CPUs are assigned via a round-robin algorithm among all the configured CPUs that are available. The value can be a CPU number (e.g.
• RENAME: allows renaming of files on the NonStop system
• MKDIR: allows creation of directories on the NonStop system
• RMDIR: allows removal of directories on the NonStop system
• SYMLINK: allows creation of symbolic links on the NonStop system
• ALL: shortcut for all operations
• NONE: shortcut for no operation

Operations can be abbreviated as long as the abbreviation is unambiguous.
In this example, the script /home/xyz/myPATH contains:

export PATH=$PATH:/usr/bin

The third step is to create an executable shell script /usr/bin/test-script, for example:

echo
echo Entering $0
echo Parameters=\>$*\<
echo ---------------------------------------
echo \$SSH_ORIGINAL_COMMAND: $SSH_ORIGINAL_COMMAND
echo ---------------------------------------
echo Leaving $0

Now the actual test is executed by starting an ssh client:

C:\WINDOWS>ssh -oPort=15022 xyz@10.0.0.194 test-script xyz@10.0.0.
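The following is an added example (not from the manual or the product) of a SHELL-PROGRAM-style wrapper in POSIX shell that, like test-script above, acts on SSH_ORIGINAL_COMMAND, but only dispatches an allow-listed set of commands; the command names status, uptime and showlog are constructed placeholders.

```shell
#!/bin/sh
# Added example, not part of the manual: a wrapper that could be configured as
# SHELL-PROGRAM. For an EXEC request the server passes the requested command in
# SSH_ORIGINAL_COMMAND; the wrapper only dispatches allow-listed commands.
# The allow-list entries (status, uptime, showlog) are constructed placeholders.

# Characters that would let a caller chain, substitute or redirect commands.
META=';&|<>`$()'

# allow_original_command CMD
# Returns 0 if CMD is non-empty, contains none of the characters in META and
# its first word is on the allow-list; returns 1 otherwise.
allow_original_command() {
    cmd=$1
    [ -n "$cmd" ] || return 1          # interactive shell request: not served here
    case $cmd in
        *[$META]*) return 1 ;;         # reject shell metacharacters outright
    esac
    word=${cmd%% *}                    # first word is the program name
    case $word in
        status|uptime|showlog) return 0 ;;
        *) return 1 ;;
    esac
}

# dispatch_original_command CMD
# Prints what would run (the echo stands in for exec of the real program so the
# example stays side-effect free) and returns the allow_original_command status.
dispatch_original_command() {
    if allow_original_command "$1"; then
        echo "accepted: $1"
        return 0
    fi
    echo "refused: ${1:-<empty>}" >&2
    return 1
}

# Stand-alone use: act on the variable the server sets for EXEC requests.
if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
    dispatch_original_command "$SSH_ORIGINAL_COMMAND"
fi
```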
COMMENT ""] | LIVE-DATE ] | EXPIRE-DATE ] | ( [ FINGERPRINT ] [, FILE ] [, COMMENT ""] [, LIVE-DATE ] [, EXPIRE-DATE ] ) ]... [,RESET { SFTP-INITIAL-DIRECTORY | SYSTEM-USER | SFTP-SECURITY | SFTP-GUARDIAN-FILESET | SFTP-PRIORITY } ] [,RESTRICTION-PROFILE [] ] [,SFTP-CPU-SET [ | | ( ) ] ] [,SFTP-GUARDIAN-FILESET ( , , ...
This attribute is used to grant or deny shell access to the user. ALLOW-TCP-FORWARDING This attribute is used to grant or deny port forwarding for a user. The value of this user attribute is ignored if the global SSH2 parameter ALLOWTCPFORWARDING is set to FALSE. ALLOWED-AUTHENTICATIONS This attribute is used to specify the authentication mechanisms that are allowed for this user.
ALLOW-PTY must be set to YES for this attribute to be accepted for 6530 SSH clients, such as MR-Win6530 or J6530. If *MENU* is followed by a service or window name, the corresponding service or window is automatically selected. If the service or window does not exist, the STN menu will be displayed. If the option FORCE is appended, then the user is forced to use the pre-configured STN service or window.
Similar to the Safeguard USER/ALIAS field OWNER, this attribute allows new access rules to be based on that field: an existing local user can modify all USER records that are configured with that local user as the value of the new USER attribute OWNER. The allowed actions are the same as defined by the PARTIALSSHCOMACCESSUSER/GROUP parameters. The OWNER field for existing USER records is assumed to be *NONE*.
This attribute is used to add or alter a public key with the provided . For details on the syntax of that attribute, please see the "ADD USER" command. To delete a specific public key for a user use the DELETE PUBLICKEY attribute syntax. To delete all public keys for a user, use the DELETE PUBLICKEY * attribute syntax. Both the PUBLICKEY and the DELETE PUBLICKEY attributes can be repeated multiple times within a single ALTER USER command.
"/home" or "/usr" or "/" will not be allowed. Specifying option LOCKED results in a pseudo root visible for the user, i.e. a pwd command will show "/" as current directory. If a value /G LOCKED is used, then the user can only access Guardian files and no OSS files. SFTP-PRIORITY A number specifying the priority of the SFTPSERV processes for this user.
Default for this parameter: empty string, i.e. no shell script will be executed that prepares the user environment for nonlogin shells (which do not execute the standard login scripts). This is relevant for an SCP configuration where the SCP program must be in a directory that is listed in environment variable PATH for getting file transfers using SCP to work. SHELL-PROGRAM This attribute specifies the path to the shell program to be used to start a shell or execute a command.
At least one of , * or ‘*’ is mandatory in the command. If followed by an asterisk is specified, the user records are displayed when the first part of the user name matches the specified prefix. If a ‘*’ is used, information for all users will be displayed. Otherwise, information for a single user will be displayed. For unconventional user names which must be put in double quotes, please see the description under ADD USER.
PRIORITY                 -1
CPU-SET                  *DEFAULT*
SFTP-INITIAL-DIRECTORY   /G LOCKED
SFTP-GUARDIAN-FILESET    ($temp.us*.*, $us.*.
RENAME USER , Both and are mandatory in the command; no wild cards are allowed in either one. Please see description of under the ADD USER command for unconventional names that must be put in double quotes. THAW USER The THAW USER command thaws a user and has the following syntax: THAW USER The is mandatory in the command, no wild cards are allowed in the user name.
CONNECT-FROM The attribute CONNECT-FROM restricts the host systems a user can connect from. Whenever an incoming connection for the user is accepted, the CONNECT-FROM restrictions are applied. The value can be one host pattern or a list of patterns used to match the address or name of the client system connecting to SSH2 on the NonStop server. The format of each pattern and the pattern matching done is the same as in OpenSSH for parameter from=. If a list is specified, it must be enclosed in parentheses.
Only the configured host/port combinations are allowed for and when port forwarding is specified, such as in the following example:

ssh -L :: @
ssh -R :: @

The PERMIT-OPEN attribute corresponds to the OpenSSH parameter permitopen=. If localhost or 127.0.0.1 is specified as , then the specified is used for restriction checking.
The value can be one host pattern or a list of patterns used to match the address or name of the client system connecting to SSH2 on the NonStop server. The format of each pattern and the pattern matching done is the same as in OpenSSH for parameter from=. If a list is specified, it must be enclosed in parentheses. One pattern represents a host name or its IP address and can include wildcard characters '*' (matching any number of characters) and '?' (matching exactly one character).
The PERMIT-OPEN restrictions are applied whenever the user tries to establish a local port forwarding channel via SSH2 using the SSH and SSHOSS clients. For formats and examples of the attribute value, please see the CONNECT-TO section. The formats of the values for PERMIT-OPEN and CONNECT-TO are the same; the values are just interpreted differently.
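Added example (not from the manual or the product): the CONNECT-FROM and PERMIT-OPEN checks described above, written in POSIX shell so the wildcard rules can be seen at work. The space-separated list format, and the fourth parameter that stands in for the host name which, per the text, replaces localhost/127.0.0.1 during checking (the manual's own name for it was lost in extraction), are assumptions.

```shell
#!/bin/sh
# Added example, not part of the manual: evaluate RESTRICTION-PROFILE style
# checks. The list format (space-separated) and the "self" stand-in for
# localhost are assumptions; the product's own parser is not shown here.

# host_pattern_match PATTERN HOST
#   Applies the wildcard rules quoted from OpenSSH from=: '*' matches any run
#   of characters, '?' exactly one. The shell's own case patterns use the same
#   two wildcards, so the match maps onto them directly; '.' stays literal.
host_pattern_match() {
    pattern=$1 host=$2
    case $host in
        $pattern) return 0 ;;
    esac
    return 1
}

# connect_from_allowed "PATTERN_LIST" HOST
#   PATTERN_LIST is a space-separated list (constructed stand-in for the
#   parenthesised SSHCOM list). Returns 0 if HOST matches any pattern.
connect_from_allowed() {
    for p in $1; do
        host_pattern_match "$p" "$2" && return 0
    done
    return 1
}

# permit_open_allowed "HOST:PORT_LIST" HOST PORT SELF
#   Checks a requested forwarding target against a list of host:port entries.
#   A target of localhost or 127.0.0.1 is checked as if it named SELF, the
#   host the text says is substituted (assumption: passed in by the caller).
#   The port must match exactly; only the host part is a wildcard pattern.
permit_open_allowed() {
    list=$1 host=$2 port=$3 self=$4
    case $host in
        localhost|127.0.0.1) host=$self ;;
    esac
    for entry in $list; do
        ehost=${entry%:*}
        eport=${entry##*:}
        if host_pattern_match "$ehost" "$host" && [ "$eport" = "$port" ]; then
            return 0
        fi
    done
    return 1
}
```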
Client Mode Commands - Overview

The SSH2 user base is maintained using the following commands:

• Commands operating on the KEY, PASSWORD, and KNOWNHOST entity:
  o ASSUME USER: sets a default user for the following commands.
  o INFO SYSTEM-USER: Displays KEY, PASSWORD, KNOWNHOST information for a specified system user.
• Commands operating on the KEY entity:
  o ALTER KEY: changes properties of a key.
  o DELETE KEY: deletes a key.
  o EXPORT KEY: exports a key into a file.
ASSUME USER The KEY, KNOWNHOST and PASSWORD entities are associated with a single Guardian system user. In the case of the KNOWNHOST entity, the reserved user name ALL is also allowed to specify that a KNOWNHOST can be accessed by all Guardian users. The ASSUME USER command sets a user name as default for the following commands. Subsequent commands that allow the specification of a user name can therefore be abbreviated.
Client Mode Commands Operating on the KEY Entity ALTER KEY The ALTER KEY command changes one or more attributes of an existing user private key and has the following syntax: ALTER KEY [:] [, COMMENT ""] [, LIVE-DATE ] [, EXPIRE-DATE ] The individual attributes have the following meaning and syntax: This refers to a valid GUARDIAN user who owns the key in the SSH key store.
DELETE KEY The DELETE KEY command deletes a key from the database and has the following syntax: DELETE KEY [ :] The individual attributes have the following meaning and syntax: This refers to a valid GUARDIAN user who owns the key in the SSH key store. If is omitted, either the user being set in a previously issued ASSUME USER command or the issuer of the ALTER KEY command will be used as the default.
If this attribute is specified, the full private key will be exported, otherwise only the public part of the key will be exported. Note: Exporting a private key may result in a compromise of security. Only the SUPER.SUPER user (unless explicitly denied in OBJECTTYPE USER record) or those configured with full SSHCOM access can export private keys. FREEZE KEY The FREEZE KEY command freezes a key. A local SFTP client cannot connect to a remote host using a key that has a status set as frozen.
• DD Mon YYYY
• DDMonYY

The second format requires surrounding quotes because it contains a comma (commas are separators in SSHCOM).

TYPE
Specifies the type of the key to be generated. Users can choose from RSA and DSA.

BITS
Optional attribute to set the key length. If this attribute is omitted, the generated key will have a default length of 1024 bits. Allowed values are 1024 and 2048 bits only.

COMMENT
This optional attribute is used to associate additional textual information with the generated key.
The name of the file that holds the private key to be imported. PASSPHRASE The optional passphrase associated with the private key file. The passphrase must be enclosed in double quotes (i.e. "..."). If the PASSPHRASE attribute is not specified, it is assumed that the key file is accessible without a passphrase.
The name of the key owned by the current user. A '*' as part of the key name will be interpreted as a wildcard character, and information about all key names matching the wildcard character will be displayed. OUTPUT format of INFO KEY command If used without the DETAIL modifier, INFO KEY will provide a brief summary for each key displayed.
CREATION-DATE This attribute contains the creation date of a key and is automatically set when a key is generated or imported. If a key was generated or imported before the introduction of the CREATION-DATE attribute, the value will be shown as *NONE*, meaning ‘not set’. LIVE-DATE This optional attribute contains the date the key has gone or will go into state ‘LIVE’. The key is not valid before that date and will not be used for authentication.
A valid GUARDIAN user who will own the key entry in the SSHCTL database after the rename. Only SUPER.SUPER users (unless explicitly denied in OBJECTTYPE USER record) or those configured with full SSHCOM access can issue a RENAME command where is different from .
Client Mode Commands Operating on the PASSWORD Entity ADD PASSWORD The ADD PASSWORD command adds a new password to the database and has the following syntax: ADD PASSWORD [:]@[:] , { | " ..." }] The individual attributes have the following meaning and syntax: A valid local GUARDIAN user who owns the password entry in the user database.
A valid local GUARDIAN user who owns the password entry in the user database. If is omitted, either the user being set with a previously issued ASSUME USER command or the issuer of the ADD PASSWORD command will be used as the default. If is specified, it MUST be followed by a ':' to separate it from the known host name that follows. Only the SUPER.
If used with the DETAIL modifier, INFO PASSWORD will provide some detailed information about each password displayed. The following is an example of the output of INFO PASSWORD, DETAIL:

% info password comf.us@[fe80::a00:8eff:fe00:d14e]:55022,detail
info password comf.us@[fe80::a00:8eff:fe00:d14e]:55022,detail
PASSWORD        comf.us@[fe80::a00:8eff:fe00:d14e]:55022
USER            superulrich
STATUS          THAWED
USERID@HOST     comf.
A valid GUARDIAN user who owns the password entry in the user database before renaming it. If is omitted, either the user being set with a previously issued ASSUME USER command or the issuer of the RENAME PASSWORD command will be used as the default. If is specified, it MUST be followed by a ':' to separate it from the password name. A user name of the targeted system. The IP address or the DNS name of the targeted system.
Client Mode Commands Operating on the KNOWNHOST Entity

ADD KNOWNHOST

The ADD KNOWNHOST command adds a new known host to the database and has the following syntax:

ADD KNOWNHOST [:]
  , ADDRESSES { | ( [,,]...) }
  , PORT
  , PUBLICKEY {FINGERPRINT | FILE }
  , ALGORITHM {SSH-DSS | SSH-RSA}
  [, COMMENT { | " ...
ALTER KNOWNHOST The ALTER KNOWNHOST command changes one or more attributes of an existing known host and has the following syntax: ALTER KNOWNHOST [:] [, ADDRESSES [,,]...] [, PORT ] [, PUBLICKEY {FINGERPRINT | FILE } ] [, ALGORITHM {SSH-DSS | SSH-RSA} ] [, COMMENT { | " ..." }] The individual attributes are identical as in the ADD KNOWNHOST command, please see that section for details.
The name of the known host to be frozen. INFO KNOWNHOST This command provides information about a single known host or a set of known hosts in the SSH2 key store. It has the following syntax: INFO KNOWNHOST [:]{ | *} [, DETAIL] The individual attributes have the following meaning and syntax: A valid GUARDIAN user who owns the known host in the SSH key store.
KNOWNBY      The system user who is allowed to connect to the known host.
ADDRESSES    Specifies a comma separated list of IP addresses or DNS names that identify the target host, from which the public key associated with this known host entry is accepted.
PORT         The target port number of the remote host associated with this known host entry.
ALGORITHM    The key exchange algorithm to be used. Valid values are SSH-DSS and SSH-RSA.
PUBLICKEY    The MD5 and/or bubble-babble fingerprint of the known host's public key.
If and/or is omitted, either the user being set with a previously issued ASSUME USER command or the issuer of the RENAME KNOWNHOST command will be used as the default user. If is specified, it MUST be followed by a ':' to separate it from the key name. The new name of the knownhost entry. A knownhost entry with this name owned by the specified GUARDIAN user must NOT already exist in the user database.
DETAIL If the DETAIL flag is set, detailed information is displayed. WIDTH The number is the maximum number of characters per output line. If WIDTH is not specified the default value 80 is assumed. In order to avoid a new line when the terminal is configured with line wrapping on, the line will only be filled with one character less than the specified width. RECURSIVE This attribute controls if the sessions, channels and opener are displayed as well.
Normally the output of the STATUS command will be displayed at the terminal the SSHCOM was started. With LOGONLY flag set, the output will be written to the log file, if logging to a file is enabled. SELECT The SELECT option allows defining a specific set of attributes that will be displayed instead of the default attribute set (there are two default sets, one for detailed output and one for non-detailed output).
The SELECT option allows defining a specific set of attributes that will be displayed instead of the default attribute set (there are two default sets, one for detailed output and one for non-detailed output). An attribute name specified for must be one of the names displayed in the detailed status output. WHERE The WHERE option can be used to filter channels. Only those channels that fulfill all listed filter conditions will be displayed.
WHERE The WHERE option can be used to filter openers. Only those openers that fulfill all listed filter conditions will be displayed. Each attribute filter must have the following format (the space characters surrounding the field are mandatory): For information about , please see under option SELECT.
DISABLE STATISTICS
Disables gathering of statistics data. Syntax: DISABLE {STATISTICS | STATS}

ENABLE STATISTICS
Enables gathering of statistics data. Syntax: ENABLE {STATISTICS | STATS}

RESET STATISTICS
Resets statistics counters/rates. Syntax: RESET {STATISTICS | STATS}

STATUS STATISTICS
Displays status of statistics, e.g. if gathering statistics is enabled. If the DETAIL flag is set, detailed information is displayed.
SSHCOM Command Reference (HP NonStop SSH Reference Manual)
SSH and SFTP Client Reference Introduction The SSH2 package provides an SSH and SFTP client program to interact with SSH daemons on other systems. The client programs communicate with the SSH2 process, which creates the actual SSH session to the remote daemon. This chapter describes the usage of the SSH and SFTP client and assumes an SSH2 process is already running.
A typical command to establish an SFTP session with a remote SSH daemon will look as follows:

$DATA1 MHSSH 20> run sftp m.horst@10.0.0.201
SSH client version T9999H06_22Jan2014_comForte_SSH_0097
Connecting to 10.0.0.201...
You have no private keys in the key store.
Trying password authentication.
Enter m.horst@10.0.0.201's password:
Add password for m.horst@10.0.0.201 to the password store (yes/no)? no
sftp>

Example using IPv6 address:

> run sftp comf.
-q             Quiet; don't display any warning messages.
-H string      Set prefix used for error messages. Default: no prefix.
-J string      Set prefix used for info/warning messages. Default: no prefix.
-K string      Set prefix used for prompt/query messages. Default: no prefix.
-c cipher      Select encryption algorithm.
-m macs        Specify MAC algorithms for protocol version 2.
-p port        Connect to this port. Server must be on the same port.
sftposs u.sauer@[fe80::250:56ff:fea7:4bdc]
SFTPOSS client version T9999H06_22Jan2014_comForte_SFTPOSS_0097
Connecting to fe80::a00:8eff:fe00:d14e via SSH2 process $SSH01 ...
GSSAPI authentication disabled.
You have no private keys in the key store.
Trying password authentication.
Enter comf.us@fe80::a00:8eff:fe00:d14e's password:
Add password for comf.
Suppressing the Banner printed by Clients

The SSH[OSS] and SFTP[OSS] clients print a banner containing the version and name of the ssh client, e.g.:

comForte SSH client version T9999G06_22Jan2014_SSH_0097

This banner can be suppressed by setting the Boolean parameter SUPPRESSCLIENTBANNER in the client environment, i.e.
Parameter                       Used when Sending   Used when Receiving   Dependency on SFTP Server
RECORDDELIMITER                 Yes                 Yes                   Yes. The SFTP client prompt command ASCII can be used to achieve the same configuration.
SFTPEDITLINEMODE                No                  Yes                   No. Only relevant when files are written locally
SFTPEDITLINENUMBERDECIMALINCR   No                  Yes                   No. Only relevant when files are written locally
SFTPEDITLINESTARTDECIMALINCR    No                  Yes                   No.
-p port                     Connect to this port. Server must be on the same port.
-L listen-port:host:port    Forward local port to remote address.
-R listen-port:host:port    Forward remote port to local address.
                            These cause ssh to listen for connections on a port, and forward them to the other side by connecting to host:port.
-C                          Enable compression.
-N                          Do not execute a shell or command.
-g                          Allow remote hosts to connect to forwarded ports.
-o 'option'                 Process the option as if it was read from a configuration file.
• hmac-sha1: HMAC-SHA1 (digest length=key length=20 bytes=160 bits)
• hmac-md5: HMAC-MD5 (digest length=key length=16 bytes=128 bits)
• hmac-sha1-96: first 96 bits of HMAC-SHA1 (digest length=12 bytes=96 bits, key length=20 bytes=160 bits)
• hmac-md5-96: first 96 bits of HMAC-MD5 (digest length=12 bytes=96 bits, key length=16 bytes=128 bits)

If this option is not specified, the client will negotiate a cipher from the list configured for the SSH2 server using the MACS parameter.
Specify the authentication methods that are allowed for user authentication. The value is a comma separated list of method names (without any spaces). See SSH2 parameter CLIENTALLOWEDAUTHENTICATIONS for the possibility to restrict the ssh clients' authentication methods. -S process Connect using a specific SSH2 process. See section "Configuring the SSH2 Process to Use" for further details. Runtime options relevant only when creating a shell -t Force pseudo-tty allocation.
Set specific string used as prefix for error messages displayed by the SSH client during the connection phase. Double quotes can be used to define strings containing a space or special characters. The prefix for errors can also be specified via PARAM/environment variable SSHERRORPREFIX (the -H option takes precedence over the PARAM/environment variable). There is no specific error prefix defined as default.
$TB TBSSH79 10>

Note that the password for the remote system is stored when the command is issued for the first time, so the password does not need to be entered the next time.

Using the SSH client to create a port forwarding daemon

The following example shows how to use port forwarding to tunnel a Telnet session between two NonStop systems through SSH to encrypt the network traffic.
Using the SSH client to create an FTP port forwarding daemon To tunnel FTP connections through a SSH connection, the SSH implementation must apply additional logic to ensure that the data port is also encrypted. The following example shows the encryption of an FTP connection between two NonStop systems by tunneling it over an SSH session. The example is based on the following assumptions: • An SSH2 daemon is installed on the remote NonStop system with Port forwarding allowed.
[directory listing returned over the tunneled FTP session; the permission bits and owner COMF.TB survived extraction, the file names, sizes and dates did not]
226 Transfer Complete.
2674 bytes received in
ftp> bye
221 Goodbye.
-B Specify the size of the buffer that sftp uses when transferring files. Larger buffers require fewer round trips at the cost of higher memory consumption. The default is 29696 bytes (29kB). The maximum buffer size is 57344 bytes (56kB). The transfer buffer size can also be set by specifying a PARAM/environment variable SFTPBUFFERSIZE.
-C Requests compression of the transfer data. The compression algorithm is the same one used by gzip.
Specify how many requests may be outstanding at any one time. Increasing this may slightly improve file transfer speed but will increase memory usage. The default is 16 outstanding requests. The number of outstanding requests can also be set by specifying a PARAM/environment variable SFTPNUMREQUESTS. -S This option is used to set the SSH2 process to communicate with. Please refer to the section "Configuring the SSH2 Process to Use" earlier in this chapter.
sftp> help
Available commands:
ap local-path [remote-path]        Upload local file and append to remote file
append local-path [remote-path]    Upload local file and append to remote file
ascii [dos|unix|mac]               Change transfer mode to ascii and optionally change the remote newline convention
aslinemode [cut|wrap|none]         Cut, wrap or do nothing to long ascii lines
binary                             Change the transfer mode to binary
cd path                            Change remote directory to 'path'
chgrp grp path                     Change group of file 'path' to 'grp'
chmod mode path                    Change
SFTP Commands Once you are connected to a remote system, the SFTP client issues a prompt "sftp>" and from then on supports the standard set of commands implemented in the SFTP protocol. The "help" command gives a brief syntax summary: > run sftp -S $zss1 -oPort=51022 comf.us@10.0.0.196 SFTP client version T9999H06_22Jan2014_comForte_SFTP_0097 Connecting to 10.0.0.196 via SSH2 process $zss1 ...
List files on remote system (detailed output):
sftp> ls -l
drwxr-xr-x   0 513  100     1200 Feb 11 15:10 .
drwxr-xr-x   0   0    0      608 Dec 31 12:04 ..
drwxr-xr-x   0 513  100       80 Feb 27  2004 public_html
drwxr-x---   0 513  100       48 Feb 27  2004 pubs
drwxr-xr-x   0 513  100       48 Feb  9 20:45 put
-rw-r--r--   0 513  100  1011018 Feb  9 20:40 putfiles
sftp>
Change to directory "put", list the files there (note that the directory is empty):
sftp> cd put
sftp> ls -l
drwxr-xr-x   0 513  100       72 Feb 14 07:31 .
drwxr-xr-x   0 513  100
sftp>
Controlling Transfer Summary Summary information about each file transfer gets generated, e.g.: 165527760 bytes transferred in 86 seconds ( 1.8MB/s) By default the number of bytes transferred is set to the EOF value of a file. This ensures consistency between the size of a file displayed by the ls -l command and the summary information. But the size of the actual content of a Guardian edit or structured file can differ greatly from the EOF value.
For structured files the file-attributes list is as follows:
[[filetype],[filecode],[primary],[secondary],[maxextents],[record-len],[pri-key-len],[key-offset],[index-blk-len]]
The file attributes, which must be specified exactly in the order shown above, are: • filecode – the file code (integer from 0 through 32767) • primary – primary extent size in pages (integer from 1 through 65535) • secondary – secondary extent size in pages (integer from 1 through 65535) • maxextents – maximum number of
structured files (STRUCT R). Additionally, the following two transfer modes are supported: transparent transfer of records, and unstructured transfer of structured files. The transparent transfer mode allows transferring records containing LF (“\n”) characters inside a record. These files cause problems when being transferred in delimited record transfer mode as this character is used as end-of-record delimiter.
• binary changes to binary transfer mode.
The following sample illustrates how ASCII files can be exchanged with an SSH daemon on a Windows server:
sftp> ascii dos
Newline convention is now dos
File transfermode is now ascii
sftp> put textfile textfile.txt
Uploading textfile to /test/textfile.txt
sftp> get textfile.txt editfile
Fetching /test/textfile.
Possible values for HISTORYMODE are SFTP (the default value) and TACL. If HISTORYMODE is set to TACL the history list behaves like the one in TACL.
It is possible to force string matching for a given number by enclosing the number in single or double quotes:
sftp> history
1> ls -l k*
2> get file678
3> put report89
4> cd $disk.subvol
5> cd $data1.reports
6> get fil56789
7> get fl456789
8> cd $data1.report1
9> pwd
sftp> fc "4"
get fl456789
...//
sftp>
The FC command without a parameter causes the last command to be retrieved for fix command processing. A modified command is not executed (i.e.
Controlling SSH and SFTP Clients on NonStop via an API Customers who need to access SSH and SFTP clients programmatically can use additional API modules, which are separately licensed: • The SFTPAPI module allows an FTPAPI application to establish an SFTP session instead of an FTP session. Minor changes in the FTPAPI application code convert the application to an SFTPAPI application. This is possible because the same header file ($SYSTEM.ZTCPIP.FTPEXTH) and library file ($SYSTEM.ZTCPIP.
For transferring files via SFTP rather than FTP, the application still uses the same APILIB, which is part of the HP NonStop TCP/IP applications and utilities. However, APILIB is directed to start an SFTP rather than an FTP client. The SFTP client supports the same inter-process communication messages as FTP, mapping the programmatic commands to the appropriate SFTP operations. SSHAPI with SSHLIB SSHLIB describes the external interface offered by the SSH application program interface (API).
SSH Protocol Reference The SSH Protocol SSH is a protocol for encrypted network traffic and a set of associated programs which has its roots in the Unix domain. The first version of SSH (SSH version 1 or SSH1) became popular in 1995 and was replaced by an improved version (SSH version 2 or SSH2) in 1997. In 2006, SSH version 2 became a proposed internet standard with the publication of a group of RFCs by the Internet Engineering Task Force (IETF).
• a small part of the OpenSSL project, see www.openssl.org. • a small part of the OpenSSH project, see www.openssh.com. comForte has combined this standard code with its own source code targeted specifically for the NonStop™ platform and has added additional functionality. See the copyright statements in chapter "Appendix". Authentication using User Names and Passwords The SSH protocol allows for authentication using user names and passwords.
• have their own private key stored in a safe location • send over the public key belonging to their private key to the peer system for authentication • have the public key of the peer system configured in order to be able to verify its authenticity Dealing with two key pairs for any two partners communicating can be a bit confusing, therefore we go over the two key pairs in a bit more detail in the next subsections.
• By providing a username and a public key • By other means, such as Kerberos or X.509 certificates When operating as a daemon, SSH2 currently supports the following authentication methods: • password (RFC 4252) The password sent by the client is verified against the SYSTEM-USER’s password contained in the NonStop system user base.
STN Reference Introduction The STN component is a pseudo TTY server providing full-screen shell access to remote SSH clients. Running STN as Pseudo TTY Server for SSH2 Note: For cases in which SSH2 was delivered with HP NonStop SSH as part of the RVU or as an independent product for G-Series prior to G06.32, an STN PTY server will be pre-installed as a generic process: SSH-ZPTY ($ZPTY). Starting STN from TACL STN can be started using standard TACL commands. It can also be configured as a generic process.
PARAM BACKUPCPU cpu Specifies the backup CPU number. The default is NONE. See the STNCOM BACKUP/BACKUPCPU command for a description of available options. PARAM GWN^TEMPLATE #AAAnnn Controls session and window names. Refer to section "Session and Window Naming". PARAM GWN^INITIAL RANDOM Controls session and window names. Refer to section "Session and Window Naming". PARAM GWN^FILE filename Controls session and window names. Refer to section "Session and Window Naming".
the letter M (megawords), which multiplies by 1,048,576. The default is 100K. PARAM TRACE^SIZE should precede PARAM TRACE^FILE. Tracing is normally started using STNCOM commands, so this parameter is rarely used.
5 – run stn …
STN does not use the OUT parameter, example:
run stn / name $stn , out $zhome /    <--- not allowed
If OUT is not defaulted to the home terminal, the following EMS event zstn-ems-evt-misc (9) is now generated: “$STN OUT parameter is not used, OUT ignored.
Running STN as Persistent Process STN can be started as kernel persistent process from SCF. The IN field of the RUN STN command is used to convey PARAM and STNCOM configuration information, as shown in the following example:
ADD PROCESS STN1 ,
    NAME $STN1 ,
    PROGRAM $SYSTEM.STN.STN ,
    INFILE $SYSTEM.STN.STN1KIN ,
    STARTMODE SYSTEM -or- APPLICATION ,
    USERID SUPER.
G007I \T.$STN 1,835
G000I STN B15 15NOV2011
G001I Copyright 1984-2011 Gemini Communications Inc. % All rights reserved.
STNCOM Commands Note: STN is also delivered as component of comForte's SecurTN product, a fully functional, secure Telnet server. STN supports several commands and features related to the Telnet server functionality. For clarity, these commands and features are not part of this manual. STNCOM supports the following abbreviated keywords in commands:
Command   Abbreviation
SERVICE   SER
SESSION   SESS
WINDOW    WIN
ABEND Immediately stops the STN process, creating a ZZSA dump file.
• a.*.*.* a.b.*.* a.b.c.* This form specifies the first 1, 2, or 3 bytes of an IP address which must match, with the remaining 3, 2, or 1 byte(s), respectively, allowed to have any value.
192.*.*.* matches only 192.0.0.0 through 192.255.255.255
192.7.*.* matches only 192.7.0.0 through 192.7.255.255
161.114.87.* matches only 161.114.87.0 through 161.114.87.255
• a.b.c.d-e.f.g.h This form defines two specific IP addresses; the first must be numerically less than or equal to the second. 192.1.2.3-192.1.2.
,PARAM "param-text"
,IPRANGE iprange-name
,HOME home-terminal-name
,LIMIT max-sessions
,RESILIENT YES | NO
,DEBUGOPT OFF |
,LOGAUDIT YES | NO
,LOGON REQ | NONE
,SCRIPT script-name
,WIN_PAT "pattern"
The service-name and the TYPE field are required; all others are optional.
• No WINDOW pre-configuration required. • No application pre-configuration required. • Workstations can have identical configurations. • Unique window names are difficult to track and manage. • Application process creation slows window startup. • Can be awkward for Pathway and other applications that allocate CPU and other resources using their own algorithms.
MODE CONV | BLOCK Default is CONV. At the beginning of a session, the terminal (client) and the WINDOW are placed into the selected mode. MENU HIDDEN | VISIBLE Default is VISIBLE. Service menus are built using the names of services with MENU VISIBLE. MENU HIDDEN suppresses the service name on the menu, but the service name can still be entered by the remote user. See the command "BANNER", which can disable menus and other messages. LIB lib-file-name Default is no LIB file.
If no IPRANGE parameter is specified, then the service does not perform any checking on the IP address of the remote workstation attempting to connect to the service. If IPRANGE is defined for the service, then the IP address of the remote workstation must match one of the IP addresses or IP address ranges in the specified IPRANGE. If the address matches, then the session is allowed to proceed.
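The IPRANGE entry forms described earlier (leading fixed octets with wildcards, and an explicit low-high address range) together with the SERVICE check just described, as an added Python example. This is not STN's or the manual's own code; the function names, the sample IPRANGE and the sample service table are this example's own. A single address is written here as a range with identical ends, since the manual lists only the two forms.

```python
import ipaddress

# Added example, not STN's own code: a checker applying the two IPRANGE
# entry forms documented for STN services:
#   a.*.*.*  a.b.*.*  a.b.c.*   leading octets fixed, trailing octets any value
#   a.b.c.d-e.f.g.h             inclusive range, first address <= second
# parse_entry / address_allowed / service_accepts are this example's names,
# not STNCOM commands.


def _to_int(octets):
    """Pack four octet values into one integer for range comparison."""
    return int(ipaddress.IPv4Address(".".join(str(o) for o in octets)))


def parse_entry(entry):
    """Return the inclusive (low, high) integer bounds for one IPRANGE entry.

    Raises ValueError for anything outside the two documented forms.
    """
    entry = entry.strip()
    if "-" in entry:
        lo_text, hi_text = (part.strip() for part in entry.split("-", 1))
        lo = int(ipaddress.IPv4Address(lo_text))   # raises ValueError if malformed
        hi = int(ipaddress.IPv4Address(hi_text))
        if lo > hi:
            raise ValueError(f"{entry}: first address must be <= second address")
        return lo, hi

    octets = entry.split(".")
    if len(octets) != 4:
        raise ValueError(f"{entry}: expected four dotted fields")
    low, high = [], []
    wildcard_seen = False
    for field in octets:
        if field == "*":
            wildcard_seen = True
            low.append(0)
            high.append(255)
            continue
        if wildcard_seen:
            raise ValueError(f"{entry}: fixed octet after a wildcard")
        value = int(field)                          # raises ValueError if not numeric
        if not 0 <= value <= 255:
            raise ValueError(f"{entry}: octet out of range")
        low.append(value)
        high.append(value)
    fixed = sum(1 for f in octets if f != "*")
    if not 1 <= fixed <= 3:
        raise ValueError(f"{entry}: wildcard form needs 1 to 3 fixed leading octets")
    return _to_int(low), _to_int(high)


def entry_is_valid(entry):
    """True if parse_entry accepts the entry (used for configuration checks)."""
    try:
        parse_entry(entry)
        return True
    except ValueError:
        return False


def address_allowed(iprange_entries, address):
    """True if the remote address falls inside at least one IPRANGE entry."""
    value = int(ipaddress.IPv4Address(address))
    return any(lo <= value <= hi for lo, hi in map(parse_entry, iprange_entries))


def service_accepts(service, address):
    """Documented SERVICE rule: no IPRANGE means no address check at all;
    with an IPRANGE the remote address must match one of its entries."""
    entries = service.get("IPRANGE")
    if entries is None:
        return True
    return address_allowed(entries, address)


# Constructed sample configuration (not taken from the manual).
ADMIN_RANGE = ["192.7.*.*", "161.114.87.*", "192.1.2.3-192.1.2.9"]
SERVICES = {
    "TACL": {"TYPE": "DYNAMIC"},                       # no IPRANGE: any workstation
    "ADMIN": {"TYPE": "DYNAMIC", "IPRANGE": ADMIN_RANGE},
}

if __name__ == "__main__":
    for name, service in SERVICES.items():
        for addr in ("192.7.200.1", "192.1.2.10", "10.0.0.5"):
            verdict = "accepted" if service_accepts(service, addr) else "rejected"
            print(f"{name:6} {addr:14} {verdict}")
```

Rejecting a malformed entry at parse time rather than silently treating it as "no match" is deliberate: a typo in an IPRANGE should surface as a configuration error, not as a service that quietly refuses every connection.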
RESILIENT YES | NO RESILIENT is an option for TYPE DYNAMIC services that allows the application to remain active after the terminal session is disconnected. The STN implementation of RESILIENT is similar in general functionality to that of HP Telserv, but with some key differences. RESILIENT NO, the default setting, defines a traditional dynamic service. Upon session disconnect, file system errors are returned to the application, and most applications, like TACL, will detect this and stop.
window #ZWNnnnn added When a RESILIENT session disconnects, there are certain differences from non-resilient dynamic sessions: • No error code (140, 60, etc) is returned to the application, and no BREAK or SIGHUP sent. Any active application I/O request is left outstanding indefinitely. The application never notices that the session has disconnected. • KILL_DYNAMIC does not apply. • The window is not automatically deleted.
• @T - Time (LCT) in 6 digit format hhmmss • @U - The external user name (alphabetic and numeric characters only). • @X - STN expand node name (without \ prefix) • @Y - STN expand node number Substitution parameters @1 through @6 reference values returned by WSINFO. WSINFO is supported by Win6530 and some other terminal emulators. STNCOM WSINFO must be set to QUERY, REQUIRED or MATCH. Any fields not returned by the workstation are set to the null string.
Explanation of example settings: MENU HIDDEN - this service is for use only by system administrators and only in case of emergency. General users won't see the service on the STN02 Services menu, avoiding confusion and minimizing undesired access attempts. USER SUPER.SUPER - keeps unauthorized users away from this service, minimizes denial of service. PRI 199 - high priority is sometimes essential for systems maintenance tasks, such as stopping a looping application.
TYPE DYNAMIC Normally used only internally by the dynamic window mechanism. SERVICE and TERM_TYPE are required, and IPADDR is not allowed. The window will be automatically deleted when the session terminates. TYPE STATIC SERVICE is required. IPADDR is not allowed. Typically some number of static windows are defined for a given static service, creating a pool of windows to allocate to sessions requesting that service.
AUDITCOLL OFF | $emscol
AUDITCOLL names an EMS collector to receive EMS events for Audit-type events.
OFF: the default. No Audit-type EMS events are generated. Also used to stop generation of events.
$emscol: Audit-type EMS events are written to the specified collector.
AUDITCOLL specifies an EMS collector for "audit" EMS events (only). This is independent of $0, which always receives other EMS events. $emscol is the name of an EMS collector, which may be $0 or an alternate collector.
ANY Uses any available CPU for the backup process. The first attempt is with the buddy CPU; if that fails, other CPUs are then used starting with CPU numbers closest to the primary until a backup is successfully started. This method assures that a backup will be created any time two CPUs are available. If a backup process is already running, it is stopped. A new backup process is created in the appropriate CPU. BANNER Y | N The BANNER command controls the display of menus on remote session initiation.
BREAK_ON_DISCON Y|N If this parameter is set to "Y", when a dynamic window session is disconnected, and there are no active I/O operations (e.g. WRITEREAD), a BREAK is simulated. No BREAK is sent if there is an active I/O. Default is "N". BUFFER_SIZE BUFFER_SIZE displays the size of internal STN buffers, which is useful in configuring STN memory via PARAM POOL^SIZE. The BUFFER_SIZE command has no parameter.
DELETE IPRANGE | * Deletes a specific IPRANGE or all IPRANGEs. The IPRANGE is immediately deleted. If any SERVICEs refer to this IPRANGE, then those services will reject any new connection attempts until a subsequent ADD IPRANGE is done.
DYN_CPU (cpu,cpu) Sets default CPU for subsequent ADD SERVICE TYPE DYNAMIC. Default is DYN_CPU (0,15). DYN_WIN_MAX The existing DYN_WIN_MAX command is generally superseded by the features of GWN^TEMPLATE (introduced in T0801^ABE), but it is still allowed. The value is the maximum number of window names, including zero (0). The value must be in the range 100 to 100000; the default is 100000. DYN_WIN_MAX may be used to reduce the number of windows allowed by GWN^TEMPLATE.
GWN [ALLOC] STNCOM displays the GWN filename and details about the window name and option, and optionally a new block of names. This command was introduced in T0801^ABE. The following current information is always displayed:
• GWN File name (or blank)
• Blocksize
• Next window name
• Last window name allocated (same as next if no GWN File)
• Maximum window number
If ALLOC is specified, a new block of session names is allocated from GWN^FILE.
INFO PROCESS INFO PROCESS displays the setting of global parameters. The following example shows a typical result: Config \BWNS02.
Otherwise, a list of PARAMs is shown, example: PARAM BACKUPCPU ANY As of T0801^ABE, the GWN window and session parameters are displayed as well. See section "Session and Window Naming". INFO SCRIPT | * Displays configuration information for the specified script or for all configured scripts. INFO SER[VICE] | * Displays configuration information for the specified service or for all configured services. Only parameters which are different from the default are displayed.
auth method          keyboard-interactive
cipher               aes256-cbc
mac                  hmac-sha1
compression          none
executed program     /bin/sh
kerberos principal   nam
local IP address     192.168.1.145
local IP port        22
TCP/IP process       $ZTCP5
The attributes have the following meaning: • TYPE: The window type. PTY is displayed for windows allocated by an SSH2 process. • pty-command: The command that the SSH2 process used to allocate the window. • Vproc: The version of the SSH2 process that allocated the window.
If IDLE_WARNING is set to a non-zero value, then a warning message will be displayed once a minute when the terminal is idle, and fewer than IDLE_WARNING minutes remain until INPUT_TIMEOUT expires. The following message appears: STN35 **WARNING** Terminal will be disconnected if it stays idle... If terminal activity occurs after this warning, the timer is reset and the session continues.
OTX (open table index)=2. Each opener has an entry in the open table. The unnamed process running on node \CENTDIV with cpu,pin=1,50 has opened the application with terminal name #COMMAND.COMMAND as file number 3. The #COMMAND.COMMAND terminal name indicates a STNCOM requester. The program is running under group,user=255,255 (SUPER.SUPER) from object program file name $SYSTEM.SYSTEM.STNCOM with home terminal $OSP. Note: the LISTOPENS command can generate a very long response.
OPEN OPEN opens the specified STN process for subsequent commands. specifies the process to be opened. If another process is already open, that process is closed. If the OPEN fails, all STNCOM commands requiring an application are rejected until a successful OPEN is completed. The STN version and vproc are displayed after a successful OPEN, before the STNCOM prompt.
POOL
POOL verifies the integrity of STN's internal buffer pool and provides useful information for tuning PARAM POOL^SIZE.
• TOTAL SIZE—Shows word size of pool.
• IN USE—Shows words currently in use in the user buffer area.
• HIGH—Shows the highest value of IN USE since process startup or the most recent backup takeover.
• GETS—Shows total number of buffer allocation requests.
• PUTS—Shows total number of buffer releases.
PTY_REPLY_LEN Byte length of reply from STN to SSH. can be in the range from 1 to 16384. Default is 4096. RECV_SIZE Specifies the byte length of socket receive buffers used to accept incoming session data. is in the range 100-4095, default 1000. Larger values offer some improvement in performance, but only when large input messages are common. Smaller values conserve buffers in the memory pool which may be necessary with a large number of simultaneous sessions.
If the file already exists, it is purged. A new file is created. The file will contain commands suitable for direct input to STNCOM, including process parameters such as IDLE_TIMEOUT and WELCOME, as well as ADD commands for services, windows (types STATIC, SU, and DEDICATED only), scripts, and ip ranges.
START SERVICE | * Activates a service previously STOPPED or ABORTED. New session requests for the service will be accepted. START is automatically performed by ADD SERVICE, and is generally not used. START WINDOW <#window-name> | * Activates a window previously STOPPED. New session requests for the window will be accepted. START is automatically performed by ADD WINDOW, and is generally not used.
For TN6530 sessions, line mode has been established, and the STN is waiting for TERMTYPE. This state usually lasts for less than a second. • NEGOT_TT For TN6530 sessions, TERMTYPE has been established, and the STN is waiting for line mode. This state usually lasts for less than a second. • MENU_NEEDED TERMTYPE has been established, and, for TN6530, line mode has been established. This state is usually immediately replaced by MENU. • RESIL_RECON A resilient window has been reconnected to a new session.
Window name e.g. #ZWN0002. STARTED (not in session), STOPPED, or IN SESSION. Indicates that either "no" or "1 or more" applications have this window open. Detailed information such as term_rows, term_columns, client IP address, etc. STIX [RESET] Displays cumulative statistics on the number of sessions. STIX displays the counters; STIX RESET displays then resets. STNCOM_PROMPT "" This command redefines the prompt sent by STNCOM to the terminal for new command input.
• Is overridden by STNCOM_PROMPT. STNCOM_PROMPT • Redefines the prompt for all future STNCOM openers to an STN process. • Does not take effect until the next STNCOM open (see note below). • Is stored in the configuration of the running STN process, which is convenient. • Is maintained on a backup takeover of STN. • Must be re-entered every time STN is started. • Overrides PROMPT. • Is included in SAVECFG output.
STOP SESSION | * The specified session, or all active sessions, will be terminated. STOP WINDOW <#window-name> | * The specified window, or all configured windows, will be stopped. If a session is active on the window, it will be immediately terminated. Dynamic windows and automatically added windows will be deleted. The window will no longer be available for new sessions. Use START WINDOW to resume normal operation. This command is not normally used.
Starting with STN version B08, trace files will include INFO STN output at the beginning. Warning: Tracing can noticeably affect response time and CPU usage. UAIPADDR Y | N STNCOM command UAIPADDR controls the inclusion of the workstation remote IP address on USER_AUTHENTICATE_ calls. This IP address is included in certain Safeguard records. UAIPADDR should only be used on Guardian releases H06.26 (or later) or J06.15 (or later).
WIN_AVAIL_ALWAYS Y | N Controls availability of dedicated windows to connect to a new session. Default N means availability is determined by WIN_AVAIL_C11. When set to Y, a DEDICATED window is always available for connection to a new remote session request, even if there is no active open from any application to that window. WIN_AVAIL_C11 Y | N Determines availability of a window when a static service is selected from the STN02 menu, or a session attempts to connect to a dedicated window.
The current setting is shown by INFO STN. Session and Window Naming Session (and dynamic window) names always began at 0000 when STN was started. This resulted in the same session name being used for different STN processes or for restarts of an STN process. The session names should be unique. Starting with SPR T0801^ABE, a new optional naming scheme was introduced for sessions and dynamic windows. The default still uses names like #ZWN0001.
If the file exists but an error occurs while opening or reading the file, or the file does not contain valid GWN data, STN closes the file, generates an EMS warning and runs without GWN^FILE for the duration of the STN process. No recovery is attempted. If it cannot be created or written, the default of #ZWN0001 is used. If PARAM GWN^FILE is OFF, or the PARAM is omitted, then the default of #ZWN0001 is used.
This command always displays current information. • GWN File name (or blank) • Blocksize • Next window name • Last window name allocated (same as next if no GWN File) • Maximum window number If ALLOC is specified, a new block of session names is allocated from GWN^FILE. Since allocation is normally done automatically, ALLOC is intended for development use only. Any window names reserved by a previous GWN^FILE allocation but not yet used are discarded.
EMS Events The STN installation subvolume contains standard EMS files which provide additional details:
• ZSTNDDL DDL for event names
• ZSTNTMPL template output file for EMSDIST
It is recommended that ZSTNTMPL be installed using standard procedures. Note: In the following event descriptions, event name and number are given, followed by the EMS template for this event. All references to <1> refer to the STN process that issued the event.
"<1> AUDITCOLL stopped" • CAUSE: STNCOM command AUDITCOLL OFF was used. This event is written to the specified AUDITCOLL collector, not to the standard $0 EMS event collector. • EFFECT: Events are no longer written to the audit collector. Normal EMS event processing to $0 continues. • RECOVERY: None; informational only. zstn-evt-auditcoll-sslmiscerr value is 1022 "<1> AUDITCOLL sslmiscerr <2> <3> <4> <5>" <2>, <3>, <4> zero. Used only for SecurTN where this event has an alternate meaning.
• EFFECT: None. • RECOVERY: None; informational only. zstn-evt-auditcoll-disconnect value is 1025 "<1> AUDITCOLL disconnect <2> <3> <4>" <2> full name of the window (\node.#stn.#window). <3> remote IP address. <4> remote IP port. • CAUSE: A session has terminated. This event is written to the specified AUDITCOLL collector, not to the standard $0 EMS event collector. • EFFECT: None. • RECOVERY: None; informational only.
"<1> STN window <2> stopping process <3> status <4>" <2> name of window <3> process name <4> status code • CAUSE: STN is automatically stopping the process previously created for a dynamic window at session termination when KILL_DYNAMIC=Y. • EFFECT: The specified process is stopped. • RECOVERY: None; informational only. zstn-evt-pool-used value is 1033 “<1> STN Buffer pool used <2> <3>% , used=<4>kw size=<5>kw” Indicates that STN memory pool usage has gone above 80%, or back down below 80%.
• EFFECT: The affected terminal session may hang. • RECOVERY: None. Recovery is automatic. If other symptoms are noted, such as hanging sessions, include this EMS event when reporting the problem. zstn-evt-gwn-file-err value is 1058 "<1> GWN File <2> error <3> on <4>" <2> - GWN file name <3> - Guardian file error code <4> - File operation where error occurred • CAUSE: An error occurred on the GWN file. • EFFECT: STN will attempt to recover.
zstn-evt-gwn-disabled value is 1062 "<1> GWN File disabled - using <2> session/window names" <2> - Number of session/window names • CAUSE: STN encountered an error with GWN processing as detailed in a previous event. This event also occurs once at STN startup, when no PARAM GWN^FILE is present. • EFFECT: Future window names for this STN process use the traditional #ZWNnnnn scheme. If this error occurs for multiple STN processes, then duplicate #ZWN names can occur.
zstn-evt-starting value is 3 "<1> <2> program starting <3>" <2> program name and version information <3> additional copyright information • CAUSE: The STN process has started. • EFFECT: None. • RECOVERY: None; informational only. zstn-evt-param-error value is 4 "<1> Error in PARAM <2> <3>" <2> parameter name <3> value • CAUSE: During STN startup, an error was found. • EFFECT: The param is ignored, and STN startup proceeds without the param.
zstn-evt-backup-stopped value is 7 "<1> Backup stopped" • CAUSE: The STN backup process stopped. Another EMS event may give additional information. • EFFECT: STN runs without a backup. In some cases, STN will automatically restart the backup process immediately or after a backup CPU becomes available. • RECOVERY: If backup operation is required, make the backup CPU available or use the STNCOM command BACKUPCPU to select another backup CPU.
"<1> Checkallocatesegment err <2>" <2> error code • CAUSE: STN could not allocate its internal buffer pool in the backup process due to an error condition. • EFFECT: STN runs without a backup. STN will automatically restart the backup process. • RECOVERY: If backup operation is required, use the STNCOM command BACKUPCPU to select another backup CPU. zstn-evt-backup-loop value is 11 "<1> Backup creation loop - BACKUPCPU NONE assumed" • CAUSE: The backup process repeatedly failed.
zstn-evt-trace-stop value is 15 "<1> Trace stopped" • CAUSE: An STN trace was stopped. • EFFECT: None. • RECOVERY: The binary trace file may now be forwarded to Support, or may be formatted using the GTRED program. zstn-evt-trace-segment value is 16 "<1> Trace not started to <2> size <3> allocatesegment error <4>" <2> extended segment file name <3> size of the file <4> error code • CAUSE: An error was encountered when allocating an extended segment file. • EFFECT: Tracing is not enabled.
zstn-evt-trace-size-file value is 20 "<1> PARAM TRACE^SIZE must precede PARAM TRACE^FILE" • CAUSE: PARAM TRACE^SIZE followed PARAM TRACE^FILE • EFFECT: PARAM TRACE^SIZE is ignored, so the trace file is opened with the default size. • RECOVERY: Reorder the PARAM list. STNCOM commands can be used to stop and restart the trace using the desired size without shutting down STN.
zstn-evt-exit-debug value is 25 "<1> Process exiting debug" • CAUSE: An inspect session from a previous DEBUG command finished. • EFFECT: STN operation continues. Active sessions may timeout if the time spent in inspect mode was too long. • RECOVERY: None; informational only. Client Messages at the Remote Workstation When a TN6530 client (terminal emulator) such as Win6530 or J6530 first connects to STN, several messages are displayed as the session is initiated.
STN07 SU Window not found User entered #WINDOW name in response to the menu, but the specified window is not configured. STN08 Window is not Type SU User entered #WINDOW name in response to the menu, but the specified window is not configured as type SU. STN09 Window is stopped by system operator User entered #WINDOW name in response to the menu, but the specified window was stopped by STNCOM STOP/ABORT WINDOW command.
STN17 Input error; proper syntax is group.user Improper response to STN15 prompt. STN18 Unknown userid or incorrect password; please wait ... This follows the response to the STN16 prompt. After a delay to discourage hackers and automated logon attacks, the STN15 prompt is repeated. After three STN18 consecutive logon failures, the session is terminated.
STN28 PROGRAM file format error PROCESS_CREATE_ error 12: PROGRAM file error, see detail. STN29 LIB file format error PROCESS_CREATE_ error 13: LIB file error, see detail. STN30 no pcb available PROCESS_CREATE_ error 15: no pcbs available. STN31 unlicensed privileged program PROCESS_CREATE_ error 17. STN32 library conflict PROCESS_CREATE_ error 18. STN33 PROG and LIB files the same PROCESS_CREATE_ error 19.
STN39 Session terminated - application request (control 12)
STN51 Workstation IP address not in range for requested service The IP address of the remote workstation is not defined in the IPRANGE, or the IPRANGE is not defined. STN54 session timed out waiting for user logon response A session connected to a SERVICE with LOGON REQ, but the user did not respond to the logon prompt. STN57 This 6530 emulator does not support required WSINFO See STNCOM command WSINFO. STN58 WSINFO address does not match network address See STNCOM command WSINFO.
STN71 Userid not allowed for this service The selected service included a USER parameter, and the userid entered at the keyboard (or automatically supplied) does not match. The session is terminated. STN72 Using userid from SSH The SSH SYSTEM-USER is being used instead of the STN15/STN16 prompt. STN73 Using SSH_Default_Svc The CI-PROGRAM is *MENU* (without anything following *MENU*), so the service specified by SSH_DEFAULT_SVC is used.
STN94 Userid provided by SSH not valid
    SSH sessions with *MENU* and an SSH Guardian system user in group.user format that does not match the SERVICE USER are terminated with this message.
205 Only used with special terminals. p1=1 disables echo of ASCII EOT (hex 04). p1=0 (default) is compatible with previous releases and handles EOT like any other character for echo purposes.
206 Only used with special terminals.
• STN Reference HP NonStop SSH Reference Manual
Monitoring and Auditing

Introduction

The SSH2 process writes two kinds of messages that allow users to analyze its operation:
• Log messages are intended to show the overall functioning of the process: startup, normal operation, and error conditions. Log messages can be written to a file, to a console device, or to an event collector process.
• Audit messages are intended to provide a view of the operations executed, from an auditor's perspective.
$SSH42|09Dec09 20:00:18.23|30|Host key MD5 fingerprint: b0:c7:86:e6:63:b8:2d:4b:b7:78:84:ec:dc:33:ed:c9
$SSH42|09Dec09 20:00:18.23|30|Host key Bubble-Babble: xetig-fegyg-pidyn-babyl-kefodsigeh-danyb-gykyl-sebuc-curul-fuxyx
$SSH42|09Dec09 20:00:18.23|10|SSH2 Server listening on interface 0.0.0.0, port 42022

The following example shows some log messages when an SFTP client connects, issues some commands, and disconnects:

$SSH42|09Dec09 20:15:42.96|50|10.0.0.
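The log lines above are pipe-delimited: process name, timestamp, log level, text. As an added example that is not part of the manual or of the SSH2 product, the following Python parses that layout, collects the lines at level 10 and 20 (the levels the Troubleshooting chapter assigns to errors and warnings; the listening message above shows that some startup facts are also written at level 10, so level alone does not identify an error), records the interface and port the daemon reports listening on, and compares the logged host-key MD5 fingerprint with the one the operator expects, which is how an unexpected host-key change at startup would be caught. The sample lines are constructed for this example: the first three are this chapter's own, the warning and error texts reuse message texts from the Event Summary appendix, and the expected fingerprint and the level threshold are assumptions.

```python
"""Triage HP NonStop SSH2 log lines.

Log line layout, as in this chapter's examples:
  <process>|<ddMonyy HH:MM:SS[.ff]>|<log level>|<text>
The Troubleshooting chapter assigns level 10 to error messages and level 20 to
warnings; higher levels are informational. Some startup facts (the "listening
on interface" line) are also logged at level 10, so level alone does not
identify an error. Added example, not code from the manual or the product.
"""
import re
from collections import Counter
from datetime import datetime

LOG_RE = re.compile(
    r"^(?P<process>\$\w+)\|"
    r"(?P<ts>\d{2}[A-Za-z]{3}\d{2} \d{2}:\d{2}:\d{2}(?:\.\d{1,6})?)\|"
    r"(?P<level>\d+)\|"
    r"(?P<text>.*)$")
FINGERPRINT_RE = re.compile(
    r"Host key MD5 fingerprint: ([0-9a-fA-F]{2}(?::[0-9a-fA-F]{2}){15})")
LISTEN_RE = re.compile(r"listening on interface (\S+), port (\d+)")

ATTENTION_LEVEL = 20   # assumed threshold: levels 10 and 20 deserve a look


def parse_log_line(line):
    """Return {process, ts, level, text} for one log line, or None for other text."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    fmt = "%d%b%y %H:%M:%S.%f" if "." in rec["ts"] else "%d%b%y %H:%M:%S"
    rec["ts"] = datetime.strptime(rec["ts"], fmt)
    rec["level"] = int(rec["level"])
    return rec


def triage(text, expected_md5=None):
    """Summarise a log excerpt.

    by_level:       how many lines were logged at each level
    attention:      texts of all lines at level <= ATTENTION_LEVEL
    listeners:      (interface, port) pairs the daemon reported listening on
    wildcard_bind:  True if any listener is bound to 0.0.0.0 or ::
    fingerprint:    host-key MD5 fingerprint found in the excerpt, if any
    fingerprint_ok: fingerprint == expected_md5, or None if either is missing
    """
    out = {"by_level": Counter(), "attention": [], "listeners": [],
           "wildcard_bind": False, "fingerprint": None, "fingerprint_ok": None}
    for line in text.splitlines():
        rec = parse_log_line(line)
        if rec is None:
            continue
        out["by_level"][rec["level"]] += 1
        if rec["level"] <= ATTENTION_LEVEL:
            out["attention"].append(rec["text"])
        fm = FINGERPRINT_RE.search(rec["text"])
        if fm:
            out["fingerprint"] = fm.group(1).lower()
        lm = LISTEN_RE.search(rec["text"])
        if lm:
            iface, port = lm.group(1), int(lm.group(2))
            out["listeners"].append((iface, port))
            if iface in ("0.0.0.0", "::"):
                out["wildcard_bind"] = True
    if expected_md5 is not None and out["fingerprint"] is not None:
        out["fingerprint_ok"] = out["fingerprint"] == expected_md5.lower()
    return out


# Constructed sample: the first three lines are this chapter's own startup
# example; the warning and error lines are made up here, reusing message texts
# listed in the Event Summary appendix.
SAMPLE_LOG = """\
$SSH42|09Dec09 20:00:18.23|30|Host key MD5 fingerprint: b0:c7:86:e6:63:b8:2d:4b:b7:78:84:ec:dc:33:ed:c9
$SSH42|09Dec09 20:00:18.23|30|Host key Bubble-Babble: xetig-fegyg-pidyn-babyl-kefodsigeh-danyb-gykyl-sebuc-curul-fuxyx
$SSH42|09Dec09 20:00:18.23|10|SSH2 Server listening on interface 0.0.0.0, port 42022
$SSH42|09Dec09 20:15:50.01|20|172.16.123.103:1831: public key authentication failed, invalid signature
$SSH42|09Dec09 20:16:02.44|10|Invalid runmode. SSH2 terminating.
"""

# Assumed: the fingerprint the operator recorded when the host key was generated.
EXPECTED_HOST_KEY_MD5 = "b0:c7:86:e6:63:b8:2d:4b:b7:78:84:ec:dc:33:ed:c9"

if __name__ == "__main__":
    result = triage(SAMPLE_LOG, EXPECTED_HOST_KEY_MD5)
    for key, value in result.items():
        print(f"{key:15} {value}")
```

A wildcard bind is not wrong in itself, but on a host with several TCP/IP stacks or subnets it is worth confirming against the INTERFACE parameter that the daemon is listening only where it should; a fingerprint mismatch at startup means the host key file changed and clients will start seeing host-key warnings.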
Destinations for Log Messages

The SSH2 component can log to the following destinations:
• A file configured with the LOGFILE parameter.
• A process-internal memory cache for log messages (parameters LOGLEVELCACHE, LOGCACHESIZE).
• A device configured with the LOGCONSOLE parameter.
• An event collector process configured with the LOGEMS parameter.

By default, the SSH2 component logs messages only to the home terminal. Logging to a file or to EMS is not enabled by default.
For details about the parameters controlling log behavior, refer to the LOG parameters in the chapter "Configuring and Running SSH2". See the section "Log File/Audit File Rollover" for how to view the content of a log file.

Customizing the Log Format

SSH2 allows users to customize certain aspects of the appearance of log messages. Using the LOGFORMAT parameter, you can add the current date to the log message header.
$SSH49|22Dec10 15:43:07|172.16.123.103:1831: wronguser@172.16.123.103 authentication failed (method none): System user 'wronguser' does not exist.

The following shows an audit message for a user trying to access the system with an existing user name, yet with an invalid public key:

$SSH49|23Dec10 15:57:23|172.16.123.110:3945: comf.us@172.16.123.110 terminated session
$SSH49|23Dec10 15:57:23|172.16.123.110:3945: comf.us@172.16.123.
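The audit lines above follow the per-event patterns listed in the event table of this chapter, for example "%sessionId: %user@%remoteAddress %action %outcome (method %method): %reason" for an AuthenticationEvent and "%sessionId: %user@%remoteAddress %action %object %outcome (error %error)" for the SFTP file events. As an added example, not code from the manual or from the SSH2 product, the following Python splits an audit line into those fields and then runs a simple detector over the records: repeated authentication failures from one remote address inside a short window, which is what password guessing or key spraying looks like in this audit stream. The sample lines are constructed for this example (the first and last are the two examples on this page, the others are made up), and the failure threshold and window length are assumptions to tune for your site.

```python
"""Parse HP NonStop SSH2 audit lines and flag bursts of failed authentications.

Audit line layout, as in this chapter's examples:
  <process>|<ddMonyy HH:MM:SS>|<sessionId>: <user>@<remoteAddress> <event text>
where <event text> follows the per-event patterns, e.g.
  "%action %outcome (method %method): %reason"   (AuthenticationEvent)
  "%action %object %outcome (error %error)"       (SFTP file events)
Added example, not code from the manual or the SSH2 product.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

LINE_RE = re.compile(
    r"^(?P<process>\$\w+)\|"
    r"(?P<ts>\d{2}[A-Za-z]{3}\d{2} \d{2}:\d{2}:\d{2})\|"
    r"(?P<session>\S+): "
    r"(?P<user>\S+)@(?P<remote>\S+) "
    r"(?P<event>.+)$")
# The outcome token separates "action [object]" from "(detail): reason".
OUTCOME_RE = re.compile(r"\b(granted|denied|failed|succeeded)\b")
TAIL_RE = re.compile(r"^\s*(?:\((?P<detail>[^)]*)\))?\s*(?::\s*(?P<reason>.*?))?\s*$")


def parse_audit_line(line):
    """Return a dict of fields for one audit line, or None if the line is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d%b%y %H:%M:%S")
    event = rec.pop("event")
    rec.update(action=None, object=None, outcome=None,
               method=None, error=None, reason=None)
    # Take the leftmost outcome word: a reason such as "Password verification
    # failed." must not be mistaken for the outcome itself.
    om = OUTCOME_RE.search(event)
    if om is None:                      # e.g. "terminated session"
        action, _, obj = event.partition(" ")
        rec.update(action=action, object=obj or None)
        return rec
    head = event[:om.start()].split()
    rec["action"] = head[0] if head else None
    rec["object"] = " ".join(head[1:]) or None
    rec["outcome"] = om.group(1)
    tm = TAIL_RE.match(event[om.end():])
    if tm:
        rec["reason"] = tm.group("reason")
        key, _, value = (tm.group("detail") or "").partition(" ")
        if key in ("method", "error"):  # "(method none)" / "(error 48)"
            rec[key] = value
    return rec


def parse_audit(text):
    """Parse every audit line in a text excerpt, skipping anything else."""
    return [r for r in (parse_audit_line(l) for l in text.splitlines()) if r]


def detect_auth_failure_bursts(records, threshold=3, window_seconds=300):
    """Return {remote: {"failures": n, "users": [...]}} for every remote address
    with at least `threshold` failed authentications inside a sliding window of
    `window_seconds`; "users" lists every user name that address tried in the
    excerpt. Threshold and window are tuning assumptions, not manual values."""
    recent = defaultdict(deque)
    users = defaultdict(set)
    flagged = {}
    for rec in sorted(records, key=lambda r: r["ts"]):
        if rec["action"] != "authentication" or rec["outcome"] != "failed":
            continue
        q = recent[rec["remote"]]
        q.append(rec["ts"])
        users[rec["remote"]].add(rec["user"])
        while (q[-1] - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold:
            flagged[rec["remote"]] = {"failures": len(q),
                                      "users": sorted(users[rec["remote"]])}
    return flagged


# Constructed sample. The first and last lines are this page's own examples;
# the other lines are made up here to exercise the parser and the detector.
SAMPLE_AUDIT = """\
$SSH49|22Dec10 15:43:07|172.16.123.103:1831: wronguser@172.16.123.103 authentication failed (method none): System user 'wronguser' does not exist.
$SSH49|22Dec10 15:43:09|172.16.123.103:1832: comf.us@172.16.123.103 authentication failed (method password): Password verification failed.
$SSH49|22Dec10 15:43:12|172.16.123.103:1833: admin.ops@172.16.123.103 authentication failed (method publickey): No matching public key.
$SSH49|22Dec10 15:44:30|172.16.123.110:3945: comf.us@172.16.123.110 authentication succeeded (method publickey)
$SSH49|22Dec10 15:44:35|172.16.123.110:3945: comf.us@172.16.123.110 purge $DATA1.APP.CONFIG denied (error 48)
$SSH49|23Dec10 15:57:23|172.16.123.110:3945: comf.us@172.16.123.110 terminated session
"""

if __name__ == "__main__":
    records = parse_audit(SAMPLE_AUDIT)
    for r in records:
        print(r["ts"], r["remote"], r["user"], r["action"], r["outcome"],
              r["method"], r["error"], r["reason"])
    print(detect_auth_failure_bursts(records))
```

The detector keys on the remote address rather than the user name because three different user names from one address in five seconds is a stronger signal than three failures for one user; the STN18 handling described in the STN Reference (delay, then termination after three consecutive failures) is a per-session control and does not by itself tell you that one client is walking through your user list.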
Event Id / Event Name / Conditions / Pattern / Token Values

Event 1: AuthenticationEvent
Condition: Authentication successful, method not publickey and not gssapi-with-mic
Pattern: "%sessionId: %user@%remoteAddress %action %outcome (method %method): %reason.
Events 5, 6: SftpOpenFileEvent, SftpTouchFileEvent
Condition: Failed, error detail available
Pattern: "%sessionId: %user@%remoteAddress %action %object %outcome (error %error)"
Token Values: %sessionId: SESSION-LOG-ID; %user: SSH username; %remoteAddress: remote IP address; %action: ‘subsystem’; %object: name of subsystem; %outcome: ‘denied’ or ‘failed’; %error: error detail
Condition: Failed, error detail not available
Pattern: "%sessionId: %user@%remoteAddress %action %object %outcome"
Token Values: %sessionId: SESSION-LO
Token Values (cont.): %mode: file open mode (‘read’ if file exists or ‘write’ if file does not exist)
Event 7: SftpReadFileEvent
Condition: Failed, error detail available
Pattern: "%sessionId: %user@%remoteAddress %action %object (mode %mode) %outcome (error %error)"
Token Values: %sessionId: SESSION-LOG-ID; %user: SSH username; %remoteAddress: remote IP address; %action: ‘touch’; %object: file name; %mode: file open mode (‘read’ if file exists or ‘write’ if file does not exist); %outcome: ‘denied’ or ‘failed’; %er
Event 8: SftpWriteFileEvent
Condition: Successful
Pattern: "%sessionId: %user@%remoteAddress %action %object %outcome"
Token Values: %sessionId: SESSION-LOG-ID; %user: SSH username; %remoteAddress: remote IP address; %action: ‘write’; %object: file name; %outcome: ‘granted’
Condition: Failed, error detail available
Pattern: "%sessionId: %user@%remoteAddress %action %object %outcome (error %error)"
Token Values: %sessionId: SESSION-LOG-ID; %user: SSH username; %remoteAddress: remote IP address; %action: ‘write’ (remote error)
Token Values (cont.): %remoteAddress: remote IP address; %action: ‘close’; %object: file name; %size: file size; %bytes_read: number of bytes read; %bytes_written: number of bytes written
Events 10, 11: SftpPurgeFileEvent, SftpRenameEvent
Condition: Successful
Pattern: "%sessionId: %user@%remoteAddress %action %object %outcome"
Token Values: %sessionId: SESSION-LOG-ID; %user: SSH username; %remoteAddress: remote IP address; %action: ‘purge’; %object: file name; %outcome: ‘granted’
Condition: Failed, error detail available
Pattern: "%se
Events 12, 13: SftpListDirEvent, SftpMkDirEvent
Condition: Failed, error detail not available
Pattern: "%sessionId: %user@%remoteAddress %action %object to %newname %outcome"
Token Values: %sessionId: SESSION-LOG-ID; %user: SSH username; %remoteAddress: remote IP address; %action: ‘rename’; %object: old file name; %newname: new file name; %outcome: ‘denied’ or ‘failed’
Condition: Successful
Pattern: "%sessionId: %user@%remoteAddress %action %object %outcome"
Token Values: %sessionId: SESSION-LOG-ID; %user: SSH username; %rem
Token Values (cont.): %action: ‘mkdir’; %object: directory name; %outcome: ‘denied’ or ‘failed’
Events 14, 15: SftpRmDirEvent, SftpSymlinkEvent
Condition: Successful
Pattern: "%sessionId: %user@%remoteAddress %action %object %outcome"
Token Values: %sessionId: SESSION-LOG-ID; %user: SSH username; %remoteAddress: remote IP address; %action: ‘rmdir’; %object: directory name; %outcome: ‘granted’
Condition: Failed, error detail available
Pattern: "%sessionId: %user@%remoteAddress %action %object %outcome (error %error)"
Token Values: %sessionId: SES
Token Values (cont.): %outcome: ‘denied’ or ‘failed’
Events 16, 17, 18: PtyEvent, ShellEvent, ExecEvent
Condition: Successful
Pattern: "%sessionId: %user@%remoteAddress %action %object %outcome"
Token Values: %sessionId: SESSION-LOG-ID; %user: SSH username; %remoteAddress: remote IP address; %action: ‘ptyallocate’; %object: pty name; %outcome: ‘granted’
Condition: Failed
Pattern: "%sessionId: %user@%remoteAddress %action %object %outcome"
Token Values: %sessionId: SESSION-LOG-ID; %user: SSH username; %remoteAddress: remote IP address; %action: ‘pty
Token Values (cont.): %outcome: ‘granted’, ‘denied’ or ‘failed’; %forcedCommand: forced command
Event 19: ForwardEvent
Condition: Direct
Pattern: "%sessionId: %user@%remoteAddress %action %object %outcome (%fromAddr:%fromPort>%toAddr:%toPort)"
Token Values: %sessionId: SESSION-LOG-ID; %user: SSH username; %remoteAddress: remote IP address; %action: ‘forward’; %object: ‘direct-tcpip’; %outcome: ‘granted’, ‘denied’ or ‘failed’; %fromAddr: from address; %fromPort: from port; %toAddr: to address; %toPort: to port
Condition: Not Dir
Token Values (cont.): %action: ‘terminate’; %object: ‘SFTP process’; %errInfo: error detail; %processType: ‘SFTPSERV’; %processName: process name

Log File/Audit File Rollover

When logging to a file, SSH2 uses a round-robin mechanism to switch to a new file. Log file rollover applies both to auditing (the file configured with the AUDITFILE parameter) and to logging (the file configured with the LOGFILE parameter).
Viewing File Contents from Guardian with SHOWLOG

SSH2 servers may be configured to write log or audit files to disk. For performance reasons, those log files are created as unstructured files:

15> fileinfo SSH2log
$data1.comfSSH2
              CODE       EOF  LAST MODIFIED     OWNER  RWEP  PExt  SExt
SSH2log          0      5044  25sep2003 15:14  110,111 aaaa     4    28
16>

While the program is running, the log file is always open; however, it may be concurrently opened for viewing.
[def ] AUDITFORMAT <21>
[def ] AUDITMAXFILELENGTH <20000>
[def ] AUTOADDAUTHPRINCIPAL
[run ] AUTOADDSYSTEMUSERS
[run ] AUTOADDSYSTEMUSERSLIKE
[def ] BACKUPCPU
[def ] BANNER <*>
[def ] BURSTSUPPRESSION
[def ] BURSTSUPPRESSIONEXPIRATIONTIME <300>
[def ] BURSTSUPPRESSIONMAXLOGLEVEL <40>
[def ] CACHEBURSTSUPPRESSION
[def ] CIPCOMPATERROR <*>
[def ] CIPHERS
[par ] SFTPEDITLINEMODE
[def ] SFTPEDITLINENUMBERDECIMALINCR <1000>
[def ] SFTPEDITLINESTARTDECIMALINCR <-1>
[par ] SFTPEXCLUSIONMODEREAD
[def ] SFTPIDLETIMEOUT <-1>
[def ] SFTPMAXEXTENTS <900>
[def ] SFTPPRIMARYEXTENTSIZE <2>
[def ] SFTPREALPATHFILEATTRIBUTEECHOED
[def ] SFTPSECONDARYEXTENTSIZE <100>
[def ] SFTPUPSHIFTGUARDIANFILENAMES
[def ] SHELLENVIRONMENT <>
[def ] SOCKETKEEPALIVE <1>
[par ] SOCKETRCVBUF <122880>
[par ] SOCKETSNDBUF <122880>
[def ] SOCKTCPMAXRXMT <0>
[
(output not shown here)
-----finishing dump of file before end-of-file
-----done
34>

Notes
• In this example, by using '*' as the second runtime argument, the output is written to the home terminal. When using the byte offset parameter, or the byte offset and length parameters, the out file parameter must be specified as well.
• Starting with SPR T0801^ABE, SHOWLOG reports errors regarding invalid timestamps. It is now possible to specify just a time without a date.
Performance Considerations

Introduction

As the saying goes, "there is no such thing as a free lunch": using SSH2 to encrypt traffic consumes CPU cycles on your NonStop host. The natural question, "how much CPU does encryption consume?", has no simple answer; it depends on many factors:
• In general:
  o How many SSH connections are created: the initial setup of an SSH session involves public-key operations, which require CPU-intensive calculations.
Performance Analysis of SSH Session Establishment

Performance Running as SSH Daemon

The performance impact of the initial SSH session setup should be viewed separately. As explained before, establishing an SSH session involves several CPU-intensive public-key operations. The number of CPU cycles consumed depends on the key sizes used.
SFTP clients that retrieve the file attributes for each file matching the specified pattern again from the SFTP server. This causes unnecessary overhead. If the delay is unacceptably long, the following workarounds may help:
• Reduce the number of files in one directory/subvolume on NonStop.
• Set the USER attribute SFTP-GUARDIAN-FILESET if information about files in a Guardian subvolume is listed.
Troubleshooting

Introduction

This chapter lists the information items support needs when an SSH2 related problem is reported, and a number of common error messages that SSH2 or an SSH client can produce, explaining what they mean in more detail. We do not attempt to list all error messages here: there are many that should never occur, and some that should be self-explanatory.
General SSH2 Error Messages

Errors that impact the operation of the SSH2 process are reported as error or warning log messages. Log messages are written to the log destinations configured by the LOGCONSOLE, LOGFILE and LOGEMS parameters. Error log messages have a log level of 10. Note that some informational startup messages, such as the "SSH2 Server listening on interface ..." message shown in the Monitoring and Auditing chapter, are also written at level 10, so the level alone does not identify a line as an error.

unexpected exception: . SSH2 terminating.
Describes the error condition.
Cause: The SSH2 process encountered a fatal error condition.
Effect: The SSH2 process terminates.
Session Related SSH2 Errors

Session related errors are reported as SSH2 warning log messages. Warning messages have a log level of 20.

Session Related Error Messages of SSH2 Daemon

All messages related to a connection received from a remote SSH client are preceded by a session ID.
Name of the remote user.
Describes the reason for the authentication failure.
Cause: An error occurred during the authentication of the user. Typical errors are: "User not found": the user does not exist in the SSHCTL. "User is frozen": the user exists in the SSHCTL but is frozen.
Effect: The remote SSH user cannot be authenticated. The session is terminated.
Recovery: Any corrective action depends on the reason for the authentication failure.
Recovery: Reduce the number of identities (private keys) that the SSH client presents for the user. Usually this means loading fewer keys into the SSH agent.

: public key authentication failed, invalid signature
Cause: The signature presented by the SSH client does not verify against the public key.
Effect: The authentication is rejected.
Recovery: Check the SSH client that presented the invalid signature.
Is the detail error number raised by the PROCESSCREATE function.
Cause: PROCESSCREATE failed with an error.
Effect: The channel request (e.g. subsystem sftp) for which the process (e.g. SFTPSERV) should have been created fails.
Recovery: Check the NonStop server documentation for PROCESSCREATE error descriptions. If SFTPSERV could not be started, make sure the program is located in the same directory as SSH2.
Is the port number the SSH client requested to forward the connection to.
Describes the error that occurred.
Cause: An error occurred when trying to forward a connection.
Effect: The forwarding request fails.
Recovery: Any corrective action depends on . A typical error is a failure to connect to the target host and port; the SSH client may need to correct its port forwarding configuration.
Is the name of a KNOWNHOST entity contained in the SSHCTL.
Cause: The SSH client (e.g. SFTP) tried to access a known host that is frozen.
Effect: Client access to the host is denied. The client connection fails.
Recovery: If access to the host is desired, use the SSHCOM THAW KNOWNHOST command to thaw the host.

: client access to known host denied, public key changed
Is the name of a KNOWNHOST entity contained in the SSHCTL.
: failed to open channel, reason:
Is a description of the cause of failure, sent by the remote SSH server.
Cause: The remote SSH server could not open the channel the local SSH client requested.
Effect: The channel is not opened.
Recovery: Any corrective action depends on .

: channel request failed
Cause: The remote SSH server reports the failure of a channel request previously issued for the local SSH client.
Client Error Messages

This section describes common errors generated by the SSH[OSS] and SFTP[OSS] client programs.

could not open SSH2 process :
Describes the error condition.
Cause: The client failed to open a suitable SSH2 server process.
Effect: The client process terminates.
Recovery: Check whether any SSH2 processes are started.

connect failed, error
Describes the error condition.
Please contact your system administrator.
In this case, SSH2 has automatically added a KNOWNHOST object named , storing the remote host's public key. However, the KNOWNHOST attribute FROZEN is set, disallowing any connections to that host until it is THAWED.
After reconnecting the client, a "WARNING: REMOTE HOST IDENTIFICATION UNKNOWN!" is issued and a new KNOWNHOST entry for the remote host's new public key is automatically added to the SSHCTL. If the SSH2 parameter STRICTHOSTKEYCHECKING is TRUE, you need to thaw the newly added KNOWNHOST entry before a connection can be established: THAW KNOWNHOST . Before thawing, confirm through an independent channel that the remote host's key really did change; an unexpected key change is also exactly what a man-in-the-middle attack looks like.

Couldn't read packet:
Couldn't write packet:
Describes the error condition.
Appendix

Event Summary

The tables below list log messages with log level, log text and a short description of the variable parts used in the event text.
LOG LEVEL EVENT TEXT / Description Variable Parts : Value of second highest byte of GSSAPI major status : GSSAPI major status : GSSAPI minor status : Highest byte of minor status : Value of second highest byte of GSSAPI minor status : Value of lowest 16Bit of GSSAPI minor status 10 : Error (GSS_C_GSS_CODE): : Session Name : GSSAPI error description for major status 10 : Error (GSS_C_MECH_CODE): : Session Name :
: Value configured for parameter SFTPEXCLUSIONMODEREAD 10 Value for SFTPEXCLUSIONMODEWRITE not a supported value. : Value configured for parameter SFTPEXCLUSIONMODEWRITE 10 request code : Request Code 10 APILIB error : Error 10 SFTPSERV serving @ is stopping, reason: .
: Decode error number 10 : could not add HPSIM key: : Session Name : Exception text 10 Invalid runmode. SSH2 terminating. 10 Valid runmodes are CLIENT, DAEMON, SERVER (same as DAEMON), ADMIN, NOADMIN, CLIENT_ADMIN, SERVER_ADMIN, DAEMON_ADMIN or ALL.
Event Category WARNING LOG LEVEL EVENT TEXT / Description Variable Parts 20 gssapi kex failed: : Error message 20 : GSS KEX disabled: : Session Name : Error text 20 : forwarding remote connection from to failed () : Session Name : Protocol : Normalized originator host address and port : Normalized target host address and port : Description 20 : listen request from remote failed, could not list
: Session Name 20 : SSH client access denied: SSH2 not licensed for general usage. : Session Name 20 : could not add KNOWNHOST to database for local system user : : Session Name : Known host : Owner of new knownhost record : Exception text 20 : update of stored password for local system user failed.
: Login name 20 : exception during host verification (local system user ): : Session Name : Login name : Exception text 20 : Authentication of succeeded : Session Name : User name 20 : Authentication failed : Session Name 20 : gssapi authentication failed: : Session Name : Error message 20 : request rejected: Forwarding error
: Session Name : Normalized originator host address and port : Normalized target host address and port : ALLOWTCPFORWARDING 20 : forwarding from to denied, USER not found in database and PARAM set to true : Session Name : Normalized originator host address and port : Normalized target host address and port : Guardian user name : RESTRICTIONCHECKFAILEDDEFAULT 20
: Session Name : Normalized address and port to bind : User name 20 : forwarding from denied, USER not found in database and PARAM set to true : Session Name : Normalized originator host address and port : Guardian user name : RESTRICTIONCHECKFAILEDDEFAULT 20 : forwarding from denied, RESTRICTION-PROFILE FORWARD-FROM for USER does not include originator host :
: Session Name : Remote host TCP/IP address : User name : AUTOADDSYSTEMUSERS 20 : request rejected: USER is not permitted to connect from host due to RESTRICTIONPROFILE settings.
: Session Name 20 : public key authentication failed, too many keys : Session Name 20 : public key authentication failed, invalid signature : Session Name 20 : authentication failed: GSSAPI not available : Session Name : Authentication method name 20 : authentication failed: no GSS context established during key exchange : Session Name : Authentication method name 20 <
20 : shell request from 6530 client rejected, not licensed : Session Name 20 : channel shell for 6530 command interpreter denied (due to the SSH user's ALLOW-CI settings) 20 : shell request from 6530 client rejected, configured system user unknown : Session Name : Session Name 20 : request rejected, shell access not licensed : Session Name : Request type 20 : request rejecte
: Pseudo terminal name used for authentication 20 : pty request denied: pseudo terminal access not allowed for user : Session Name : User name 20 : Could not allocate PTY: (authentication dummy pty: ) : Session Name : Exception text : Pseudo terminal name used for authentication 20 : Could not allocate PTY: : Session Name : Exception text 20 : forwardi
20 Expected IPv6 address for parameter because IP mode is but found IPv4 address . Using value instead. : Parameter name : TCP/IP mode : Value configured for parameter : Normalized interface address value 20 Expected IPv4 address for parameter because IP mode is but found IPv6 address . Using value instead.
: Session Name : Normalized originator host address and port : Normalized target host address and port : Description 20 : SSH FTP Error '' : Session Name : Exception text 20 : socket error '', aborting session : Session Name : Exception text 20 : unexpected error '', aborting session : Session Name : Exception text 20 : unknown error, aborting sessi
: Value "frozen" or "thawed" 20 Deleting user sessions records (user ) created by no longer existing SSH2 processes failed: : User name : Exception text 20 Updating sessions record for user '' failed: : User name : Exception text 20 Updating sessions record (removing port ) for user '' failed: : Port : User name : Exception text 20 Deleting all user sessions
: Session Name 50 : caching credentials for user '' : Session Name : User initiating GSSAPI authentication 50 : credentials cache file name is '' : Session Name : Kerberos credentials cache file name 50 : processing GSSAUTH_GET_MIC_REQUEST : Session Name 50 : GSSAPI interface opened : Session Name 50 : GSSAPI interface closed : Session Name 50 : Excep
: Session Name : Normalized address and port to bind : Reason 50 : forwarding connection from to : Session Name : Protocol : Normalized originator host address and port : Normalized target host address and port 50 : forwarding connection from (accepted on ) to remote : Session Name : Protocol : Normalized originator host address and port
50 : client access to known host (known by) : Session Name : Known host : Local system user or ALL : Owner 50 : automatically updated KNOWNHOST via GSS key exchange (known by local system user ) : Session Name : Known host : Owner of known host entry 50 : automatically accepted KNOWNHOST via GSS key exchange (entry known by ) : Session Name <
50 : channel request ok : Session Name 50 : server version string: : Session Name : SSH server software version 50 : session disconnected by server: : Session Name : Reason for disconnect 10 DEFINE =TCPIP^PROCESS^NAME has value '' : TCP/IP process name define 10 parameter SUBNET will be ignored and the define value will be used 50 : spawned program successfull
50 : auditing initiated.
: Subsystem name : Program 50 : channel request for 6530 shell, connecting to : Session Name : Program 50 : channel request for 6530 shell, launching : Session Name : Program 50 : channel request for 6530 shell, connecting to PTYSERVER : Session Name : Pseudo terminal server : Service name 50 : channel request for shell, connecting to
: Parameter value : Default value of ALLOWINFOSSH2 10 SSH config database file does not exist, creating. 10 SSH config database opened. : SSH database file name : SSH database file name 10 Initializing SSH2 ADMIN run mode. 10 Initializing SSH2 CLIENT run mode. 10 Initializing SSH2 DAEMON run mode.
: Session Name 40 : received password request, sending user password : Session Name 40 : FTP logon o.
Copyright Statements

As explained in the "SSH Protocol Reference" chapter, SSH2 uses some open source code for some components. This section of the appendix contains the various copyright notices. All patent rights of the various contributors to the open source components of SSH2 are acknowledged.

OpenSSL Copyright Statement

The OpenSSL toolkit is licensed under a dual license (the OpenSSL license and the original SSLeay license). See the license text below.
in this distribution, be it the RC4, RSA, lhash, DES, etc., code; not just the SSL code. The SSL documentation included with this distribution is covered by the same copyright terms except that the holder is Tim Hudson (tjh@cryptsoft.com). Copyright remains Eric Young's, and as such any Copyright notices in the code are not to be removed. If this package is used in a product, Eric Young should be given attribution as the author of the parts of the library used.
* can be used freely for any purpose. Any derived versions of this * software must be clearly marked as such, and if the derived work is * incompatible with the protocol description in the RFC file, it must be * called by a name other than "ssh" or "Secure Shell". [Tatu continues] * However, I am not implying to give any licenses to any patents or * copyrights held by third parties, and the software includes parts that * are not under my direct control.
BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU.
* Copyright 1995, 1996 by David Mazieres . * * Modification and redistribution in source and binary forms is * permitted provided that due credit is given to the author and the * OpenBSD project by leaving this copyright notice intact. 4) The Rijndael implementation by Vincent Rijmen, Antoon Bosselaers and Paulo Barreto is in the public domain and distributed with the following license: * @version 3.
* are met: * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * 3.
* 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.