SSH Reference Manual
TACL Subsystem and Command Interpreter
Configuration
Enhanced EXEC Processing
The processing of EXEC requests (ssh client started with a remote command on the ssh command line) has been
enhanced in version 0097 to add flexibility. It is now possible to let a user execute single TACL commands or TACL
macros or a command interpreter other than TACL even though the subsystem TACL is not allowed for the user
(ALLOWED-SUBSYSTEMS does not contain tacl).
Previously, the execution of CI-PROGRAM via TACL command on the SSH client command line was rejected if tacl
was not an allowed subsystem. Now the tacl subsystem can be removed from the list of ALLOWED-SUBSYSTEMS but
the execution of commands via “tacl -c <command>” and “tacl -p <program> <cmd>” is still allowed as long as the
USER attribute ALLOW-CI is set to YES.
If an EXEC request is received and subsystem tacl is not allowed, CI-PROGRAM is left at the default value and
CI-COMMAND is not configured, then either -p or -c must be specified. Otherwise the user would get a TACL prompt,
which should not be allowed if tacl is not an allowed subsystem. The enhanced EXEC processing makes it possible to
use subsystem tacl and CI-PROGRAM independently. Previously the subsystem tacl was initiated for an EXEC tacl
request. In order to be compatible with the previous behavior, EXEC tacl still starts subsystem tacl if tacl is an allowed
subsystem. But now it is possible to specify a new command "ci" (instead of "tacl") on the SSH client command line
with options “-c <cmd>” and “-p <program> <cmd>” with the same meaning as the tacl -c and -p options.
The processing of EXEC ci is as follows, if ALLOW-CI is set to YES:
• Command on ssh client command line is "ci":
The value of USER attribute CI-PROGRAM is started as command interpreter (default:
$SYSTEM.SYSTEM.TACL). If additionally CI-COMMAND is configured, then this command is executed. If
no command is specified and tacl is not an allowed subsystem, the request will be rejected.
• Command on ssh client command line is "ci -c <cmd>":
The value of USER attribute CI-PROGRAM is started as command interpreter (default:
$SYSTEM.SYSTEM.TACL) and the command <cmd> is executed by the command interpreter unless
CI-COMMAND is configured. In this case the command <cmd> is ignored (but available via PARAM
SSH-ORIGINAL-COMMAND) and the command configured under user attribute CI-COMMAND is executed.
• Command on ssh client command line is "ci -p <program> [<cmd>]":
The command interpreter program <program> is started (default subvolume if not specified is
$SYSTEM.SYSTEM) and if <cmd> is specified, then this command is executed. If no <cmd> is specified, then
the user will get the prompt of the command interpreter and can enter commands interactively.
It is possible that a user specifies "ci -p tacl" even though access to tacl is not allowed for the user. Therefore a
new USER attribute ALLOW-CI-PROGRAM-OVERRIDE determines whether a user is allowed to use "ci -p". The
default value for attribute ALLOW-CI-PROGRAM-OVERRIDE is NO.
With this enhancement, if subsystem tacl is not allowed, an EXEC request like "tacl -c <cmd>" or "tacl -p <program>
<cmd>" will be automatically converted to "ci -c <cmd>" and "ci -p <program> <cmd>", respectively, and handled
accordingly. In any case, if subsystem tacl is not allowed, then a user will not get a tacl prompt.
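To make the rules above concrete, here is an added Python model of the decision (not code from the SSH2 product): the USER attribute names follow the manual, while the function names, the returned dictionary and the assumption that options given after a plain "tacl" are handled by the ci rules are this example's own.

```python
import shlex
from dataclasses import dataclass, field

DEFAULT_CI_PROGRAM = "$SYSTEM.SYSTEM.TACL"  # default value of CI-PROGRAM

@dataclass
class UserAttrs:
    """The USER attributes the decision depends on (names as in the manual)."""
    allowed_subsystems: set = field(default_factory=lambda: {"tacl"})
    allow_ci: bool = True
    ci_program: str = DEFAULT_CI_PROGRAM
    ci_command: "str | None" = None
    allow_ci_program_override: bool = False

def qualify(program: str) -> str:  # unqualified names default to $SYSTEM.SYSTEM
    return program if "." in program else f"$SYSTEM.SYSTEM.{program}"

def resolve_exec(u: UserAttrs, command_line: str) -> dict:
    """Return how the EXEC request is handled: action is 'reject', 'subsystem'
    (tacl subsystem) or 'ci' (program started with an optional command)."""
    argv = shlex.split(command_line)
    name, opts = (argv[0].lower() if argv else ""), argv[1:]
    tacl_allowed = "tacl" in u.allowed_subsystems
    if name == "tacl" and tacl_allowed and not opts:
        return {"action": "subsystem", "program": "tacl"}  # compatibility path
    if name == "tacl":
        name = "ci"  # tacl -c / tacl -p are converted to ci -c / ci -p (assumed also when tacl is allowed)
    if name != "ci":
        return {"action": "reject", "reason": "not a tacl/ci EXEC request"}
    if not u.allow_ci:
        return {"action": "reject", "reason": "ALLOW-CI is NO"}
    if opts[:1] == ["-p"]:
        if not u.allow_ci_program_override or len(opts) < 2:
            return {"action": "reject", "reason": "ALLOW-CI-PROGRAM-OVERRIDE is NO or no program given"}
        # No <cmd> after the program means the interactive prompt of that program.
        return {"action": "ci", "program": qualify(opts[1]),
                "command": " ".join(opts[2:]) or None}
    if opts[:1] == ["-c"]:
        requested = " ".join(opts[1:]) or None
    elif opts:
        return {"action": "reject", "reason": "unknown option"}
    else:
        requested = None
    # A configured CI-COMMAND wins; the -c text only survives in PARAM SSH-ORIGINAL-COMMAND.
    cmd = u.ci_command or requested
    if cmd is None and not tacl_allowed and u.ci_program == DEFAULT_CI_PROGRAM:
        return {"action": "reject", "reason": "would give a TACL prompt; -c or -p required"}
    return {"action": "ci", "program": u.ci_program, "command": cmd,
            "original_command": requested}
```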
Default configuration
The default configuration allows for subsystem tacl (USER attribute ALLOWED-SUBSYSTEMS lists subsystem
tacl) as well as a command interpreter (ALLOW-CI YES). If a subsystem is requested by the client (e.g. via ssh -s
usr@host tacl), then a TACL process is started after successful authentication and the user sees the TACL prompt. If a
shell is requested by the client (e.g. via ssh usr@host) and the terminal the client was started on is of type TN6530
144 • Configuring and Running SSH2 HP NonStop SSH Reference Manual