SSH Reference Manual
 COMMENT "<comment>"] | 
 LIVE-DATE <date-time>] | 
 EXPIRE-DATE <date-time>] | 
 ( [ FINGERPRINT <fingerprint-value>] 
 [, FILE <filename>] 
 [, COMMENT "<comment>"] 
 [, LIVE-DATE <date-time>] 
 [, EXPIRE-DATE <date-time>] ) 
 ]... 
 [,RESET { SFTP-INITIAL-DIRECTORY | SYSTEM-USER | 
 SFTP-SECURITY | SFTP-GUARDIAN-FILESET | 
 SFTP-PRIORITY } ] 
 [,RESTRICTION-PROFILE [<profile-name>] ] 
 [,SFTP-CPU-SET [<cpu> | <cpu-range> | ( <cpu-range-list> ) ] ] 
 [,SFTP-GUARDIAN-FILESET ( <pattern>, <pattern>, ... ) ] 
 [,SFTP-INITIAL-DIRECTORY <directory-path> [LOCKED]] 
 [,SFTP-PRIORITY [ <number> ] ] 
 [,SFTP-SECURITY ( [<sftp-attr>] [, <sftp-attr>] ... ) ] 
 [,SHELL-COMMAND [ <command> ] ] 
 [,SHELL-ENVIRONMENT [ <filename> ]] 
 [,SHELL-PROGRAM [ *DEFAULT* | <path> | *MENU* | *MENU* <service> [ FORCE ] ] ] 
 [,SYSTEM-USER <system-user-name> | *NONE* ] 
The <user-name> is mandatory in the command; no wildcards are allowed in the user name. See the description of 
<user-name> under the ADD USER command for unconventional names that must be put in double quotes. At least one 
attribute must be specified in the command. 
The individual attributes have the following meaning and syntax: 
ALLOW-CI 
This attribute controls whether a TACL or a specific command interpreter given by CI-PROGRAM should be started 
upon a shell request of a client that allocated a 6530 pseudo TTY (such as 6530 SSH clients, MR-Win6530, and J6530). 
ALLOW-CI-PROGRAM-OVERRIDE 
This attribute controls whether a user is allowed to override the configured CI-PROGRAM via the "tacl -p" or "ci -p" 
command. If CI-PROGRAM is set to *DEFAULT* (i.e. the command interpreter TACL gets started) and ALLOWED-SUBSYSTEMS 
contains tacl, then this attribute is ignored, because the user can start TACL and execute any command interpreter in that 
way. In this case it is useless to try to prevent "tacl -p" commands. The attribute is especially useful in cases where the 
user does not have tacl as ALLOWED-SUBSYSTEM but needs to be allowed to execute some specific command 
interpreter or TACL macro. If CI-PROGRAM is configured with a specific command interpreter or macro and 
ALLOW-CI-PROGRAM-OVERRIDE is set to NO, then the user is restricted to executing the configured CI-PROGRAM and will not 
get a TACL prompt. If ALLOW-CI-PROGRAM-OVERRIDE is YES, then the user can execute a "tacl -p 
<program>" or a "ci -p <program>" command, thus overriding the program configured in CI-PROGRAM. 
ALLOW-GATEWAY-PORTS 
This attribute is used to grant or deny gateway ports in the case of port forwarding initiated by a specific user. If the 
value of this attribute is NO, then any port forwarding request with SSH option "-g" will be rejected by SSH2. 
ALLOW-MULTIPLE-REMOTE-HOSTS 
When set to NO, this attribute restricts a user to establishing connections from at most one remote host at any 
time. The restriction is based on the SSH user configured in the SSH2 database (not the system 
user). After disconnecting all sessions from one host, the user can connect from a different host. All SSH2 processes that 
access the same SSH2 database share the restriction. If the attribute is set to YES, then a user can establish sessions from 
different remote hosts at the same time. 
ALLOW-PTY 
This attribute is used to grant or deny the ability to allocate a pseudo TTY for a session. The pseudo TTY enables the 
user to execute full screen interactive applications, such as Emacs or vi. 
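The rules for ALLOW-CI-PROGRAM-OVERRIDE, ALLOW-GATEWAY-PORTS and ALLOW-MULTIPLE-REMOTE-HOSTS described above can be checked mechanically when reviewing user records. The following is an added example, not code from the manual or from HP: the dict representation of a user record, ALLOWED-SUBSYSTEMS as a list, and all sample values are assumptions.

```python
# Added example. Attribute names are from the manual text; the dict record
# format, ALLOWED-SUBSYSTEMS as a list, and all sample values (user names,
# the CI-PROGRAM file name) are constructed assumptions.
# Every attribute must be present: defaults are not stated in this section.

def is_yes(attrs, name):
    return attrs[name].strip().upper() == "YES"

def override_effective(attrs):
    """Return (can_override, reason): can the user run a command
    interpreter other than the configured CI-PROGRAM?"""
    subsystems = {s.strip().lower() for s in attrs["ALLOWED-SUBSYSTEMS"]}
    if attrs["CI-PROGRAM"].strip().upper() == "*DEFAULT*" and "tacl" in subsystems:
        # Per the manual the attribute is ignored in this case, because
        # TACL itself can start any command interpreter.
        return True, "ALLOW-CI-PROGRAM-OVERRIDE is ignored (TACL reachable)"
    if is_yes(attrs, "ALLOW-CI-PROGRAM-OVERRIDE"):
        return True, '"tacl -p" / "ci -p" override is allowed'
    return False, '"tacl -p" / "ci -p" override is not allowed'

def audit_user(attrs):
    """List the permissive settings a reviewer would want justified."""
    findings = []
    can_override, reason = override_effective(attrs)
    if can_override:
        findings.append("user is not confined to CI-PROGRAM: " + reason)
    if is_yes(attrs, "ALLOW-GATEWAY-PORTS"):
        findings.append('port forwarding requests with "-g" are accepted')
    if is_yes(attrs, "ALLOW-MULTIPLE-REMOTE-HOSTS"):
        findings.append("sessions from several remote hosts at once are allowed")
    return findings

SAMPLE_USERS = {  # constructed records
    "ops1": {"CI-PROGRAM": "*DEFAULT*", "ALLOWED-SUBSYSTEMS": ["sftp", "tacl"],
             "ALLOW-CI-PROGRAM-OVERRIDE": "NO", "ALLOW-GATEWAY-PORTS": "NO",
             "ALLOW-MULTIPLE-REMOTE-HOSTS": "NO"},
    "menu1": {"CI-PROGRAM": "$DATA1.APPS.MENU", "ALLOWED-SUBSYSTEMS": ["sftp"],
              "ALLOW-CI-PROGRAM-OVERRIDE": "NO", "ALLOW-GATEWAY-PORTS": "NO",
              "ALLOW-MULTIPLE-REMOTE-HOSTS": "NO"},
    "dev1": {"CI-PROGRAM": "$DATA1.APPS.MENU", "ALLOWED-SUBSYSTEMS": ["sftp"],
             "ALLOW-CI-PROGRAM-OVERRIDE": "YES", "ALLOW-GATEWAY-PORTS": "YES",
             "ALLOW-MULTIPLE-REMOTE-HOSTS": "YES"},
}

if __name__ == "__main__":
    for user, attrs in SAMPLE_USERS.items():
        print(user, audit_user(attrs) or "no findings")
```

The "ops1" record shows the case the manual calls out: ALLOW-CI-PROGRAM-OVERRIDE is NO, yet the user is still not confined, because CI-PROGRAM is *DEFAULT* and tacl is an allowed subsystem.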
ALLOW-SHELL 
176 • SSHCOM Command Reference  HP NonStop SSH Reference Manual 










