SSH Reference Manual

Only the configured host/port combinations are allowed for <targethost> and <targetport> when port forwarding is
specified, such as in the following example:
ssh -L <localport>:<targethost>:<targetport> <user>@<host>
ssh -R <remoteport>:<targethost>:<targetport> <user>@<host>
The PERMIT-OPEN attribute corresponds to the OpenSSH parameter permitopen=.
If localhost or 127.0.0.1 is specified as <targethost>, then the specified <host> is used for restriction checking.
The PERMIT-OPEN restrictions are applied whenever the user tries to establish a local port forwarding channel via
SSH2 using the SSH and SSHOSS clients.
For the format of the attribute value and examples, see the CONNECT-TO attribute section. The format of values
for PERMIT-OPEN and CONNECT-TO is the same; the values are only interpreted differently.
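The restriction check described above, modelled in Python as an added example (not code from the manual or from NonStop SSH). The pre-parsed entry layout, the exact case-insensitive host comparison and the example.com host names are assumptions made for illustration.

```python
# Added illustration: a model of the PERMIT-OPEN check described above,
# not NonStop SSH code. Entry layout and exact-host matching are assumptions.

LOOPBACK = {"localhost", "127.0.0.1"}

def effective_target(targethost, ssh_host):
    """Apply the manual's rule: a loopback <targethost> is checked as <host>."""
    return ssh_host if targethost.lower() in LOOPBACK else targethost

def port_allowed(port, ranges):
    """ranges is a list of (low, high) tuples; a single port is (p, p)."""
    return any(low <= port <= high for low, high in ranges)

def permit_open_allows(entries, targethost, targetport, ssh_host):
    """Return True if a forwarding request matches any PERMIT-OPEN entry.

    entries: list of (host, ranges) pairs, already parsed (assumed layout).
    """
    host = effective_target(targethost, ssh_host).lower()
    return any(
        host == allowed_host.lower() and port_allowed(targetport, ranges)
        for allowed_host, ranges in entries
    )

# Constructed sample profile: db01 on 5432, web01 on 80 and 8000-8099.
SAMPLE_ENTRIES = [
    ("db01.example.com", [(5432, 5432)]),
    ("web01.example.com", [(80, 80), (8000, 8099)]),
]

def audit(requests, entries=SAMPLE_ENTRIES):
    """Evaluate (targethost, targetport, ssh_host) requests; return decisions."""
    return [
        (t, p, h, effective_target(t, h), permit_open_allows(entries, t, p, h))
        for t, p, h in requests
    ]

if __name__ == "__main__":
    constructed = [
        ("localhost", 5432, "db01.example.com"),        # checked as db01:5432
        ("127.0.0.1", 22, "db01.example.com"),          # checked as db01:22
        ("web01.example.com", 8042, "gw.example.com"),  # inside 8000-8099
        ("localhost", 80, "gw.example.com"),            # checked as gw:80
    ]
    for row in audit(constructed):
        print(row)
```

When reviewing a profile, list the host the user logs in to, since that is the name a loopback <targethost> is checked under.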
ALTER RESTRICTION-PROFILE
The ALTER RESTRICTION-PROFILE command changes one or more attributes of an existing restriction profile and
has the following syntax:
ALTER RESTRICTION-PROFILE <profile-name>
[,COMMENT <comment> | "<comment containing spaces>" ]
[,CONNECT-FROM <host-pattern> | ( <host-pattern>, <host-pattern>, ... ) ]
[,CONNECT-TO <host-ports> | ( <host-ports>, <host-ports>, ... ) ]
[,PERMIT-LISTEN <host-ports> | ( <host-ports>, <host-ports>, ... ) ]
[,PERMIT-OPEN <host-ports> | ( <host-ports>, <host-ports>, ... ) ]
[,FORWARD-FROM <host-pattern> | ( <host-pattern>, <host-pattern>, ... ) ]
The <profile-name> is mandatory in the command, and no wildcards are allowed in the profile name. At least one
attribute must be specified in the command.
The individual attributes have the following meaning and syntax:
<profile-name>
The name of the restriction profile to be altered.
<comment>
A comment describing the restriction profile. If the comment contains spaces, it must be enclosed in double quotes.
<host-pattern>
One or more patterns used to match addresses or names of hosts. Wildcard characters '*' (any number of characters) and
'?' (one character) are allowed. The '~' is supported for expressing negation.
<host-ports>
Specifies a pair of host addresses or names and port ranges, separated by a colon. A port range can be either one port,
one port range or a list of port ranges separated by '+' and enclosed in brackets.
COMMENT
Enables users to enter free text to describe the entity or provide a short explanation of the intended use of the entity. All
comment text must be enclosed in double quotes if the comment includes spaces.
The content will not be used for any processing.
CONNECT-FROM
The attribute CONNECT-FROM restricts which host systems a user can connect from. Whenever an incoming
connection for the user is accepted, the CONNECT-FROM restrictions are applied.
HP NonStop SSH Reference Manual SSHCOM Command Reference 187