SSH Reference Manual

or TN6530-8, then a TACL process is started as well. For any other terminal type a shell request will start a shell under
OSS.
The user may request a specific command interpreter by specifying a remote command “tacl -p <program>”, e.g.:
ssh usr@host tacl -p fup
With a 6530 terminal on the client side, the program $SYSTEM.SYSTEM.FUP is started (the actual FUP object is found on
the SYSnn subvolume); the user sees a FUP prompt and can enter any number of FUP commands. The session ends after
the user enters the FUP command EXIT.
It is possible to specify a command for the requested command interpreter via “tacl -p <program> <command>”. For
example, when executing the following command,
ssh usr@host tacl -p fup info
FUP is started, the FUP command INFO is executed, and the session ends.
Even though the USER attribute ALLOW-CI-PROGRAM-OVERRIDE is set to NO in the default configuration, the above
commands work. The reason is that subsystem tacl is allowed in the default USER configuration, i.e. a user can request
subsystem tacl, get the TACL prompt and execute the <program> (FUP in the example) anyway. Therefore the
value of attribute ALLOW-CI-PROGRAM-OVERRIDE is ignored in this case.
Configuration with Subsystem TACL not Allowed
Since version 0097 it is possible to start a command interpreter even when subsystem tacl is not allowed (USER attribute
ALLOWED-AUTHENTICATIONS does not list subsystem tacl). Before version 0097, the execution of CI-PROGRAM
or of a command interpreter specified as a remote command on the SSH client command line was rejected if tacl was not an
allowed subsystem. Now, with ALLOW-CI set to yes and a 6530 terminal on the client side, the program configured under
CI-PROGRAM, e.g. $SYSTEM.SYSTEM.FUP, can be executed by specifying “ci” on the command line, e.g.:
ssh usr@host ci
The command interpreter starts, its prompt appears (the FUP prompt in the example), and the user can
enter commands that are processed by the started command interpreter.
Alternatively, a command can be specified on the ssh command line, e.g.:
ssh usr@host ci -c info
After the command interpreter has started, the specified command is executed and the session is closed. This works
only if CI-COMMAND is not set in the USER configuration. Otherwise the CI-COMMAND is executed and the
command on the SSH client command line is ignored.
The user can specify a program, e.g.:
ssh usr@host ci -p scf
but this will be rejected with the error “Command interpreter initialization failed” if ALLOW-CI-PROGRAM-OVERRIDE
is NO. After the value of this attribute is changed to YES, the above command is executed: the specified command
interpreter starts and its prompt is displayed.
The user may try to start a TACL via the ci feature, e.g.:
ssh usr@host ci -p tacl
This will be rejected because subsystem TACL is not allowed and granting TACL access via command interpreter access
would circumvent the configured subsystem restriction.
With TACL configured as CI-PROGRAM and ALLOW-CI-PROGRAM-OVERRIDE set to NO, a TACL with a
specific command can still be executed, even if subsystem TACL is not allowed. Unless CI-COMMAND is configured,
a command can be specified on the SSH client side, e.g.:
ssh usr@host ci -c fileinfo
This is allowed as the user does not get a TACL prompt.
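The rules of this section, written as a decision model an administrator can use to check what a USER configuration permits. This Python code is an added example, not part of the manual or of the SSH2 product; UserConfig, Outcome, is_tacl and evaluate are hypothetical names, a 6530 terminal is assumed, and rejecting when ALLOW-CI is not yes is an assumption (the manual only describes the yes case).

```python
from dataclasses import dataclass
from typing import NamedTuple, Optional

@dataclass
class UserConfig:  # hypothetical container for the USER attributes named in this section
    tacl_subsystem_allowed: bool
    allow_ci: bool = True
    ci_program: str = "$SYSTEM.SYSTEM.FUP"
    ci_command: Optional[str] = None
    allow_ci_program_override: bool = False  # NO in the default configuration

class Outcome(NamedTuple):
    decision: str                  # "run", "reject" or "unspecified"
    program: Optional[str] = None
    command: Optional[str] = None  # None: the user gets an interactive prompt
    reason: str = ""

def is_tacl(program: str) -> bool:
    return program.upper().split(".")[-1] == "TACL"

def evaluate(cfg: UserConfig, kind: str, program: Optional[str] = None,
             command: Optional[str] = None) -> Outcome:
    """Model 'tacl -p <program> <command>' (kind="tacl") or 'ci -p <program> -c <command>'."""
    if kind == "tacl":
        if not cfg.tacl_subsystem_allowed:
            return Outcome("reject", reason="subsystem tacl not allowed")
        # ALLOW-CI-PROGRAM-OVERRIDE is ignored here: with a TACL prompt the
        # user could start the program anyway.
        return Outcome("run", program or "TACL", command)
    if not cfg.allow_ci:  # assumption, see lead-in
        return Outcome("reject", reason="ALLOW-CI is not yes")
    if program is not None:
        if not cfg.allow_ci_program_override:
            return Outcome("reject", reason="Command interpreter initialization failed")
        if is_tacl(program) and not cfg.tacl_subsystem_allowed:
            return Outcome("reject", reason="would circumvent the subsystem restriction")
    target = program or cfg.ci_program
    # A configured CI-COMMAND wins; the command from the SSH client is ignored.
    effective = cfg.ci_command if cfg.ci_command is not None else command
    if is_tacl(target) and not cfg.tacl_subsystem_allowed and effective is None:
        # TACL as CI-PROGRAM without any command: not described in this section.
        return Outcome("unspecified", target, reason="not described in this section")
    return Outcome("run", target, effective)

if __name__ == "__main__":
    restricted = UserConfig(tacl_subsystem_allowed=False)
    print(evaluate(restricted, "ci", command="info"))   # ssh usr@host ci -c info
    print(evaluate(restricted, "ci", program="scf"))    # ssh usr@host ci -p scf
```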
The command could be a TACL macro, e.g. a file with the following content:
HP NonStop SSH Reference Manual Configuring and Running SSH2 145