SSH Reference Manual

ManualsBrandsHP ManualsServerHP NonStop G-Series

121

122

123

124

125

126

127

128

129

130

Using TELSERV as Service Provider

6530 shell channels can also be forwarded to a TELSERV process. This enables a fast and easy migration of an existing

complex TELSERV environment to SSH, such as an environment with static windows. To forward 6530 shell requests

to TELSERV, specify the CI-PROGRAM as follows:

>SSHCOM <ssh2 process name>

%ALTER USER telnetuser, CI-PROGRAM telnet

This assumes that TELSERV is listening on port 23 for the same TCPIP process as SSH2. To forward shell requests to a

TELSERV listening on a different port or address, specify CI-PROGRAM as follows:

%ALTER USER telnetuser, CI-PROGRAM "telnet 192.2.3.4 4023"

Similarly, the SHELL-PROGRAM attribute can be prepared as follows (an example using an IPv6 address):

ALTER USER test, SHELL-PROGRAM "telnet fe80::a00:8eff:fe02:69d9 5023"

6530 shell users (e.g. when connecting a 6530 session over the MR-Win6530 SSH interface) will see the standard

TELSERV service menu after the connection is established.

Note: Although TELNET is specified as CI-PROGRAM, SSH2 will not invoke the TELNET program on a STN 6530

pseudo terminal. To provide optimal performance, SSH2 will directly establish a socket connection to the target

TELSERV process, which will provide the 6530 terminal device for the session.

Granting Access without SSH Authentication

Under certain circumstances, it is desirable to grant access to specific services without forcing the remote SSH user to

authenticate. For example, some services being delivered via SSH may perform their own user authentication. To avoid

making users have to enter their credentials twice, the authentication usually performed over the SSH protocol can be

turned off. Even without SSH authentication, the connection is still encrypted, protecting any passwords and data

transmitted during the service's execution.

CAUTION: When granting unauthenticated SSH access to a resource that performs its own authentication, the user’s

privileges should be properly locked to prevent unauthorized access to any other resources.

For access without authentication, the SSH2 SERVER can be configured so the authentication method "none" is an

ALLOWED-AUTHENTICATION for a user.

The following SSHCOM commands show how to set up a logical user who only authenticates through the

SAFEGUARD LOGON program:

>RUN SSHCOM $SSH01

SSHCOM T0801H01_22JAN2014_ABK - 2014-01-24 14:42:45.368

OPEN $ssh01

% ADD USER safeguarduser, ALLOWED-AUTHENTICATION (none), &

% SYSTEM-USER *none*, CI-PROGRAM $SYSTEM.SYSTEM.LOGON, &

% ALLOW-SHELL NO, ALLOWED-SUBSYSTEMS (), ALLOW-TCP-FORWARDING NO

OK, user safeguarduser added.

In the example above, "safeguarduser" does not require an individual SSH authentication. In this case, the user name

serves as a logical service that provides system access via the SAFEGUARD logon program. This service can be shared

by multiple individual users. After the session is established, the SAFEGUARD logon program performs user

authentication.

Please note that additional attributes limit the access rights of the user to the SAFEGUARD logon program only.

The following SSHCOM commands show how to set up a logical user who is only authenticated with the services started

by the STN PTY server:

HP NonStop SSH Reference Manual Configuring and Running SSH2 • 129