
ALTER USER

In document HP NonStop SSH Reference Manual (Page 90-95)

The ALTER USER command changes one or more attributes of an existing user and has the following syntax:

ALTER USER <user-name>
    [,ALLOW-CI yes|no ]
    [,ALLOW-PTY yes|no ]
    [,ALLOW-SHELL yes|no ]
    [,ALLOW-TCP-FORWARDING yes|no ]
    [,ALLOWED-AUTHENTICATIONS ( <method>, <method>, ... ) ]
    [,ALLOWED-SUBSYSTEMS ( <subsystem>, <subsystem>, ... ) ]
    [,ALLOW-GATEWAY-PORTS yes|no ]
    [,CI-COMMAND [ <command> ] ]
    [,CI-PROGRAM [ <filename> | *MENU* | *MENU* <service> [ FORCE ] ] ]
    [,COMMENT <comment> | "<comment containing spaces>" ]
    [,CPU-SET [ <cpu> | <cpu-range> | ( <cpu-range-list> ) ] ]
    [,DELETE PUBLICKEY { <key-name> | * } ]...
    [,PRIORITY -1 | <priority> ]
    [,PUBLICKEY <key-name> { FINGERPRINT <fingerprint-value> | FILE <filename> } ]...
    [,RESET { SFTP-INITIAL-DIRECTORY | SYSTEM-USER | SFTP-SECURITY | SFTP-GUARDIAN-FILESET | SFTP-PRIORITY } ]
    [,RESTRICTION-PROFILE [ <profile-name> ] ]
    [,SFTP-CPU-SET [ <cpu> | <cpu-range> | ( <cpu-range-list> ) ] ]
    [,SFTP-GUARDIAN-FILESET ( <pattern>, <pattern>, ... ) ]
    [,SFTP-INITIAL-DIRECTORY <directory-path> [ LOCKED ] ]
    [,SFTP-PRIORITY [ <number> ] ]
    [,SFTP-SECURITY ( [ <sftp-attr> ] [, <sftp-attr> ] ... ) ]
    [,SHELL-COMMAND [ <command> ] ]
    [,SHELL-ENVIRONMENT [ <filename> ] ]
    [,SHELL-PROGRAM [ <path> | *MENU* | *MENU* <service> [ FORCE ] ] ]
    [,SYSTEM-USER <system-user-name> | *NONE* ]

The <user-name> is mandatory in the command; no wild cards are allowed in the user name. At least one attribute needs to be specified in the command.

The individual attributes have the following meaning and syntax:

ALLOW-CI

This attribute controls whether a TACL or a specific command interpreter given by CI-PROGRAM should be started upon a shell request of a client that allocated a 6530 pseudo TTY (such as 6530 SSH clients, MR-Win6530, and J6530).

ALLOW-GATEWAY-PORTS

This attribute is used to grant or deny gateway ports in the case of port forwarding initiated by a specific user. If the value of this attribute is YES, then any port forwarding request with SSH option "-g" will be rejected by SSH2.

ALLOW-PTY

This attribute is used to grant or deny the ability to allocate a pseudo TTY for a session. The pseudo TTY enables the user to execute full screen interactive applications, such as Emacs or vi.

ALLOW-SHELL

This attribute is used to grant or deny shell access to the user.

ALLOW-TCP-FORWARDING

This attribute is used to grant or deny port forwarding for this user.

ALLOWED-AUTHENTICATIONS

This attribute is used to specify the authentication mechanisms that are allowed for this user. <method> is one of the following authentication methods currently supported by SSH2:

• password: Password authentication using the NonStop system's password authentication mechanism. The password is validated against the SYSTEM-USER's password.

• publickey: Public key authentication using the PUBLIC-KEYs configured for this user.

• keyboard-interactive: Authentication according to RFC 4256 mapped to the standard GUARDIAN user authentication dialog verifying the SYSTEM-USER's password, as well as taking care of exceptions such as password expiry.

• none: Grants access without authentication. This is useful for users connecting to an application requiring its own authentication, e.g. if you configure a PATHWAY PROGRAM as CI-PROGRAM.

CAUTION: When specifying ALLOWED-AUTHENTICATIONS (none), user access should be properly locked down to avoid security breaches that bypass any authentication (e.g. by setting SYSTEM-USER *NONE*).

ALLOWED-SUBSYSTEMS

This attribute is used to control access to specific subsystems. <subsystem> is one of the following subsystems provided by SSH2:

• SFTP: The SFTP subsystem allows the user to transfer files with the SFTP transfer protocol.

• TACL: The TACL subsystem provides direct TACL access without requiring OSS on the NonStop server.

CI-COMMAND

This attribute specifies the startup string to be passed to CI-PROGRAM. Specify CI-COMMAND without <command> to reset the attribute to its default (empty startup string).

CI-COMMAND is ignored if CI-PROGRAM is set to *MENU*.

CI-PROGRAM

Sets the command interpreter to be started on a 6530 pseudo TTY after the user is authenticated. <filename> is the name of the command interpreter's object file and must be a local file name.

If you omit <filename>, CI-PROGRAM will be reset to its default (TACL). If *MENU* is specified, the 6530 shell is connected to the service menu provided by the STN PTYSERVER. This resembles the functionality of TELSERV, which provides dynamic services as well as services connecting to static windows. The services offered by the STN PTYSERVER process can be configured using STNCOM.

ALLOW-PTY must be set to YES for this attribute to be accepted for 6530 SSH clients, such as MR-Win6530 or J6530.

If *MENU* is followed by a service or window name, the corresponding service or window is automatically selected. If the service or window does not exist, the STN menu will be displayed. If the option FORCE is appended, then the user is forced to use the pre-configured STN service or window. In this case the user will not see the STN menu, even when the configured service or window does not exist.

COMMENT

Enables administrators to input free text that describes an entity or provides a short explanation of the intended use of the entity. The entire comment must be enclosed in double quotes if the comment includes spaces. The content will not be used for any processing.

CPU-SET

Defines a set of CPUs used when processes (except SFTPSERV processes) are invoked directly by SSH2 (for SFTPSERV processes the attribute SFTP-CPU-SET is used instead). CPUs are assigned via a round-robin algorithm among all the configured CPUs that are available.

The value can be a CPU number (e.g. 2), a range of CPUs (e.g. 3-4), or a comma-separated list of CPU numbers and CPU ranges, enclosed in parentheses, e.g. (2, 5-7, 9).

The default is to start user processes in the same CPU in which the SSH2 process is running. In this case, the processing load is spread by using multiple SSH2 processes and starting these SSH2 processes in different CPUs.

If no value is specified, the value will be reset to the default.

DELETE PUBLICKEY

This attribute deletes the public key identified by <key-name>.

PUBLICKEY

This attribute is used to add or alter a public key with the provided <key-name>. For details on the syntax of that attribute, please see the "ADD USER" command.

To delete a specific public key for a user, use the DELETE PUBLICKEY <key-name> attribute syntax. To delete all public keys for a user, use the DELETE PUBLICKEY * attribute syntax. Both the PUBLICKEY and the DELETE PUBLICKEY attributes can be repeated multiple times within a single ALTER USER command.

RESET

This option is used to reset an attribute of the current user to the default value. For each attribute that should be reset, there must be a separate occurrence of the RESET option. An attempt to set and reset an attribute will result in an error message.

The following attributes can be reset:

• SFTP-INITIAL-DIRECTORY

• SYSTEM-USER

• SFTP-SECURITY

• SFTP-PRIORITY

• SFTP-GUARDIAN-FILESET

RESTRICTION-PROFILE

Specifies the name of a RESTRICTION-PROFILE entity. If configured for a user, then the restrictions defined in the RESTRICTION-PROFILE record will be applied for all incoming and outgoing connections related to the user.

SFTP-CPU-SET

Defines a set of CPUs used when SFTPSERV processes are invoked directly by SSH2 (for non-SFTPSERV processes the attribute CPU-SET is used instead). CPUs are assigned via a round-robin algorithm among all the configured CPUs that are available.

The value can be a CPU number (e.g. 2), a range of CPUs (e.g. 3-4), or a comma-separated list of CPU numbers and CPU ranges, enclosed in parentheses, e.g. (2, 5-7, 9).

The default is to start user processes in the same CPU in which the SSH2 process is running. In this case, the processing load is spread by using multiple SSH2 processes and starting these SSH2 processes in different CPUs.

If no value is specified, the value will be reset to the default.
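The CPU-SET and SFTP-CPU-SET attributes share one value format, and both place processes round-robin over the configured CPUs that are available. The following is an added example, not code from the manual or from the SSH2 product, that parses that format in its three forms and performs the round-robin assignment, skipping a configured CPU that is currently unavailable. The upper CPU number of 15 is an assumption made for this example.

```python
from typing import List, Set

# Assumption made for this example: a NonStop node has CPUs numbered 0-15.
MAX_CPU = 15


def parse_cpu_set(spec: str) -> List[int]:
    """Parse a CPU-SET / SFTP-CPU-SET value in the three forms the manual
    describes: a CPU number ("2"), a range ("3-4") or a parenthesised,
    comma-separated list mixing both ("(2, 5-7, 9)").  Returns the CPUs in
    ascending order without duplicates; an empty value (attribute given
    with no value) means "reset to default" and yields []."""
    spec = spec.strip()
    if not spec:
        return []
    if spec.startswith("(") and spec.endswith(")"):
        spec = spec[1:-1]
    cpus: Set[int] = set()
    for item in spec.split(","):
        item = item.strip()
        if not item:
            raise ValueError("empty element in CPU list")
        if "-" in item:
            lo_s, hi_s = item.split("-", 1)
            lo, hi = int(lo_s), int(hi_s)
            if lo > hi:
                raise ValueError(f"descending range {item!r}")
            cpus.update(range(lo, hi + 1))
        else:
            cpus.add(int(item))
    bad = [c for c in cpus if not 0 <= c <= MAX_CPU]
    if bad:
        raise ValueError(f"CPU numbers out of range 0-{MAX_CPU}: {bad}")
    return sorted(cpus)


def assign_round_robin(cpus: List[int], available: Set[int], count: int) -> List[int]:
    """Hand out CPUs for `count` new processes round-robin over the configured
    set, skipping CPUs that are not currently available (e.g. a CPU that is down)."""
    usable = [c for c in cpus if c in available]
    if not usable:
        raise RuntimeError("none of the configured CPUs is available")
    return [usable[i % len(usable)] for i in range(count)]


if __name__ == "__main__":
    configured = parse_cpu_set("(2, 5-7, 9)")               # [2, 5, 6, 7, 9]
    # Constructed situation: CPU 7 is down, so it is skipped in the rotation.
    print(assign_round_robin(configured, {2, 5, 6, 9}, 6))  # [2, 5, 6, 9, 2, 5]
```

Because the rotation runs only over the intersection of the configured set and the available CPUs, a configured CPU that is down does not cause process starts to fail; an entirely unavailable set is reported instead of silently falling back to the SSH2 process's own CPU.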

SFTP-GUARDIAN-FILESET

A list of patterns identifying the GUARDIAN systems, volumes, subvolumes and files the user is allowed to access. The default for this attribute is as follows:

(\*.$*.*.*)

This enables access (limited by the SFTP-SECURITY attribute) to any GUARDIAN system, volume, subvolume, or file. In each pattern configured with the GUARDIAN file set, the '*' sign is used as a wildcard for any sequence of characters. The '?' sign is used in a pattern as a wildcard for one single character.
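The pattern rules just described ('*' for any sequence of characters, '?' for exactly one character, everything else literal) can be checked against fully qualified Guardian names before granting an SFTP request. The block below is an added example, not code from the manual or from SSH2; the fileset it tests is constructed, and case-insensitive comparison is an assumption made here because Guardian upper-cases file names.

```python
import re
from typing import Iterable

# Default fileset from the manual: any system, volume, subvolume and file.
DEFAULT_FILESET = ("\\*.$*.*.*",)


def guardian_pattern_to_regex(pattern: str) -> "re.Pattern[str]":
    """Compile one SFTP-GUARDIAN-FILESET pattern.  '*' stands for any
    sequence of characters and '?' for exactly one character; every other
    character, including '\\' and '$', is taken literally.  Case-insensitive
    matching is an assumption of this example."""
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("".join(parts), re.IGNORECASE)


def fileset_allows(fileset: Iterable[str], guardian_name: str) -> bool:
    """True if any pattern in the fileset matches the whole fully qualified
    Guardian name \\node.$volume.subvolume.file."""
    return any(guardian_pattern_to_regex(p).fullmatch(guardian_name) is not None
               for p in fileset)


if __name__ == "__main__":
    # Constructed fileset: one subvolume on any node, plus dated audit files
    # (an 'A' followed by exactly six characters) on NODE1 only.
    fileset = ("\\*.$DATA.PAYROLL.*", "\\NODE1.$AUDIT.LOGS.A??????")
    for name in ("\\NODE1.$DATA.PAYROLL.EMP", "\\NODE1.$DATA.HR.EMP",
                 "\\NODE1.$AUDIT.LOGS.A240101", "\\NODE2.$AUDIT.LOGS.A240101"):
        verdict = "allowed" if fileset_allows(fileset, name) else "denied"
        print(f"{name:32} {verdict}")
```

Note that because '*' matches any sequence of characters, including the '.' separator, a trailing '*' in the file position also matches names with additional qualifiers; patterns that are meant to pin a node or volume should spell it out rather than rely on '*'.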

SFTP-INITIAL-DIRECTORY

The initial directory on the server side that the user will access right after establishing the SFTP session. If the option LOCKED is used, the user is not allowed to leave that path, for example by issuing a "cd .." command. For example, if a value of "/home/jdoe" is used, only access to directories below it is allowed; access to upper-level directories such as "/home", "/usr" or "/" is not allowed.
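The confinement that LOCKED describes is a path-containment check: every requested path, relative or absolute, must still lie at or below the initial directory after '..' components are collapsed. The following is an added example of that check, not code from the manual or from SSH2; the directory names are constructed.

```python
import posixpath


class LockedDirectoryError(PermissionError):
    """Raised when a request would leave the locked SFTP-INITIAL-DIRECTORY."""


def resolve_locked(root: str, cwd: str, requested: str) -> str:
    """Resolve a client path (relative to cwd, or absolute) and verify that it
    stays at or below root.  The path is normalised first, so ".." and
    "x/../.." are collapsed before the comparison, and the comparison is made
    on whole components so that "/home/jdoe2" does not count as being below
    "/home/jdoe"."""
    root = posixpath.normpath(root)
    target = requested if requested.startswith("/") else posixpath.join(cwd, requested)
    target = posixpath.normpath(target)
    prefix = root if root.endswith("/") else root + "/"
    if target != root and not target.startswith(prefix):
        raise LockedDirectoryError(f"{requested!r} would leave locked directory {root}")
    return target


if __name__ == "__main__":
    root = "/home/jdoe"                                   # constructed value
    print(resolve_locked(root, root, "data"))             # /home/jdoe/data
    print(resolve_locked(root, "/home/jdoe/data", ".."))  # /home/jdoe
    for attempt in ("..", "data/../../etc", "/usr", "/home/jdoe2"):
        try:
            resolve_locked(root, root, attempt)
        except LockedDirectoryError as err:
            print("refused:", err)
```

The check operates on the lexical path only; a server must repeat it on the real path after following symbolic links, which is one reason SYMLINK is a separately grantable operation in SFTP-SECURITY.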

SFTP-PRIORITY

A number specifying the priority of the SFTPSERV processes for this user. Following are the meanings of the values allowed for this parameter:

Value    Meaning
1-199    use the given priority value
-1       use the same priority as the SSH2 process starting SFTPSERV

The default value is 100.

SFTP-SECURITY

This parameter is a comma-separated list of allowed operations for the user, with the operations enclosed in brackets. The following operations are available:

• LIST: allows perusal of files

• READ: allows downloading of files to the remote system

• WRITE: allows uploading of files from the remote system

• PURGE: allows deletion of files on the NonStop system

• RENAME: allows renaming of files on the NonStop system

• MKDIR: allows creation of directories on the NonStop system

• RMDIR: allows removal of directories on the NonStop system

• SYMLINK: allows creation of symbolic links on the NonStop system

• ALL: shortcut for all operations

• NONE: shortcut for no operation

Operations can be abbreviated as long as the abbreviation is unambiguous. Example:

• SFTP-SECURITY (WRITE,LIST)

  o will only allow perusal of files and uploading of files

  o can be abbreviated as SFTP-SECURITY (W,L)
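The abbreviation rule ("as long as the abbreviation is unambiguous") is worth seeing worked through, because several operations share a first letter: R could be READ, RENAME or RMDIR, so it must be rejected, while W and L expand cleanly. The block below is an added example, not code from the manual or from SSH2. Two details the manual does not state are assumptions of this example: an empty list grants nothing, and NONE combined with other operations is an error.

```python
from typing import FrozenSet, List

# Operations accepted by SFTP-SECURITY, in the manual's order.
OPERATIONS: List[str] = ["LIST", "READ", "WRITE", "PURGE", "RENAME",
                         "MKDIR", "RMDIR", "SYMLINK", "ALL", "NONE"]
CONCRETE_OPS: FrozenSet[str] = frozenset(OPERATIONS) - {"ALL", "NONE"}


def expand_operation(token: str) -> str:
    """Expand an abbreviation to the full operation name.  A prefix is
    accepted only if exactly one operation starts with it; "R" is rejected
    because READ, RENAME and RMDIR all match, "RE" because READ and RENAME do."""
    t = token.strip().upper()
    if not t:
        raise ValueError("empty operation")
    matches = [op for op in OPERATIONS if op.startswith(t)]
    if len(matches) == 1:
        return matches[0]
    if not matches:
        raise ValueError(f"unknown operation {token!r}")
    raise ValueError(f"ambiguous abbreviation {token!r}: one of {', '.join(matches)}")


def parse_sftp_security(value: str) -> FrozenSet[str]:
    """Turn an SFTP-SECURITY value such as "(W,L)" into the set of concrete
    operations granted.  ALL expands to every concrete operation and NONE to
    the empty set.  Assumptions of this example: an empty list grants
    nothing, and NONE may not be combined with other operations."""
    v = value.strip()
    if v.startswith("(") and v.endswith(")"):
        v = v[1:-1]
    tokens = [tok for tok in v.split(",") if tok.strip()]
    ops = {expand_operation(tok) for tok in tokens}
    if "NONE" in ops:
        if len(ops) > 1:
            raise ValueError("NONE cannot be combined with other operations")
        return frozenset()
    if "ALL" in ops:
        return CONCRETE_OPS
    return frozenset(ops)


if __name__ == "__main__":
    print(sorted(parse_sftp_security("(W,L)")))   # ['LIST', 'WRITE']
    for bad in ("(R)", "(RE)", "(NONE, LIST)"):
        try:
            parse_sftp_security(bad)
        except ValueError as err:
            print(f"{bad}: {err}")
```

Resolving abbreviations against the full operation list at configuration time, rather than at request time, means an ambiguous entry is caught when the administrator types it instead of silently granting a broader operation than intended.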

SHELL-COMMAND

This attribute specifies a forced command that is to be executed rather than any command given by an exec request from the SSH client. A forced command allows you to limit shell access to specific tasks or implement additional security measures. SSH2 retains the command given in the user's exec request in the SSH_ORIGINAL_COMMAND environment variable, so that a shell script can analyze and/or execute the original command.
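A forced command typically works as a dispatcher: it reads SSH_ORIGINAL_COMMAND, maps the request onto a fixed allow-list, and refuses anything else, including the case where the client asked for an interactive shell and the variable is therefore unset. The following is an added example of that decision logic, not code from the manual or from SSH2; in practice the forced command on OSS would be a shell script, and Python is used here only to make the policy explicit. The allowed command names and the program paths they map to are hypothetical.

```python
import os
import shlex
import sys
from typing import Dict, List, Optional

# Hypothetical policy for this example: the single word the client sends is
# looked up here and mapped to a fixed program path.  Paths are constructed.
ALLOWED: Dict[str, List[str]] = {
    "status": ["/bin/uptime"],
    "report": ["/home/jdoe/bin/daily-report.sh"],
}


def decide(original: Optional[str]) -> Optional[List[str]]:
    """Return the argv to exec for the given SSH_ORIGINAL_COMMAND value, or
    None to refuse.  None or an empty string means the client requested an
    interactive shell rather than a command, which this policy does not allow."""
    if original is None or not original.strip():
        return None
    try:
        words = shlex.split(original)
    except ValueError:              # unbalanced quotes: refuse rather than guess
        return None
    if len(words) != 1:             # this policy accepts no client-supplied arguments
        return None
    return ALLOWED.get(words[0])    # unknown word -> None


def main() -> int:
    argv = decide(os.environ.get("SSH_ORIGINAL_COMMAND"))
    if argv is None:
        print("command not permitted", file=sys.stderr)
        return 1
    os.execv(argv[0], argv)         # replaces this process; no shell is involved
    return 1                        # not reached


if __name__ == "__main__":
    sys.exit(main())
```

Nothing the client typed is ever handed to a shell: the original command is only used as a lookup key, and the program actually started comes from the server-side table. Combined with SHELL-PROGRAM or ALLOW-SHELL settings that deny a general shell, this confines the account to the listed tasks.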

SHELL-ENVIRONMENT

The full OSS file name of a shell script preparing the shell environment for non-login shells (which are started without executing /etc/profile or ~/.profile). The value will be used to set environment variable ENV (see man pages of ksh for information on how the shell processes ENV). The attribute value (shell script) can contain absolute paths but also pre-defined values like $HOME or ~.

SHELL-PROGRAM

This attribute specifies the path to the shell program used to start a shell or execute a command. Specify DEFAULT to make SSH2 use the default initial program configured for the assigned SYSTEM-USER (e.g. by the INITIAL-PROGRAM attribute of a SAFEGUARD user). If *MENU* is specified, the non-6530 session is connected to a service menu provided by the STN PTYSERVER. This resembles the functionality of TELSERV, providing dynamic services as well as services connecting to static windows. The services offered by the STN PTYSERVER process can be configured using STNCOM.

If *MENU* is followed by a service or window name, the corresponding service or window is automatically selected. If the service or window does not exist, the STN menu will be displayed. If the option FORCE is appended, then the user is forced to use the pre-configured STN service or window. In this case the user will not see the STN menu, even when the configured service or window does not exist.

SYSTEM-USER

This attribute defines the Guardian user name to which the <user-name> is mapped. If this attribute is omitted, it is assumed that <user-name> is a valid user on the system.

If *NONE* is specified, the user is not mapped to a system user, causing all channel requests that require a valid system user (e.g. exec, subsystem SFTP) to be rejected. SYSTEM-USER *NONE* is useful to grant anonymous access to services that perform their own authentication.

