SSH Reference Manual
The value can be one host pattern or a list of patterns used to match the address or name of the client system connecting to SSH2 on the NonStop server. The format of each pattern, and the pattern matching performed, are the same as for the OpenSSH parameter from=.

If a list is specified, it must be enclosed in parentheses.

One pattern represents a host name or its IP address and can include the wildcard characters '*' (matching any number of characters) and '?' (matching exactly one character). A pattern may be prefixed by '~' to indicate negation, that is, if the incoming connection matches a pattern preceded by a tilde, the connection is rejected.

Examples of valid CONNECT-FROM values include:
103.10.0.37
dev*
(34.45.56.*, ~34.45.56.12)
(201.30.*.*, tandem1, 120.10.20.?, ~ 120.10.20.7)
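The pattern rules above (wildcards, tilde negation, parenthesised lists) can be exercised with the following matcher. It is an added example, not code from the manual or from the NonStop SSH product; it follows the OpenSSH from= evaluation rule the manual refers to (a matching negated pattern rejects, otherwise at least one positive pattern must match) and tries both the client's address and, if supplied, its resolved name. Names and sample inputs are constructed for illustration.

```python
import re

# Added example, not code from the HP NonStop SSH product: a matcher for
# CONNECT-FROM / FORWARD-FROM host patterns as the manual describes them
# ('*' = any run of characters, '?' = exactly one, leading '~' = negation,
# a parenthesised comma-separated list for several patterns).


def _pattern_to_regex(pattern):
    """Translate one host pattern into an anchored, case-insensitive regex."""
    out = []
    for ch in pattern:
        if ch == "*":
            out.append(".*")
        elif ch == "?":
            out.append(".")
        else:
            out.append(re.escape(ch))      # dots in IP addresses stay literal
    return re.compile("^" + "".join(out) + "$", re.IGNORECASE)


def parse_connect_from(value):
    """Return a list of (negated, compiled_regex) pairs for a CONNECT-FROM value."""
    value = value.strip()
    if value.startswith("(") and value.endswith(")"):
        items = value[1:-1].split(",")
    else:
        items = [value]
    rules = []
    for item in items:
        item = item.strip()
        negated = item.startswith("~")
        if negated:
            item = item[1:].strip()        # the manual's example allows "~ 120.10.20.7"
        if not item:
            raise ValueError("empty pattern in CONNECT-FROM value %r" % value)
        rules.append((negated, _pattern_to_regex(item)))
    return rules


def connect_from_allows(value, client_addr, client_name=None):
    """Decide whether a client is accepted, using the OpenSSH from= rule the
    manual refers to: a matching negated pattern rejects outright, otherwise
    the client is accepted only if at least one positive pattern matches.
    Both the client's IP address and (if known) its resolved name are tried."""
    candidates = [client_addr] + ([client_name] if client_name else [])
    positive_match = False
    for negated, rx in parse_connect_from(value):
        if any(rx.match(c) for c in candidates):
            if negated:
                return False               # negation wins regardless of list order
            positive_match = True
    return positive_match


if __name__ == "__main__":
    # Constructed sample addresses; the pattern list is the manual's own example.
    rule = "(201.30.*.*, tandem1, 120.10.20.?, ~ 120.10.20.7)"
    for addr in ("201.30.5.6", "120.10.20.7", "120.10.20.9", "120.10.20.10"):
        print(addr, "->", "accept" if connect_from_allows(rule, addr) else "reject")
```

Note that '?' matches exactly one character, so 120.10.20.? admits 120.10.20.9 but not 120.10.20.10, and that a negated pattern rejects even when it appears before the positive pattern that would otherwise admit the client.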
CONNECT-TO
The CONNECT-TO attribute restricts a user's outgoing connections to configured host/port combinations. The CONNECT-TO restrictions are applied whenever the user tries to connect via SSH2 using the SSH, SSHOSS, SFTP and SFTPOSS clients.

The value for this attribute can be one host/port range or a list of host/port ranges. A comma-separated list must be enclosed in parentheses.

Each host/port range is a host and a port range separated by a colon, as follows: <host>:<port-range>. A port range can be a single port, a single range of ports (such as 1025-1999), or a list of ports and port ranges separated by + and enclosed in brackets.

Examples of valid values for CONNECT-TO include:
103.10.0.47:22
1.2.3.4:1025-1999
yourhost.domain.com:[2013]
abc.domain.com:[2013-2100]
(xyz.domain.com:[22 + 2013-2100 + 5000-5099], 4.5.6.7:[300-301 + 5555])
FORWARD-FROM
The FORWARD-FROM attribute restricts a user's ability to do port forwarding, enabling only a specified set of hosts to use forwarding tunnels opened by a given user.

The value can be one host pattern or a list of patterns used to match the address or name of the client system connecting to SSH2 on a NonStop server.

Please see the section on the CONNECT-FROM attribute for examples.
PERMIT-LISTEN
The PERMIT-LISTEN attribute restricts a user's ability to do port forwarding, enabling only a specified set of hosts to use forwarding tunnels opened by a given user. Only the configured ports are allowed for listening on the host opening the forwarding tunnel.

The value consists of a host and a port range, but for PERMIT-LISTEN the "host" must be either 0.0.0.0 (indicating that gateway ports follow after the ':') or 127.0.0.1 (indicating that non-gateway ports follow).
PERMIT-OPEN
The PERMIT-OPEN attribute limits a user's ability to do port forwarding to specific host/port combinations only.

The restriction applies to the <targethost> and <targetport> given when port forwarding is requested as follows:
ssh -L <localport>:<targethost>:<targetport> <user>@<host>
ssh -R <remoteport>:<targethost>:<targetport> <user>@<host>

The PERMIT-OPEN attribute corresponds to the OpenSSH parameter permitopen=.

If localhost or 127.0.0.1 is specified as <targethost>, then the specified <host> is used for restriction checking.
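The <host>:<port-range> syntax shared by CONNECT-TO and PERMIT-OPEN, and the localhost substitution rule just stated, can be checked with the following parser. It is an added example, not code from the manual or from the NonStop SSH product. It assumes that hosts in these attributes are compared literally and case-insensitively (the manual shows no wildcards for them) and does not handle IPv6 literals; the function names and sample inputs are constructed for illustration.

```python
import re

# Added example, not code from the HP NonStop SSH product: a parser and checker
# for the <host>:<port-range> lists used by CONNECT-TO and PERMIT-OPEN, plus the
# PERMIT-OPEN rule that a localhost/127.0.0.1 target is checked as the SSH host.
# Assumptions: hosts are compared literally and case-insensitively (the manual
# shows no wildcards for these attributes), and IPv6 literals are not handled.

_PORT_RE = re.compile(r"^(\d{1,5})(?:-(\d{1,5}))?$")


def parse_port_spec(spec):
    """Return [(low, high), ...] for '22', '1025-1999' or '[22 + 2013-2100 + 5000-5099]'."""
    spec = spec.strip()
    if spec.startswith("[") and spec.endswith("]"):
        parts = spec[1:-1].split("+")
    else:
        parts = [spec]
    ranges = []
    for part in parts:
        m = _PORT_RE.match(part.strip())
        if not m:
            raise ValueError("bad port range %r" % part)
        low = int(m.group(1))
        high = int(m.group(2)) if m.group(2) else low
        if not 1 <= low <= high <= 65535:
            raise ValueError("port range %r out of order or out of bounds" % part)
        ranges.append((low, high))
    return ranges


def parse_host_port_list(value):
    """Return [(host, [(low, high), ...]), ...] for one entry or a parenthesised list."""
    value = value.strip()
    if value.startswith("(") and value.endswith(")"):
        items = value[1:-1].split(",")
    else:
        items = [value]
    rules = []
    for item in items:
        host, sep, ports = item.strip().rpartition(":")
        if not sep or not host.strip():
            raise ValueError("expected <host>:<port-range>, got %r" % item)
        rules.append((host.strip().lower(), parse_port_spec(ports)))
    return rules


def target_allowed(value, host, port):
    """True if host:port is covered by some entry of a CONNECT-TO / PERMIT-OPEN value."""
    host = host.lower()
    for rule_host, ranges in parse_host_port_list(value):
        if rule_host == host and any(low <= port <= high for low, high in ranges):
            return True
    return False


def parse_forward_spec(spec):
    """Split the '<port>:<targethost>:<targetport>' argument of ssh -L / -R."""
    listen_port, target_host, target_port = spec.split(":")
    return int(listen_port), target_host, int(target_port)


def permit_open_allows(value, forward_spec, ssh_host):
    """Check a -L/-R request against PERMIT-OPEN. Per the manual, a target of
    localhost or 127.0.0.1 is checked as the <host> the user connected to."""
    _, target_host, target_port = parse_forward_spec(forward_spec)
    if target_host.lower() in ("localhost", "127.0.0.1"):
        target_host = ssh_host
    return target_allowed(value, target_host, target_port)


if __name__ == "__main__":
    # Constructed sample requests; the attribute value is the manual's own example.
    value = "(xyz.domain.com:[22 + 2013-2100 + 5000-5099], 4.5.6.7:[300-301 + 5555])"
    for host, port in (("xyz.domain.com", 2050), ("xyz.domain.com", 2101), ("4.5.6.7", 5555)):
        print(host, port, "->", "allowed" if target_allowed(value, host, port) else "denied")
```

The parser rejects reversed or out-of-bounds ranges with a ValueError rather than silently allowing nothing, which is the behaviour an administrator validating an SSHCOM attribute value would want to see before the value is applied to a user.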
188 • SSHCOM Command Reference  HP NonStop SSH Reference Manual 