SSH Reference Manual

Database for Daemon Mode
Format and Content of the Database
In daemon mode, the SSH2 database contains USER and RESTRICTION-PROFILE entities that control how
incoming ssh connections are processed. The USER records mainly define the allowed authentication methods and the
mapping from SSH user to a local Guardian user or alias, but they also contain other attributes, e.g. for defining access
restrictions and use of resources. The following information is held for remote users accessing the NonStop SSH/SFTP
service (field names to be used when administering the database are shown in bold at the beginning of each
entry).
The USER entity has the following properties:
USER: The ssh user name used at the remote end of the connection.
COMMENT: Comment text for the ssh user.
ALLOWED-AUTHENTICATIONS: The authentication mechanisms that are allowed for the ssh user.
PRINCIPAL: Kerberos/GSSAPI related attribute: remote principal name configured for ssh user.
OWNER: An existing local system user allowed to modify the USER record. The allowed actions of the owner
of a record and of the manager of the owner of the record are the same as defined by the
PARTIALSSHCOMACCESSUSER/GROUP parameters.
SYSTEM-USER: The local Guardian user name or alias under which operations initiated by the remote user
will be executed.
PUBLICKEY: One or more public key(s) sent by the remote user for authentication (see chapter "SSH
Protocol Reference" for details). The secret part of the Public Key pair is not configured in USER records.
Several attributes are defined for each PUBLICKEY (name, fingerprint, last modified and last used date).
ALLOW-SHELL: Indicating if the ssh user is allowed to request a shell.
SHELL-PROGRAM: OSS path of the shell executed when the ssh user requests a shell or configuration of a
telnet service connected to when the ssh user requests a shell.
SHELL-COMMAND: Enforced shell command executed when the ssh user requests a shell.
SHELL-ENVIRONMENT: Pathname of a script that will be executed when a shell is invoked.
ALLOW-CI: Indicating if the ssh user is allowed to request a TACL command interpreter.
ALLOW-CI-PROGRAM-OVERRIDE: Indicating if the ssh user is allowed to override the configured CI-PROGRAM
via the "tacl -p" or "ci -p" command.
CI-PROGRAM: Guardian object name of the command interpreter executed when the ssh user requests a
command interpreter or configuration of a telnet service connected to when the ssh user requests a command
interpreter.
CI-COMMAND: Startup parameters for CI-PROGRAM used when the ssh user requests a command
interpreter.
ALLOW-PTY: Indicating if the ssh user is allowed to request a pseudo terminal (PTY).
PTY-SERVER: User specific configuration of the PTY server process. Ignored if ALLOW-PTY is set to NO.
Default value is taken from SSH2 parameter PTYSERVER.
ALLOW-TCP-FORWARDING: Indicating if the ssh user is allowed to request port forwarding.
ALLOWED-SUBSYSTEMS: Subsystems the ssh user is allowed to request.
ALLOW-GATEWAY-PORTS: Indicating if the ssh user is allowed to open gateway ports, i.e. port
forwarding where the listen is made on an interface that is not the loopback network interface.
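The attributes above interact (for instance, PTY-SERVER is ignored when ALLOW-PTY is NO, and ALLOW-GATEWAY-PORTS only matters together with port forwarding), so a USER record is best reviewed as a whole before it goes live. The following is an added example, not code from the manual or the NonStop SSH product: it audits a USER record held as a plain dict keyed by the field names above and reports least-privilege findings. The YES/NO values, the RFC 4252 method names in ALLOWED-AUTHENTICATIONS ("publickey", "password", "gssapi-with-mic") and the sample record are assumptions constructed for the example.

```python
from typing import Any, Dict, List, Tuple

Finding = Tuple[str, str]  # (severity, message)


def _yes(rec: Dict[str, Any], field: str) -> bool:
    # ALLOW-* attributes are assumed to hold YES/NO; an absent field counts as NO.
    return str(rec.get(field, "NO")).strip().upper() == "YES"


def review_user_record(rec: Dict[str, Any]) -> List[Finding]:
    """Audit one USER record (dict keyed by the database field names)."""
    findings: List[Finding] = []
    auths = {str(a).lower() for a in rec.get("ALLOWED-AUTHENTICATIONS", [])}
    if not rec.get("SYSTEM-USER"):
        findings.append(("ERROR", "SYSTEM-USER is empty: remote user has no local Guardian mapping"))
    if "publickey" in auths and not rec.get("PUBLICKEY"):
        findings.append(("ERROR", "publickey is allowed but no PUBLICKEY is configured"))
    if "gssapi-with-mic" in auths and not rec.get("PRINCIPAL"):
        findings.append(("ERROR", "GSSAPI is allowed but PRINCIPAL is not set"))
    if _yes(rec, "ALLOW-SHELL") and not rec.get("SHELL-COMMAND"):
        findings.append(("WARN", "interactive shell allowed with no enforced SHELL-COMMAND"))
    if _yes(rec, "ALLOW-CI") and _yes(rec, "ALLOW-CI-PROGRAM-OVERRIDE"):
        findings.append(("WARN", "user may replace CI-PROGRAM via 'tacl -p' / 'ci -p'"))
    if _yes(rec, "ALLOW-GATEWAY-PORTS"):
        if _yes(rec, "ALLOW-TCP-FORWARDING"):
            findings.append(("WARN", "gateway ports allowed: forwarded listeners may bind non-loopback interfaces"))
        else:
            findings.append(("INFO", "ALLOW-GATEWAY-PORTS=YES while ALLOW-TCP-FORWARDING=NO: review intent"))
    if rec.get("PTY-SERVER") and not _yes(rec, "ALLOW-PTY"):
        findings.append(("INFO", "PTY-SERVER is ignored because ALLOW-PTY=NO"))
    return findings


# Constructed sample: an SFTP-only transfer account as it might be handed over for review.
SFTP_USER: Dict[str, Any] = {
    "USER": "transfer1",
    "SYSTEM-USER": "XFER.BATCH",
    "ALLOWED-AUTHENTICATIONS": ["publickey", "password"],
    "PUBLICKEY": [],                 # no key uploaded yet
    "ALLOWED-SUBSYSTEMS": ["sftp"],
    "ALLOW-SHELL": "YES",            # not needed for file transfer
    "ALLOW-TCP-FORWARDING": "NO",
    "ALLOW-GATEWAY-PORTS": "YES",
    "ALLOW-PTY": "NO",
    "PTY-SERVER": "$PTY1",           # constructed process name, ignored while ALLOW-PTY=NO
}

if __name__ == "__main__":
    for severity, message in review_user_record(SFTP_USER):
        print(f"{severity:5} {SFTP_USER['USER']}: {message}")
```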
148 The SSH User Database HP NonStop SSH Reference Manual