SSH Reference Manual
Similar to the Safeguard USER/ALIAS field OWNER and to base new access rules on that field. This allows an existing 
local user to modify all USER records that are configured with that local user as value for new USER attribute OWNER. 
The allowed actions will be the same as defined by PARTIALSSHCOMACCESSUSER/GROUP parameters. The 
OWNER field for existing USER records will be assumed to be *NONE*. New USER records will be set to OWNER 
*NONE* by default unless attribute OWNER is explicitly set to a different value. The owner could be identical to the 
SYSTEM-USER value, could be SUPER.SUPER or the group manager of the user configured in SYSTEM-USER or 
could be any other local system user. 
PRINCIPAL 
This attribute is used to explicitly specify which Kerberos principal(s) are authorized to log on to this user account using 
“gssapi-with-mic” authentication. To define an access control list with multiple principals within a single command, the 
PRINCIPAL attribute can be repeated within a single ALTER USER command.  
 Note: Specifying one or more Kerberos principals using this attribute will override the default Kerberos authorization 
rule, which implicitly grants access to the Kerberos principal with a matching local account name. 
The PRINCIPAL attribute may have the following values: 
•  <user>@<REALM> 
A fully qualified Kerberos principal name will authorize a specific Kerberos principal to access this user 
account 
•  *@<REALM> 
This pattern will authorize any principal in the given REALM to access this user account 
•  *@* 
This pattern will authorize any principal in any REALM (i.e. anybody with a valid service ticket) to access this 
user account 
 Note: Specifying a wildcard pattern as principal is useful when delegating authorization to the resource started for this 
user (i.e. CI-PROGRAM or SHELL-PROGRAM). 
 CAUTION: When specifying a wildcard PRINCIPAL, user access should be properly locked down (e.g. by setting 
SYSTEM-USER *NONE*) to avoid security breaches in which per-user authorization is bypassed.  
The Kerberos principal name authenticated and authorized during “gssapi-with-mic” authentication will also be 
displayed in the audit log and thus can be used to correlate the Kerberos principal name with the NonStop user name.  
To delete a PRINCIPAL from the access control list, use the DELETE PRINCIPAL attribute.  
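The PRINCIPAL rules above, modelled in Python as an added example (not code from the manual or from SSH2): an explicit list replaces the default rule, and only the three listed pattern forms are accepted. The function names, sample users and realms are constructed, the default-rule comparison (principal user part equals the account name) is an assumption, and the wildcard check reflects only the SYSTEM-USER *NONE* lock-down named in the CAUTION.

```python
NONE = "*NONE*"  # SYSTEM-USER value named in the CAUTION above

def split(name):
    """Split '<user>@<REALM>'; reject any other shape."""
    user, sep, realm = name.partition("@")
    if not (sep and user and realm) or "@" in realm:
        raise ValueError(f"not <user>@<REALM>: {name!r}")
    return user, realm

def entry_kind(entry):
    """Classify an ACL entry as one of the three forms listed above."""
    user, realm = split(entry)
    if user == "*":
        return "any" if realm == "*" else "realm"
    if "*" in user or "*" in realm:
        raise ValueError(f"unsupported pattern: {entry!r}")
    return "exact"

def is_authorized(principal, acl, account):
    """True if the authenticated principal may log on to `account`."""
    p_realm = split(principal)[1]
    if not acl:
        # Default rule. Assumption: the user part must equal the account name.
        return split(principal)[0] == account
    for entry in acl:
        kind = entry_kind(entry)
        if (kind == "any"
                or (kind == "realm" and split(entry)[1] == p_realm)
                or (kind == "exact" and entry == principal)):
            return True
    return False  # an explicit list replaces the default rule

def wildcard_findings(users):
    """Users with a wildcard PRINCIPAL whose SYSTEM-USER is not *NONE*."""
    return [u["name"] for u in users
            if u["system_user"] != NONE
            and any(entry_kind(e) != "exact" for e in u["principals"])]

# Constructed sample records; names, realms and SYSTEM-USER values are made up.
USERS = [
    {"name": "ops", "system_user": "OPS.MGR",
     "principals": ["alice@EXAMPLE.COM", "bob@EXAMPLE.COM"]},
    {"name": "menu", "system_user": NONE, "principals": ["*@EXAMPLE.COM"]},
    {"name": "batch", "system_user": "BATCH.RUN", "principals": ["*@*"]},
    {"name": "carol", "system_user": "DEV.CAROL", "principals": []},
]

if __name__ == "__main__":
    print("review:", wildcard_findings(USERS))
```

A record flagged by `wildcard_findings` is not necessarily misconfigured; it is one where the lock-down has to come from something other than SYSTEM-USER and should be reviewed.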
PRIORITY 
All user processes (except SFTPSERV processes) started directly by SSH2 will have the configured priority assigned. 
Following are the values allowed in this parameter and their meanings: 
Value    Meaning 
1-199    Use the given priority value 
-1       Use the same priority as the SSH2 process starting the process.  
 Note: SFTPSERV processes will be prioritized as specified via the SFTP-PRIORITY attribute. 
PTY-SERVER 
The Guardian process name of the specific STN PTY server that the user will use. 
If a value of *DEFAULT* is specified, the user will use the STN PTY server that is configured via SSH2 parameter 
PTYSERVER. 
PUBLICKEY 
HP NonStop SSH Reference Manual  SSHCOM Command Reference • 179 










