SSH Reference Manual
This attribute is used to grant or deny shell access to the user.
ALLOW-TCP-FORWARDING
This attribute is used to grant or deny port forwarding for a user. The value of this user attribute is ignored if the global
SSH2 parameter ALLOWTCPFORWARDING is set to FALSE.
ALLOWED-AUTHENTICATIONS
This attribute is used to specify the authentication mechanisms that are allowed for this user. <method> is one of the
following authentication methods currently supported by SSH2:
• password: Password authentication using the NonStop system's password authentication mechanism. The
password is validated against the SYSTEM-USER's password. Local authentication with password now
provides the remote client IP address to the system procedure USER_AUTHENTICATE_ if the OS release
supports this (H06.26 or later and J06.15 or later).
• publickey: Public key authentication using the PUBLIC-KEYs configured for this user.
• keyboard-interactive: Authentication according to RFC 4256 mapped to the standard GUARDIAN user
authentication dialog verifying the SYSTEM-USER's password, as well as taking care of exceptions such as
password expiry. Local authentication with password now provides the remote client IP address to system
procedure USER_AUTHENTICATE_ if the OS release supports this (H06.26 or later and J06.15 or later).
• none: Grants access without authentication. This is useful for users connecting to an application requiring its
own authentication, e.g. if you configure a PATHWAY PROGRAM as CI-PROGRAM.
CAUTION: When specifying ALLOWED-AUTHENTICATIONS (none), the user's access should be properly locked down
(e.g. by setting SYSTEM-USER *NONE*) to avoid security breaches that bypass any authentication.
ALLOWED-SUBSYSTEMS
This attribute is used to control access to specific subsystems. <subsystem> is one of the following subsystems provided
by SSH2:
• SFTP: The SFTP subsystem allows the user to transfer files with the SFTP transfer protocol.
• TACL: The TACL subsystem provides direct TACL access without requiring OSS on the NonStop server.
CI-COMMAND
This attribute specifies the startup string to be passed to CI-PROGRAM. Specify CI-COMMAND without <command>
to reset the attribute to its default (empty startup string).
CI-COMMAND is ignored if CI-PROGRAM is set to *MENU*.
CI-PROGRAM
Sets the command interpreter to be started on a 6530 pseudo TTY after the user is authenticated. In this case, filename is
the name of the command interpreter’s object file. It must be a local file name.
If you omit the attribute value, CI-PROGRAM will be reset to its default (TACL).
Startup parameters can be specified for the configured program, which is of particular interest for the program value
TELNET (please refer to section "Using TELSERV as Service Provider").
Please note: Specifying startup parameters in addition to the program file name requires double quotes around the
CI-PROGRAM attribute value, for example:
ALTER USER ...., CI-PROGRAM "TELNET <ip-addr> <port>".
If *MENU* is specified, the 6530 shell will be connected to the service menu provided by the STN PTYSERVER. This
resembles the functionality of TELSERV, which provides dynamic services, as well as services connecting to static
windows. The services offered by the STN PTYSERVER process can be configured using STNCOM.
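The interaction rules described above (the global ALLOWTCPFORWARDING override, the lock-down expected for ALLOWED-AUTHENTICATIONS (none), the TACL default of CI-PROGRAM, and CI-COMMAND being ignored with *MENU*) can be checked mechanically. The following Python audit is an added example, not part of the manual or of SSH2. The record layout, finding names, and sample user and file names are assumptions, and the forwarding and default-CI-PROGRAM checks for none-authenticated users are this example's reading of "properly locked down", not rules stated by the manual.

```python
# Added example, not from the manual. Record layout and finding names are assumptions.
USERS = [  # constructed sample records; user and file names are placeholders
    {"USER": "appgw", "ALLOWED-AUTHENTICATIONS": ["none"], "SYSTEM-USER": "*NONE*",
     "CI-PROGRAM": "$DATA.APP.PWYCLI", "ALLOW-TCP-FORWARDING": False},
    {"USER": "legacy", "ALLOWED-AUTHENTICATIONS": ["none", "password"],
     "SYSTEM-USER": "OPS.BATCH", "ALLOW-TCP-FORWARDING": True},
    {"USER": "menuusr", "ALLOWED-AUTHENTICATIONS": ["publickey"],
     "SYSTEM-USER": "OPS.MENU", "CI-PROGRAM": "*MENU*", "CI-COMMAND": "STARTUP",
     "ALLOW-TCP-FORWARDING": True},
]

def effective_forwarding(user, global_allow):
    """The user attribute is ignored when global ALLOWTCPFORWARDING is FALSE."""
    return bool(global_allow and user.get("ALLOW-TCP-FORWARDING", False))

def audit_user(user, global_allow):
    """Return finding names for one user record (empty list means nothing to review)."""
    findings = []
    auths = {m.lower() for m in user.get("ALLOWED-AUTHENTICATIONS", [])}
    # An omitted CI-PROGRAM value means the default command interpreter, TACL.
    ci_program = user.get("CI-PROGRAM") or "TACL"

    if "none" in auths:
        # The manual's CAUTION: lock the user down, e.g. SYSTEM-USER *NONE*.
        if user.get("SYSTEM-USER") != "*NONE*":
            findings.append("none-auth-not-locked-down")
        # 'none' is meant for programs that authenticate on their own.
        if ci_program == "TACL":
            findings.append("none-auth-default-ci-program")
        if effective_forwarding(user, global_allow):
            findings.append("none-auth-with-forwarding")
    if user.get("ALLOW-TCP-FORWARDING") and not global_allow:
        findings.append("user-forwarding-ignored-by-global")
    if user.get("CI-COMMAND") and ci_program == "*MENU*":
        findings.append("ci-command-ignored-with-menu")
    return findings

def audit_all(users, global_allow):
    return {u["USER"]: audit_user(u, global_allow) for u in users}

if __name__ == "__main__":
    for name, findings in audit_all(USERS, global_allow=False).items():
        print(name, findings or "ok")
```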
HP NonStop SSH Reference Manual SSHCOM Command Reference • 177