SSH Reference Manual
This attribute controls whether a TACL or a specific command interpreter given by CI-PROGRAM should be started
upon a shell request of a client that allocated a 6530 pseudo TTY (such as 6530 SSH clients, MR-Win6530, and J6530).
ALLOW-CI-PROGRAM-OVERRIDE
This attribute controls whether a user is allowed to override the configured CI-PROGRAM via a "tacl -p" or "ci -p"
command. If CI-PROGRAM is set to *DEFAULT* (i.e. the command interpreter TACL gets started) and
ALLOWED-SUBSYSTEMS contains tacl, then this attribute is ignored, because a user can start TACL and execute any
command interpreter that way; trying to prevent "tacl -p" commands is useless in this case. The parameter is especially
useful in cases where the user does not have tacl in ALLOWED-SUBSYSTEMS but needs to be allowed to execute some
specific command interpreter or TACL macro. If CI-PROGRAM is configured with a specific command interpreter or
macro and ALLOW-CI-PROGRAM-OVERRIDE is set to NO, then the user is restricted to executing the configured
CI-PROGRAM and will not get a TACL prompt. If ALLOW-CI-PROGRAM-OVERRIDE is YES, then the user can execute a
"tacl -p <program>" or a "ci -p <program>" command, thus overriding the program configured in CI-PROGRAM.
ALLOW-GATEWAY-PORTS
This attribute is used to grant or deny gateway ports when port forwarding is initiated by a specific user. If the value of
this attribute is NO, then any port forwarding request with SSH option -g will be rejected by SSH2.
ALLOW-MULTIPLE-REMOTE-HOSTS
When set to NO, this attribute restricts a user to connecting from at most one remote host at any time.
The restriction is based on the SSH user configured in the SSH2 database (not the system
user). After disconnecting all sessions from one host the user can connect from a different host. All SSH2 processes that
access the same SSH2 database share the restriction. If the attribute is set to YES, then a user can establish sessions from
different remote hosts at the same time.
ALLOW-PTY
This attribute is used to grant or deny the allocation of a pseudo TTY for a session. The pseudo TTY enables the user to
execute full screen interactive applications, such as Emacs or vi.
ALLOW-SHELL
This attribute is used to grant or deny shell access to a user.
ALLOW-TCP-FORWARDING
This attribute is used to grant or deny port forwarding for a user. The value of this user attribute is ignored if the global
SSH2 parameter ALLOWTCPFORWARDING is set to FALSE.
ALLOWED-AUTHENTICATIONS
This attribute is used to specify the authentication mechanisms that are allowed for a user. The following authentication
methods are currently supported by SSH2:
• password: Password authentication using the NonStop system's password authentication mechanism. The
password is validated against the SYSTEM-USER's password. Local authentication with password now
provides the remote client IP address to system procedure USER_AUTHENTICATE_ if the OS release
supports this (H06.26 or later and J06.15 or later).
• publickey: Public key authentication using the PUBLIC-KEYs configured for a user.
• keyboard-interactive: Authentication according to RFC 4256 mapped to the standard GUARDIAN user
authentication dialog, verifying the SYSTEM-USER's password, as well as taking care of exceptions, such as
password expiry. Local authentication with password now provides the remote client IP address to system
procedure USER_AUTHENTICATE_ if the OS release supports this (H06.26 or later and J06.15 or later).
• none: Grants access without authentication. This is useful for users connecting to an application requiring its
own authentication, e.g. if you configure a PATHWAY PROGRAM as a CI-PROGRAM.
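The interactions described above under ALLOW-CI-PROGRAM-OVERRIDE, ALLOW-TCP-FORWARDING and ALLOWED-AUTHENTICATIONS can be resolved mechanically when reviewing user records. The following Python sketch is an added example, not part of the manual or of SSH2: the dictionary layout, the sample users and the program name are constructed, and it assumes that a FALSE global ALLOWTCPFORWARDING denies forwarding and that gateway ports only matter when forwarding is permitted.

```python
# Added example: attribute names come from the manual; the record layout,
# user names and program names below are constructed for illustration.

def _yes(user, attr):
    return user[attr].upper() == "YES"

def effective_policy(user, global_allow_tcp_forwarding):
    """Resolve the attribute interactions the manual describes for one user."""
    subsystems = {s.lower() for s in user["ALLOWED-SUBSYSTEMS"]}
    auths = {a.lower() for a in user["ALLOWED-AUTHENTICATIONS"]}

    # ALLOW-CI-PROGRAM-OVERRIDE is ignored when CI-PROGRAM is *DEFAULT* and
    # tacl is an allowed subsystem: the user can start TACL and run any
    # command interpreter from there.
    override_ignored = user["CI-PROGRAM"] == "*DEFAULT*" and "tacl" in subsystems
    can_override = override_ignored or _yes(user, "ALLOW-CI-PROGRAM-OVERRIDE")

    # The per-user value is ignored when the global parameter is FALSE
    # (assumption: FALSE globally means forwarding is denied).
    tcp_forwarding = global_allow_tcp_forwarding and _yes(user, "ALLOW-TCP-FORWARDING")
    # Assumption: -g gateway ports only matter when forwarding is possible.
    gateway_ports = tcp_forwarding and _yes(user, "ALLOW-GATEWAY-PORTS")

    findings = []
    if override_ignored and not _yes(user, "ALLOW-CI-PROGRAM-OVERRIDE"):
        findings.append("ALLOW-CI-PROGRAM-OVERRIDE NO has no effect")
    if "none" in auths and can_override:
        findings.append("'none' authentication without a fixed CI-PROGRAM")
    return {"can_override": can_override, "tcp_forwarding": tcp_forwarding,
            "gateway_ports": gateway_ports, "findings": findings}

# Constructed sample records (not SSHCOM output).
OPS = {"CI-PROGRAM": "*DEFAULT*", "ALLOWED-SUBSYSTEMS": ["sftp", "tacl"],
       "ALLOW-CI-PROGRAM-OVERRIDE": "NO", "ALLOW-TCP-FORWARDING": "YES",
       "ALLOW-GATEWAY-PORTS": "YES", "ALLOWED-AUTHENTICATIONS": ["publickey"]}
KIOSK = {"CI-PROGRAM": "$DATA.APPS.MENU", "ALLOWED-SUBSYSTEMS": ["sftp"],
         "ALLOW-CI-PROGRAM-OVERRIDE": "NO", "ALLOW-TCP-FORWARDING": "NO",
         "ALLOW-GATEWAY-PORTS": "NO", "ALLOWED-AUTHENTICATIONS": ["none"]}
OPEN = dict(KIOSK, **{"ALLOW-CI-PROGRAM-OVERRIDE": "YES",
                      "ALLOW-TCP-FORWARDING": "YES"})

if __name__ == "__main__":
    for name, rec in (("OPS", OPS), ("KIOSK", KIOSK), ("OPEN", OPEN)):
        print(name, effective_policy(rec, global_allow_tcp_forwarding=True))
```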
HP NonStop SSH Reference Manual SSHCOM Command Reference • 169