SSH Reference Manual

alias are read first, then entries of the guardian id). The value BOTH is only recommended if a guardian user and all
aliases configured for this guardian user are solely used by one person and client mode records are to be stored under
the Guardian user identifier as well as alias names.
Example: Assume an alias entry is present, but not an entry for the associated Guardian ID, and the user is logged on as
the alias. With client mode owner policy set to LOGINNAME, privileges to read/alter the entry would be granted; for
GUARDIANNAME they would not be granted because a matching entry is not found; and for BOTH they would be
granted. If the Guardian entry is present but not the alias, and the user is logged on as the alias, LOGINNAME access
would not be allowed, GUARDIANNAME would be allowed, and BOTH would also be allowed.
Client Mode Owner Policy Examples
Assuming Guardian User SUPER.MARIO and alias super-m are configured in Safeguard:
=info alias super-m
NAME     USER-ID  OWNER    STATUS
super-m  255,20   254,255  THAWED
=info user super.mario
GROUP.USER   USER-ID  OWNER    LAST-MODIFIED   LAST-LOGON      STATUS
SUPER.MARIO  255,20   254,255  12FEB11, 22:36  16FEB13, 13:50  THAWED
An alias entry is present in the SSH database, but not an entry for the associated Guardian ID, e.g.:
% info key *:*
info key *:*
KEY  TYPE  USER     LIFE-CYCLE  LAST-USE  STATUS
k1   RSA   super-m  LIVE        *NONE*    THAWED
Assume the user is logged on as the alias super-m. With client mode owner policy set to LOGINNAME, privileges to
read/alter the entry k1 would be granted; for GUARDIANNAME they would not be granted because a matching entry is
not found; and for BOTH they would be granted.
If the Guardian entry is present but no entry for the alias, e.g.:
% info key *:*
info key *:*
KEY  TYPE  USER         LIFE-CYCLE  LAST-USE  STATUS
k2   RSA   SUPER.MARIO  LIVE        *NONE*    THAWED
and the user is logged on as the alias super-m, then access to entry k2 would be denied with client mode owner policy
set to LOGINNAME but would be allowed with client mode owner policy set to GUARDIANNAME or BOTH.
Note: The default value for CLIENTMODEOWNERPOLICY is BOTH. Please be aware that the default client mode
policy changed from GUARDIANNAME to BOTH with release 89. This change of the policy should not cause
problems with existing records, because in previous releases records were read only if stored under the Guardian user
identifier (entries stored under an alias were ignored).
The following will change when using the new default value BOTH or value LOGINNAME:
If a user is logged on as an alias and new CLIENT MODE records are added (PASSWORD, KNOWNHOST,
PUBLICKEY), then the new records will be stored under the alias name. An alias user is not allowed to add records for
the underlying Guardian user when CLIENTMODEOWNERPOLICY is set to LOGINNAME.
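The lookup rules above can be checked with a small model. This is an added example, not code from the product or the manual; the Session class and all function names are hypothetical, the record list is constructed from the k1 and k2 examples, and storing new records under the Guardian id for GUARDIANNAME is an assumption inferred from the note.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Session:
    login_name: str     # name used at logon (alias or Guardian user name)
    guardian_name: str  # underlying Guardian user

def owner_search_order(session, policy):
    """Owner names whose client mode records are consulted, in lookup order."""
    if policy == "LOGINNAME":
        return [session.login_name]
    if policy == "GUARDIANNAME":
        return [session.guardian_name]
    if policy == "BOTH":
        # Alias entries are read first, then entries of the Guardian id.
        order = [session.login_name]
        if session.guardian_name != session.login_name:
            order.append(session.guardian_name)
        return order
    raise ValueError(f"unknown CLIENTMODEOWNERPOLICY value: {policy!r}")

def accessible_records(session, policy, records):
    """Names of records the session may read/alter, in lookup order."""
    return [name for owner in owner_search_order(session, policy)
            for name, rec_owner in records if rec_owner == owner]

def new_record_owner(session, policy):
    """Owner under which a newly added client mode record is stored."""
    owner_search_order(session, policy)  # validates the policy value
    # LOGINNAME and BOTH store under the logon name (per the page);
    # GUARDIANNAME storing under the Guardian id is inferred (assumption).
    return session.guardian_name if policy == "GUARDIANNAME" else session.login_name

# Constructed database combining the page's two examples: (record, owner).
RECORDS = [("k1", "super-m"), ("k2", "SUPER.MARIO")]
ALIAS_SESSION = Session(login_name="super-m", guardian_name="SUPER.MARIO")

def policy_report(session=ALIAS_SESSION, records=RECORDS):
    """Map each policy to (accessible records, owner of newly added records)."""
    return {p: (accessible_records(session, p, records), new_record_owner(session, p))
            for p in ("LOGINNAME", "GUARDIANNAME", "BOTH")}

if __name__ == "__main__":
    for policy, (readable, stored_as) in policy_report().items():
        print(f"{policy:<13} read/alter={readable} new records stored under {stored_as}")
```

Running the same report for every alias of a Guardian user shows which existing records stop being visible, and where new ones would land, before the policy value is changed.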
HP NonStop SSH Reference Manual SSHCOM Command Reference 159