
ALTER RESTRICTION-PROFILE

In document HP NonStop SSH Reference Manual (Page 99-101)

The ALTER RESTRICTION-PROFILE command changes one or more attributes of an existing restriction profile and has the following syntax:

ALTER RESTRICTION-PROFILE <profile-name>
[,COMMENT <comment> | "<comment containing spaces>" ]
[,CONNECT-FROM <host-pattern> | ( <host-pattern>, <host-pattern>, ... ) ]
[,CONNECT-TO <host-ports> | ( <host-ports>, <host-ports>, ... ) ]
[,PERMIT-LISTEN <host-ports> | ( <host-ports>, <host-ports>, ... ) ]
[,PERMIT-OPEN <host-ports> | ( <host-ports>, <host-ports>, ... ) ]
[,FORWARD-FROM <host-pattern> | ( <host-pattern>, <host-pattern>, ... ) ]

The <profile-name> is mandatory in the command, and no wildcards are allowed in the profile name. At least one attribute needs to be specified in the command.

The individual attributes have the following meaning and syntax:

<profile-name>

The name of the restriction profile to be altered.

<comment>

A comment describing the restriction profile. If the comment contains spaces, it must be enclosed in double quotes.

<host-pattern>

One or more patterns used to match addresses or names of hosts. Wildcard characters '*' (any number of characters) and '?' (one character) are allowed. The '~' is supported for expressing negation.

<host-ports>

Specifies a pair of host addresses or names and port ranges, separated by a colon. A port range can be either one port, one port range or a list of port ranges separated by '+' and enclosed in brackets.

COMMENT

Enables users to enter free text to describe the entity or provide a short explanation of the intended use of the entity. All comment text must be enclosed in double quotes if the comment includes spaces.

The content will not be used for any processing.

CONNECT-FROM

The attribute CONNECT-FROM restricts which host systems a user can connect from. Whenever an incoming connection for the user is accepted, the CONNECT-FROM restrictions are applied. The value can be one host pattern or a list of patterns used to match the address or name of the client system connecting to SSH2 on the NonStop server. The format of each pattern and the pattern matching done is the same as in OpenSSH for parameter from=.

If a list is specified, it must be enclosed in parentheses.

One pattern represents a host name or its IP address and can include wildcard characters '*' (matching any number of characters) and '?' (matching exactly one character). A pattern may be prefixed by '~' indicating negation, that is, if the matching pattern is preceded by a tilde, the incoming connection will be rejected.

Examples for valid CONNECT-FROM values include:

103.10.0.37
dev*
(34.45.56.*, ~34.45.56.12)
(201.30.*.*, tandem1, 120.10.20.?, ~ 120.10.20.7)
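As an added illustration (not code from the manual or from the SSH2 product), the following Python evaluates a client address or name against a CONNECT-FROM value using the wildcard and negation rules above. It assumes OpenSSH from= precedence, which the manual says the matching follows: a matching negated pattern rejects the client wherever it sits in the list, and otherwise at least one non-negated pattern must match.

```python
import re

def parse_host_patterns(value: str) -> list[str]:
    """Split a CONNECT-FROM value into its patterns: either a single
    pattern or a parenthesised, comma-separated list such as
    "(34.45.56.*, ~34.45.56.12)"."""
    value = value.strip()
    if value.startswith("(") and value.endswith(")"):
        value = value[1:-1]
    return [p.strip() for p in value.split(",") if p.strip()]

def _host_pattern_to_regex(pattern: str) -> str:
    # '*' matches any run of characters, '?' exactly one; everything
    # else (dots included) is literal, so "120.10.20.?" does not match
    # "120.10.20.10".
    parts = []
    for ch in pattern:
        parts.append(".*" if ch == "*" else "." if ch == "?" else re.escape(ch))
    return "".join(parts)

def connect_from_allows(value: str, client: str) -> bool:
    """Return True if the client's address or name passes the CONNECT-FROM
    value. Assumption (OpenSSH from= semantics): a matching '~'-negated
    pattern rejects the client regardless of its position in the list;
    otherwise at least one non-negated pattern must match."""
    positive, negative = [], []
    for pat in parse_host_patterns(value):
        if pat.startswith("~"):
            negative.append(pat[1:].strip())  # tolerate "~ 120.10.20.7"
        else:
            positive.append(pat)
    if any(re.fullmatch(_host_pattern_to_regex(n), client) for n in negative):
        return False
    return any(re.fullmatch(_host_pattern_to_regex(p), client) for p in positive)

if __name__ == "__main__":
    # Constructed checks against the manual's own example value
    profile = "(201.30.*.*, tandem1, 120.10.20.?, ~ 120.10.20.7)"
    for host in ("201.30.1.2", "tandem1", "120.10.20.9", "120.10.20.7", "120.10.20.10"):
        print(host, "->", "accept" if connect_from_allows(profile, host) else "reject")
```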

CONNECT-TO

The CONNECT-TO attribute restricts a user’s outgoing connections to configured host/port combinations. The CONNECT-TO restrictions are applied whenever the user tries to connect via SSH2 using SSH, SSHOSS, SFTP and SFTPOSS clients.

The value for this attribute can be one host/port range or a list of host/port ranges. A comma-separated list must be enclosed in parentheses.

Each host/port range is a pair of host and port ranges, separated by a colon, as follows: <host>:<port-range>. A port range can be a single port, a single port range or a list of ports and port ranges separated by + and enclosed in brackets.

Examples of valid values for CONNECT-TO include:

103.10.0.47:22
1.2.3.4:1025-1999
yourhost.domain.com:[2013]
abc.domain.com:[2013-2100]
(xyz.domain.com:[22 + 2013-2100 + 5000-5099], 4.5.6.7:[300-301 + 5555])

FORWARD-FROM

The FORWARD-FROM attribute restricts a user’s ability to do port forwarding, enabling only a specified set of hosts to use forwarding tunnels opened by a given user.

The value can be one host pattern or a list of patterns used to match the address or name of the client system connecting to SSH2 on a NonStop server.

Please see the section on the CONNECT-FROM attribute for examples.

PERMIT-LISTEN

The PERMIT-LISTEN attribute restricts a user’s ability to do port forwarding, enabling only a specified set of hosts to use forwarding tunnels opened by a given user. Only the configured ports are allowed for listening on the host opening the forwarding tunnel.

The configuration requires the specification of a host and a port range, but for PERMIT-LISTEN the "host" must either be 0.0.0.0 (indicating gateway ports to follow after the ':') or 127.0.0.1 (indicating non-gateway ports to follow).

PERMIT-OPEN

The PERMIT-OPEN attribute limits a user’s ability to do port forwarding to only specific host/port combinations. Configurations are allowed for <targethost> and <targetport> when port forwarding is specified as follows:

ssh -L <localport>:<targethost>:<targetport> <user>@<host>
ssh -R <remoteport>:<targethost>:<targetport> <user>@<host>

The PERMIT-OPEN attribute corresponds to the OpenSSH parameter permitopen=. If localhost or 127.0.0.1 is specified as <targethost>, then the specified <host> is used for restriction checking.

The PERMIT-OPEN restrictions are applied whenever the user tries to establish a local port forwarding channel via SSH2 using the SSH and SSHOSS clients.

For formats and examples of the attribute value, please see the CONNECT-TO section. The format of values for PERMIT-OPEN and CONNECT-TO are the same. The values are just interpreted differently.
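The <host>:<port-range> value format is shared by CONNECT-TO and PERMIT-OPEN (and PERMIT-LISTEN, with its fixed 0.0.0.0 / 127.0.0.1 host). As an added example that is not code from the manual or the SSH2 product, the Python below parses that format, including the bracketed '+'-separated port lists, and checks whether a host/port pair falls inside a configured value; it assumes hosts in these values are exact names or addresses compared case-insensitively, and it does not model PERMIT-OPEN's substitution of <host> for localhost targets.

```python
import re

def parse_port_ranges(spec: str) -> list[tuple[int, int]]:
    """Parse the <port-range> part: a single port ("22"), one range
    ("1025-1999"), or a bracketed '+'-separated list of both
    ("[22 + 2013-2100 + 5000-5099]"). Returns inclusive (low, high) pairs."""
    spec = spec.strip()
    if spec.startswith("[") and spec.endswith("]"):
        spec = spec[1:-1]
    ranges = []
    for item in spec.split("+"):
        item = item.strip()
        m = re.fullmatch(r"(\d+)(?:-(\d+))?", item)
        if not m:
            raise ValueError(f"bad port range: {item!r}")
        low = int(m.group(1))
        high = int(m.group(2)) if m.group(2) else low
        # Reject reversed or out-of-bounds ranges instead of silently
        # permitting nothing (or everything).
        if not 1 <= low <= high <= 65535:
            raise ValueError(f"invalid port range: {item!r}")
        ranges.append((low, high))
    return ranges

def parse_host_ports(value: str) -> list[tuple[str, list[tuple[int, int]]]]:
    """Split a CONNECT-TO / PERMIT-OPEN value into (host, ranges) entries.
    Accepts one <host>:<port-range> or a parenthesised comma-separated
    list. Splitting on the first ':' keeps bracketed port lists intact."""
    value = value.strip()
    if value.startswith("(") and value.endswith(")"):
        value = value[1:-1]
    entries = []
    for item in value.split(","):
        host, sep, ports = item.strip().partition(":")
        if not sep or not host.strip():
            raise ValueError(f"expected <host>:<port-range>, got {item!r}")
        entries.append((host.strip(), parse_port_ranges(ports)))
    return entries

def host_port_allowed(value: str, host: str, port: int) -> bool:
    """True if host/port falls inside one configured entry. Assumption: host
    entries are exact names or addresses (the manual's CONNECT-TO examples
    show no wildcards) and names compare case-insensitively."""
    return any(
        h.lower() == host.lower() and any(lo <= port <= hi for lo, hi in ranges)
        for h, ranges in parse_host_ports(value)
    )
```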
