SSH Reference Manual
Dependency on Safeguard OBJECTTYPE USER Record 
Every administrator who configures an OBJECTTYPE USER record is well aware of how important and security-relevant 
USER configuration is on NonStop systems. Some may not be aware that SSH configuration is an equally critical, 
security-relevant task: a user who is allowed to configure SSH USER records can create access to the NonStop system 
without Safeguard authentication. Configuring SSH USER records is therefore as critical as configuring Safeguard 
USER records. 
If a user is denied executing the Safeguard SAFECOM ADD/ALTER USER commands, then that user must also be denied 
ADD/ALTER USER in SSHCOM; otherwise the SSH configuration becomes a way around the Safeguard policy. 
Starting with release 89, SSHCOM security is more tightly coupled with Safeguard security. This includes not only 
checking whether a Safeguard user is frozen (see section "ALLOWFROZENSYSTEMUSER") but also support of the 
OBJECTTYPE USER record (please refer to the HP NonStop™ manuals "Safeguard Reference Manual" and "Safeguard 
Administrator's Manual"). 
The current implementation ignores OBJECTTYPE USER ACL entries that contain a network id (\node-spec); the SSH2 
process issues a warning message when it finds such an entry. Another restriction is that only a user's primary group is 
checked against group-based OBJECTTYPE USER ACL entries, so an entry for a secondary group has no effect. 
To reduce overhead, the OBJECTTYPE USER, USER and ALIAS information retrieved from Safeguard is cached. It can 
take up to 5 minutes before an SSH2 process takes Safeguard modifications into account, including a DENY entry or a 
freeze. Restarting an SSH2 process makes any Safeguard changes effective in that process immediately. 
SSHCOM Security without Safeguard OBJECTTYPE USER Record 
If a Safeguard OBJECTTYPE USER record does not exist or exists but is frozen, the behavior is as follows: 
DAEMON MODE commands 
The user super.super can execute any daemon mode command. The parameter sets FULLSSHCOMACCESSUSER<i> 
and FULLSSHCOMACCESSGROUP<j> are evaluated, and the users and groups configured in these parameter sets are 
granted full access to all daemon mode commands. 
CLIENT MODE commands 
The user super.super can execute any client mode command for any user. The parameter sets 
FULLSSHCOMACCESSUSER<i> and FULLSSHCOMACCESSGROUP<j> are evaluated, and the configured users and 
groups are granted full access to all client mode commands for any user. 
A person who is not logged on as super.super and is not configured in the parameter sets FULLSSHCOMACCESSUSER<i> 
and FULLSSHCOMACCESSGROUP<j>, and who wants to execute an SSHCOM CLIENT MODE command affecting 
records for a specific Guardian user or alias <user-or-alias>, must either be logged on as <user-or-alias> or meet these 
two qualifications: 
•  Be the group manager of the underlying Safeguard user ID of <user-or-alias> 
•  Be the owner of the underlying Safeguard user ID of <user-or-alias>, or be the group manager of the owner of 
the underlying Safeguard user ID of <user-or-alias> 
SSHCOM Security with existing Safeguard OBJECTTYPE USER Record 
If a Safeguard OBJECTTYPE USER record exists and is not frozen, the behavior is as follows:  
DAEMON MODE commands 
The user super.super can execute any daemon mode command unless explicitly configured in the OBJECTTYPE USER 
record with DENY Create authority. The parameter sets FULLSSHCOMACCESSUSER<i> and 
FULLSSHCOMACCESSGROUP<j> are ignored. Non-super.super users configured with Create authority in the 
OBJECTTYPE USER record are granted full access to all daemon mode commands; all other users are denied. 
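The rules above, for daemon mode with and without an active OBJECTTYPE USER record and for client mode without one, as a small Python model. This is an added illustration, not the SSH2/SSHCOM implementation or any code from the manual. The dataclasses, the ACL subject notation ("group.*" for a group entry, a leading "\node." for a network id), the precedence of a user-specific ACL entry over a group entry, the reading of the two client-mode bullets as both required, and the sample users, owners and group managers are assumptions of this example:

```python
"""Illustrative model of the SSHCOM authorization rules of this section. Added example, not the
SSH2/SSHCOM implementation: record and ACL shapes, helper names and sample users are invented."""
import warnings
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

SUPER = "super.super"

@dataclass(frozen=True)
class SafeguardUser:
    name: str    # Guardian user ID, "group.user"
    group: str   # primary group: the only group matched against group ACL entries
    owner: str   # Safeguard user ID that owns this USER record

@dataclass(frozen=True)
class AclEntry:
    subject: str  # "group.user", "group.*" (group entry) or "\NODE.group.user" (network id)
    create: bool  # True = Create authority granted, False = DENY Create

@dataclass
class ObjectTypeUserRecord:
    frozen: bool
    acl: List[AclEntry] = field(default_factory=list)

@dataclass
class Policy:
    users: Dict[str, SafeguardUser]
    aliases: Dict[str, str] = field(default_factory=dict)         # alias -> underlying user ID
    group_managers: Dict[str, str] = field(default_factory=dict)  # group -> its group manager
    full_access_users: Set[str] = field(default_factory=set)      # FULLSSHCOMACCESSUSER<i>
    full_access_groups: Set[str] = field(default_factory=set)     # FULLSSHCOMACCESSGROUP<j>
    objecttype_user: Optional[ObjectTypeUserRecord] = None

def resolve(p: Policy, user_or_alias: str) -> SafeguardUser:
    # Underlying Safeguard user ID of a Guardian user or alias.
    return p.users[p.aliases.get(user_or_alias, user_or_alias)]

def record_active(p: Policy) -> bool:
    # An OBJECTTYPE USER record exists and is not frozen.
    return p.objecttype_user is not None and not p.objecttype_user.frozen

def in_full_access_sets(p: Policy, user: str) -> bool:
    return user in p.full_access_users or resolve(p, user).group in p.full_access_groups

def network_id_entries(p: Policy) -> List[str]:
    """ACL entries with a network id (\\node-spec); SSH2 ignores them with a warning."""
    rec = p.objecttype_user
    return [] if rec is None else [e.subject for e in rec.acl if e.subject.startswith("\\")]

def create_authority(p: Policy, user: str) -> Optional[bool]:
    """Create authority from the ACL: True, False (DENY) or None (no matching entry).
    Assumption of this example: a user-specific entry outranks a group entry."""
    if p.objecttype_user is None:
        return None
    for subject in network_id_entries(p):
        warnings.warn(f"ignoring OBJECTTYPE USER ACL entry with network id: {subject}")
    group_subject = f"{resolve(p, user).group}.*"
    by_user = by_group = None
    for e in p.objecttype_user.acl:      # network-id entries match neither test below
        if e.subject == user:
            by_user = e.create
        elif e.subject == group_subject:
            by_group = e.create
    return by_user if by_user is not None else by_group

def may_run_daemon_mode(p: Policy, user: str) -> bool:
    if not record_active(p):
        # No record, or a frozen one: super.super plus the FULLSSHCOMACCESS* sets.
        return user == SUPER or in_full_access_sets(p, user)
    # Active record: FULLSSHCOMACCESS* is ignored and the ACL decides.
    authority = create_authority(p, user)
    if user == SUPER:
        return authority is not False    # allowed unless an explicit DENY Create
    return authority is True

def may_run_client_mode(p: Policy, actor: str, user_or_alias: str) -> bool:
    """Client-mode check for the case without an active OBJECTTYPE USER record."""
    if record_active(p):
        raise NotImplementedError("client-mode rules with an active record are not modelled")
    if actor == SUPER or in_full_access_sets(p, actor) or actor == user_or_alias:
        return True
    target = resolve(p, user_or_alias)
    owner = p.users[target.owner]
    manages_target = p.group_managers.get(target.group) == actor
    owner_ok = actor == owner.name or p.group_managers.get(owner.group) == actor
    return manages_target and owner_ok   # both bullets of the section read as required

def sample_policy(record: Optional[str] = None) -> Policy:
    """Constructed sample data (no real system); record is None, "active" or "frozen"."""
    users = [SafeguardUser(SUPER, "super", SUPER),
             SafeguardUser("admin.manager", "admin", SUPER),
             SafeguardUser("admin.bob", "admin", "admin.manager"),
             SafeguardUser("ops.dave", "ops", SUPER),
             SafeguardUser("ops.carol", "ops", "admin.manager"),
             SafeguardUser("secadm.eve", "secadm", SUPER)]
    acl = [AclEntry(SUPER, create=False),              # explicit DENY Create for super.super
           AclEntry("admin.*", create=True),           # group entry, primary group only
           AclEntry("\\NODE2.ops.dave", create=True)]  # network id: ignored with a warning
    rec = None if record is None else ObjectTypeUserRecord(frozen=(record == "frozen"), acl=acl)
    return Policy(users={u.name: u for u in users}, aliases={"bobby": "admin.bob"},
                  group_managers={"admin": "admin.manager", "ops": "ops.dave"},
                  full_access_groups={"secadm"}, objecttype_user=rec)
```

With the constructed data, `sample_policy("active")` denies daemon mode to super.super (explicit DENY Create), grants it to admin.bob through the admin.* group entry, and denies it to ops.dave because his only entry carries a network id and is skipped; `sample_policy("frozen")` behaves exactly like the no-record case, so the FULLSSHCOMACCESS* sets apply again. The model deliberately stops at the client-mode rules for the case with an active record, which this section does not describe.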
CLIENT MODE commands 