The SSH2 user base is maintained using the following commands. The commands are discussed in detail in the following subsections. Please also see "Database for Daemon Mode" on page 77 in chapter "The SSH User Database" for an overview of the database content.
• ADD RESTRICTION-PROFILE: adds a new restriction profile to the database.
• ADD USER: adds a new user to the database.
• ALTER RESTRICTION-PROFILE: changes parameters for an existing restriction profile.
• ALTER USER: changes parameters for an existing user.
• DELETE RESTRICTION-PROFILE: deletes an existing restriction profile.
• DELETE USER: deletes an existing user.
• FREEZE USER: freezes a user name, rendering it unable to log on from remote.
• INFO RESTRICTION-PROFILE: shows information about a restriction profile or a set of restriction profiles.
• RENAME RESTRICTION-PROFILE: renames a restriction profile.
• RENAME USER: renames a user.
• THAW USER: thaws a user name, making it active again.
ADD USER
The ADD USER command adds a new user to the database and has the following syntax:
ADD USER <user-name>
  [,ALLOW-CI yes|no ]
  [,ALLOW-SHELL yes|no ]
  [,ALLOW-PTY yes|no ]
  [,ALLOW-TCP-FORWARDING yes|no ]
  [,ALLOWED-AUTHENTICATIONS ( <method>, <method>, ... ) ]
  [,ALLOWED-SUBSYSTEMS ( <subsystem>, <subsystem>, ... ) ]
  [,ALLOW-GATEWAY-PORTS yes|no ]
  [,CI-COMMAND [ <command> ] ]
  [,CI-PROGRAM [ <filename> | *MENU* | *MENU* <service> [ FORCE ] ] ]
  [,COMMENT <comment> | "<comment containing spaces>" ]
  [,CPU-SET [<cpu> | <cpu-range> | ( <cpu-range-list> ) ] ]
  [,FROZEN]
  [,LIKE <existing-user-name>]
  [,PRIORITY -1 | <priority> ]
  [,PUBLICKEY <key-name> { FINGERPRINT <fingerprint-value> | FILE <filename> } ]...
  [,RESTRICTION-PROFILE [<profile-name>] ]
  [,SFTP-CPU-SET [<cpu> | <cpu-range> | ( <cpu-range-list> ) ] ]
  [,SFTP-GUARDIAN-FILESET ( <pattern>, <pattern>, ... ) ]
  [,SFTP-INITIAL-DIRECTORY <directory-path> [LOCKED]]
  [,SFTP-PRIORITY [ <number> ] ]
  [,SFTP-SECURITY ( [<sftp-attr>] [, <sftp-attr>] ... ) ]
  [,SHELL-COMMAND [ <command> ] ]
  [,SHELL-ENVIRONMENT [ <filename> ] ]
  [,SHELL-PROGRAM [ <path> | *MENU* | *MENU* <service> [ FORCE ] ] ]
  [,SYSTEM-USER <system-user-name> | *NONE* ]
Only the <user-name> is mandatory in the command; all other fields are optional. The individual attributes have the following meaning and syntax:
<user-name>
The name of the user to be added
ALLOW-CI
This attribute controls whether a TACL or a specific command interpreter given by CI-PROGRAM should be started upon a shell request of a client that allocated a 6530 pseudo TTY (such as 6530 SSH clients, MR-Win6530, and J6530).
ALLOW-GATEWAY-PORTS
This attribute is used to grant or deny gateway ports when port forwarding is initiated by a specific user. If the value of this attribute is YES, then any port forwarding request with SSH option -g will be rejected by SSH2.
ALLOW-PTY
This attribute is used to grant or deny the allocation of a pseudo TTY for a session. The pseudo TTY enables the user to execute full screen interactive applications, such as Emacs or vi.
ALLOW-SHELL
This attribute is used to grant or deny shell access to a user.
ALLOW-TCP-FORWARDING
This attribute is used to grant or deny port forwarding for a user.
ALLOWED-AUTHENTICATIONS
This attribute is used to specify the authentication mechanisms that are allowed for a user. The following authentication methods are currently supported by SSH2:
• password: Password authentication facilitating the NonStop system's password authentication mechanism. The password is validated against the SYSTEM-USER's password.
• publickey: Public key authentication using the PUBLIC-KEYs configured for a user.
• keyboard-interactive: Authentication according to RFC 4256 mapped to the standard GUARDIAN user authentication dialog, verifying the SYSTEM-USER's password, as well as taking care of exceptions, such as password expiry.
• none: Grants access without authentication. This is useful for users connecting to an application requiring its own authentication, e.g. if you configure a PATHWAY PROGRAM as a CI-PROGRAM.
CAUTION: When specifying ALLOWED-AUTHENTICATIONS (none), user access should be properly locked down to avoid security breaches that bypass any authentication (e.g. by setting SYSTEM-USER *NONE*).
ALLOWED-SUBSYSTEMS
This attribute is used to control access to specific subsystems. <subsystem> is one of the following subsystems provided by SSH2:
• SFTP: The SFTP subsystem allows the user to transfer files with the SFTP transfer protocol.
• TACL: The TACL subsystem provides direct TACL access without requiring OSS on the NonStop server.
CI-COMMAND
This attribute specifies the startup string to be passed to CI-PROGRAM. Specify CI-COMMAND without <command> to reset the attribute to its default (an empty startup string).
CI-COMMAND is ignored if CI-PROGRAM is set to *MENU*.
CI-PROGRAM
Sets the command interpreter to be started on a 6530 pseudo TTY after this user is authenticated. The <filename> is the name of the command interpreter's object file. It must be a local file name. If you omit <filename>, CI-PROGRAM will be reset to its default (TACL). If *MENU* is specified, the 6530 shell will be connected to the service menu provided by the STN PTYSERVER. This resembles the functionality of TELSERV, which provides dynamic services, as well as services connecting to static windows. The services offered by the STN PTYSERVER process can be configured using STNCOM.
ALLOW-PTY must be set to YES for this attribute to be accepted for 6530 SSH clients, such as MR-Win6530 or J6530.
If *MENU* is followed by a service or window name, the corresponding service or window is automatically selected. If the service or window does not exist, the STN menu will be displayed. If the option FORCE is appended, then the user is forced to use the pre-configured STN service or window. In this case, the user will not see the STN menu, even when the configured service or window does not exist.
COMMENT
Free text that lets administrators describe an entity or provide a short explanation of the intended use of the entity. The whole comment must be enclosed in double quotes if the comment includes spaces. The content will not be used for any processing.
CPU-SET
Defines a set of CPUs used when processes (except SFTPSERV processes) are invoked directly by SSH2 (for SFTPSERV processes the attribute SFTP-CPU-SET is used instead). CPUs are assigned via a round-robin algorithm among all the configured CPUs that are available.
The value can be a CPU number (e.g. 2), a range of CPUs (e.g. 3-4), or a comma-separated list of CPU numbers and CPU ranges, enclosed in parentheses, e.g. (2, 5-7, 9).
The default is to start user processes in the same CPU in which the SSH2 process is running. In this case, the processing load is spread by using multiple SSH2 processes and starting these SSH2 processes in different CPUs.
If no value is specified, the value will be reset to the default.
FROZEN
If the FROZEN attribute is set, the user is added in the frozen state. If omitted, the user will be added in the thawed state.
LIKE
When specified, the new user record is first initialized with the values taken from the <existing-user-name> user record. Then the new user name and any other attributes specified in the ADD USER command are applied before the new user record is added. If the ADD USER command does not include a SYSTEM-USER attribute, then the new user name is used as SYSTEM-USER as well unless the SSH2 parameter USETEMPLATESYSTEMUSER is true (in that case the new user record will get the value for the SYSTEM-USER attribute from the <existing-user-name> user record).
PRIORITY
All user processes (except SFTPSERV processes) started directly by SSH2 will have the configured priority assigned. Following are the values allowed in this parameter and their meanings:
Value   Meaning
1-199   Use the given priority value
-1      Use the same priority as the SSH2 process starting SFTPSERV
The default value is the priority the SSH2 process is using.
SFTPSERV processes will get the priority configured via the SFTP-PRIORITY attribute.
PUBLICKEY
This attribute is used to assign one or more public key(s) to a user. Each public key must be given a <key-name> which is unique among all public keys assigned to the current user. The key name will also be displayed in the audit log and thus can be used to determine which public key has been used for logon at a given time.
To add multiple public keys within a single command, the PUBLICKEY attribute can be repeated within a single ADD USER command. There is no limitation to the number of public keys that can be assigned to a user.
Public keys can be added by either specifying a file containing the public key or by specifying the fingerprint of the public key.
To specify a file holding the public key, the key word FILE must be used. The <filename> needs to point to a file holding the public key to be added. For details about the format of the public key file, refer to the chapter entitled "SSH Reference".
Instead of providing a public key file, it is possible to only provide the fingerprint of the user's public key. In this case, the key word FINGERPRINT must be used, followed by the fingerprint of the user's public key, which should be specified either in MD5 or "bubble-babble" form and enclosed in double-quotes.
Note: Only one of the two key words FILE or FINGERPRINT can be used in a single PUBLICKEY attribute specification.
RESTRICTION-PROFILE
Specifies the name of a RESTRICTION-PROFILE entity. If configured for a user, then the restrictions defined in the RESTRICTION-PROFILE record will be applied for all of a user’s incoming and outgoing connections.
SFTP-CPU-SET
Defines a set of CPUs used when SFTPSERV processes are invoked directly by SSH2 (for non-SFTPSERV processes the attribute CPU-SET is used instead). CPUs are assigned via a round-robin algorithm among all the configured CPUs that are available.
The value can be a CPU number (e.g. 2), a range of CPUs (e.g. 3-4), or a comma-separated list of CPU numbers and CPU ranges, enclosed in parentheses, e.g. (2, 5-7, 9).
The default is to start user processes in the same CPU in which the SSH2 process is running. In this case, the processing load is spread by using multiple SSH2 processes and starting these SSH2 processes in different CPUs.
If no value is specified, the value will be reset to the default.
SFTP-GUARDIAN-FILESET
A list of patterns identifying the GUARDIAN systems, volumes, subvolumes, and files the user is allowed to access. Following is the default for this attribute:
('\*.$*.*.*)
The default enables access (limited by the SFTP-SECURITY attribute) to any GUARDIAN system, volume, subvolume, or file. In each pattern configured with the GUARDIAN file set, the '*' sign is used as a wildcard for any sequence of characters. The '?' sign is used in a pattern as a wildcard for one single character.
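As an added illustration (not code from the manual or the SSH2 product) of how SFTP-GUARDIAN-FILESET patterns select files, the following Python reproduces the '*' and '?' matching rule against fully qualified Guardian file names. The system, volume, subvolume and file names are constructed for the example, and case-insensitive comparison is an assumption made here.

```python
import re

def fileset_pattern_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate one SFTP-GUARDIAN-FILESET pattern into a regex: '*' matches
    any sequence of characters, '?' exactly one character, everything else
    ('\\', '$', '.') is literal. Case-insensitive matching is an assumption
    made for this example."""
    out = []
    for ch in pattern:
        out.append(".*" if ch == "*" else "." if ch == "?" else re.escape(ch))
    return re.compile("".join(out), re.IGNORECASE)

def guardian_file_allowed(filename: str, fileset: list[str]) -> bool:
    """True if the fully qualified Guardian file name matches any pattern."""
    return any(fileset_pattern_to_regex(p).fullmatch(filename) for p in fileset)

# The manual's default: every system, volume, subvolume and file.
DEFAULT_FILESET = [r"\*.$*.*.*"]

# Constructed example: the partner's inbound subvolume is fully visible,
# the outbound subvolume only exposes report files named REP + 5 characters.
PARTNER_FILESET = [r"\PROD.$DATA.SFTPIN.*", r"\PROD.$DATA.SFTPOUT.REP?????"]
```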
SFTP-INITIAL-DIRECTORY
This attribute specifies the initial server-side directory the user will access after establishing the SFTP session. If the option LOCKED is used, a user will not be allowed to leave that path by issuing a "cd .." command. For example, if a value of "/home/jdoe" is used, only access to directories below is allowed. Access to upper level directories such as "/home" or "/usr" or "/" will not be allowed.
SFTP-PRIORITY
A number specifying the priority of the SFTPSERV processes for this user. Following are the values allowed in this parameter and their meanings:
Value   Meaning
1-199   Use the given priority value
-1      Use the same priority as the SSH2 process starting SFTPSERV
The default value is 100.
SFTP-SECURITY
This parameter consists of a comma-separated list of allowed operations for the user, with the operations enclosed in parentheses. The operations allowed are as follows:
• LIST: allows perusal of files
• READ: allows downloading of files to the remote system
• WRITE: allows uploading of files from the remote system
• PURGE: allows deletion of files on the NonStop system
• RENAME: allows renaming of files on the NonStop system
• MKDIR: allows creation of directories on the NonStop system
• RMDIR: allows removal of directories on the NonStop system
• SYMLINK: allows creation of symbolic links on the NonStop system
• ALL: shortcut for all operations
• NONE: shortcut for no operation
Operations can be abbreviated as long as the abbreviation is unambiguous. Example:
• SFTP-SECURITY (WRITE,LIST)
  o will only allow perusal of files and uploading of files
  o can be abbreviated as SFTP-SECURITY (W,L)
SHELL-COMMAND
This attribute specifies a forced command that is to be executed rather than any command given by an exec request from the SSH client. A forced command allows you to limit shell access to specific tasks or implement additional security measures. SSH2 will retain the command given in the user's exec request in the SSH_ORIGINAL_COMMAND environment variable, to allow a shell script to analyze and/or execute the original command.
SHELL-ENVIRONMENT
The full OSS file name of a shell script preparing the shell environment for non-login shells (which are started without executing /etc/profile or ~/.profile). The value will be used to set environment variable ENV (see man pages of ksh for information on how the shell processes ENV). The attribute value (shell script) can contain absolute paths but also pre-defined values like $HOME or ~.
SHELL-PROGRAM
This attribute specifies the path to the shell program that is to be used to start a shell or execute a command. Specify DEFAULT to make SSH2 use the default initial program configured for the assigned SYSTEM-USER (e.g. by the INITIAL-PROGRAM attribute of a SAFEGUARD user). If *MENU* is specified, the non-6530 session will be connected to a service menu provided by the STN PTYSERVER. This resembles the functionality of TELSERV, providing dynamic services, as well as services connecting to static windows. The services offered by the STN PTYSERVER process can be configured using STNCOM.
If *MENU* is followed by a service or window name, the corresponding service or window is automatically selected. If the service or window does not exist, the STN menu will be displayed. If the option FORCE is appended, then the user is forced to use the pre-configured STN service or window. In this case the user will not see the STN menu, even when the configured service or window does not exist.
SYSTEM-USER
This attribute defines the Guardian user name to which the <user-name> is mapped. If this attribute is omitted, it is assumed that <user-name> is a valid user on the system.
If *NONE* is specified, the user is not mapped to a system user, causing all channel requests that require a valid system user (e.g. exec, subsystem SFTP) to be rejected. SYSTEM-USER *NONE* is useful to grant anonymous access to services which perform their own authentication.
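The following Python is an added example, not part of the manual or the SSH2 product: it parses an ADD USER command written in the syntax above, expands SFTP-SECURITY abbreviations with the unambiguous-prefix rule, and raises the findings a reviewer would want from the CAUTION on ALLOWED-AUTHENTICATIONS (none) and from the LOCKED option of SFTP-INITIAL-DIRECTORY. The user name, paths and comment in the sample command are constructed, and treating attribute names as case-insensitive is an assumption.

```python
import re

SFTP_OPERATIONS = ["LIST", "READ", "WRITE", "PURGE", "RENAME", "MKDIR", "RMDIR", "SYMLINK"]

def split_list(value: str) -> list[str]:
    return [t.strip().upper() for t in value.strip("() ").split(",") if t.strip()]

def resolve_sftp_security(value: str) -> set[str]:
    """Expand SFTP-SECURITY, e.g. '(W,L)', using the unambiguous-prefix rule."""
    ops = set()
    for token in split_list(value):
        if token in ("ALL", "NONE"):
            return set(SFTP_OPERATIONS) if token == "ALL" else set()
        hits = [op for op in SFTP_OPERATIONS if op.startswith(token)]
        if len(hits) != 1:  # e.g. 'R' could be READ, RENAME or RMDIR: reject it
            raise ValueError(f"ambiguous or unknown operation {token!r}: {hits}")
        ops.add(hits[0])
    return ops

def parse_add_user(command: str) -> tuple[str, dict[str, str]]:
    """(user-name, {ATTRIBUTE: raw value}); commas inside () or "" are not separators."""
    m = re.match(r"\s*ADD\s+USER\s+([^\s,]+)(.*)$", command, re.I | re.S)
    if not m:
        raise ValueError("not an ADD USER command")
    parts, buf, depth, quoted = [], "", 0, False
    for ch in m.group(2) + ",":
        quoted ^= ch == '"'
        depth += ((ch == "(") - (ch == ")")) if not quoted else 0
        if ch == "," and depth == 0 and not quoted:
            parts.append(buf)
            buf = ""
        else:
            buf += ch
    attrs = dict(p.strip().partition(" ")[::2] for p in parts if p.strip())
    return m.group(1), {k.upper(): v.strip() for k, v in attrs.items()}

def audit_add_user(command: str) -> list[str]:
    """Reviewer findings derived from the attribute descriptions above."""
    user, a = parse_add_user(command)
    findings = []
    if "NONE" in split_list(a.get("ALLOWED-AUTHENTICATIONS", "")) and a.get("SYSTEM-USER", "").upper() != "*NONE*":
        findings.append(f"{user}: authentication 'none' without SYSTEM-USER *NONE*")
    if "SFTP-INITIAL-DIRECTORY" in a and not a["SFTP-INITIAL-DIRECTORY"].upper().endswith(" LOCKED"):
        findings.append(f"{user}: SFTP-INITIAL-DIRECTORY is not LOCKED")
    return findings

# Constructed sample: an SFTP-only transfer account with least privilege.
SFTP_ONLY = ("ADD USER acme.sftp, ALLOW-SHELL no, ALLOW-PTY no, ALLOW-TCP-FORWARDING no,"
             " ALLOWED-AUTHENTICATIONS (publickey), ALLOWED-SUBSYSTEMS (SFTP), SFTP-SECURITY (L,REA,W),"
             " SFTP-INITIAL-DIRECTORY /home/sftp/acme LOCKED, COMMENT \"partner feed, no shell\", SYSTEM-USER SFTP.ACME")
```

Running audit_add_user(SFTP_ONLY) returns no findings; a command that grants ALLOWED-AUTHENTICATIONS (none) while mapping to a real SYSTEM-USER, or an unlocked initial directory, produces one finding each.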