SSH Reference Manual

CONNECT-FROM
The attribute CONNECT-FROM restricts the host systems a user can connect from. Whenever an incoming connection
for the user is accepted, the CONNECT-FROM restrictions are applied.
The value can be one host pattern or a list of patterns used to match the address or name of the client system connecting
to SSH2 on a NonStop™ server. The format of each pattern, and the pattern matching performed, are the same as for the
OpenSSH from= parameter. If a list is specified, it must be enclosed in parentheses.
One pattern represents a host name or its IP address and can include wildcard characters '*' (matching any number of
characters) and '?' (matching exactly one character). A pattern may be prefixed by '~' indicating negation, that is, if the
matching pattern is preceded by a tilde, the incoming connection will be rejected.
Examples for valid CONNECT-FROM values include:
103.10.0.37
dev*
(34.45.56.*, ~34.45.56.12)
(201.30.*.*, tandem1, 120.10.20.?, ~ 120.10.20.7)
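The following is an added example, not code from the manual or from the NonStop SSH product: a small Python matcher that parses a CONNECT-FROM value (the same syntax applies to FORWARD-FROM) and decides whether a client, identified by its address and optionally its name, would pass the restriction. The combination rule (any matching negated pattern rejects the client; otherwise at least one positive pattern must match) follows OpenSSH's from= handling, which the manual says the matching mirrors; case-insensitive comparison of host names is an assumption, as is tolerating a space after the tilde (the manual's last example writes "~ 120.10.20.7").

```python
import re

# Assumed acceptance rule, taken from OpenSSH's handling of from= patterns:
# if any negated ('~') pattern matches the client, the connection is rejected;
# otherwise it is accepted only when at least one positive pattern matches.


def split_value(value):
    """Split a CONNECT-FROM value into its individual patterns.

    A single pattern stands alone; a list is comma-separated and must be
    enclosed in parentheses, e.g. "(34.45.56.*, ~34.45.56.12)".
    """
    value = value.strip()
    if value.startswith("(") and value.endswith(")"):
        value = value[1:-1]
    return [p.strip() for p in value.split(",") if p.strip()]


def pattern_to_regex(pattern):
    """Translate a host pattern into a compiled regular expression.

    Only '*' (any run of characters) and '?' (exactly one character) are
    special; every other character, including '.', is matched literally.
    """
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    # Assumption: host names are compared case-insensitively.
    return re.compile(regex, re.IGNORECASE)


def parse_connect_from(value):
    """Return a list of (negated, compiled_regex) rules for a CONNECT-FROM value."""
    rules = []
    for pat in split_value(value):
        negated = pat.startswith("~")
        if negated:
            # Assumption: whitespace between '~' and the pattern is tolerated.
            pat = pat[1:].strip()
        if not pat:
            raise ValueError("empty pattern in CONNECT-FROM value")
        rules.append((negated, pattern_to_regex(pat)))
    return rules


def client_allowed(value, address, name=None):
    """Decide whether a client (address, optional resolved name) passes the restriction.

    A pattern matches the client if it matches either the address or the name.
    """
    rules = parse_connect_from(value)
    candidates = [address] + ([name] if name else [])
    positive_match = False
    for negated, rx in rules:
        if any(rx.fullmatch(c) for c in candidates):
            if negated:
                return False  # a matching negated pattern always rejects
            positive_match = True
    return positive_match


if __name__ == "__main__":
    # Constructed sample checks against the manual's example values.
    value = "(201.30.*.*, tandem1, 120.10.20.?, ~ 120.10.20.7)"
    for addr, name in [("120.10.20.7", None), ("120.10.20.8", None),
                       ("120.10.20.18", None), ("10.0.0.1", "TANDEM1")]:
        print(addr, name, "->", "allowed" if client_allowed(value, addr, name) else "rejected")
```

Note that with this rule a value consisting only of negated patterns never admits anyone, since no positive pattern can match; a profile that is meant to exclude a few hosts needs a positive pattern covering the rest, as in the manual's third example.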
CONNECT-TO
The CONNECT-TO attribute restricts user access, allowing user-initiated outgoing connections only to the configured
host/port combinations. The CONNECT-TO restrictions are applied whenever the user tries to connect via SSH2 using
the SSH, SSHOSS, SFTP and SFTPOSS clients.
The value for this attribute can be one host/port range or a list of host/port ranges. A comma-separated list must be
enclosed in parentheses.
Each host/port range is a pair consisting of a host and a port range, separated by a colon: <host>:<port-range>. A port
range can be a single port, a single range of ports, or a list of ports and port ranges separated by '+' and enclosed in
brackets.
Examples for valid values for CONNECT-TO include:
103.10.0.47:22
1.2.3.4:1025-1999
yourhost.domain.com:[2013]
abc.domain.com:[2013-2100]
(xyz.domain.com:[22 + 2013-2100 + 5000-5099], 4.5.6.7:[300-301 + 5555])
FORWARD-FROM
The attribute FORWARD-FROM restricts a user’s ability to do port forwarding. It restricts the set of hosts that can use
forwarding tunnels opened by a specific user.
The value can be one host pattern or a list of patterns used to match the address or name of the client system connecting
to SSH2 on a NonStop™ server.
Please see the description for the CONNECT-FROM attribute for examples.
LIKE
When specified, the new restriction profile record is first initialized with the values taken from the
<existing-restriction-profile-name> restriction profile record. Then the new restriction profile name and any other
attributes specified in the ADD RESTRICTION-PROFILE command are applied before the new restriction profile record is added.
PERMIT-LISTEN
The PERMIT-LISTEN attribute restricts a user’s ability to do port forwarding. Only the configured ports are allowed for
listening on the host opening the forwarding tunnel.
The configuration requires the specification of a host and a port range, but for PERMIT-LISTEN the "host" must be either
0.0.0.0 (indicating that gateway ports follow after the ':') or 127.0.0.1 (indicating that non-gateway ports follow).
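The following is an added example, not code from the manual or from the NonStop SSH product. It serves both the CONNECT-TO section above and the PERMIT-LISTEN section: a Python parser for the <host>:<port-range> syntax (single port, port range, or a bracketed '+'-separated list, optionally wrapped in a parenthesized comma-separated list), a check of whether an outgoing connection to a given host and port falls inside a CONNECT-TO value, and a validator that applies the PERMIT-LISTEN rule that the host must be 0.0.0.0 or 127.0.0.1. Exact, case-insensitive comparison of the configured host against the requested host is an assumption; the manual does not describe wildcards for CONNECT-TO hosts.

```python
def split_list(value):
    """Split a value into entries: one entry stands alone, a list is
    comma-separated and enclosed in parentheses."""
    value = value.strip()
    if value.startswith("(") and value.endswith(")"):
        value = value[1:-1]
    return [e.strip() for e in value.split(",") if e.strip()]


def parse_port_range(text):
    """Parse a port range into a list of (low, high) tuples.

    Accepts a single port ("22"), a range ("1025-1999"), or a bracketed
    list of ports and ranges joined by '+' ("[22 + 2013-2100 + 5000-5099]").
    """
    text = text.strip()
    if text.startswith("[") and text.endswith("]"):
        parts = [p.strip() for p in text[1:-1].split("+")]
    else:
        parts = [text]
    ranges = []
    for part in parts:
        if not part:
            raise ValueError(f"empty port entry in {text!r}")
        if "-" in part:
            lo_s, hi_s = part.split("-", 1)
            lo, hi = int(lo_s), int(hi_s)
        else:
            lo = hi = int(part)
        if not 0 < lo <= hi <= 65535:
            raise ValueError(f"invalid port range {part!r}")
        ranges.append((lo, hi))
    return ranges


def parse_host_port(entry):
    """Parse one <host>:<port-range> entry into (host, ranges)."""
    host, sep, ports = entry.strip().partition(":")
    if not sep or not host.strip():
        raise ValueError(f"expected <host>:<port-range>, got {entry!r}")
    return host.strip(), parse_port_range(ports)


def parse_host_port_list(value):
    """Parse a CONNECT-TO or PERMIT-LISTEN value into [(host, ranges), ...]."""
    return [parse_host_port(e) for e in split_list(value)]


def connect_allowed(value, host, port):
    """True if an outgoing connection to host:port is inside the CONNECT-TO value."""
    for allowed_host, ranges in parse_host_port_list(value):
        # Assumption: the configured host is compared exactly (case-insensitively).
        if allowed_host.lower() == host.lower():
            if any(lo <= port <= hi for lo, hi in ranges):
                return True
    return False


# PERMIT-LISTEN only accepts these two "hosts"; the manual gives their meaning.
PERMIT_LISTEN_HOSTS = {"0.0.0.0": "gateway", "127.0.0.1": "non-gateway"}


def permit_listen_error(value):
    """Return None if the PERMIT-LISTEN value is well-formed, else an error string."""
    try:
        entries = parse_host_port_list(value)
    except ValueError as exc:
        return str(exc)
    for host, _ in entries:
        if host not in PERMIT_LISTEN_HOSTS:
            return f"PERMIT-LISTEN host must be 0.0.0.0 or 127.0.0.1, got {host!r}"
    return None


def permit_listen_ports(value):
    """Return [(kind, ranges), ...] where kind is 'gateway' or 'non-gateway'."""
    return [(PERMIT_LISTEN_HOSTS[h], r) for h, r in parse_host_port_list(value)]


if __name__ == "__main__":
    # Constructed sample checks against the manual's example values.
    value = "(xyz.domain.com:[22 + 2013-2100 + 5000-5099], 4.5.6.7:[300-301 + 5555])"
    for host, port in [("xyz.domain.com", 2050), ("xyz.domain.com", 2101), ("4.5.6.7", 5555)]:
        print(host, port, "->", "allowed" if connect_allowed(value, host, port) else "rejected")
    print(permit_listen_error("0.0.0.0:[2013-2100]"))
    print(permit_listen_error("10.0.0.1:22"))
```

Because every port entry is range-checked on parse, a malformed profile value is rejected before it can be stored, which is usually preferable to a restriction that silently fails open at connection time.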
PERMIT-OPEN
The PERMIT-OPEN attribute restricts a user’s ability to do port forwarding.
186 SSHCOM Command Reference HP NonStop SSH Reference Manual