FTP SSH - NonStopTools

Contents

1. See also: LOGFORMATCONSOLE, LOGFORMATEMS, LOGFORMATFILE. LOGFORMATCONSOLE: Use this parameter to control the format of the log messages that are written to the console. Parameter Syntax: LOGFORMATCONSOLE format. Arguments: format: A number is used to represent a bit mask that controls the format. Following are the values and their corresponding format: Bit 1 (decimal 1): Date. Bit 2 (decimal 2): Header (log messages are prefixed with "log"). Bit 3 (decimal 4): Time. Bit 4 (decimal 8): Milliseconds. Bit 5 (decimal 16): Process ID (name or PIN). Bit 7 (decimal 64): Log level of message. Default: The default log format is 93 (date, time, milliseconds, process ID and log level). Example: Display date, time and milliseconds only: LOGFORMATCONSOLE 13. Display date and time only: LOGFORMATCONSOLE 5. See also: LOGFORMATFILE, LOGFORMATEMS. LOGFORMATEMS: Use this parameter to control the format of the log messages that are written to EMS. Parameter Syntax: LOGFORMATEMS format. Arguments (HP NonStop SSH Reference Manual, Configuring and Running SSH2, page 95): format: A number is used to represent a bit mask that controls the format. Following are the values and their corresponding format: bit 1 (decimal 1): Date. bit 2 (decimal 2): Header (log messages are prefixed with "log"). bit 3 (decimal 4): Time. bit 4 (decimal 8): Milliseconds. bit 5 (decimal 16)
2. $export sshctl subvol $data1.sshexp. OK: all SSHCTL exported to files on $data1.sshexp. INFO HOST-KEY: The INFO HOST-KEY command provides detailed information about the host key that is stored in the HOSTKEY file: name of the hostkey file, type of key, size of key and the key's fingerprints (bubble babble and MD5). The command has the following syntax: INFO HOST-KEY. All users with SSHCOM access can execute this command. Example: info host-key. Output: HOSTKEY FILE: HOSTKEY; TYPE: ssh-dss; BITS: 1024; PUBLICKEY FINGERPRINT MD5: 23:42:77:e1:20:51:ff:55:e7:4c:7a:c8:71:30:06:93; BABBLE: xuseb-mofen-sisuh-zogun-cehuz-pomaz-vuzuf-tabup-lodoz-lured-ruxix. The MD5 fingerprint is logged at SSH2 process startup as well. The fingerprint information can be used to configure a known host entry on a remote system. EXPORT HOST-KEY: The EXPORT HOST-KEY command will export the public key part of the host key that is stored in the HOSTKEY file. The command has the following syntax: EXPORT HOST-KEY, FILE <GUARDIAN file name> | <OSS file name> | "<OSS file name>". The individual attributes have the following meaning and syntax: FILE <GUARDIAN file name> | <OSS file name> | "<OSS file name>": The name of the Guardian or OSS file that will hold the exported key. A file created in the Guardian name space will be a file with f
3. Parameters: LOGCACHESIZE, LOGCONSOLE, LOGEMS, LOGEMSKEEPCOLLECTOROPENED, LOGFILE, LOGFILERETENTION, LOGFORMAT, LOGFORMATCONSOLE, LOGFORMATEMS, LOGFORMATFILE, LOGLEVEL, LOGLEVELCACHE, LOGLEVELCONSOLE, LOGLEVELEMS, LOGLEVELFILE, LOGMAXFILELENGTH, LOGMEMORY, MACS, PARTIALSSHCOMACCESSGROUP<n>, PARTIALSSHCOMACCESSUSER<k>, PAUTHSUPPRESSIPADDRESS, PORT, PROPAGATEDEFINES, PTCPIPFILTERKEY, PTCPIPFILTERTCPPORTS, PTYSERVER, RECORDDELIMITER, RESTRICTIONCHECKFAILEDDEFAULT, SAFEGUARD-PASSWORD-REQUIRED, SFTPALLOWGUARDIANCD, SFTPCPUSET, SFTPDISPLAYGUARDIAN. Descriptions: Controls life cycle of user generated private keys; Controls the life cycle of user public keys; Determines if the internal log cache is written to the log file in case of process aborting; Determines the size of the internal log cache; Determines whether log messages are written to a console; Determines whether log messages are written to EMS; Controls opening/closing of the EMS collector; Determines whether log messages are written to a file; Controls log file rollover; Controls the format of the log messages that are written; Controls the format of the log messages that are written to the console; Controls the format of the log messages that are written to EMS; Controls the format of the log messages that are written to a file; Sets the general logging level; Determines whether log messages are written to the int
4. Log messages (LOG LEVEL; EVENT TEXT; description of variable parts): 50; "<str1>: client access to known host <str2> known by <str3> <str4>"; <str1> Session Name, <str2> Known host, <str3> Local system user or ALL, <str4> Owner. 50; "<str1>: automatically updated KNOWNHOST <str2> via GSS key exchange, known by local system user <str3>"; <str1> Session Name, <str2> Known host, <str3> Owner of known host entry. 50; "<str1>: automatically accepted KNOWNHOST <str2> via GSS key exchange, entry known by <str3>"; <str1> Session Name, <str2> Known host, <str3> Owner of new knownhost record. 50; "<str1>: added unknown host identification as FROZEN HOST to database: <str2>"; <str1> Session Name, <str2> Known host. 40; "<str1>: SSH client session established"; <str1> Session Name. 50; "<str1>: establishing remote <str2> port forwarding for <str3>"; <str1> Session Name, <str2> Protocol, <str3> Target host name and port. 50; "<str1>: establishing local <str2> port forwarding for <str3>"; <str1> Session Name, <str2> Protocol, <str3> Target host name and port. 40; "<str1>: Port forwarding error: <str2>"; <str1> Session Name, <str2> Exception text. 50; "<str1>: requesting a pseud
5. Default: By default the minimum value 1024 is used. See also: LOGLEVELCACHE; Commands SET LOGCACHESIZE in the SSHCOM Command Reference chapter. LOGCONSOLE: Use this parameter to define whether SSH2 log messages are written to a console device and, if so, which device. Parameter Syntax: LOGCONSOLE $0 | logdevice. Arguments: Means that no log messages are written to a console device. Results in log messages being written to the home terminal of the SSH2 process. $0: Specifies that log messages are written to $0. logdevice: Specifies that log messages are written to a given device, e.g. $DEV.#SUBDEV. Considerations: The LOGLEVELCONSOLE parameter controls what messages are produced by SSH2. Log messages are automatically cut by the collector when using value $0 for LOGCONSOLE; please use LOGEMS to enable logging to an EMS collector. Default: By default log messages are written to the home terminal. See also: LOGEMS, LOGFILE, LOGLEVELCONSOLE; Log Messages in the Monitoring and Auditing chapter. LOGEMS: Use this parameter to define whether SSH2 log messages are written to EMS. Parameter Syntax: LOGEMS collector. Arguments: Means that no log messages are written to EMS. collector: Specifies the name of the collector to which log messages are written. Default: By default no log messages
6. Timestamp formats for <start>: ddmmmyy HH:MM:SS.TTT, ddmmmyy HH:MM:SS.TT, ddmmmyy HH:MM:SS, ddmmmyy HH:MM; for <end>: ddmmmyy HH:MM:SS.TTT, HH:MM:SS.TT, HH:MM:SS, HH:MM. The current date is used if the date is not specified as part of the <start> timestamp. The date from <start> is used if the date is not specified in the <end> timestamp. Examples: Whole log file written to home terminal: SHOWLOG logfile. Display 1000 bytes starting at offset 10000, written to EDIT file logedit: SHOWLOG logfile logedit 10000 1000. Starting at offset 200000, display all bytes up to the end of the file: SHOWLOG logfile 200000. Display messages in timeframe to home terminal: SHOWLOG logfile 03Jan11 03:15 05Jan07 21:30:10.89. Write messages in timeframe to EDIT file logedit, starting from specified time: SHOWLOG logfile logedit 01Feb12 01:02:03.67. If SHOWLOG is run with only the name of the log file as first runtime argument, it will dump the whole log file to the home terminal. The byte offset within the log file will be displayed every now and then; this allows you to limit the output of SHOWLOG to certain sections of the log file, as shown below: $US SSH92 33> run showlog sh54log. SHOWLOG log file converter, Version T9999A05_16Apr2009_HP_SHOWLOG_0022, processing in file sh54log. L> 173: 00 30 17:07:31.00 10 SSH2 version T9999H06_17Apr2012_comForte_SSH2_0092; 17:07:31.202 10 config file: none; 17:07:31.03 20 object filename
7. -q: Quiet mode. No warning or error messages are printed. -c ciphers: Specify a comma separated list of ciphers for encrypting the session. Currently the following ciphers are supported: aes256-cbc (AES (Rijndael) in CBC mode with 256-bit key); aes128-cbc (AES with 128-bit key); twofish256-cbc (Twofish in CBC mode with 256-bit key); twofish128-cbc (Twofish with 128-bit key); twofish-cbc (alias for twofish256-cbc; note that this is being retained for historical reasons); blowfish-cbc (Blowfish in CBC mode); 3des-cbc (three-key 3DES in CBC mode); arcfour (the ARCFOUR stream cipher); cast128-cbc (CAST-128 in CBC mode). If this option is not specified, the client will negotiate a cipher from the list configured for the SSH2 server using the CIPHERS parameter. -m macs: Specify a comma separated list of message authentication algorithms for the session. Currently the following MACs are supported: hmac-sha1 (HMAC-SHA1; digest length and key length 20 bytes, 160 bits); hmac-md5 (HMAC-MD5; digest length and key length 16 bytes, 128 bits); hmac-sha1-96 (first 96 bits of HMAC-SHA1; digest length 12 bytes, 96 bits; key length 20 bytes, 160 bits); hmac-md5-96 (first 96 bits of HMAC-MD5; digest length 12 bytes, 96 bits; key length 16 bytes, 128 bits). If this option is not specified, the client will negotiate a MAC from the list configured for the SSH2 server using the MACS parameter.
8. Java is a U.S. trademark of Sun Microsystems, Inc. Motif, OSF/1, UNIX, X/Open and the X device are registered trademarks, and IT DialTone and The Open Group are trademarks, of The Open Group in the U.S. and other countries. Open Software Foundation, OSF, the OSF logo, OSF/1, OSF/Motif and Motif are trademarks of the Open Software Foundation, Inc. OSF MAKES NO WARRANTY OF ANY KIND WITH REGARD TO THE OSF MATERIAL PROVIDED HEREIN, INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. OSF shall not be liable for errors contained herein or for incidental consequential damages in connection with the furnishing, performance or use of this material. 1990, 1991, 1992, 1993 Open Software Foundation, Inc. The OSF documentation and the OSF software to which it relates are derived in part from materials supplied by the following: 1987, 1988, 1989 Carnegie-Mellon University; 1989, 1990, 1991 Digital Equipment Corporation; 1985, 1988, 1989, 1990 Encore Computer Corporation; 1988 Free Software Foundation, Inc.; 1987, 1988, 1989, 1990, 1991 Hewlett-Packard Company; 1985, 1987, 1988, 1989, 1990, 1991, 1992 International Business Machines Corporation; 1988, 1989 Massachusetts Institute of Technology; 1988, 1989, 1990 Mentat Inc.; 1988 Microsoft Corporation; 1987, 1988, 1989, 1990, 1991, 1992 SecureWare, Inc.; 1990, 1991 Siemens Nixdorf Informationssysteme AG; 1986
9. The PERMIT-OPEN restrictions are applied whenever the user tries to establish a local port forwarding channel via SSH2 using the SSH and SSHOSS clients. For more information regarding format and examples of the attribute value, please see the CONNECT-TO attribute section. The format of values for PERMIT-OPEN and CONNECT-TO is the same; the values are just interpreted differently. ALTER RESTRICTION-PROFILE: The ALTER RESTRICTION-PROFILE command changes one or more attributes of an existing restriction profile and has the following syntax: ALTER RESTRICTION-PROFILE <profile name>, COMMENT <comment> | "<comment containing spaces>", CONNECT-FROM <host pattern> [, <host pattern>] [, <host pattern ...], CONNECT-TO <host:ports> [, <host:ports>] [, <host:ports>], PERMIT-LISTEN <host:ports> [, <host:ports>] [, <host:ports>], PERMIT-OPEN <host:ports> [, <host:ports>] [, <host:ports>], FORWARD-FROM <host pattern> [, <host pattern>] [, <host pattern ...]. The <profile name> is mandatory in the command, and no wild cards are allowed in the profile name. At least one attribute needs to be specified in the command. The individual attributes have the following meaning and syntax: <profile name>: The name of the restriction profile to be altered. <comment>: A comment describing the restriction profile. If the comment contain
10. remoteAddress = remote IP address (HP NonStop SSH Reference Manual, Monitoring and Auditing, page 317). SFTP audit events (Event Id, Event Name, Conditions, Pattern, Token Values): ... action = mkdir, object = directory name, outcome = denied or failed. 14, SftpRmDirEvent: Successful: pattern %sessionId %user %remoteAddress %action %object %outcome; sessionId = SESSION LOG ID, user = SSH username, remoteAddress = remote IP address, action = rmdir, object = directory name, outcome = granted. Failed (error detail available): pattern %sessionId %user %remoteAddress %action %object %outcome %error; sessionId = SESSION LOG ID, user = SSH username, remoteAddress = remote IP address, action = rmdir, object = directory name, outcome = denied or failed, error = error detail. Failed (error detail not available): pattern %sessionId %user %remoteAddress %action %object %outcome; sessionId = SESSION LOG ID, user = SSH username, remoteAddress = remote IP address, action = rmdir, object = directory name, outcome = denied or failed. 15, SftpSymlinkEvent: Successful: pattern %sessionId %user %remoteAddress %action %object %link %outcome; sessionId = SESSION LOG ID, user = SSH username, remoteAddress = remote IP address, action = symlink, object = file name, link = link name, outcome = granted. Failed (error): pattern %sessionId %user %remoteAddress; sessionId = SES
11. Defines the maximum number of application openers of a window. <n> may be in the range 1-512 and defaults to 32. Prior to STN version B22 the allowed range was 1-64. Any open attempts beyond the maximum will be rejected with FEOPENSTOP (61). This feature prevents an ill-behaved application from monopolizing STN resources. Larger values of MAX_OPENERS may require an increase in PARAM OPEN TABLESIZE, especially when many windows are active. MAX_OUTQ <n>: MAX_OUTQ defines the maximum number of messages queued for a window. Default 0 (zero) means no maximum. Allowable range is 0-50. If the limit is exceeded by an unusual application, an EMS message is generated and the session is terminated. Use only on recommendation of HP support staff. NBOT Y|N: STN supports Non-Blocking OSS Terminals (NBOT), which is used by the Posix system call select(). The NBOT command can be used to disable this feature. The default, Y, enables NBOT by setting bit <11> in the misc flags field in replies to Posix open messages. NBOT N clears bit <11> to indicate select() is not supported, to be compatible with STN releases prior to B08. NBOT_TIMEOUT <seconds>: NBOT_TIMEOUT controls error recovery for NBOT. The default setting is 8 seconds. When NBOT Y, if STN cannot open or WRITEREAD a select-ready message to Terminal Helper ZTTnn after NBOT_TIMEOUT seconds, STN will send a Posix SIGQUIT control to the application. Setting NBOT_TIMEOU
12. Parameter Syntax: ALLOWPASSWORDSTORE TRUE | FALSE. Arguments: TRUE | FALSE: Specifies whether to allow password storage. Valid values are: TRUE: Any PASSWORDs stored for a remote user ID will be automatically used for SSH password authentication. If no PASSWORD is stored for a connection, the user will be prompted after a successful authentication if a password should be stored in the password store. FALSE: Any stored PASSWORD will be ignored and users will not be prompted to interactively store passwords. Default: If omitted, ALLOWPASSWORDSTORE will be set to TRUE. Considerations: If ALLOWPASSWORDSTORE is set to TRUE, passwords can be added manually to the user's password store using the SSHCOM ADD PASSWORD command. Passwords can also be added interactively when users are prompted after a successful SSH password authentication with a remote SSH daemon. Example: ALLOWPASSWORDSTORE TRUE. ALLOWTCPFORWARDING: Use this parameter to specify whether the SSH2 daemon will completely reject TCP port forwarding through SSH, or allow TCP port forwarding depending on user configuration. Parameter Syntax: ALLOWTCPFORWARDING TRUE | FALSE. Arguments: TRUE | FALSE: Specifies whether to allow port forwarding or not. Valid values are: TRUE: port forwarding will be allowed unless user attribute ALLOW-TCP-FORWARDING is set to NO for a specific user. FALSE: port forwarding wi
13. See also: AUDITCONSOLE, AUDITFILERETENTION, AUDITFORMAT and AUDITMAXFILELENGTH; Audit Messages in chapter Monitoring and Auditing. AUDITFILERETENTION: Use this parameter to control how many audit files SSH2 keeps when logfile rollover occurs. Parameter Syntax: AUDITFILERETENTION n. Arguments: n: Specifies the number of audit files to keep. Default: By default 10 files are kept. Considerations: Setting the parameter to a value of 0 disables log file retention. If log file retention is enabled, a minimum of 10 is enforced by this parameter. See section Logfile/Auditfile Rollover in the Monitoring and Auditing chapter for details on file rollover. The file security set for the current audit file (e.g. via the FUP SECURE command) will be used for subsequently created audit files. The very first audit file will have the default file security of user SUPER.SUPER. See also: AUDITMAXFILELENGTH and AUDITFILE. AUDITFORMAT: This parameter can be used to control the format of the audit messages that are written to the console and file. Set parameters AUDITFORMATCONSOLE and AUDITFORMATFILE to configure the audit format for console and file independently. Parameter Syntax: AUDITFORMAT format. Arguments: format: A number is used to represent a bit mask that controls the format. Following are the values and their corresponding format:
14. RECOVERY: The DEBUG command is generally used only by development and support staff. zstn-evt-exit-debug (value is 25): <1> Process exiting debug. CAUSE: An inspect session from a previous DEBUG command finished. EFFECT: STN operation continues. Active sessions may time out if the time spent in inspect mode was too long. RECOVERY: None, informational only. Client Messages at the Remote Workstation: When a TN6530 client terminal emulator such as Win6530 or J6530 first connects to STN, several messages are displayed as the session is initiated. Each message begins with the letters STN followed by a two digit message number for ease of identification. STN00 Connected to STN version <version> <date time> <window name>: This is the first message displayed, which confirms connection to STN as distinct from Telserv or other Telnet servers. The STN version string is included. <window name> is in the form \node.$process.#window. STN01 Host IP <h> <subnet> Port <p> <window name>: This is the second message, which confirms the NSK host IP address <h>, the TCP process name <subnet>, port number <p> and finally the full filename of the STN window in the form \node.$process.#window. This information can be useful for support purposes. STN02 Services: This message precedes the list of services displayed. STN03 T
15. AUDITEMS: Use this parameter to define whether SSH2 audit messages are written to EMS. Parameter Syntax: AUDITEMS collector. Arguments: Means that no audit messages are written to EMS. collector: Specifies the name of the collector to which audit messages are written. Default: By default no audit messages are written to EMS. Considerations: The AUDITFORMATEMS parameter controls the log message format. The parameter can be changed without having to restart SSH2, using the SSHCOM command interpreter command SET AUDITEMS. To send audit messages to the default collector $0, use AUDITEMS $0. If the EMS collector specified cannot be opened during startup, SSH2 will write to the collector $0. If the EMS collector cannot be opened after it has been changed through SSHCOM, the original collector will stay active. See also: AUDITFORMATEMS. AUDITFILE: Use this parameter to define whether SSH2 audit messages are written and, if so, to what file. Parameter Syntax: AUDITFILE filenameprefix. Arguments: Means that no audit log messages are written to a file. filenameprefix: Specifies the prefix of the audit message file set. The actual audit file names are constructed from filenameprefix, which is appended by a number controlled by the AUDITFILERETENTION parameter. Default: By default no audit messages are written to a file.
16. HP NonStop SSH Reference Manual. HP Part Number: 544701-016. Published: February 2014. Edition: HP NonStop SSH 4.4; G06.21 and subsequent G-series RVUs; H06.07 and subsequent H-series RVUs; J06.03 and subsequent J-series RVUs. Hewlett-Packard Company, 3000 Hanover Street, Palo Alto, CA 94304-1185. 2014 HP. All rights reserved. Copyright 2014 Hewlett-Packard Development Company, L.P. Confidential computer software. Valid license from HP required for possession, use or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor's standard commercial license. The information contained herein is subject to change without notice. The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein. Export of the information contained in this publication may require authorization from the U.S. Department of Commerce. Microsoft, Windows and Windows NT are U.S. registered trademarks of Microsoft Corporation. Intel, Pentium and Celeron are trademarks or registered trademarks of Intel Corporation or its subsidiaries in the United States and other countries.
17. Parameters: INTERFACE, INTERFACEOUT, INTERVALLIVEPRIVATEUSERKEY, INTERVALLIVEPUBLICUSERKEY, INTERVALPENDINGPRIVATEUSERKEY, INTERVALPENDINGPUBLICUSERKEY, IPMODE, LICENSE. Descriptions: Allows restriction of possible authentication methods used by NonStop ssh clients; Defines security granularity for client mode SSH2 database; Specifies whether compressed SSH sessions are supported; Specifies the file name of an SSH2 configuration file; Specifies the file name of a second configuration file for an SSH2 process; Controls log message duplicates suppression for log target console (home terminal); Specifies the default value for USER attribute CPU-SET; Allows setting the customer name or overwriting the customer name in the license file; Defines security granularity for daemon mode USER records in the SSH2 database; Controls the handling of unknown user names in incoming connections; Can be used to configure IP host name resolving regarding the use of multiple IP addresses per host name; Controls log message duplicates suppression for log target EMS; Enables or disables statistics at startup; Controls log message duplicates suppression for log target log file; Parameter set allows granting administrative SSHCOM command privileges to groups; Parameter set allows granting administrative SSHCOM command privileges to users; Enables or disables GSSAPI authentication; Enables or disables GSSAPI key exchange with group exchan
18. OUTPUT SSH_ORIGINAL_COMMAND was >PARAM SSH_ORIGINAL_COMMAND<. If the command test data is specified, as in "ssh usr@host ci c some data from client", then the output would be similar to: $TEMP.TEMP.MYMACRO abc def 123 / Macro $TEMP.TEMP.MYMACRO started with parameters >abc def 123< / SSH_ORIGINAL_COMMAND was >ci c some data from client<. Please remember that throughout this section the assumption is that a 6530 terminal is on the client side. The SSH User Database. Overview of SSH Operation Modes: As explained in the Introduction, the SSH2 process accesses a database to: discover allowed operations for remote users, as well as their logon credentials, when running as SSH daemon, allowing remote systems running an SSH or SFTP client to connect to the local NonStop system (this mode of operation is referred to as daemon mode within this chapter); find local system users' key files and remote host public keys when SSH and SFTP clients on the NonStop system connect to remote systems running an SSH/SFTP implementation (this mode of operation is referred to as client mode within this chapter). This chapter describes the content of the database for both modes and shows how to create and maintain the database. While all database content is kept in a single file, the content of the database is distinctly different for the daemon and client mo
19. PARAM $pm run p65 MODE BLOCK. Without the HOME parameter, while the Pathway application starts and runs normally, a problem arises if the session is terminated from the workstation client. This results in PATHCOM creating a ZZSA dump file, usually in subvol $SYSTEM.SYSTEM. LOGON REQ | NONE: LOGON controls user authentication for TYPE DYNAMIC services. The default is NONE, requiring no authentication before starting the application specified by PROG. This is appropriate when the application performs its own authentication, for example TACL. LOGON REQ requires authentication before starting the application. If the SSH SYSTEM-USER for the session is a valid Guardian userid, then that Guardian userid is used for the session. If SSH SYSTEM-USER is NONE, then STN will prompt the workstation user to enter a valid Guardian userid and password. LOGON REQ should be used when PROG is the OSS shell (OSH). LIMIT max-sessions: LIMIT controls the number of simultaneous sessions for a TYPE DYNAMIC service. The default is zero (0), which disables LIMIT and allows any number of sessions. Values 1-9999 may be specified. STN rejects any attempts to use a TYPE DYNAMIC service when LIMIT sessions are already active. DEBUGOPT OFF | <number>: DEBUGOPT controls the debug option parameter of the Guardian procedure call process_create_ used when starting the application for TYPE DYNAMIC services. The default is OFF, which omits the parameter. A value in th
20. Remote host TCP/IP address. "<str1>: request rejected: USER <str2> is not permitted to connect from host <str3> due to ALLOW-MULTIPLE-REMOTE-HOSTS being false and user has already connected from <str4>"; <str1> Session Name, <str2> User name, <str3> Remote host TCP/IP address, <str4> Remote IP address of user session. "<str1>: request rejected: USER <str2> is not permitted to connect because the configured SYSTEM-USER <str3> is frozen and SSH2 parameter <str4> is set to false"; <str1> Session Name, <str2> User name, <str3> System user name, <str4> ALLOWFROZENSYSTEMUSER. "<str1>: Authentication denied: SSH2 not licensed for general usage"; <str1> Session Name. "<str1>: <str2> authentication for user <str3> not allowed"; <str1> Session Name, <str2> Last authentication method tried, <str3> User name. "<str1>: Authentication of user <str2> with method <str3> failed: <str4>"; <str1> Session Name, <str2> User name, <str3> Authentication method name, <str4> Exception text. "<str1>: <str2> authentication for user <str3> not supported: SYSTEM-USER <str4>"; <str1> Session Name, <str2> Authentication method name, <str3> User name, <str4> System user name. "<str1>: Authentication of user <str2> failed
21. SERVICE service-name, IPADDR dotted-ip-address, SUBTYPE nn | NONE, SCRIPT script-name. window-name: This name uniquely identifies the window and, together with the STN process name, is used by applications to exchange data with the remote terminal session. The name must be 2 to 8 characters long, beginning with a pound sign (#) followed by a letter and optionally followed by letters or numbers. All letters are shifted to upper case. When a window is automatically added for a dynamic session, a unique window name using the format #ZWNxxxx is generated, where xxxx is a unique number starting at 0000. Starting with STN version B17, window names may now contain up to 16 characters following standard Guardian filename qualifier rules. Formerly STN only allowed the first qualifier, the middle part of the file name (aaa.MIDDLE); now STN also allows the second qualifier, the third part of the filename (aaa.middle.THIRD). Case does not matter. Examples: #A, #B1, #def1234, #G.H, #J123456.k1234567. Note that only windows with one qualifier part (#A) may be specified in response to the "Enter Choice>" prompt. Windows with two qualifier parts (#B.C) cannot be specified in this way. TYPE DYNAMIC: Normally used only internally by the dynamic window mechanism. SERVICE and TERM_TYPE are required and IPADDR is not allowed. The window will be automatically deleted when the session terminates.
22. SFTP-PRIORITY: A number specifying the priority of the SFTPSERV processes for this user. Following are the meanings of the values allowed for this parameter (Value: Meaning): 1-199: Use the given priority value. Use the same priority as the SSH2 process starting SFTPSERV. The default value is 100. SFTP-SECURITY: This parameter is comprised of a comma separated list of allowed operations for the user, with operations enclosed in brackets. The following operations are available: LIST allows perusal of files; READ allows downloading of files to the remote system; WRITE allows uploading of files from the remote system; PURGE allows deletion of files on the NonStop system; RENAME allows renaming of files on the NonStop system; MKDIR allows creation of directories on the NonStop system; RMDIR allows removal of directories on the NonStop system; SYMLINK allows creation of symbolic links on the NonStop system; ALL is a shortcut for all operations; NONE is a shortcut for no operation. Operations can be abbreviated as long as the abbreviation is unambiguous. Example: SFTP-SECURITY (WRITE, LIST) will only allow perusal of files and uploading of files, and can be abbreviated as SFTP-SECURITY (W, L). SHELL-COMMAND: This attribute specifies a forced command that is to be executed rather than any command given by an exec request from the SSH client. A forced command allows you to limit shell access to specific
23. AUDITFILE $QAHPSSH.T0801ABK.ZTC1AUD; AUDITFORMATCONSOLE 0; AUDITFORMATEMS 0; AUDITFORMATFILE 21; AUDITMAXFILELENGTH; AUDITFILERETENTION 10. CLEAR LOGCACHE: If a log cache is written (see parameters LOGLEVELCACHE, LOGCACHESIZE), the command CLEAR LOGCACHE can be used to clear the cache. It has the following syntax: CLEAR LOGCACHE. The original content of the log cache is lost when executing this command. FLUSH LOGCACHE: If a log cache is written (see parameters LOGLEVELCACHE, LOGCACHESIZE), the command FLUSH LOGCACHE can be used to write the content of the log cache to the configured log file (parameter LOGFILE must not be set to a value of to be able to flush the log cache). It has the following syntax: FLUSH LOGCACHE. The log cache will be automatically cleared after the content of the log cache was written to the current log file. INFO DEFINE: The INFO DEFINE command displays information about the DEFINEs as they exist in the SSH2 process context. It has the following syntax: INFO DEFINE ALL | <define name>. Especially the TCP/IP defines are relevant, because the SSH2 process directly communicates with a TCP/IP process, and not the SSH/OSS or SFTP/OSS clients themselves. When ALL is specified, all defines in the SSH2 process context are displayed; otherwise the information is displayed for the specified <define name>. OUT <filename>. STOP: STOP. Outpu
24. <str3>; <str1> Session Name, <str2> User name, <str3> Exception text / Error message / Reason. "<str1>: public key authentication failed: algorithm not supported"; <str1> Session Name. Log messages (LOG LEVEL; EVENT TEXT; description of variable parts): 20; "<str1>: public key authentication failed: too many keys"; <str1> Session Name. 20; "<str1>: public key authentication failed: invalid signature"; <str1> Session Name. 20; "<str1>: <str2> authentication failed: GSSAPI not available"; <str1> Session Name, <str2> Authentication method name. 20; "<str1>: <str2> authentication failed: no GSS context established during key exchange"; <str1> Session Name, <str2> Authentication method name. 20; "<str1>: <str2> authentication for user <str3> not supported"; <str1> Session Name, <str2> Authentication method name, <str3> User name. 20; "<str1>: No more authentication requests possible for <str2>"; <str1> Session Name, <str2> User name. 20; "<str1>: channel request for subsystem sftp denied"; <str1> Session Name. 20; "<str1>: channel request for subsystem sftp rejected: sftp is not licensed"; <str1> Session Name. 20; "<str1>: channel request for subsystem sftp denied due to the SSH user's sftp security settings"; <str1>
-p <port>
   The port to connect to on the remote host.

-C
   Requests compression of all data (including stdin, stdout, stderr, and data for forwarded connections). The compression algorithm is the same one used by gzip. Compression is desirable on slow connections, but will only slow things down on fast networks.

-o <option>
   Set a configuration option for the SSH client. The following options are supported:

   BINDADDRESS <address>
      The local address used for outgoing connections. Useful if the SSH2 process is configured with the unspecified address (0.0.0.0 or ::) for parameter INTERFACEOUT, or multiple IP addresses are configured in INTERFACEOUT, the TCP/IP process is configured with more than one subnet, and a specific local address needs to be used (e.g. due to firewall configuration restrictions).

   IDENTITY <keyname>
      Use this option to select a specific KEY for authentication to the remote system. By default, all KEYs that you have generated using the SSHCOM GENERATE KEY command will be presented to the remote host for publickey authentication. However, some servers will deny authentication after a maximum number of unacceptable keys has been presented, which can create a problem if you have many keys. To overcome this problem, use the IDENTITY option to present only the key that has been advertised as authorized key to the target server.

   PORT <port>
      The port to connect to on the remote host. This option has the same effect as the -p command line option.
(continuation of the audit event table; the Pattern column for the following rows reads, in row order:
   %sessionId %user %remoteAddress %action %object %outcome %error
   %sessionId %user %remoteAddress %action %object %outcome
   %sessionId %user %remoteAddress %action %object %outcome
   %sessionId %user %remoteAddress %action %object %outcome %error
   %sessionId %user %remoteAddress %action %object %outcome)

Token Values:

SftpRenameEvent, failed, error detail not available
   sessionId=SESSION LOG ID, user=SSH username, remoteAddress=remote IP address, action=rename, object=old file name, newname=new file name, outcome=denied or failed

SftpListDirEvent, successful
   sessionId=SESSION LOG ID, user=SSH username, remoteAddress=remote IP address, action=list, object=directory name, outcome=granted

SftpListDirEvent, failed, error detail available
   sessionId=SESSION LOG ID, user=SSH username, remoteAddress=remote IP address, action=list, object=directory name, outcome=denied or failed, error=error detail

SftpListDirEvent, failed, error detail not available
   sessionId=SESSION LOG ID, user=SSH username, remoteAddress=remote IP address, action=list, object=directory name, outcome=denied or failed

SftpMkDirEvent, successful
   sessionId=SESSION LOG ID, user=SSH username, remoteAddress=remote IP address, action=mkdir, object=directory name, outcome=granted

SftpMkDirEvent, failed, error detail available
   sessionId=SESSION LOG ID, user=SSH username, remoteAddress=remote IP address, action=mkdir, object=directory name, outcome=denied or failed, error=error detail

SftpMkDirEvent, failed, error detail not available
   sessionId=SESSION LOG ID, user=SSH username
                     COMMENT <comment>
                     LIVE-DATE <date time>
                     EXPIRE-DATE <date time>
                     FINGERPRINT <fingerprint value>
                     FILE <filename>
                     COMMENT <comment>
                     LIVE-DATE <date time>
                     EXPIRE-DATE <date time>
   RESET SFTP-INITIAL-DIRECTORY | SYSTEM-USER | SFTP-SECURITY | SFTP-GUARDIAN-FILESET | SFTP-PRIORITY
   RESTRICTION-PROFILE <profile name>
   SFTP-CPU-SET <cpu> | <cpu range> | <cpu range list>
   SFTP-GUARDIAN-FILESET <pattern> [, <pattern> ...]
   SFTP-INITIAL-DIRECTORY <directory path> [LOCKED]
   SFTP-PRIORITY <number>
   SFTP-SECURITY <sftp attr> [, <sftp attr> ...]
   SHELL-COMMAND <command>
   SHELL-ENVIRONMENT <filename>
   SHELL-PROGRAM DEFAULT | <path> | MENU | MENU <service> | FORCE
   SYSTEM-USER <system user name> | NONE

The <user name> is mandatory in the command; no wild cards are allowed in the user name. Please see the description of <user name> under the ADD USER command for unconventional names that must be put in double quotes. At least one attribute needs to be specified in the command.

The individual attributes have the following meaning and syntax:

ALLOW-CI
   This attribute controls whether a TACL or a specific command
(Flattened access matrix; the column headings are not recoverable on the page. The cells hold Yes / No / N/A values for Create, Alter & Info, All and DENY across configuration and non-configuration records.)

Ownership and Management of Client Mode Entities

In release 89 a finer granularity for access and administration of client mode records was introduced. In previous releases, client mode records were owned by a Guardian user identifier. Even when logged on as an alias, the underlying Guardian identifier was used to add and retrieve KEY, PASSWORD and KNOWNHOST records. The philosophy behind this assumed that one person used a specific Guardian user identifier as well as the configured aliases for that Guardian user identifier. This approach is consistent with the general security on NonStop (ACL file security, etc.), which is based on the Guardian user identifier.

As each alias has its own password, it is possible to create a NonStop environment where different persons use different aliases pointing to the same Guardian user identifier. In such an environment, storing KEY, PASSWORD and KNOWNHOST records under the same user id represents a security problem. Assuming aliases a1 and a2 exist, both config
Authentication failed

   Cause:    The authentication of the user with the remote SSH server failed.
   Effect:   The client access to the host is denied. The client connection fails.
   Recovery: Additional error information is returned to the SSH client (e.g. SFTP). Check the user's credentials (private keys or password) for accuracy. Check if any of the user's private keys are made known to the SSH server.

<session id>: failed to open channel, reason: <reason>

   <reason> is a description of the cause of failure, which is sent by the remote SSH server.
   Cause:    The remote SSH server could not open the channel the local SSH client requested to open.
   Effect:   The channel is not opened.
   Recovery: Any corrective action depends on <reason>.

<session id>: channel request failed

   Cause:    The remote SSH server reports a failure of a channel request previously issued for the local SSH client. For example, the "subsystem sftp" channel request may have failed.
   Effect:   The channel is not opened.
   Recovery: Check the remote SSH server installation.

<session id>: error on channel: <error description>

   <error description> describes the error.
   Cause:    An error occurred on the SSH channel.
   Effect:   The SSH channel is closed.
   Recovery: Any corrective action depends on <error description>.

<session id>: error on ssh session: <error descr
\BWNS02.$SQAHPSSH.T0801ABK.LICENSE>
LIFECYCLEPOLICYPRIVATEUSERKEY     <DISABLED>
LIFECYCLEPOLICYPUBLICUSERKEY      <DISABLED>
LOGCACHEDUMPONABORT               <TRUE>
LOGCACHESIZE                      <1024>
LOGCONSOLE                        <>
LOGEMS                            <>
LOGEMSKEEPCOLLECTOROPENED         <TRUE>
LOGFILE                           <$SQAHPSSH.T0801ABK.ZTC1LLOG>
LOGFILERETENTION                  <10>
LOGFORMATCONSOLE                  <93>
LOGFORMATEMS                      <16>
LOGFORMATFILE                     <93>
LOGLEVEL                          <50>
LOGLEVELCACHE                     <50>
LOGLEVELCONSOLE                   <50>
LOGLEVELEMS                       <20>
LOGLEVELFILE                      <50>
LOGMAXFILELENGTH                  <1000>
MACS                              <hmac-sha1,hmac-md5,hmac-sha1-96,hmac-md5-96>
OWNER                             <RoGeR>
PARTIALSSHCOMACCESSGROUP1         <>
PARTIALSSHCOMACCESSUSER1          <>
PAUTHSUPPRESSIPADDRESS            <FALSE>
PORT                              <12229>
PTCPIPFILTERKEY                   <>
PTYSERVER                         <$ZPTYK>
RECORDDELIMITER                   <ANY>
RESTRICTIONCHECKFAILEDDEFAULT     <FALSE>
SFTPALLOWGUARDIANCD               <FALSE>
SFTPCPUSET                        <>
SFTPEDITLINEMODE                  <none>
SFTPEDITLINENUMBERDECIMALINCR     <1000>
SFTPEDITLINESTARTDECIMALINCR      <1>
SFTPENHANCEDERRORREPORTING        <2>
SFTPEXCLUSIONMODEREAD             <SHARED>
SFTPIDLETIMEOUT                   <1l>
SFTPMAXEXTENTS                    <900>
SFTPPRIMARYEXTENTSIZE             <2>
SFTPREALPATHFILEATTRIBUTEECHOED   <FALSE>
SFTPSEC
   Cause:    An error occurred during the initial inter-process communication with the SFTPSERV process.
   Effect:   The channel request for the SFTP subsystem is rejected.
   Recovery: Check if SFTPSERV abended during the initialization procedure. Contact comForte if this problem persists.

   <host> is the IP address of the socket client the SSH client tries to forward a connection from.
   <port> is the port number of the socket client the SSH client tries to forward a connection from.
   <target host> is the IP address the SSH client requested to forward the connection to.
   <target port> is the port number the SSH client requested to forward the connection to.
   Cause:    An SSH client requested the forwarding of a connection. However, this has been administratively prohibited, e.g. by setting the ALLOWTCPFORWARDING parameter to FALSE.
   Effect:   The forwarding request is rejected.
   Recovery: If forwarding is desired, check the setting of ALLOWTCPFORWARDING.

<session id>: forwarding <protocol> connection from <host>:<port> to <target host>:<target port> failed: <error detail>

   <host> is the IP address of the socket client the SSH client tries to forward a connection from.
   <port> is the port number of the socket client the SSH client tries to forward a connection from.
   <target host> is the IP address the SSH client requested to forward the connection to.
DAEMON MODE commands
   The user SUPER.SUPER can execute any daemon mode command. The parameter sets FULLSSHCOMACCESSUSER<i> and FULLSSHCOMACCESSGROUP<j> are evaluated, and users and groups configured in these parameter sets are granted full access to all daemon mode commands.

CLIENT MODE commands
   The user SUPER.SUPER can execute any client mode command for any user. The parameter sets FULLSSHCOMACCESSUSER<i> and FULLSSHCOMACCESSGROUP<j> are evaluated, and configured users and groups are granted full access to all client mode commands for any user.

   If a person who is not logged on as SUPER.SUPER and not configured in parameter sets FULLSSHCOMACCESSUSER<i> and FULLSSHCOMACCESSGROUP<j> wants to execute an SSHCOM CLIENT MODE command affecting records for a specific Guardian user or alias <user or alias>, that person must either be logged on as <user or alias> or meet these two qualifications:
      - be the group manager of the underlying Safeguard user ID, and
      - be the owner of the underlying Safeguard user ID of <user or alias>, or be the group manager of the owner of the underlying Safeguard user ID of <user or alias>.

SSHCOM Security with existing Safeguard OBJECTTYPE USER Record

If a Safeguard OBJECTTYPE USER record exists and is not frozen, the behavior is as follows:

DAEMON MODE commands
   The user SUPER.SUPER can execute any daemon mode command unless explicitly configured in the OBJECTTYPE US
TCPIPHOSTFILE

Parameter Syntax
   TCPIPHOSTFILE <filename>

Arguments
   <filename>
      Specifies the name of the TCP/IP host file to be used by SSH2. The file name will override the value of the DEFINE =TCPIP^HOST^FILE, which may have been passed to SSH2 at startup.
   Indicates that no host file will be set. However, any DEFINE =TCPIP^HOST^FILE passed to SSH2 at startup will remain in effect.

Default
   The default for this parameter is

Considerations
   - Use this parameter to pass the value for the DEFINE =TCPIP^HOST^FILE to SSH2 servers configured as generic processes. This can also be achieved by adding the DEFINE =TCPIP^HOST^FILE for the generic process (possible since G06.28 / H06.06).
   - In case the DEFINE =TCPIP^HOST^FILE causes unwanted behaviour, it is possible to disable the propagation of DEFINEs completely; see parameter PROPAGATEDEFINES.
   - An entry TCPIPHOSTFILE $SYSTEM.ZTCPIP.EMPTY has been added to the SSH2 configuration file for the maintenance LAN (file SSHMCFG) starting with H06.25 / J06.14 to bypass DNS lookup. This solves a problem of a 40 seconds delay when executing an SSH command against a CLIM (e.g. using CLIMCMD) due to unresolved DNS lookups. Although this is a problem with the DNS configuration, the above workaround has been put into place to prevent these delays. Name resolution delays are now detected during SSH2 startup and a warning message will be
   FILE <filename>
   PASSPHRASE <passphrase>
   COMMENT <comment>
   LIVE-DATE <date time>
   EXPIRE-DATE <date time>

The individual attributes have the following meaning and syntax:

<system user name>
   A valid GUARDIAN user who owns the key in the SSH key store. If <system user name> is omitted, either the user set in a previously issued ASSUME USER command or the issuer of the command will be used as the default. If <system user name> is specified, it MUST be followed by the separator character to separate it from the key name.

<key name>
   The name of the key owned by the current user. Multiple owners can have keys with the same name.

FILE
   The name of the file that holds the private key to be imported.

PASSPHRASE
   The optional passphrase associated with the private key file. The passphrase must be enclosed in double quotes ("..."). If the PASSPHRASE attribute is not specified, it is assumed that the key file is accessible without a passphrase.

<date time>
   Date, or date and time, in either of the following formats:
      - DD Mon YYYY hh:mm
      - DDMonYY,hh:mm
      - DD Mon YYYY
      - DDMonYY
   The second format requires surrounding quotes because it contains a comma (commas are separators in SSHCOM).

COMMENT
   This optional attribute is used to associate additional textual information with the imported key.

LIVE-DATE
   T
   GWN prefix len:          4
   GWN num digits:          4
   GWN next window:         ZWN0001
   GWN last window:         ZWN0000
   SSL vproc:               none
   SSH vproc:               none
   Process Startup Params:  PARAM BACKUPCPU ANY

Note: Some commands displayed are not supported in HP T0801, for example CONN_CLR_TELNET and 3270_IN_SIZE. These commands are not documented in this manual and should not be used by HP T0801 users.

Comments

Config
   \BWNS02 $ZPTYE 075536 T0801H01_24JAN2013_ABE LG 04JAN2013_230358: Expand node name, STN process name, system serial number, STN vproc and LINKGMT.

SSH vproc
   T9999H06_22Nov2010_comForte_SSH2_0089. This displays "none" until the first SSH session connects to STN; thereafter the VPROC of the SSH process.

Process Startup Params
   If STN was started without PARAMs, displays "no PARAMs". Otherwise a list of PARAMs is shown, for example: PARAM BACKUPCPU ANY. As of T0801 ABE, the GWN window and session parameters are displayed as well; see section "Session and Window Naming".

INFO SCRIPT <script name>
   Displays configuration information for the specified script, or for all configured scripts.

INFO SERVICE <service name>
   Displays configuration information for the specified service, or for all configured services. Only parameters which are different from the default are displayed. Includes IPRANGE if configure
         Bit 5 (decimal 16): Process ID (name or PIN)
         Bit 7 (decimal 64): Log level of message

Default
   The default log format is 93 (date, time, milliseconds, process ID and log level).

Example
   Display date, time and milliseconds only:
      LOGFORMATEMS 13
   Display date and time only:
      LOGFORMATEMS 5

See also
   LOGFORMATCONSOLE, LOGFORMATFILE

LOGFORMATFILE

Use this parameter to control the format of the log messages that are written to the log file.

Parameter Syntax
   LOGFORMATFILE <format>

Arguments
   <format>
      A number used to represent a bit mask that controls the format. Following are the values and their corresponding format:
         Bit 1 (decimal 1):  Date
         Bit 2 (decimal 2):  Header (log messages are prefixed with "log")
         Bit 3 (decimal 4):  Time
         Bit 4 (decimal 8):  Milliseconds
         Bit 5 (decimal 16): Process ID (name or PIN)
         Bit 7 (decimal 64): Log level of message

Default
   The default log format is 93 (date, time, milliseconds, process ID and log level).

Example
   Display date, time and milliseconds only:
      LOGFORMATFILE 13
   Display date and time only:
      LOGFORMATFILE 5

See also
   LOGFORMATCONSOLE, LOGFORMATEMS

LOGLEVEL

Use this parameter to control the level of detail of messages that are written to the console or log file.

Parameter Syntax
   LOGLEVEL <detail>

Arguments
   <detail>
      A number used to represent the level of detail desi
... Session Name
20         <str1>: channel request for subsystem sftp denied due to the SSH user's allowed subsystems settings       <str1> Session Name
20         <str1>: channel request for subsystem sftp denied due to the SSH2 process' allowed subsystem settings     <str1> Session Name
20         <str1>: request for subsystem tacl rejected, not licensed                                                 <str1> Session Name
20         <str1>: channel request for subsystem tacl denied due to the SSH user's allowed subsystems settings       <str1> Session Name
20         <str1>: channel request for subsystem tacl denied due to the SSH2 process' allowed subsystem settings     <str1> Session Name
20         <str1>: request for subsystem <str2> failed, invalid parameter <str3>                                     <str1> Session Name, <str2> Subsystem name, <str3> Text
20         <str1>: request for subsystem <str2> failed, invalid parameters                                           <str1> Session Name, <str2> Subsystem name

LOG LEVEL  EVENT TEXT                                                                                             Variable Parts
20         <str1>: shell request from 6530 client rejected, not licensed                                             <str1> Session Name
20         <str1>: channel shell for 6530 command interpreter denied due to the SSH user's ALLOW-CI settings         <str1> Session Name
20         <str1>: shell request from 6530 client rejected, configured system user unknown                          <str1> Session Name
20         l
   TERM000    1,000 unique names
   P77        increments to P99, then back to P00; shortest possible name, 100 unique names
   AB12345    cycles to AB99999, then back to AB00000; 100,000 unique names (maximum allowed)

If GWN^TEMPLATE is not used, or does not follow the above rules, a default of ZWN0001 is used, which is compatible with STN B19 and earlier.

GWN^TEMPLATE defines both the format of the name and the starting window name. As sessions are started, the numeric suffix is incremented until it reaches all nines; then the next window name wraps back to all zeroes. Using a short numeric suffix makes typing window names easier. Using a longer numeric suffix allows for more sessions before a window name is reused. GWN^TEMPLATE may be used with or without GWN^FILE.

PARAM GWN^INITIAL RANDOM

If this PARAM is present and is set to the value RANDOM, the initial value is randomly computed from the microsecond clock. Otherwise the number in GWN^TEMPLATE (if present) is used, or else the default of 0001. GWN^INITIAL may be used with or without GWN^FILE.

PARAM GWN^FILE <filename>

GWN^FILE names a central disc file where the next window name is stored. Normally all STN processes would share the same file by using the same PARAM GWN^FILE value. <filename> must name a disc file. If the file does not exist, it is created as an unstructured disc file (code 1107) and initialized using GWN^TEMPLATE and GWN^INITIAL
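The naming rules above, worked through in code. This is an added example written for this page, not STN code. It reproduces the behaviour the text describes (template fixes prefix, suffix width and starting name; names increment and wrap from all nines to all zeroes; an unusable template falls back to ZWN0001). Two details are assumptions, because the page does not state them: the prefix is taken to be letters only and the suffix 1 to 5 digits (100,000 names is the stated maximum), and RANDOM is drawn from os.urandom rather than from the microsecond clock the page mentions.

```python
"""GWN^TEMPLATE window-name generator (added example, not STN code)."""
import os
import re

DEFAULT_TEMPLATE = "ZWN0001"
# Assumption: letter prefix followed by a 1..5 digit numeric suffix.
TEMPLATE_RE = re.compile(r"^([A-Z]+)(\d{1,5})$")


def parse_template(template):
    """Return (prefix, suffix width, start number); falls back to the default template."""
    match = TEMPLATE_RE.match(template or "")
    if match is None:
        match = TEMPLATE_RE.match(DEFAULT_TEMPLATE)
    prefix, digits = match.group(1), match.group(2)
    return prefix, len(digits), int(digits)


class WindowNamer:
    """Hands out window names the way the text describes for GWN^TEMPLATE / GWN^INITIAL."""

    def __init__(self, template=None, initial=None):
        self.prefix, self.width, start = parse_template(template)
        self.capacity = 10 ** self.width          # unique names before one is reused
        if initial == "RANDOM":
            # The page derives this from the microsecond clock; urandom is used here
            # because a clock-derived start value is guessable.
            start = int.from_bytes(os.urandom(4), "big") % self.capacity
        self.next_value = start

    def peek(self):
        """The name the next session will get (what INFO shows as 'GWN next window')."""
        return "%s%0*d" % (self.prefix, self.width, self.next_value)

    def next_name(self):
        name = self.peek()
        self.next_value = (self.next_value + 1) % self.capacity   # wrap all nines -> all zeroes
        return name


def names(template, count, initial=None):
    """Convenience: the first `count` names a namer built from `template` would issue."""
    namer = WindowNamer(template, initial)
    return [namer.next_name() for _ in range(count)]


if __name__ == "__main__":
    print(names("P98", 4))            # wraps: P98, P99, P00, P01
    print(names("TERM000", 2), WindowNamer("TERM000").capacity)
    print(names("bad-template", 1))   # unusable template -> ZWN0001
```

The wrap is the point to check operationally: with a two-digit suffix the 101st session reuses a name, and any logging or access rule keyed on the window name must not assume uniqueness across that boundary.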
TYPE STATIC
   SERVICE is required; IPADDR is not allowed. Typically some number of static windows are defined for a given static service, creating a pool of windows to allocate to sessions requesting that service. Application programs must be pre-started before terminal sessions are allowed to access the service.

TYPE SU
   SERVICE and IPADDR are not allowed. SU windows may only be accessed by specifying the window name at the service menu, although they do not appear in the service menu in any form. SU windows allow a given terminal to connect to a specific window, which generally simplifies application configuration. A disadvantage is that each workstation must be configured to automatically select the unique window name, or the name must be manually entered. Having different configurations or procedures for each workstation presents logistical problems. See TYPE DEDICATED for an alternative.

TYPE DEDICATED
   SERVICE is not allowed; IPADDR is required. DEDICATED windows are automatically connected when a session is started by a remote workstation with an IP address matching the IPADDR field. No service menu is displayed at all. This window cannot be connected by specifying the window name at the service prompt. DEDICATED windows allow the system manager to pre-configure all workstations in STN with their own window. Sessions from that workstation will always connect to the matching window, allowing precise control of application window / workstation mappi
   This is the time to check that the new version of SSH2 is running properly in your environment.

5. Backing out the new version
   In case the new version of SSH2 creates unexpected problems, revert to the old object files.

Where configuration data is stored

Other than any macros you have created, there are two data files which you want to keep in order to preserve your existing database configuration entries:
   HOSTKEY   stores the host key
   SSHCTL    stores all users and configuration done through SSHCOM

Migration Considerations

When migrating from one NSK system to another, the original configuration can be preserved by porting the SSHCTL database, the HOSTKEY file and the SSH configuration file to the SSH subvolume ($SYSTEM.ZSSH). The migration should only be done for SSH2 processes associated with non-maintenance LANs. Note that the configuration file SSHCFG is a template and will be overwritten by DSM/SCM when a new SPR is installed. Therefore the ported configuration file should be named differently, and the startup message in the SCF input file (for persistent processes) or the startup obey file changed to point to the correct configuration file. Also take note that if a license file existed in the original configuration but is not required any longer in the target system (SPRs > T0801AAQ), the customer name from the license file must be placed as a value for parameter CUSTOMER in
BURSTSUPPRESSION                  <FALSE>
BURSTSUPPRESSIONEXPIRATIONTIME    <300>
BURSTSUPPRESSIONMAXLOGLEVEL       <40>
CACHEBURSTSUPPRESSION             <FALSE>
CIPCOMPATERROR                    <>
CIPHERS                           <aes256-cbc,twofish256-cbc,twofish-cbc,aes128-cbc,twofish128-cbc,blowfish-cbc,3des-cbc,arcfour,cast128-cbc>
CLIENTALLOWEDAUTHENTICATIONS      <none,gssapi-with-mic,publickey,password,keyboard-interactive>
CLIENTMODEOWNERPOLICY             <GUARDIANNAME>
COMPRESSION                       <TRUE>
CONFIG                            <$SQAHPSSH.T0801ABK.ZTC1CFG>
CONFIG2                           <>
CONSOLEBURSTSUPPRESSION           <FALSE>
CPUSET                            <>
CUSTOMER                          <>
DAEMONMODEOWNERPOLICY             <LOGINNAME>
DNSMODE                           <FIRST>
EMSBURSTSUPPRESSION               <FALSE>
ENABLESTATISTICSATSTARTUP         <FALSE>
FILEBURSTSUPPRESSION              <FALSE>
FULLSSHCOMACCESSGROUP1            <>
FULLSSHCOMACCESSUSER1             <>
GSSAUTH                           <>
GSSGEXKEX                         <FALSE>
GSSKEX                            <TRUE>
GUARDIANATTRIBUTESEPARATOR        <>
HOSTKEY                           <HOSTKEY>
HOSTKEYBITS                       <1024>
HOSTKEYTYPE                       <DSA>
INTERFACE                         <0.0.0.0>
INTERFACEOUT                      <0.0.0.0>
INTERVALLIVEPRIVATEUSERKEY        <730>
INTERVALLIVEPUBLICUSERKEY         <730>
INTERVALPENDINGPRIVATEUSERKEY     <0>
INTERVALPENDINGPUBLICUSERKEY      <0>
IPMODE                            <IPV4>
LICENSE                           <
   (continuation of the preceding AuthenticationEvent row)
   Token values: action=authentication, outcome=granted, method=authentication method, reason=reason

2   AuthenticationEvent
    Authentication successful, method publickey or gssapi-with-mic
       Pattern:      %sessionId %user %remoteAddress %action %outcome %method %publickeyOrPrincipal %reason %systemUser
       Token values: sessionId=SESSION LOG ID, user=SSH username, remoteAddress=remote IP address, action=authentication, outcome=granted, method=authentication method, publickeyOrPrincipal=name of public key or principal name, reason=reason, systemUser=system user

    Authentication failed, method not publickey and not gssapi-with-mic
       Pattern:      %sessionId %user %remoteAddress %action %outcome %method %reason
       Token values: sessionId=SESSION LOG ID, user=SSH username, remoteAddress=remote IP address, action=authentication, outcome=denied or failed, method=authentication method, reason=reason

    Authentication failed, method publickey or gssapi-with-mic
       Pattern:      %sessionId %user %remoteAddress %action %outcome %method %publickeyOrPrincipal %reason
       Token values: sessionId=SESSION LOG ID, user=SSH username, remoteAddress=remote IP address, action=authentication, outcome=denied or failed, method=authentication method, publickeyOrPrincipal=name of public key or principal, reason=reason

3   TerminateSessionEvent
    terminate session
       Pattern:      %sessionId %user %remoteAddress
       Token values: sessionId=SESSION LOG ID, user=SSH username, remoteAddress=
         Bit 1 (decimal 1):  Date
         Bit 2 (decimal 2):  Header (log messages are prefixed with "log")
         Bit 3 (decimal 4):  Time
         Bit 4 (decimal 8):  Milliseconds
         Bit 5 (decimal 16): Process name
         Bit 7 (decimal 64): Log level of message

Default
   The default audit log format is 21 (date, time, process name).

Example
   Display date, time and milliseconds only:
      AUDITFORMAT 13
   Display date and time only:
      AUDITFORMAT 5

See also
   - AUDITCONSOLE, AUDITEMS, AUDIT FILE, AUDITFORMATCONSOLE, AUDITFORMATEMS and AUDITFORMATFILE
   - "Audit Messages" in the chapter entitled "Monitoring and Auditing"

AUDITFORMATCONSOLE

Use this parameter to control the format of the audit messages that are written to the console.

Parameter Syntax
   AUDITFORMATCONSOLE <format>

Arguments
   <format>
      A number used to represent a bit mask that controls the format. Following are the values and their corresponding format:
         Bit 1 (decimal 1):  Date
         Bit 2 (decimal 2):  Header (log messages are prefixed with "log")
         Bit 3 (decimal 4):  Time
         Bit 4 (decimal 8):  Milliseconds
         Bit 5 (decimal 16): Process ID (name or PIN)
         Bit 7 (decimal 64): Log level of message

Default
   The default audit format is 21 (date, time, process name).

See also
   - AUDITCONSOLE, AUDITFORMATEMS, AUDITFORMATFILE
   - "Audit Messages" in the chapter entitled "Monitoring and Auditin
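The same bit table is used by the LOGFORMATCONSOLE / LOGFORMATEMS / LOGFORMATFILE parameters and by the AUDITFORMAT family, and the only way to tell what a mask such as 93 or 21 enables is to take it apart bit by bit. The helper below is an added example written for this page, not code from the SSH2 product; it uses only the bit assignments listed above. Bit 6 (decimal 32) is not assigned anywhere on the page, so a value that sets it is rejected instead of silently accepted.

```python
"""LOGFORMAT*/AUDITFORMAT* bit-mask helper (added example, not product code)."""

# Bit number -> field, as listed for LOGFORMATFILE / AUDITFORMATCONSOLE.
# AUDITFORMAT calls bit 5 "Process name"; it is the same bit position.
FORMAT_BITS = {
    1: "Date",
    2: "Header",        # log messages are prefixed with "log"
    3: "Time",
    4: "Milliseconds",
    5: "Process ID",    # process name or PIN
    7: "Log level",
}

# All assigned bits together: 1+2+4+8+16+64 == 95. Bit 6 (32) is unassigned.
ASSIGNED_MASK = sum(1 << (bit - 1) for bit in FORMAT_BITS)


def decode_format(value):
    """Return the fields enabled by a LOGFORMAT/AUDITFORMAT value, in bit order.

    Raises ValueError for a value that sets a bit the manual does not assign;
    run this before pasting a mask into a configuration file.
    """
    if not isinstance(value, int) or isinstance(value, bool) or value < 0:
        raise ValueError("format value must be a non-negative integer")
    unassigned = value & ~ASSIGNED_MASK
    if unassigned:
        raise ValueError("unassigned bit(s) set: decimal %d" % unassigned)
    return [name for bit, name in sorted(FORMAT_BITS.items()) if value & (1 << (bit - 1))]


def is_valid_format(value):
    """True if every set bit of `value` is one the manual assigns."""
    try:
        decode_format(value)
        return True
    except ValueError:
        return False


def encode_format(*fields):
    """Build the decimal mask for a set of field names, e.g. encode_format("Date", "Time") == 5."""
    by_name = {name: bit for bit, name in FORMAT_BITS.items()}
    value = 0
    for name in fields:
        if name not in by_name:
            raise ValueError("unknown field: %r" % (name,))
        value |= 1 << (by_name[name] - 1)
    return value


def documented_values():
    """Decode the masks quoted in the manual: defaults 93 and 21, examples 13 and 5."""
    return {v: decode_format(v) for v in (93, 21, 13, 5)}


if __name__ == "__main__":
    for value, fields in documented_values().items():
        print("%3d -> %s" % (value, ", ".join(fields)))
```

Decoding 93 gives date, time, milliseconds, process ID and log level, which matches the default the text quotes; 21 gives date, time and process name, matching the audit default. Note that the audit default omits the log level and milliseconds: if audit records are to be correlated with the SSH2 log file on a sub-second basis, set AUDITFORMATFILE to a mask that includes bit 4 as well.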
   <key name> FILE <GUARDIAN file name> | <OSS file name> | "<OSS file name>" [PASSPHRASE <passphrase>] [FORMAT OPENSSH | SSH2] [PRIVATE]

The individual attributes have the following meaning and syntax:

<system user name>
   This refers to a valid GUARDIAN user who owns the key in the SSH key store. If <system user name> is omitted, either the user set in a previously issued ASSUME USER command or the issuer of the command will be used as the default. If <system user name> is specified, it MUST be followed by the separator character to separate it from the key name.

<key name>
   The name of the key owned by the current user.

FILE
   The name of the GUARDIAN or OSS file that will hold the exported key. If the OSS file name contains spaces, it must be enclosed in double quotes.

PASSPHRASE
   This attribute is relevant only if the PRIVATE attribute is set. It configures the optional passphrase to secure the resulting private key file. The passphrase must be enclosed in double quotes ("..."). If the PASSPHRASE attribute is omitted, the private key can be retrieved by anyone who has read access to the file.

FORMAT
   The format of the resulting key file. Format can be either OPENSSH or SSH2. If this attribute is omitted, SSH2 will be used as the default. Export of the private key part is not supported when exporting in format SSH2.

PRIVATE
20         <str1>: listen request on <str2> denied, USER <str3> not permitted to initiate TCP forwarding                                     <str1> Session Name, <str2> Normalized address and port to bind, <str3> User name
20         <str1>: listen request on <str2> denied, RESTRICTION-PROFILE PERMIT-LISTEN for USER <str3> does not include local address/port    <str1> Session Name, <str2> Normalized address and port to bind, <str3> User name

LOG LEVEL  EVENT TEXT                                                                                                                 Variable Parts
20         <str1>: forwarding from <str2> denied, USER <str3> not found in database and PARAM <str4> set to true                            <str1> Session Name, <str2> Normalized originator host address and port, <str3> Guardian user name, <str4> RESTRICTIONCHECKFAILEDDEFAULT
20         <str1>: forwarding from <str2> denied, RESTRICTION-PROFILE FORWARD-FROM for USER <str3> does not include originator host         <str1> Session Name, <str2> Normalized originator host address and port, <str3> User name
20         gssapi authentication failed: <str1>                                                                                              <str1> Error message
20         Insane thread started
20         Insane Thread: Count down <int1>                                                                                                  <int1> Counter value
20         Insane Thread was killed
20         DEFINE <str1> was set to <<str2>>                                                                                                  <st
20         ... not valid while not connected to an FTP server                                               <str1> Session Name, <str2> Text
20         <str1>: FTP logon failed, reporting login failure to FTP client                                  <str1> Session Name
20         <str1>: connection to SSH server at <str2> failed, reporting failure to client                   <str1> Session Name, <str2> Normalized target host address and port
20         <str1>: SSH user authentication failed, disconnecting                                            <str1> Session Name
20         <str1>: SSH user authentication o.k.                                                             <str1> Session Name
20         <str1>: failed to create SSH tunnel to FTP server at <str2>: <str3>, disconnecting SSH session   <str1> Session Name, <str2> Normalized target host address and port, <str3> Description
20         Cannot forward data because remote side has closed the channel, ignoring data
20         Configuration error regarding parameter <str1>: <str2>                                           <str1> CLIENTMODEOWNERPOLICY, <str2> Error number
20         User <str1>: Error occurred while checking if system user <str2> is frozen. Assuming system user is <str3>   <str1> Name, <str2> System user name, <str3> Value "frozen" or "thawed"

LOG LEVEL  EVENT TEXT                                                                                     Variable Parts
20         Deleting user sessions records (user <str1>) created by no longer existing SSH2 processes failed: <
   TRUE     Duplicate log messages will be suppressed.
   FALSE    Duplicate log messages will not be suppressed.

Considerations
   The value of parameter CACHEBURSTSUPPRESSION is ignored if BURSTSUPPRESSION is set to TRUE. Burst suppression for the log target "memory cache" is enabled if either parameter BURSTSUPPRESSION or parameter CACHEBURSTSUPPRESSION is set to TRUE.

Default
   If omitted, CACHEBURSTSUPPRESSION is set to FALSE.

Example
   CACHEBURSTSUPPRESSION TRUE

See also
   BURSTSUPPRESSION, BURSTSUPPRESSIONEXPIRATIONTIME, BURSTSUPPRESSIONMAXLOGLEVEL

CIPCOMPATERROR

In case there is no support for DEFINEs in the kernel (older OS releases), a PARAM CIPCOMPATERROR can be set to SUPPRESS for a kernel process.

Parameter Syntax
   CIPCOMPATERROR SUPPRESS

Arguments
   SUPPRESS
      DEFINE =CIP^COMPAT^ERROR will be set to SUPPRESS.
   DEFINE =CIP^COMPAT^ERROR will not be set.

Default
   The default for this parameter is

Considerations
   Use this parameter to pass the value for the DEFINE =CIP^COMPAT^ERROR to SSH2 servers configured as generic processes. This can also be achieved by adding the DEFINE =CIP^COMPAT^ERROR for the generic process (possible since G06.28 / H06.06). An existing DEFINE =CIP^COMPAT^ERROR passed to the SSH2 process at startup will remain in effect.

CIPHERS

Use this parameter to specify which cipher suites are
   ... matching exactly one character (?) are allowed. The tilde (~) is supported for expressing negation.

<host:ports>
   Specifies a pair of host address (or name) and port ranges, separated by a colon. A port range can be either one port, one port range, or a list of port ranges separated by commas and enclosed in brackets.

COMMENT
   Enables users to enter free text to describe the entity or provide a short explanation of the intended use of the entity. The whole comment text must be enclosed in double quotes if the comment includes spaces. The content will not be used for any processing.

CONNECT-FROM
   The attribute CONNECT-FROM restricts the host systems a user can connect from. Whenever an incoming connection for the user is accepted, the CONNECT-FROM restrictions are applied. The value can be one host pattern or a list of patterns used to match the address or name of the client system connecting to SSH2 on the NonStop server. The format of each pattern and the pattern matching done is the same as in OpenSSH for the parameter "from". If a list is specified, it must be enclosed in parentheses. One pattern represents a host name or its IP address and can include the wildcard characters * (matching any number of characters) and ? (matching exactly one character). A pattern may be prefixed by ~ indicating negation, that is, if the matching pattern is preceded by a tilde, the incoming connection will be rejected.

Examp
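How a CONNECT-FROM pattern list actually decides, as an added example written for this page (not code from the SSH2 product). It implements the OpenSSH "from=" semantics the text refers to: * and ? wildcards, patterns tried against both the client address and its host name, and a negated pattern that matches rejecting the connection regardless of any positive match. The negation prefix is the tilde the manual names; OpenSSH's own from= option uses "!" for the same purpose, so change NEGATION_PREFIX when testing against an OpenSSH authorized_keys entry. Case-insensitive host-name comparison is an assumption.

```python
"""CONNECT-FROM / OpenSSH from= style host pattern matching (added example)."""
import re

NEGATION_PREFIX = "~"     # as stated on this page; OpenSSH uses "!"


def pattern_to_regex(pattern):
    """Translate one host pattern into an anchored, case-insensitive regex."""
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))   # the dots in 10.1.* stay literal dots
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)


def match_pattern_list(patterns, candidates):
    """Evaluate a pattern list against the client's address and host name.

    Returns "denied" as soon as a negated pattern matches any candidate,
    "allowed" if a positive pattern matched and no negated one did, and
    "no-match" otherwise. A list made only of negated patterns can therefore
    never return "allowed", which is OpenSSH's behaviour as well.
    """
    candidates = [c for c in candidates if c]       # host name may be unknown (None)
    positive = False
    for raw in patterns:
        negated = raw.startswith(NEGATION_PREFIX)
        regex = pattern_to_regex(raw[len(NEGATION_PREFIX):] if negated else raw)
        if any(regex.match(c) for c in candidates):
            if negated:
                return "denied"
            positive = True
    return "allowed" if positive else "no-match"


def connect_from_allows(connect_from, client_addr, client_name=None):
    """Apply a CONNECT-FROM value (one pattern or a list) to an incoming connection."""
    patterns = [connect_from] if isinstance(connect_from, str) else list(connect_from)
    return match_pattern_list(patterns, [client_addr, client_name]) == "allowed"


if __name__ == "__main__":
    # Constructed sample: allow the 10.1.0.0/16 range, but never the 10.1.99.x lab hosts.
    profile = ["10.1.*", "~10.1.99.*", "*.corp.example"]
    for addr, name in [("10.1.2.3", None), ("10.1.99.5", None),
                       ("192.0.2.10", "jump.corp.example"), ("198.51.100.7", "evil.example")]:
        print("%-14s %-20s -> %s" % (addr, name, connect_from_allows(profile, addr, name)))
```

Two consequences worth checking in a real profile: a name pattern such as *.corp.example only helps if the connecting address resolves to a name, so with DNS lookups bypassed (TCPIPHOSTFILE $SYSTEM.ZTCPIP.EMPTY, for instance) only address patterns can match; and a profile consisting solely of ~ patterns denies everyone, because nothing ever produces a positive match.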
49. remoteAddress; sessionId = SESSION LOG ID. (Failed, error detail not available) Pattern: sessionId, user, remoteAddress, action, object, outcome. Token values: user = SSH username; remoteAddress = remote IP address; action = purge; object = file name; outcome = denied or failed.
11 SftpRename, Successful. Pattern: sessionId, user, remoteAddress, action, object to newname, outcome. Token values: sessionId = SESSION LOG ID; user = SSH username; remoteAddress = remote IP address; action = rename; object = old file name; newname = new file name; outcome = granted.
11 SftpRename, Failed (error detail available). Pattern: sessionId, user, remoteAddress, action, object to newname, outcome, error. Token values: sessionId = SESSION LOG ID; user = SSH username; remoteAddress = remote IP address; action = rename; object = old file name; newname = new file name; outcome = denied or failed; error = error detail.
[HP NonStop SSH Reference Manual, Monitoring and Auditing, p. 316]
Event Id | Event Name | Conditions | Pattern | Token Values
12 SftpListDirEvent, 13 SftpMkDirEvent. Conditions: Failed (error detail not available); Successful; Failed (error detail available); Failed (error detail not available); Successful; Failed (error detail available); Failed (error detail not available). Patterns: sessionId, user, remoteAddress, action, object to newname, outcome; sessionId, user, remoteAddress, action, object, outcome; sessionId, user
50. 2.3. Each decimal number represents 8 bits (one octet) of the IPv4 address. IPv6 addresses are not only longer than IPv4 addresses, but there can be several valid representations of an IPv6 address. An IPv6 address is represented as eight groups of four hexadecimal digits separated by colons, e.g. 2001:0db8:0000:0000:1319:0000:0000:7344. Each group represents 16 bits (two octets) of the IPv6 address. Leading zeros are usually dropped, resulting in the valid representation 2001:0db8:0:0:1319:0:0:7344. Further simplifying, RFC 4291 allows replacing one sequence of zero groups by ::, resulting in 2001:0db8::1319:0:0:7344; a maximum of one such sequence is allowed. The original example address can also be represented as 2001:0db8:0:0:1319::7344. Usually the longest sequence of zero groups is replaced by ::. If there is more than one sequence of zero groups of the same length, the first sequence is replaced by ::. Another IPv6 representation uses dotted decimals for the last 4 octets of an IPv6 address, especially used for IPv4-compatible IPv6 addresses like ::13.1.68.3 and IPv4-mapped IPv6 addresses like ::FFFF:129.144.52.38. In cases where a numeric element like a port, or any other hexadecimal element not belonging to the IP address, is appended to an IP address separated by a colon, the IP address must be enclosed in square brackets if it is an IPv6 address, e.g. [2001:0db8::1319:0:0:7344]:4567. Otherwise the por
51. <3> <4> <5> | <2> <3> <4> zero (used only for SecurTN, where this event has an alternate meaning); <5> text from AUDITMSG. CAUSE: Generated when STNCOM command AUDITMSG is used. This event is written to the specified AUDITCOLL collector, not to the standard $0 EMS event collector. EFFECT: None. RECOVERY: None, informational only.
zstn^evt^auditcoll^service (value is 1023): <1> AUDITCOLL <2> <3> <4> service <5> Outcome <6>. <2> full name of the window (\node.$stn.#window); <3> remote IP address; <4> remote IP port; <5> window name only (#win); <6> text: Granted for a dedicated window, and Granted or Denied for a service. CAUSE: Generated on a session connection attempt to a service or dedicated window. Outcome is GRANTED or DENIED for a service, GRANTED for a dedicated window. This event is written to the specified AUDITCOLL collector, not to the standard $0 EMS event collector. EFFECT: None. RECOVERY: None, informational only.
zstn^evt^auditcoll^connect (value is 1024): <1> AUDITCOLL connect <2> <3> <4> <5> Client Info <6>. <2> full name of the window (\node.$stn.#window); <3> remote IP address; <4> remote IP port; <5> text PLAIN for unencrypted sessions, or SECURE; <6> encryption method. CAUSE: Generated when a new session is accepted from a remote
52. ALLOW-SHELL: Indicating if the ssh user is allowed to request a shell.
SHELL-PROGRAM: OSS path of the shell executed when the ssh user requests a shell, or configuration of a telnet service connected to when the ssh user requests a shell.
SHELL-COMMAND: Enforced shell command executed when the ssh user requests a shell.
SHELL-ENVIRONMENT: Pathname of a script that will be executed when a shell is invoked.
ALLOW-CI: Indicating if the ssh user is allowed to request a TACL command interpreter.
ALLOW-CI-PROGRAM-OVERRIDE: Indicating if the ssh user is allowed to override the configured CI-PROGRAM via the tacl -p or ci -p command.
CI-PROGRAM: Guardian object name of the command interpreter executed when the ssh user requests a command interpreter, or configuration of a telnet service connected to when the ssh user requests a command interpreter.
CI-COMMAND: Startup parameters for CI-PROGRAM, used when the ssh user requests a command interpreter.
ALLOW-PTY: Indicating if the ssh user is allowed to request a pseudo terminal (PTY).
PTY-SERVER: User-specific configuration of the PTY server process. Ignored if ALLOW-PTY is set to NO. The default value is taken from SSH2 parameter PTYSERVER.
ALLOW-TCP-FORWARDING: Indicating if the ssh user is allowed to request port forwarding.
ALLOWED-SUBSYSTEMS: Subsystems the ssh user is allowed to request.
ALLOW-GATEWAY-PORTS: Indicating if the ssh user is allowed to open gateway ports, i.e. port forwarding where the l
53. CAUSE: The backup process repeatedly failed. Other EMS events will give additional information. EFFECT: STN runs without a backup until a STNCOM command BACKUPCPU is entered. RECOVERY: Correct the problem causing the backup failures, then use the STNCOM BACKUPCPU command.
zstn^evt^ckpt^fe (value is 12): <1> Backup checkpoint file err <2>. <2> error code. CAUSE: Unable to communicate with the backup process due to an error condition. EFFECT: The backup is stopped; STN will automatically restart the backup process. RECOVERY: None, informational only.
zstn^evt^ckopen^err (value is 13): <1> Checkopen err <2> file <3>. <2> error code; <3> file name. CAUSE: An error occurred during backup checkopen of a file. EFFECT: The backup is stopped; STN will automatically restart the backup process. RECOVERY: None, informational only.
zstn^evt^trace^start (value is 14): <1> Trace started to file <2> size <3>. <2> trace file name; <3> size of the trace file. CAUSE: An STN trace was started. EFFECT: None. RECOVERY: None, informational only.
[HP NonStop SSH Reference Manual, STN Reference, p. 294]
zstn^evt^trace^stop (value is 15): <1> Trace stopped. CAUSE: An STN trace was stopped. EFFECT: None. RECOVERY: The binary trace file may now be forwarded to Support, or may be formatted using the GTRED program.
zstn^evt^trace^segment (value is 16): <1> Tra
54. CPU-SET is used instead. CPUs are assigned via a round-robin algorithm among all the configured CPUs that are available. The value can be a CPU number (e.g. 2), a range of CPUs (e.g. 3-4), or a comma-separated list of CPU numbers and CPU ranges enclosed in parentheses (e.g. (2, 5, 7-9)). The default is to start user processes in the same CPU in which the SSH2 process is running; in this case the processing load is spread by using multiple SSH2 processes and starting these SSH2 processes in different CPUs. If no value is specified, the value will be reset to the default. The default is to use the value of SSH2 parameter SFTPCPUSET to determine a CPU or, if that is not set, the CPU the SSH2 process is running in is used.
SFTP-GUARDIAN-FILESET: A list of patterns identifying the GUARDIAN systems, volumes, subvolumes and files the user is allowed to access. Following is the default for this attribute:
The default enables access (limited by the SFTP-SECURITY attribute) to any GUARDIAN system, volume, subvolume or file. In each pattern configured with the GUARDIAN file set, the * sign is used as a wildcard for any sequence of characters. The ? sign is used in a pattern as a wildcard for one single character.
SFTP-INITIAL-DIRECTORY: This attribute specifies the initial server-side directory the user will access after establishing the SFTP session. The default value for the initial directory is either the value taken from INITIAL-DI
55. DEFINE =TCPIP^PROCESS^NAME was set to <\NPNS01.$ZSAM1>
18Apr12 17:07:31.25 20 TCP/IP process is $ZSAM1
18Apr12 17:07:31.25 20 DEFINE =PTCPIP^FILTER^KEY was set to <L US SSH92 SSH48>
The second runtime argument can be used to create a new EDIT file containing the log file contents. The following example shows how to convert the whole log file into an edit file (note that this can take some time for large files):
42> run showlog ssh2log logedit
SHOWLOG log file converter, Version T9999A05_16Apr2009_HP_SHOWLOG_0022
writing out file logedit
processing in file ssh2log
EOF reached
done
43> fileinfo logedit
$SSH89C  EOF  LAST MODIFIED  OWNER  RWEP  PExt SExt
LOGEDIT  6086  23DEC2010 17:36  255,255  NONO  14  28
44>
The third and last runtime argument can be used to limit the part of the file that is converted. This is helpful for viewing large log files. The following example illustrates the dumping of a large log file: only a limited number of log messages, totaling 10,000 bytes after a given offset (5,000,000), are shown.
33> run showlog ssh2log 5000000 10000
SHOWLOG log file converter, Version T9999A05_16Apr2009_HP_SHOWLOG_0022
starting at offset 5000000, dumping at most 10000 bytes
processing in file ssh2log
[HP NonStop SSH Reference Manual, Monitoring and Auditing, p. 324]
(output not shown here)
done
34>
Notes: In this example, by using
56. ... 194
IMPORT KEY 195
INFO KEY 196
RENAME KEY 198
THAW KEY 199
Client Mode Commands Operating on the PASSWORD Entity 200
ADD PASSWORD 200
ALTER PASSWORD 200
DELETE PASSWORD 200
FREEZE PASSWORD 201
INFO PASSWORD 201
RENAME PASSWORD 202
THAW PASSWORD 203
Client Mode Commands Operating on the KNOWNHOST Entity 204
ADD KNOWNHOST 204
ALTER KNOWNHOST 205
DELETE KNOWNHOST 205
FREEZE KNOWNHOST 205
INFO KNOWNHOST 206
RENAME KNOWNHOST 207
THAW KNOWNHOST 208
Status Commands 208
STATUS SSH2 208
STATUS SESSION
57. Enabling 6530 Terminal Access in chapter Configuring and Running SSH2.
- Updated Guardian SSH description in section Secure Shell Access from NonStop to Remote Systems to reflect new capabilities.
Version 2.1: Describes changes in SSH2 releases 0062 and later. The manual now reflects the additional functionality implemented for the SecurSH product, a complete SSH suite including shell client and server capabilities with full pseudo-TTY support as well as port forwarding. The manual contains the following major changes and additions:
- The Installation & Quickstart chapter has been rewritten.
- The Configuring and Running SSH2 chapter describes additional SSH2 parameters.
- Sections for Enabling PTY Access and Load Balancing have been added.
- The SSHCOM reference now describes some additional USER attributes.
The following additional new features are also described:
- Running SSH2 as a NonStop process pair.
- The new mechanism for rolling over log and audit files.
[HP NonStop SSH Reference Manual, Preface, p. 22]
Version 1.8: The new SFTP-PRIORITY attribute of the user entity allows administrators to specify the priority of the SFTPSERV process started by SSH2. This feature enables SSH2 to run at a high priority while SFTPSERV runs at a priority below other critical application or system processes. This will minimize the impact SFTP transfers have on overall system performance while ensuring fast response times of SSH2 during SS
58. FIXED. See also INTERVALLIVEPUBLICUSERKEY, INTERVALPENDINGPUBLICUSERKEY, FULLSSHCOMACCESSUSER<i>, FULLSSHCOMACCESSGROUP<j>, PARTIALSSHCOMACCESSUSER<k> and PARTIALSSHCOMACCESSGROUP<n>.
LOGCACHEDUMPONABORT: Use this parameter to define whether the log messages held in the log cache are written to the log file in case of an abort.
Parameter Syntax: LOGCACHEDUMPONABORT TRUE | FALSE
Arguments: TRUE: In case of abort, the content of the log cache will be written to the configured log file. FALSE: The content of the log cache will be discarded on process abort.
Default:
[HP NonStop SSH Reference Manual, Configuring and Running SSH2, p. 90]
The default for this parameter is TRUE.
Considerations: The log cache content can be written to the log file at any time via the SSHCOM command FLUSH LOGCACHE.
See also: LOGCACHESIZE, LOGLEVELCACHE, LOGFILE; Log Messages in the Monitoring and Auditing chapter; commands FLUSH LOGCACHE and CLEAR LOGCACHE in the SSHCOM Command Reference chapter.
LOGCACHESIZE: Use this parameter to define how many lines of log messages are held in the log cache.
Parameter Syntax: LOGCACHESIZE <lines>
Argument: <lines>: The number of log message lines to be held in the log cache. The minimum value is 1024 and the maximum value is 1048576 (1024 * 1024).
Considerations: The LOGLEVELCACHE parameter controls what messages are written to the log cache
59. If it cannot be created or written, the default of ZWN0001 is used. If the file exists, it is validated as containing a valid GWN record. If the GWN record is valid, STN allocates an initial block of window names as described below. The window name stored in the file overrides any GWN TEMPLATE.
[HP NonStop SSH Reference Manual, STN Reference, p. 283]
If the file exists but an error occurs while opening or reading the file, or the file does not contain valid GWN data, STN closes the file, generates an EMS warning, and runs without GWN FILE for the duration of the STN process. No recovery is attempted. If it cannot be created or written, the default of ZWN0001 is used. If <filename> is OFF or the PARAM is omitted, then the default of ZWN0001 is used.
PARAM GWN BLOCKSIZE <nnn>: When GWN FILE is used, GWN operates by allocating a block of consecutively numbered window names at a time. This allows multiple STN processes to use the same range of window names without duplicating any names. It also allows a restarted STN process to avoid duplicating names previously used. GWN BLOCKSIZE specifies the number of window names to be allocated in each block, in the range 10 to 1000. If GWN BLOCKSIZE is not specified or contains an illegal value, a default of 25 is used. Allocation works as follows: 1. STN reads the GWN file with locking to get the next window name. 2. This window name and the next <blocksize>-1 consecutive window name
60. LIVE 08Jul11 18:22 THAWED
KEY newl: COMMENT ; USER super.super; TYPE RSA; BITS 1024; PUBLICKEY FINGERPRINT: MD5 e1:96:56:e2:d3:1:96:3a:c6:00:78:6e:8f:4a:76:37, BABBLE xicef-sineb-gopiv-byfeb-lahal-vidan-kimev-cekoh-zylyp-manav-zexix; CREATION-DATE 04May11 22:40; LIVE-DATE 01Jun11 00:00; EXPIRE-DATE 31Aug11 12:30; LIFE-CYCLE-STATE LIVE; LAST-USE 08Jul11 18:22; LAST-MODIFIED 08Jul11 19:01; STATUS THAWED.
The fields of the output of INFO KEY have the following meaning:
COMMENT: A comment as entered when generating, importing or altering the key.
USER: The system user who owns the private key.
TYPE: The type of the key.
BITS: The key length in bits.
PUBLICKEY FINGERPRINT: Both the MD5 and bubble babble fingerprint of the public key.
[HP NonStop SSH Reference Manual, SSHCOM Command Reference, p. 197]
CREATION-DATE: This attribute contains the creation date of a key and is automatically set when a key is generated or imported. If a key was generated or imported before the introduction of the CREATION-DATE attribute, the value will be shown as NONE, meaning not set.
LIVE-DATE: This optional attribute contains the date the key has gone or will go into state LIVE. The key is not valid before that date and will not be used for authentication. If a key was generated or imported before the introduction of the LIVE-DATE attribute, or if an attribute value was not specified in a GENERATE KEY or IMPORT KEY command, then th
61. LOGEMS, LOGLEVELCONSOLE, LOGLEVELFILE, LOGFORMATEMS
LOGLEVELFILE: Use this parameter to control which messages are written to the log file.
Parameter Syntax: LOGLEVELFILE detail
Arguments: detail: A number specifying the detail level.
Default: For downward compatibility, the default log level is taken from the LOGLEVEL parameter if present. Otherwise a default of 50 is used.
Considerations: Different log levels can be used for the outputs to LOGCONSOLE, LOGEMS and LOGFILE. With the SSHCOM command interpreter, users can change parameters without having to restart SSH2.
See also: LOGFILE, LOGLEVELCONSOLE, LOGMAXFILELENGTH, LOGFORMATFILE
LOGMAXFILELENGTH: Use this parameter to control the maximum size of a log file.
Parameter Syntax: LOGMAXFILELENGTH length
Arguments: length: Represents the maximum log file length in kilobytes. Following are the ranges allowed: Maximum 40,000 (or 40 MB); Minimum 100 KB.
Default: The default length is 20,000 KB.
Considerations: After the current log file reaches the maximum size, a log rollover will occur. The current log file will be renamed by appending a number to its name. A new file with the LOGFILE name will be created for subsequent log output.
See also:
[HP NonStop SSH Reference Manual, Configuring and Running SSH2, p. 99]
LOGFILE, LOGLEVELFILE, LOGFILERETENTION; Log Messages in the Monitoring and Auditing chapter.
LOGMEMORY: Use this parameter to include SSH2
62. [HP NonStop SSH Reference Manual, Configuring and Running SSH2, p. 139]
Entity RESTRICTION-PROFILE fields: CONNECT-FROM, CONNECT-TO, PERMIT-LISTEN, PERMIT-OPEN, FORWARD-FROM.
Entity KNOWNHOST fields: Name (identifier of a KNOWNHOST record), ADDRESSES.
Entity PASSWORD fields: Name (identifier of a PASSWORD record).
IP Mode: Similar to the FAMILY configuration of the TCP/IP monitor process and subnets, the SSH2 process supports control over the IP mode the SSH2 process is running in. A new SSH2 parameter IPMODE has been added. The SSH2 parameter IPMODE allows restricting communication to IPv4 or IPv6, or allowing both types. The accepted values for parameter IPMODE are:
- IPV4: allows IPv4 communication only; can be used when accessing a TCP/IP process running object TCPIP, or a TCP/IP process running TCP6SAM or CIPSAM with a monitor process configured with FAMILY INET or DUAL.
- IPV6: allows IPv6 communication only; can be used when accessing a TCP/IP process running object TCP6SAM or CIPSAM with a monitor process configured with FAMILY INET6 or DUAL.
- DUAL: allows both IPv4 and IPv6 communication; can be used when accessing a TCP/IP process running object TCP6SAM or CIPSAM with a monitor process configured with FAMILY INET, INET6 or DUAL.
Generally, an SSH2 process can only support a protocol family if the underlying TCP/IP process provides support for that protocol family. If, for example, SSH2 is configured with IPMODE IPV4 and the TCP/IP process accessed by this S
63. ... 96
LOGLEVEL 97
LOGLEVELCACHE 97
LOGLEVELCONSOLE 98
LOGLEVELEMS 98
LOGLEVELFILE 99
LOGMAXFILELENGTH 99
LOGMEMORY 100
MACS 100
PARTIALSSHCOMACCESSGROUP<n> 101
PARTIALSSHCOMACCESSUSER<k> 101
PAUTHSUPPRESSIPADDRESS 102
PORT 103
PROPAGATEDEFINES 103
PTCPIPFILTERKEY 104
PTCPIPFILTERTCPPORTS 104
PTYSERVER 105
RECORDDELIMITER 105
RESTRICTIONCHECKFAILEDDEFAULT 106
SAFEGUARD-PASSWORD-REQUIRED 107
SFTPALLOWGUARDIANCD
64. RESET SERVICE
RSCMGR_DEPTH <n>: Specifies the number of simultaneous Resource Managers internal to STN. The range is 1 to 25, default 3. The Resource Manager handles dynamic sessions and logon processing, including the creation of the dynamic application. If all Resource Managers are busy, new dynamic session requests can be delayed. When the rate of new dynamic session requests is very high, performance can be improved by increasing RSCMGR_DEPTH. Use only under guidance from HP support staff.
SAVECFG <filename>: SAVECFG creates an edit (code 101) text file containing the current STN configuration. This is useful for configuration management and for generating complete documentation for support cases. SAVECFG also includes commentary information about the STN process. SAVECFG deals only with STN and does not include SSH configuration information.
[HP NonStop SSH Reference Manual, STN Reference, p. 274]
If the file already exists, it is purged and a new file is created. The file will contain commands suitable for direct input to STNCOM, including process parameters such as IDLE_TIMEOUT and WELCOME, as well as ADD commands for services, windows (types STATIC, SU and DEDICATED only), scripts and ip ranges. ADD commands will span multiple lines using & (ampersand) as a continuation character, so STNCOM T0801H01_24JAN2011_AAS / T0801G06_15DEC2010_AAT or later is required to accept the commands in the SAVECFG output file.
SECURITY <le
65. ... 250
ADD SCRIPT 251
ADD SERVICE 251
ADD WINDOW 259
AUDITCOLL OFF | <ems collector> 261
AUDITMSG <text> 261
AUTO_ADD_WIN DYNAMIC | STATIC | OFF 261
AUTODEL_WAIT <seconds> 261
BACKUPCPU <cpu> | NONE | BUDDY | ANY 261
[HP NonStop SSH Reference Manual, Contents, p. ix / x]
BANNER Y | N 262
BANNER_TIMEOUT <minutes> 262
BLAST <message> 262
BREAK_ON_DISCON Y | N 263
BUFFERS <size> 263
CI_2WAY Y | N 263
CHOICE_PROMPT Y | N 263
CHOICE_TEXT <text> 263
CONN... Y | N 263
DELETE IPRANGE <iprange name> 26
66. SCRIPT. Setmode 214 may be used with ADD SCRIPT, but with a static window the script will not be applied until the first session connects.
Standard SETPARAM Functions: 37 break handling.
Extended SETPARAM Functions (unique to STN):
200 returns STN vproc information, example: Gemini STN A50 22JUN2006
201 returns the IP address of the remote workstation as reported by NonStop TCP/IP call accept_nw (4 bytes)
202 returns the WSINFO host name, or empty string
203 returns the WSINFO ip address, or empty string
204 returns the WSINFO user name, or empty string
205 returns the IP port number of the remote workstation as reported by NonStop TCP/IP call accept_nw (2 bytes)
206 returns the IP address of the NonStop host as reported by NonStop TCP/IP call getsockname (4 bytes)
207 returns the IP port of the NonStop host as reported by NonStop TCP/IP call getsockname (2 bytes)
208 returns the Kerberos Principal Name, if available, for PTY sessions
209 Info from WSINFO: domain, or empty string
210 Info from WSINFO: netbios, or empty string
211 Info from WSINFO: client, or empty string
[HP NonStop SSH Reference Manual, STN Reference, p. 305-306]
Monitoring and Auditing
Introduction: The SSH2 process writes two kinds of messages that allow users to analyze its operation. Log messages are intended
67. SFTP client prompt. The ASLINEMODE command takes one of the values none, cut and wrap as parameter.
See also: SFTPEDITLINENUMBERDECIMALINCR, SFTPEDITLINESTARTDECIMALINCR
SFTPEDITLINENUMBERDECIMALINCR: Use this parameter to define the decimal increment used to calculate the next Guardian edit line number when a file transfer is made to a Guardian edit file on the NonStop server.
Parameter Syntax: SFTPEDITLINENUMBERDECIMALINCR <number>
Arguments: <number>: The value is 1000 times the increment. See the documentation for the Guardian procedure call INCREMENTEDIT.
Default:
[HP NonStop SSH Reference Manual, Configuring and Running SSH2, p. 109]
The default value is 1000, i.e. the line numbers are incremented by 1.
Examples: Increment by 0.003: SFTPEDITLINENUMBERDECIMALINCR 3. Increment by 0.1: SFTPEDITLINENUMBERDECIMALINCR 100.
Considerations: The setting of this parameter is only relevant if parameter SFTPEDITLINESTARTDECIMALINCR is set to a number between 0 and 99999999. Previously, all Guardian edit files were written starting with line number 1 and increment 1.000, which allowed a maximum of 99999 lines; this behavior is still the default. The default increment 1.000 is used for all lines less than the value of parameter SFTPEDITLINESTARTDECIMALINCR. In order to get the same result as the NonStop FTP server, the parameter SFTPEDITLINENUMBERDECIMALINCR must be set to 100 and the value of SFTPEDITLINESTARTDECIMALI
68. $SSH01 20Jan14 15:34:05.79 20 DEFINE =CIP^COMPAT^ERROR was set to <SUPPRESS>
$SSH01 20Jan14 15:34:05.79 20 DEFINE =SSH2^PROCESS^NAME was set to <\BWNS02.$SSH01>
$SSH01 20Jan14 15:34:05.80 10 Initializing SSH2 ADMIN run mode
$SSH01 20Jan14 15:34:05.80 10 Initializing SSH2 CLIENT run mode
$SSH01 20Jan14 15:34:05.80 10 Initializing SSH2 DAEMON run mode
$SSH01 20Jan14 15:34:05.81 10 Loading private key from $S02.SQAHPSSH.T0801ABK.HOSTKEY
$SSH01 20Jan14 15:34:05.83 30 Host key algorithm: ssh-dss
$SSH01 20Jan14 15:34:05.84 30 Host key bits: 1024
$SSH01 20Jan14 15:34:05.84 30 Host key MD5 fingerprint: 26:ba:c4:e2:a7:1e:81:68:6c:18:10:49:96:50:04:03
$SSH01 20Jan14 15:34:05.84 30 Host key Bubble Babble: xotam-patys-kupek-mogiv-tozul-dihez-sevag-tikel-cebok-tityd-vyxux
$SSH01 20Jan14 15:34:05.86 10 SSH2 Server listening on process $ZTC1, interface 0.0.0.0, port 12229
Secure Shell Access to the NonStop Server
Note: This functionality is not enabled if you purchased a license restricted to file transfer (HP NonStop SSH SecureFTP or comForte SecurFTP/SSH).
SSH2 allows remote SSH clients to establish fully functional OSS shell sessions. SSH2 will also support the allocation of pseudo terminals (PTYs), which allow the remote users to execute full screen
69. [... SSH Reference Manual, Appendix, p. 343]
LOG LEVEL | EVENT TEXT | Description / Variable Parts
(continued) <uint3> Value of second highest byte of GSSAPI major status; <uint4> GSSAPI major status; <uint5> GSSAPI minor status; <uint6> Highest byte of minor status; <uint7> Value of second highest byte of GSSAPI minor status; <uint8> Value of lowest 16 bit of GSSAPI minor status
10 | <str1>: Error GSS_C_GSS_CODE: <str2> | <str1> Session Name; <str2> GSSAPI error description for major status
10 | <str1>: Error GSS_C_MECH_CODE: <str2> | <str1> Session Name; <str2> GSSAPI error description for minor status
10 | <str1>: received invalid request code | <str1> Session Name
10 | <str1>: received invalid request: <str2> | <str1> Session Name; <str2> Exception text
10 | <str1>: received invalid request, unknown exception | <str1> Session Name
10 | Failed to obtain credentials for host service. Check your Kerberos installation. |
10 | GSS Error, major status <uint1> <uint2> <uint3> <uint4>: <str1> | <uint1> GSSAPI major status; <uint2> Value of highest byte of GSSAPI major status; <uint3> Value of second highest byte of GSSAPI major status; <uint4> GSSAPI major status; <str1> GSSAPI error description for major status
10 | Kerberos Error, minor status <uint1> <uint2> <uint3
70. [HP NonStop SSH Reference Manual, Configuring and Running SSH2, p. 89]
time period after key addition, and length of the period a key is in LIVE state. Only a key in LIVE state may be part of a public key authentication of the user configured with the key.
Parameter Syntax: LIFECYCLEPOLICYPUBLICUSERKEY DISABLED | FIXED | VARIABLE
Arguments: DISABLED: Life cycle control for user public keys will not be enabled. When a public key is added, it is immediately in state LIVE and it will never expire. FIXED: Users without full SSHCOM access cannot set or alter the KEY attributes LIVE-DATE and EXPIRE-DATE. Both dates will be determined by the CREATION-DATE and the values of parameters INTERVALPENDINGPUBLICUSERKEY and INTERVALLIVEPUBLICUSERKEY. VARIABLE: Users with partial access can specify the LIVE-DATE and EXPIRE-DATE when adding a user public key or when altering the public key. By not specifying these attributes in an ALTER USER PUBLICKEY command, the values for LIVE-DATE and EXPIRE-DATE will be automatically set depending on the CREATION-DATE and the values of parameters INTERVALPENDINGPUBLICUSERKEY and INTERVALLIVEPUBLICUSERKEY.
Default: The default for this parameter is DISABLED, resulting in the same behavior as before the introduction of this parameter.
Example: LIFECYCLEPOLICYPUBLICUSERKEY FIXED
Considerations: Users with full SSHCOM access can set or modify the USER PUBLICKEY attributes LIVE-DATE and EXPIRE-DATE even when the life cycle policy for user public keys is set to
71. SSH2 using the SSH and SSHOSS clients. For formats and examples of the attribute value, please see the CONNECT-TO section. The format of values for PERMIT-OPEN and CONNECT-TO is the same; the values are just interpreted differently.
DELETE RESTRICTION-PROFILE: The DELETE RESTRICTION-PROFILE command deletes a user from the database and has the following syntax: DELETE RESTRICTION-PROFILE <profile name>. The <profile name> is mandatory in the command, and no wild cards are allowed in the profile name.
INFO RESTRICTION-PROFILE: The INFO RESTRICTION-PROFILE command displays information about a single restriction profile or a set of restriction profiles and has the following syntax: INFO RESTRICTION-PROFILE <profile name> | <profile name prefix>* | * [DETAIL]. At least one of <profile name>, <profile name prefix>* or * is mandatory in the command. If <profile name prefix> followed by an asterisk is specified, the restriction profile records are displayed where the first part of the profile name matches the specified prefix. If a * is used, information for all users will be displayed. Otherwise, information for a single user will be displayed.
RENAME RESTRICTION-PROFILE: The RENAME RESTRICTION-PROFILE command renames a restriction profile and has the following syntax: RENAME RESTRICTION-PROFILE <old profile name> <new profile name>. Both <old profile name> and <ne
72. [HP NonStop SSH Reference Manual, SSHCOM Command Reference, p. 193]
If this attribute is specified, the full private key will be exported; otherwise only the public part of the key will be exported. Note: Exporting a private key may result in a compromise of security. Only the SUPER.SUPER user (unless explicitly denied in the OBJECTTYPE USER record) or those configured with full SSHCOM access can export private keys.
FREEZE KEY: The FREEZE KEY command freezes a key. A local SFTP client cannot connect to a remote host using a key that has a status set as frozen. The key won't enable access until it is thawed using the THAW KEY command. The command has the following syntax: FREEZE KEY [<system user name>,]<key name>. The individual attributes have the following meaning and syntax:
<system user name>: A valid GUARDIAN user who owns the key entry in the user database. If <system user name> is omitted, either the user being set with a previously issued ASSUME USER command or the issuer of the FREEZE KEY command will be used as the default. If <system user name> is specified, it MUST be followed by a comma to separate it from the known host name that follows. Only the SUPER.SUPER user (unless explicitly denied in the OBJECTTYPE USER record) or those configured with full SSHCOM access can freeze a key entry for other users.
<key name>: The name of the key to be frozen.
GENERATE KEY: This command is used to generate a private/public key pair. The
74. Smaller values conserve buffers in the memory pool, which may be necessary with a large number of simultaneous sessions.

REPLY_DELAY_MAX <seconds>
This command sets the maximum delay time in seconds for an STN reply to an I/O error. An I/O error is defined as application I/O to the terminal (read, write, etc.) which results in an STN reply with non-zero fecode (140, 110, etc.). This protects against poorly coded applications that hard-loop on I/O errors, consuming a cpu. The reply to the first I/O error after a normal I/O is not delayed; the second consecutive error is delayed for 0.01 second. The delay time is multiplied by 4 for successive errors, up to REPLY_DELAY_MAX seconds. The first time this limit is reached for a session, the following EMS event is generated:
zstn-evt-application-loop (1018): <stn proc> <appl proc> <progfile> is looping on window <window>
Example: $ZPTY T $X1G4 $SYSTEM.SYSTEM.TACL is looping on window #ZWN0001
REPLY_DELAY_MAX defaults to 2 seconds and values from 1 to 60 are allowed. REPLY_DELAY_MAX 0 disables the feature, which means a looping application and STN can consume 100% of a cpu.

RESET SERVICE <service name>
This command will reset the cumulative sessions counter to zero. Note that this is the only counter affected by RESET. Also note that RESET does not default to * like INFO and STATUS; to reset counters for all services, RESET SERVICE * is required, not just
75. THAWED
comf.us@10.0.0.196 superulrich THAWED
comf.us@fe80::a00:8eff:fe00:d14e:55022 superulrich THAWED
If used with the DETAIL modifier, INFO PASSWORD will provide some detailed information about each password displayed. The following is an example of the output of INFO PASSWORD DETAIL:
% info password comf.us@fe80::a00:8eff:fe00:d14e:55022, detail
info password comf.us@fe80::a00:8eff:fe00:d14e:55022, detail
PASSWORD USER STATUS
comf.us@fe80::a00:8eff:fe00:d14e:55022 superulrich THAWED
USERID@HOST comf.us@fe80::a00:8eff:fe00:d14e:55022
USER superulrich
LAST USE 20Apr12 20:05
LAST MODIFIED 20Apr12 19:11
STATUS THAWED
Specifying a prefix followed by a wildcard is supported:
% info password superu*.u*, detail
info password superu*.u*, detail
PASSWORD USER STATUS
us@10.0.0.196 superulrich THAWED
USERID@HOST us@10.0.0.196
USER superulrich
LAST USE 20Apr12 20:13
LAST MODIFIED 20Apr12 20:12
STATUS THAWED
The fields of the output of INFO PASSWORD have the following meaning:
USER: The system user who owns the password.
LAST USE: The timestamp of the last usage of the password.
LAST MODIFIED: The timestamp of the last modification of the password.
STATUS: Whether the password is FROZEN or THAWED.

RENAME PASSWORD
The RENAME PASSWORD command is used to rename a password entry in the SSH database. A password entry ca
76. Transfer
SSH2 includes an OSS and a Guardian SFTP client as well as an SFTP server that provides remote SFTP client access to both Guardian and OSS files. All components allow users to navigate the Guardian file system and specify files using the OSS or Guardian file name syntax, regardless of whether OSS is running. Additionally, just as with standard NonStop FTP, attributes for target files can be specified, allowing direct transfers of structured Guardian files.

TCP and FTP Port Forwarding
TCP port forwarding allows secure tunneling of Telnet sessions as well as other connections. SSH2 also tunnels FTP sessions, securing existing FTP procedures with minimal changes. Both local and remote forwarding are supported.

Single Sign-on
SecurSH now supports user authentication and key exchange based on the GSSAPI/Kerberos 5 standards (RFC 4462). When used with a Kerberos software package on the NonStop server, this enables integration with Microsoft Active Directory and other Kerberos-based single sign-on solutions. Note: HP does not offer a Kerberos product today; it must be purchased separately from a NonStop partner.

TCP/IPv6
Starting with version 0092, SSH2 supports IPv6, specified in RFC 2460 (Internet Protocol, Version 6). See section "TCP/IPv6 Configuration" for related configuration details and section "TCP/IPv6 Considerations" for cases specific to IPv6.

The SSH Protocol
SSH (Secure Shell), consisting of a suite of network conne
77. USER records can create access to the NonStop system without Safeguard authentication, i.e. configuring SSH USER records is as critical as configuring Safeguard USER records. If a user is denied executing Safeguard SAFECOM ADD/ALTER USER commands, then this user must be denied ADD/ALTER USER in SSHCOM in order to ensure a consistent security policy.
Starting with release 89 there is tighter coupling of SSHCOM security with Safeguard security. This does not only include checking if a Safeguard user is frozen (see section ALLOWFROZENSYSTEMUSER) but also includes support of OBJECTTYPE USER (please refer to the HP NonStop manuals Safeguard Reference Manual and Safeguard Administrator's Manual). The current implementation ignores OBJECTTYPE USER ACL entries containing a network id (node spec). The SSH2 process issues a warning message if it finds such an entry. Another restriction is that only the primary group of a user is checked against group-based OBJECTTYPE USER ACL entries.
In order to reduce overhead, the OBJECTTYPE USER, USER and ALIAS information retrieved from Safeguard is cached. It can take up to 5 minutes before an SSH2 process takes Safeguard modifications into account. By restarting an SSH2 process, any Safeguard changes will be active in the SSH2 process immediately.

SSHCOM Security without Safeguard OBJECTTYPE USER Record
If a Safeguard OBJECTTYPE USER record does not exist, or exists but is frozen, the behavior is as follows:
78. User Database into as many as six text files. All attributes of the various objects are written in the CSV (comma separated value) format. The command has the following syntax:
EXPORT SSHCTL, SUBVOL <subvolume> [, WIDTH <width>]
The individual attributes have the following meaning and syntax:
SUBVOL <subvolume>
The files are stored in a subvolume specified by the SUBVOL attribute. Starting with SPR T0801^ABE, an OSS directory may be specified. If a Guardian subvolume is specified, then Guardian edit files are created and long lines will be wrapped. Files exported to a directory will not be wrapped unless option WIDTH is specified. Specifying OSS paths referring to a Guardian namespace (like /G/system/ssh2exp) leads to code 180 files, and no wrapping occurs if WIDTH is not specified. The volume must be a physical disk in this case.
WIDTH <width>
Defines the maximum number of characters per output line. If WIDTH is specified, the end of a wrapped line is marked by a continuation character as the last character on the line.
Only users with SUPER.SUPER privileges (unless explicitly denied in OBJECTTYPE USER record) or those configured with full SSHCOM access are allowed to perform the EXPORT SSHCTL function.
The following export files are generated:
File - Description
USER - USER object data
USERPUBK - All public keys of all users
PRIVKEY - KEY object data
KNWNHOST - KNOWNHOST object data
RESTRICT - RESTRICTION PROFILE object data
79. a CPU, or if that is not set, the CPU the SSH2 process is running in is used.
DELETE-PRINCIPAL
Deletes the principal name specified by <user>@<REALM>, a pattern, or all principal names (*) from the list of principal names defined for the user. If more than one valid principal name is to be deleted by name, then there must be one DELETE-PRINCIPAL <user>@<REALM> attribute for each principal name. If *@<REALM> is specified, the entry *@<REALM> is removed and not all principal names ending in @<REALM>. Similarly, when <user>@* is specified, the principal entry <user>@* is removed from the list of principals. If all entries need to be removed from the user's list of principals, the wildcard * can be used, i.e. DELETE-PRINCIPAL *.
DELETE-PUBLICKEY
This attribute deletes the public key identified by <key name>, or all public keys of the user when wildcard * is specified.
EXPIRE-DATE
This optional attribute of an ssh user's PUBLICKEY entry is used to set the EXPIRE-DATE (not valid after date) for the public key. This attribute can only be set if the life cycle policy for User Public Keys is enabled (determined by SSH2 parameter LIFECYCLEPOLICYPUBLICUSERKEY). If SSH2 parameter LIFECYCLEPOLICYPUBLICUSERKEY is set to FIXED, then field EXPIRE-DATE can be modified by the SUPER.SUPER user only (unless explicitly denied in OBJECTTYPE USER record) or those configured with full SSHCOM access. In case the SSH2 parameter LIFECYCLEPOLI
80. a password
o DELETE PASSWORD deletes a password
o FREEZE PASSWORD freezes a password, rendering it inactive
o INFO PASSWORD shows information about a key or a set of keys
o THAW PASSWORD thaws a password, making it active again
• Commands operating on the KNOWNHOST entity:
o ADD KNOWNHOST adds a new known host to the database
o ALTER KNOWNHOST changes parameters for an existing known host
o DELETE KNOWNHOST deletes an existing known host
o FREEZE KNOWNHOST freezes a known host, rendering it inactive
o INFO KNOWNHOST shows information about a known host or a set of known hosts
o RENAME KEY renames a known host
o THAW KNOWNHOST thaws a user, making it active again
These commands will be discussed in detail in the following subsections. Please also see "Database for Client Mode" in "The SSH User Database" chapter for an overview of the database content.

ASSUME USER
The KEY, KNOWNHOST and PASSWORD entities are associated with a single Guardian system user. In the case of the KNOWNHOST entity, the reserved user name ALL is also allowed, to specify that a KNOWNHOST can be accessed by all Guardian users. The ASSUME USER command sets a user name as default for the following commands. Subsequent commands that allow the specification of a user name can therefore be abbreviated. The command has the following syntax:
ASSUME USER <system user name>
If no
81. address or name of the client system connecting to SSH2 on a NonStop server. Please see the section on the CONNECT-FROM attribute for examples.
PERMIT-LISTEN
The PERMIT-LISTEN attribute restricts a user's ability to do port forwarding, enabling only a specified set of hosts to use forwarding tunnels opened by a given user. Only the configured ports are allowed for listening on the host opening the forwarding tunnel. The configuration requires the specification of a host and a port range, but for PERMIT-LISTEN the host must either be 0.0.0.0 (indicating gateway ports to follow after the ":") or 127.0.0.1 (indicating non-gateway ports to follow).
PERMIT-OPEN
The PERMIT-OPEN attribute limits a user's ability to do port forwarding to only specific host/port combinations. Configurations are allowed for <targethost> and <targetport> when port forwarding is specified as follows:
ssh -L <localport>:<targethost>:<targetport> <user>@<host>
ssh -R <remoteport>:<targethost>:<targetport> <user>@<host>
The PERMIT-OPEN attribute corresponds to the OpenSSH parameter permitopen. If localhost or 127.0.0.1 is specified as <targethost>, then the specified <host> is used for restriction checking.
The PERMIT-OPEN restrictions are applied whenever the user tries to establish a local port forwarding channel via
82. admissible for the SSH2 server.
Parameter Syntax
CIPHERS suite[,suite...]
Arguments
suite
Specifies a cipher suite. Currently the following cipher suites are supported by SSH2:
o aes256-cbc: AES (Rijndael) in CBC mode with 256-bit key
o aes128-cbc: AES with 128-bit key
o twofish256-cbc: Twofish in CBC mode with 256-bit key
o twofish128-cbc: Twofish with 128-bit key
o twofish-cbc: alias for twofish256-cbc. Note: this is being retained for historical reasons.
o blowfish-cbc: Blowfish in CBC mode
o 3des-cbc: three-key 3DES in CBC mode
o arcfour: the ARCFOUR stream cipher
o cast128-cbc: CAST-128 in CBC mode
Considerations
For details about the ciphers listed above, please refer to standard SSH documentation such as the manual for the RFCs available.
Default
If omitted, SSH2 will accept all ciphers mentioned above.
Example
CIPHERS 3des-cbc
This will enforce the use of only 3DES encryption.

CLIENTALLOWEDAUTHENTICATIONS
Use this parameter to restrict the authentication methods the NonStop ssh clients (SSH[OSS], SFTP[OSS]) can try.
Parameter Syntax
CLIENTALLOWEDAUTHENTICATIONS method[,method[,method...]]
Arguments
method
A supported authentication method.
Considerations
• The value list of authentication methods is only relevant for outgoing ssh connections. For incoming connections the list of authentication methods is configured for each us
83. and ? matching exactly one character. A pattern may be prefixed by ~ indicating negation, that is, if the matching pattern is preceded by a tilde, the incoming connection will be rejected. Examples for valid CONNECT-FROM values include:
103.10.0.37
dev
34.45.56.*
34.45.56.12
201.30.*
tandem1
120.10.20.*
120.10.20.7
CONNECT-TO
The CONNECT-TO attribute restricts a user's outgoing connections to configured host/port combinations. The CONNECT-TO restrictions are applied whenever the user tries to connect via SSH2 using SSH, SSHOSS, SFTP and SFTPOSS clients. The value for this attribute can be one host/port range or a list of host/port ranges. A comma-separated list must be enclosed in parentheses. Each host/port range is a pair of host and port ranges separated by a colon, as follows:
<host>:<port range>
A port range can be a single port, a single port range, or a list of ports and port ranges separated by "," and enclosed in brackets. Examples of valid values for CONNECT-TO include:
103.10.0.47:22
1.2.3.4:1025-1999
yourhost.domain.com:2013
abc.domain.com:2013-2100
xyz.domain.com:[22,2013-2100,5000-5099]
4.5.6.7:[300,301,5555]
FORWARD-FROM
The FORWARD-FROM attribute restricts a user's ability to do port forwarding, enabling only a specified set of hosts to use forwarding tunnels opened by a given user. The value can be one host pattern or a list of patterns used to match the
84. batch mode. The commands contained in the file are executed one by one until completion or a failure in execution. The client then terminates.
-B <buffer size>
Specify the size of the buffer that sftp uses when transferring files. Larger buffers require fewer round trips at the cost of higher memory consumption. The default is 29696 bytes (29kB). The maximum buffer size is 57344 bytes (56kB). The transfer buffer size can also be set by specifying a PARAM/environment variable SFTPBUFFERSIZE.
-C
Requests compression of the transfer data. The compression algorithm is the same used by gzip. Compression is desirable on slow connections, but will only slow down the transfer on fast networks.
-o <ssh2 option>
Allows passing an option for the ssh session to the SSH2 process. The following options are supported:
BINDADDRESS=address
The local address used for outgoing connections. Useful if the SSH2 process is configured with "any" address for parameter INTERFACEOUT, or multiple IP addresses are configured in INTERFACEOUT (the TCP/IP process is configured with more than one subnet) and a specific local address needs to be used, e.g. due to firewall configuration restrictions.
IDENTITY=keyname
Use this option to select a specific KEY for authentication to the remote system. By default, all KEYs that you have generated using the SSHCOM GENERATE KEY command will
85. be configured using STNCOM. ALLOW-PTY must be set to YES for this attribute to be accepted for 6530 SSH clients such as MR-Win6530 or J6530. If MENU is followed by a service or window name, the corresponding service or window is automatically selected. If the service or window does not exist, the STN menu will be displayed. If the option FORCE is appended, then the user is forced to use the pre-configured STN service or window. In this case the user will not see the STN menu even when the configured service or window does not exist.
COMMENT
Enables the input of free text, enabling administrators to describe an entity or provide a short explanation of the intended use of the USER entity or, when COMMENT is used for a PUBLICKEY, for the user public key. The whole comment must be enclosed in double quotes if the comment includes spaces. The content will not be used for any processing.
CPU-SET
Defines a set of CPUs used when processes (except SFTPSERV processes) are invoked directly by SSH2; for SFTPSERV processes the attribute SFTP-CPU-SET is used instead. CPUs are assigned via a round-robin algorithm among all the configured CPUs that are available. The value can be a CPU number (e.g. 2), a range of CPUs (e.g. 3-4) or a comma-separated list of CPU numbers and CPU ranges enclosed in parentheses (e.g. (2, 5-7, 9)). The default is to start user processes in the same CPU in which the SSH2 process is running. In this case the processing loa
86. be presented to the remote host for publickey authentication. However, some servers will deny authentication after a maximum number of unacceptable keys are presented, which can create a problem if you have many keys. To overcome this problem, use the IDENTITY option to present only the key that has been advertised as authorized key to the target server.
PORT=port
The port to connect to on the remote host.
COMPRESSION=TRUE|FALSE
Specify whether data compression should be enabled on the SSH session. This option has the same effect as the -C command line option.
CIPHERS=ciphers
Specify a comma-separated list of ciphers for encrypting the session.
MACS=macs
Specify a comma-separated list of MAC algorithms.
USER=user
Specify the user to log in as on the remote machine. This option has the same effect as specifying the user runtime parameter.
AllowedAuthentications=methods
Specify the authentication methods that are allowed for user authentication. The value is a comma-separated list of method names without any spaces. See SSH2 parameter CLIENTALLOWEDAUTHENTICATIONS for the possibility to restrict the sftp clients' authentication methods.
A typical usage of this option is to connect to an SSH2 daemon that is running on a different port than the standard port 22:
> sftposs -oPort=2222 -S $tba01 burgt@10.0.0.201
Connecting to 10.0.0.201...
sftp>
-R <num requests>
87. be transferred to the remote system. The next step will configure the public key for the remote user.
To Configure the Public Key on the Remote System
The OpenSSH implementation keeps a directory called .ssh for each user. A file named authorized_keys is located in the .ssh directory that contains the public key of each trusted key of a remote system. In order to add the public key contained in the file created in the prior step, the UNIX command cat can be used to append the content to the existing content in the file. The following commands are again executed on the remote system, this time using normal user logon credentials:
burgt@np-dev> pwd
/home/burgt
burgt@np-dev> cd .ssh
burgt@np-dev/.ssh> more pubkey
ssh-rsa AAAAB3NzaClyc2EAAAABEQAAATEAKGR ncHRVEJteOC1lEMSkMgrrXxpdcc 6Lke jp7mcFKYNa0tMgP 4eknTyFXUX 2jm1K7AKDh1iJe52aqNJTBAIPIM Btt HboBKwjuZtb2 f1HG4LEA71NymoVcuABVyr1DvWPtpNzCNjaD0qdkR9yM1DZH DCD OqdneLJQ8B3RXbK11 U TB's RSA key
burgt@np-dev/.ssh> cat pubkey >> authorized_keys
burgt@np-dev/.ssh>
In the commands above:
• The user's home directory is /home/burgt
• The public key was transferred to the remote system under the location /home/burgt/.ssh/pubkey
• The final command adds pubkey to authorized_keys. Please note the double ">>": if you use only one ">", you will overwrite authorized_keys with the content of pubkey.
After this step you can now retry the step "To conn
90. client issues a get command against SFTPSERV on NonStop. The transfer mode is specified by adding one of the following three characters after the file name, separated by a comma (no space allowed):
• D for delimited record transfer mode
• T for transparent record transfer mode
• U for unstructured transfer mode
Examples
1. A file named relseq1 needs to be read record by record, each transferred with the delimiter LF appended:
sftp> get relseq1,d
This is identical to
sftp> get relseq1
as transfer mode D is the default transfer mode.
2. An entry-sequenced file is to be transferred from a NonStop server to a Unix host:
sftp> put entryseq,u entryseq
The transfer mode and file attributes can be used at the same time; the transfer mode is appended to the file name first, then the file attributes:
<file>,<transfer mode>,<file attributes>
3. A key-sequenced file is transferred between NonStop systems:
sftp> put keyseq,t keyseq,t,k,541,128,128,16,4072
Transferring ASCII files
Both SFTP and SFTPOSS support transfers in ASCII mode. If ASCII mode is enabled, files will be automatically converted according to the server's newline convention for ASCII files. If required, the server's newline convention can be configured. Furthermore, if the target file is located in a Guardian subvolume, an edit file will be created automatically without having to specify the file code explicitly in the file name. The
91. commands interactively. It is possible that a user specifies "ci -p tacl" but the access of tacl may not be allowed for the user. Therefore a new USER attribute ALLOW-CI-PROGRAM-OVERRIDE determines if a user is allowed to use "ci -p". The default value for attribute ALLOW-CI-PROGRAM-OVERRIDE is NO. With this enhancement, if subsystem tacl is not allowed, an EXEC request like "tacl -c <cmd>" or "tacl -p <program> <cmd>" will be automatically converted to "ci -c <cmd>" and "ci -p <program> <cmd>", respectively, and handled accordingly. In any case, if subsystem tacl is not allowed, then a user will not get a tacl prompt.
Default configuration
The default configuration allows for subsystem tacl (USER attribute ALLOWED-AUTHENTICATIONS lists subsystem tacl) as well as a command interpreter (ALLOW-CI YES). If subsystem tacl is requested by the client (e.g. via "ssh -s usr@host tacl"), then a TACL process is started after successful authentication and the user sees the TACL prompt. If a shell request is requested by the client (e.g. via "ssh usr@host") and the terminal the client was started on is of type TN6530 or TN6530-8, then a TACL process is started as well. For any other terminal type a shell request will start a shell under OSS. The user may request a specific command interpreter by specifying a remote command "tacl -p <program>", e.g. "ssh us
92. Parameter - Meaning
SFTPEDITLINEMODE - Controls handling of Guardian edit lines that are longer than the maximum Guardian edit line length
SFTPEDITLINENUMBERDECIMALINCR - Controls the Guardian edit line number decimal increment
SFTPEDITLINESTARTDECIMALINCR - Defines at which line decimal incrementing of Guardian edit line numbers starts
SFTPENHANCEDERRORREPORTING - Can be used to get more detailed file transfer error information
SFTPEXCLUSIONMODEREAD - Defines file open exclusion mode of structured files
SFTPIDLETIMEOUT - Controls whether SFTPSERV stops after specified user idle time
SFTPMAXEXTENTS - Default value for MAXEXTENTS for files created on the NonStop system
SFTPPRIMARYEXTENTSIZE - Default primary extent size for files created on the NonStop system
SFTPREALPATHFILEATTRIBUTEECHOED - Helps using file attributes in SFTP commands with specific remote S
Further parameters listed in this part of the table, whose Meaning entries are cut off in this excerpt: SFTPSECONDARYEXTENTSIZE, SFTPUPSHIFTGUARDIANFILENAMES, SHELLENVIRONMENT, SOCKETKEEPALIVE, SOCKETRCVBUF, SOCKETSNDBUF, SOCKTCPMAXRXMT, SOCKTCPMINRXMT, SOCKTCPRXMTCNT, SOCKTCPTOTRXMTVAL, SSHAUTOKEXBYTES, SSHAUTOKEXTIME, SSHCTL, SSHCTLAUDIT, SSHKEEPALIVETIME, STOREDPASSWORDSONLY, STRICTHOSTKEYCHECKING, SUBNET, SUPPRESSCOMMENTINSSHVERSION, TCPIPHOSTFILE, TCPIPNODEFILE, TCPIPRESOLVERNAME, USETEMPLATESYSTEMUSER
93. • The record delimiter is a local setting, i.e. there is no negotiation of the record delimiter between ssh client and ssh server in the supported sftp protocol. The entity reading from a structured file or Guardian edit file must add the record delimiter to each record read. The entity writing to a structured file or Guardian edit file must split the received data accordingly and remove the record delimiter before writing the record.
Default
The default for this parameter is LF.

RESTRICTIONCHECKFAILEDDEFAULT
Use this parameter to define the outcome of restriction checks related to RESTRICTION PROFILE in cases in which no USER record was found for the Guardian user starting an outgoing SSH connection.
Parameter Syntax
RESTRICTIONCHECKFAILEDDEFAULT TRUE | FALSE
Arguments
TRUE: Restriction checks will fail if a USER record could not be found.
FALSE: Restriction checks will not fail if a USER record could not be found.
Default
The default for this parameter is FALSE.

SAFEGUARD-PASSWORD-REQUIRED
For G-Series and H-Series RVU prior to H06.11, set this parameter according to the Safeguard PASSWORD-REQUIRED configuration.
Parameter Syntax
SAFEGUARD-PASSWORD-REQUIRED TRUE | FALSE
Arguments
TRUE: Safeguard PASSWORD-REQUIRED is ON.
FALSE: Safeguard PASSWORD-REQUIRED is OFF.
Considerations
• G-Series and H-Series RVU prior to H06.11 do not support PRIV logon o
94. either the value of parameter CUSTOMER or, if that does not exist, the customer name from the license file. Although a license file is no longer required for NonStop SSH on H and J operating systems, any existing HOSTKEY and SSHCTL file requires the customer name that was used to create the file. If a license file exists, the customer name will be extracted from that file (entry "SSH2 customer") unless parameter CUSTOMER is set, in which case the value of CUSTOMER is used. If a license file does not exist and an existing HOSTKEY or SSHCTL file is accessed, the parameter CUSTOMER must be set to the original value for the customer name.
• Multiple instances of the SSH2 object can share the same user database or use different user databases.
• If the SSHCTL parameter points to a non-existing file, a new and empty user database will be created on startup. SSH2 will abort at startup if the SSH database does not exist, parameter SSHCTLAUDIT is true, but the SSHCTL parameter value (or its default value) does not reference an audited disk. An appropriate error message is issued in this case. The parameters SSHCTLAUDIT and SSHCTL must be set consistently to avoid this abend: if SSHCTLAUDIT is true at time of ssh database creation, then SSHCTL must point to a volume that is audited.
• The user database can be created as an audited file, allowing automatic replication of changes to another system as well as roll-back of changes through TMF. See the SSHCTLAUDIT sec
96. following commands control this feature:
• ascii [dos|unix|mac]: changes to ASCII transfer mode and optionally sets the server's newline convention, where the meaning of the newline convention specifier is as follows:
  o dos: lines are terminated by a CR LF sequence (\r\n)
  o unix: lines are terminated by a LF (\n)
  o mac: lines are terminated by a CR (\r)
• binary: changes to binary transfer mode.
The following sample illustrates how ASCII files can be exchanged with an SSH daemon on a Windows server:
sftp> ascii dos
Newline convention is now dos
File transfermode is now ascii
sftp> put textfile textfile.txt
Uploading textfile to /test/textfile.txt
sftp> get textfile.txt editfile
Fetching /test/textfile.txt to editfile
sftp>
In the above sample, editfile is created as a Guardian edit file (code 101), with the file correctly converted from the DOS ASCII format used by Windows. When writing Guardian edit files, SFTP and SFTPSERV convert TAB characters to spaces (like FTP/FTPSERV) if decimal line numbering is enabled, i.e. if parameter SFTPEDITLINESTARTDECIMALINCR is greater than or equal to 0 and parameter SFTPEDITLINENUMBERDECIMALINCR is not equal to 1000.
Fix Command and Command History
Within SFTP or SFTPOSS it is possible to list, modify and re-execute commands previously issued within the same SFTP or SFTPOSS session.
Command History
His
97. > <uint4> <str1>
  <uint1>: GSSAPI minor status
  <uint2>: Highest byte of minor status
  <uint3>: Value of second highest byte of GSSAPI minor status
  <uint4>: Value of lowest 16 bit of GSSAPI minor status
  <str1>: GSSAPI error description for minor status
10 | Value <chr1> for GUARDIANATTRIBUTESEPARATOR not acceptable, using default <chr2> | <chr1>: Separator; <chr2>: Comma
10 | Value <str1> for SFTPEDITLINEMODE not a supported value | <str1>: Value configured for parameter SFTPEDITLINEMODE
10 | Value <int1> for SFTPEDITTABSIZE not acceptable: <str1> | <int1>: Number of spaces replacing a TAB; <str1>: Error description
10 | Value <str1> for SFTPEXCLUSIONMODEREAD not a supported value | <str1>: Value configured for parameter SFTPEXCLUSIONMODEREAD
10 | Value <str1> for SFTPEXCLUSIONMODEWRITE not a supported value | <str1>: Value configured for parameter SFTPEXCLUSIONMODEWRITE
10 | request code <int1> | <int1>: Request Code
10 | APILIB error <int1> | <int1>: Error
10 | SFTPSERV serving <str1> <str2> is stopping, reason <str3> | <str1>: User name; <str2>: Remote host TCP/IP address; <str3>: Reason
10 | could not change to user's SFTP-INITIAL-DIRECTORY <
98. help
DELETE, EXPORT, FREEZE, GENERATE, IMPORT, INFO, RENAME, THAW
Commands operating on KNOWNHOST entity:
DELETE, FREEZE, INFO, RENAME, THAW
Commands operating on PASSWORD entity:
DELETE, FREEZE, INFO, RENAME
General Commands:
INFO SSH2, INFO SYSTEM-USER
Miscellaneous Commands:
ASSUME, MODE, PROMPT, TIME
Use command HELP MODE to find out more about modes.
The following example shows the output in daemon mode:
mode daemon
mode daemon
OK, switched to daemon mode
help
DELETE, FREEZE, INFO, RENAME, THAW
Commands operating on RESTRICTION-PROFILE entity:
DELETE, RENAME
General Commands:
ENABLE, DISABLE, FLUSH, INFO DEFINE, INFO SSH2, RESET, RESOLVE, ROLLOVER, SET, STATISTICS, STATUS
Miscellaneous Commands:
EXPORT, MODE, PROMPT, TIME
Standard NonStop Commands and Features
The following NonStop Guardian standard commands and features are supported in SSHCOM:
• FC command to modify the last command used
• OBEY command to obey a set of commands contained in an EDIT file
• Processing of a file through the standard TACL way of RUN SSHCOM /IN file/
• Pausing the display with the PAUSE command
• Line continuation through the usage of the & character
Standard behavior is that, for each command entered, a message is displayed about the outcome, i.e. if the command
99. interpreter given by CI-PROGRAM should be started upon a shell request of a client that allocated a 6530 pseudo TTY (such as the 6530 SSH clients MR-Win6530 and J6530).
ALLOW-CI-PROGRAM-OVERRIDE
This attribute controls if a user is allowed to override the configured CI-PROGRAM via a "tacl -p" or "ci -p" command. If CI-PROGRAM is set to DEFAULT (i.e. command interpreter TACL gets started) and ALLOWED-SUBSYSTEMS contains tacl, then this attribute is ignored, because a user can start TACL and execute any command interpreter in that way. In this case it is useless to try preventing "tacl -p" commands. The parameter is especially useful in cases where the user does not have tacl as an ALLOWED-SUBSYSTEM but needs to be allowed to execute some specific command interpreter or TACL macro. If CI-PROGRAM is configured with a specific command interpreter or macro and ALLOW-CI-PROGRAM-OVERRIDE is set to NO, then the user is restricted to executing the configured CI-PROGRAM and will not get a TACL prompt. Should ALLOW-CI-PROGRAM-OVERRIDE be YES, then the user can execute a "tacl -p <program>" or a "ci -p <program>" command, thus overriding the program configured in CI-PROGRAM.
ALLOW-GATEWAY-PORTS
This attribute is used to grant or deny gateway ports in the case of port forwarding initiated by a specific user. If the value of this attribute is NO, then any port forwarding request with SSH option -g will be rejected by SSH2.
ALLOW-MULTIPLE-REMOTE-HOS
100. is \NPNS01.$US.SSH92.SSH2
17:07:31.04 20 object subvolume is \NPNS01.$US.SSH92
priority is 11 12
17:07:31.06 20 dumping configuration:
ALLOWEDAUTHENTICATIONS <keyboard-interactive,password,publickey>
ALLOWEDSUBSYSTEMS <sftp,tacl>
ALLOWFROZENSYSTEMUSER <TRUE>
ALLOWINFOSSH2 <ALL>
ALLOWPASSWORDSTORE <TRUE>
ALLOWTCPFORWARDING <true>
AUDITCONSOLE <p>
AUDITFILE <SH54AUD>
AUDITFILERETENTION <10>
AUDITFORMAT <21>
AUDITMAXFILELENGTH <20000>
AUTOADDAUTHPRINCIPAL <FALSE>
AUTOADDSYSTEMUSERS <TRUE>
AUTOADDSYSTEMUSERSLIKE <templateuser>
BACKUPCPU <NONE>
BANNER <>
BURSTSUPPRESSION <FALSE>
BURSTSUPPRESSIONEXPIRATIONTIME <300>
BURSTSUPPRESSIONMAXLOGLEVEL <40>
CACHEBURSTSUPPRESSION <TRUE>
CIPCOMPATERROR <>
CIPHERS <twofish128-cbc,blowfish-cbc,3des-cbc,arcfour,cast128 (remainder of list lost in extraction)>
CLIENTALLOWEDAUTHENTICATIONS <none,gssapi-with,publickey,password,keyboard-interactive>
CLIENTMODEOWNERPOLICY <GUARDIAN>
COMPRESSION <TRUE>
CONFIG <>
CONFIG2 <>
CONSOLEBURSTSUPPRESSION <FALSE>
CPUSET <>
CUSTOMER <comForte GmbH>
DISCONNECTIFUSERUNKNOWN <FALSE>
EMSBURSTSUPPRESSION <FALSE>
ENABLESTATISTICSATSTARTUP
101. is resolved to
TACL Subsystem and Command Interpreter Configuration
Enhanced EXEC Processing
The processing of EXEC requests (ssh client started with a remote command on the ssh command line) has been enhanced in version 0097 to add flexibility. It is now possible to let a user execute single TACL commands or TACL macros, or a command interpreter other than TACL, even though the subsystem TACL is not allowed for the user (ALLOWED-SUBSYSTEMS does not contain tacl). Previously the execution of CI-PROGRAM via a TACL command on the SSH client command line was rejected if tacl was not an allowed subsystem. Now the tacl subsystem can be removed from the list of ALLOWED-SUBSYSTEMS, but the execution of commands via "tacl -c <command>" and "tacl -p <program> <cmd>" is still allowed as long as the USER attribute ALLOW CTI is set to YES. If an EXEC request is received and subsystem tacl is not allowed, CI-PROGRAM is left at the default value and CI-COMMAND is not configured, then either -p or -c must be specified. Otherwise the user would get a TACL prompt, which should not be allowed if tacl is not an allowed subsystem.
The enhanced EXEC processing includes the possibility to use subsystem tacl and CI-PROGRAM independently. Previously the subsystem tacl was initiated for an "EXEC tacl" request. In order to be compatible with the previous behavior, "EXEC tacl" still
102. key name>: This refers to the name of the key owned by the current user. The key name cannot be altered.
<date time>: Date, or date and time, in either of the following formats:
• DD Mon YYYY hh:mm
• DDMonYY hh:mm
• DD Mon YYYY
• DDMonYY
The second format requires surrounding quotes because it contains a comma (commas are separators in SSHCOM).
COMMENT: This optional attribute is used to associate additional textual information with the key.
LIVE-DATE: This optional attribute is used to set the LIVE-DATE (not valid before date) for the key. This attribute can only be set if the life cycle policy for User Private Keys is enabled (determined by SSH2 parameter LIFECYCLEPOLICYPRIVATEUSERKEY). If SSH2 parameter LIFECYCLEPOLICYPRIVATEUSERKEY is set to FIXED, then field LIVE-DATE can be modified by the SUPER.SUPER user only (unless explicitly denied in the OBJECTTYPE USER record) or by those configured with full SSHCOM access. In case SSH2 parameter LIFECYCLEPOLICYPRIVATEUSERKEY is set to VARIABLE, then every user can change field LIVE-DATE for those keys the user owns.
EXPIRE-DATE: This optional attribute is used to set the EXPIRE-DATE (not valid after date) for the key. This attribute can only be set if the life cycle policy for User Private Keys is enabled (determined by SSH2 parameter LIFECYCLEPOLICYPRIVATEUSERKEY). If SSH2 parameter LIFECYCLEPOLICYPRIVATEUSERKEY is set to FIXED, then field EXPIRE-DATE can be modified by the SUPER.SUPE
103. letters being upshifted. Substitution parameters begin with an at sign (@) followed by a letter and an optional width in parentheses. Parameter letters are case independent. Parameters marked (GM) are available only from Win6530 clients.
• @A The group portion (before the .) of the Guardian user name
• @B The user portion (after the .) of the Guardian user name
• @D Date (LCT) in 8 digit format yyyymmdd
• @H Client IP from TCP/IP in fixed decimal format, twelve digits long, e.g. 192.168.1.23 -> 192168001023
• @I Client IP from TCP/IP, dotted decimal with dashes, e.g. 192.168.1.23 -> 192-168-1-23
• @J GMT juliantimestamp (microseconds) in decimal format
• @K Client IP from TCP/IP converted to hex without dots, e.g. 192.168.1.23 -> C0A80117
• @L The SSH process name without dollar
• @P STN process name without prefix
• @S STN service name
• @T Time (LCT) in 6 digit format hhmmss
• @U The external user name, alphabetic and numeric characters only
• @X STN expand node name without prefix
• @Y STN expand node number
Substitution parameters @1 through @6 reference values returned by WSINFO. WSINFO is supported by Win6530 and some other terminal emulators. STNCOM WSINFO must be set to QUERY, REQUIRED or MATCH. Any fields not returned by the workstation are set to the null string. Only alphabetic and numeric characters are used; any others are discarded. Al
104. limitation for SSHLIB other than what the application developer can imagine regarding remote control tasks executed via an SSH session.
(Figure: application, SSHLIB and the SSH process; the diagram itself is not recoverable from the extracted text.)
In the figure above it is depicted how the application communicates with SSH using SSHLIB. When initiating an SSH session via SSHLIB, the library will start an SSH process in SSH API server mode to handle the actual communication for the application. SSHLIB will then communicate via inter-process messages (IPC) with the SSH process, mapping the library calls to messages to be processed by SSH. SSH will return required output and error information back to SSHLIB in the same fashion.
SSH Protocol Reference
The SSH Protocol
SSH is a protocol for encrypted network traffic and a set of associated programs, which have their roots in the Unix domain. The first version of SSH (SSH version 1 or SSH1) became popular in 1995 and was replaced by an improved version (SSH version 2 or SSH2) in 1997. In 2006 SSH version 2 became a proposed internet standard with the publication of a group of RFCs by the Internet Engineering Task Force (IETF). For more information on the SSH protocol we recommend the following reading:
• Secure Shell in Wikipedia: http://en.wikipedia.org/wiki/Secure_shell
• A popular commercial SSH implementation for PC and Un
105. log file, if logging to a file is enabled.
SELECT
The SELECT option allows defining a specific set of attributes that will be displayed instead of the default attribute set (there are two default sets, one for detailed output and one for non-detailed output). An attribute name specified for <attr> must be one of the names displayed in the detailed status output.
WHERE
The WHERE option can be used to filter channels. Only those channels that fulfill all listed filter conditions <attr filter> will be displayed. Each attribute filter must have the following format (the space characters surrounding the <operator> field are mandatory):
<attr> <operator> <value>
For information about <attr>, please see under option SELECT. The following operators are supported for <operator>: =, <> (for not equal), <, <=, > and >=. The value in <value> can be either a string, a quoted string or a number.
FILTER-STATISTICS
If it is of interest to determine the number of channels matching the filter conditions, the option FILTER-STATISTICS can be specified. If the optional ONLY is added, then the status data is not displayed, but just the total number of channels and the number of matching channels.
STATUS OPENER
Status information about the currently existing openers (i.e. processes that have opened the SSH2 process) will be disp
106. log output (generally for fatal errors) to a central location. The syntax is as follows: <text> is any text up to 128 characters long. Generally not used from STNCOM.
STOP SERVICE <service-names>
The specified service, or all configured services, will be marked as stopped. The service name will not be displayed on menus and will be rejected if entered in response to the service prompt. Use START SERVICE to resume the service. Existing sessions will not be affected. This command is not normally used.
STOP SESSION <session-name>
The specified session, or all active sessions, will be terminated.
STOP WINDOW <window-names>
The specified window, or all configured windows, will be stopped. If a session is active on the window it will be immediately terminated. Dynamic windows and automatically added windows will be deleted. The window will no longer be available for new sessions. Use START WINDOW to resume normal operation. This command is not normally used.
TIME
Displays the current date and time.
TRACE
This command controls writing of a trace to a disk file. The GTRED utility that is distributed in the SSH subvolume can be used to format the trace:
GTRED /IN <trace file>, OUT <list file>/
GTRED formats EMS events recorded in the trace file using the Guardian procedure EMSTEXT. EMSTEXT by default uses the system template file, which
107. <FALSE>
FILEBURSTSUPPRESSION <FALSE>
FULLSSHCOMACCESSGROUP1 <>
FULLSSHCOMACCESSUSER1 <>
GSSAUTH <$GSSy>
GSSGEXKEX <FALSE>
GSSKEX <TRUE>
GUARDIANATTRIBUTESEPARATOR <>
HOSTKEY <HOSTKEY>
INTERFACE (value garbled in extraction)
INTERFACEOUT (value garbled in extraction)
INTERVALLIVEPRIVATEUSERKEY <730>
INTERVALLIVEPUBLICUSERKEY <730>
INTERVALPENDINGPRIVATEUSERKEY <0>
INTERVALPENDINGPUBLICUSERKEY <0>
IPMODE <DUAL>
LICENSE <\NPNS01.$US.SSH92.LICENSE>
LIFECYCLEPOLICYPRIVATEUSERKEY <FIXED>
LIFECYCLEPOLICYPUBLICUSERKEY <FIXED>
LOGCACHEDUMPONABORT <TRUE>
LOGCACHESIZE <500000>
LOGCONSOLE <>
LOGEMS <$USLOG>
LOGEMSKEEPCOLLECTOROPENED <TRUE>
LOGFILE <SH54LOG>
LOGFILERETENTION <10>
LOGFORMATCONSOLE <93>
LOGFORMATEMS <16>
LOGFORMATFILE <93>
LOGFTPSCO (name garbled in extraction) <>
LOGLEVELCACHE <50>
LOGLEVELCONSOLE <88>
LOGLEVELEMS <70>
LOGLEVELFILE <50>
LOGMAXFILELENGTH <20000>
MACS <hmac-sha1
(further parameter names recovered without values: PARTIALSSHCO(MACCESSGROUP1), PARTIALSSHCO(MACCESSUSER1), PORT, PTCPIPFILTER, PTYSERVER, RECORDDELIMITER, RESTRICTIONC, SFTPALLOWGUARDIANCD, SFTPCPUSET; a second ciphers value <aes256-cbc,twofish256-cbc,twofish-cbc,aes128 was also displaced in extraction)
108. memory usage statistics in the log output at regular intervals.
Parameter Syntax
LOGMEMORY number_of_ios
Arguments
number_of_ios: A number that represents how many I/O operations are to be conducted before SSH2 includes its memory usage in the log output.
Default
The default is 0, meaning that memory usage will not be logged.
Considerations
• Provides an easy way to correlate between memory usage of SSH2 and events in the log output. Do not use if memory usage of SSH2 is not of interest to you.
MACS
Use this parameter to specify which message authentication codes (MACs) are admissible for the SSH2 server.
Parameter Syntax
MACS mac[,mac]
Arguments
mac: Specifies a MAC. Currently the following MACs are supported by SSH2:
  o hmac-sha1: HMAC-SHA1 (digest length = key length = 20 bytes = 160 bits)
  o hmac-md5: HMAC-MD5 (digest length = key length = 16 bytes = 128 bits)
  o hmac-sha1-96: first 96 bits of HMAC-SHA1 (digest length = 12 bytes = 96 bits, key length = 20 bytes = 160 bits)
  o hmac-md5-96: first 96 bits of HMAC-MD5 (digest length = 12 bytes = 96 bits, key length = 16 bytes = 128 bits)
Considerations
For details about the MACs listed above, please refer to standard SSH documentation such as the available RFCs.
Default
If this parameter is omitted, SSH2 will accept all MACs listed above.
Example
MACS hmac-sha1-96
This will enforce the use of the hmac-sha1-96 MAC algorithm.
109. name, yet with an invalid public key:
$SSH49 23Dec10 15:57:23 172.16.123.110:3945 comf.us 172.16.123.110 terminated session
$SSH49 23Dec10 15:57:23 172.16.123.110:3945 comf.us 172.16.123.110 authentication denied, method publickey: authentication aborted by client
The following shows an audit message for a user trying to access the system with an existing user name that is frozen:
$SSH49 23Dec10 17:16:07 172.16.123.110:1708 comf.us 172.16.123.110 authentication failed, method none: User is frozen
The following shows an audit message for a user trying to access a file for which his SYSTEM-USER has no access rights:
$SSH49 23Dec10 17:22:42 172.16.123.110:1303 COMF.US comf.us 172.16.123.110 open /tmp/secret file mode read failed, error 4013
Destinations for Audit Messages
Similar to log messages, the SSH2 component can send audit messages to three destinations:
• a file, configured with the AUDITFILE parameter
• a device, configured with the AUDITCONSOLE parameter
• a collector, configured with the AUDITEMS parameter
By default the SSH2 component does not write audit messages at all. It is possible to audit to one or more destinations at the same time. Note that audit messages do not have a level as log messages have: auditing is either turned on to a destination or it is not. See the section "Log File/Audit File Rollover" for information on how to assess the content of an audit file.
Customizing the
110. name and Guardian file attributes. Use this parameter to specify an additional separator character between Guardian file name and Guardian file attributes. The standard separator is always supported.
Parameter Syntax
GUARDIANATTRIBUTESEPARATOR separator
Arguments
separator: The character to be allowed as a separator of Guardian file attributes.
Considerations
• Use this parameter if an SFTP client does not support using commas in remote filenames.
• The configured separator character does not replace the default (which is comma) but is an alternate.
• Either the configured separator or the standard separator (comma) is supported, but not a mix of both.
Default
If omitted, the only separator character is the comma.
Examples
GUARDIANATTRIBUTESEPARATOR (separator character lost in extraction)
GUARDIANATTRIBUTESEPARATOR &
HOSTKEY
Use this parameter to specify the filename of the host key file.
Parameter Syntax
HOSTKEY filename
Arguments
filename: Specifies the name of the host key file.
Considerations
• SSH2 generates the local host key during startup if the configured host key file does not exist. The type of the local host key is configurable via parameter HOSTKEYTYPE, and the size of the key is determined by the value of parameter HOSTKEYBITS.
• The host key is the private key that is used to authenticate the host against the clients. The fingerprint of the host key will need to be configured
111. not supported.
NAMES SERVICE, WINDOW: NAMES (LISTOBJECTS) responses are limited to a single buffer with no error or continuation indication. SCF NAMES WINDOW $STN will return approximately 150-200 window names.
Some fields have different interpretations. Some additional tokens are present; SCF and NonStop ASAP ignore these. See ZSTNDDL.
SPI support in STN is limited to the commands used for NonStop ASAP. These commands can also be used from SCF, but this is not recommended. STNCOM is required for all configuration and is recommended over SCF even for those commands which are supported from SCF.
EMS Events
The STN installation subvolume contains standard EMS files which provide additional details:
• ZSTNDDL: DDL for event names
• ZSTNTMPL: template output file for EMSDIST
It is recommended that ZSTNTMPL be installed using standard procedures.
Note: In the following event descriptions, the event name and number are given, followed by the EMS template for this event. All references to <1> refer to the STN process that issued the event.
zstn-evt-stnlog (value is 1003)
<1> STNLOG <2>
<2>: text
• CAUSE: STNLOG messages can be generated by other components and also by the STNCOM command STNLOG. The text is described in the documentation for the component which generated the message.
• EFFECT: Refer to other documentation.
• RECOVERY: Refer to other documenta
112. of a session and also after an application call to setmode 28. A script can be referenced by ADD SERVICE and ADD WINDOW commands. ADD SCRIPT and ADD SERVICE/WINDOW may be performed in any order, although the script must be defined before a session attempts to use it.
Example script to turn off echo and turn off automatic LF on CR:
ADD SCRIPT NOECHO 20 0 7 0
ADD SERVICE S123 SCRIPT NOECHO
ADD SERVICE
The ADD SERVICE command defines a new service for STATIC and DYNAMIC window sessions. The service will be available to sessions on any LISTENER, as well as on SSH pseudo TTYs if CI-COMMAND MENU is set for the user, as follows:
ADD SERVICE service-name
  [, TYPE DYNAMIC|STATIC]
  [, PROG program-file-name]
  [, CPU cpunum|cpunum,cpunum|ANY]
  [, PRI priority]
  [, TERM_TYPE TN6530|ANSI|ANY]
  [, MODE BLOCK|CONV]
  [, MENU HIDDEN|VISIBLE]
  [, LIB lib-file-name]
  [, SWAP $volume-name]
  [, USER groupnum,usernum|groupname.username]
  [, PARAM param-text]
  [, IPRANGE iprange-name]
  [, HOME home-terminal-name]
  [, LIMIT max-sessions]
  [, RESILIENT YES|NO]
  [, DEBUGOPT OFF|<number>]
  [, LOGAUDIT YES|NO]
  [, LOGON REQ|NONE]
  [, SCRIPT script-name]
  [, WIN_PAT pattern]
The service name and the TYPE field are required; all others are optional.
TYPE: DYNAMIC | STATIC
CPU: optional | not allowed
DEBUGOPT: not allowed
HOME: not allowed
LIB: not allowed
LIMIT: not allow
113. off, there is a third option, min (supported), which reduces the progress output to the last line: <count> bytes transferred in <time> seconds (<rate> MB/s). Command progress will display the current setting (on, off or min).
Controlling Transfer Summary
Summary information about each file transfer gets generated, e.g. 165527760 bytes transferred in 86 seconds (1.8 MB/s). By default the number of bytes transferred is set to the EOF value of a file. This ensures consistency between the size of a file displayed by the ls -l command and the summary information. But the size of the actual content of a Guardian edit or structured file can differ greatly from the EOF value. If it is of interest to see the actual number of bytes transferred in the transfer summary, then a define SFTP_BYTES_TRANSFERRED can be set to ACTUAL:
ADD DEFINE =SFTP_BYTES_TRANSFERRED, CLASS MAP, FILE ACTUAL
The default value for this define is EOF, meaning the bytes transferred line contains the EOF value of a file in case the transfer was successful. The define must exist in the environment of the SFTP OSS client.
Specifying File Names on the NonStop System
When specifying directories, subvolumes or files on the NonStop system, the SSH2 SFTP implementation supports flexible ways to deal with the various notations:
• Files and directories under the OSS file system are
114. omitted, ALLOWEDAUTHENTICATIONS will be set to keyboard-interactive,password,publickey.
Considerations
• ALLOWEDAUTHENTICATIONS is only relevant if AUTOADDSYSTEMUSERS is set to TRUE.
• ALLOWEDAUTHENTICATIONS will not override any list of authentication methods explicitly configured for a user using SSHCOM ADD USER or ALTER USER.
Example
ALLOWEDAUTHENTICATIONS keyboard-interactive,publickey
See also
AUTOADDSYSTEMUSERS
ALLOWEDSUBSYSTEMS
This parameter can be used to globally restrict the SSH user settings to those subsystems listed in the value for ALLOWEDSUBSYSTEMS, which is a comma-separated list of subsystem names. If a subsystem is not mentioned in both this global list and the SSH user's attribute ALLOWED-SUBSYSTEMS, then the incoming subsystem request will be denied.
Parameter Syntax
ALLOWEDSUBSYSTEMS subsystem[,subsystem]
Double quotes are required when setting the parameter via PARAM and more than one subsystem is listed:
PARAM ALLOWEDSUBSYSTEMS "sftp,tacl"
Arguments
subsystem: Specifies an SSH subsystem to be allowed for incoming connections. Valid values are:
  o tacl
  o sftp
Default
If omitted, ALLOWEDSUBSYSTEMS will be set to sftp,tacl.
Considerations
• In an environment with more than one SSH2 process accessing the same SSHCTL database, this parameter can be used to force users to use one SSH2 process for SFTP sessions and the
115. on from a remote system and execute commands. Please see the description of <user name> under the ADD USER command for unconventional names that must be put in double quotes.
Daemon Mode Commands Operating on the RESTRICTION-PROFILE Entity
ADD RESTRICTION-PROFILE
The ADD RESTRICTION-PROFILE command adds a new restriction profile to the database and has the following syntax:
ADD RESTRICTION-PROFILE <profile name>
  [, LIKE <existing restriction profile name>]
  [, COMMENT <comment> | "<comment containing spaces>"]
  [, CONNECT-FROM <host pattern> | (<host pattern>, <host pattern>...)]
  [, CONNECT-TO <host:ports> | (<host:ports>, <host:ports>...)]
  [, PERMIT-LISTEN <host:ports> | (<host:ports>, <host:ports>...)]
  [, PERMIT-OPEN <host:ports> | (<host:ports>, <host:ports>...)]
  [, FORWARD-FROM <host pattern> | (<host pattern>, <host pattern>...)]
Only the <profile name> is mandatory in the command; all other fields are optional. The individual attributes have the following meaning and syntax:
<profile name>: The name of the restriction profile to be added.
<comment>: A comment describing the restriction profile. If the comment contains spaces, it must be enclosed in double quotes.
<host pattern>: One or more patterns used to match addresses or names of hosts. Wildcard characters (any number of characters) and
116. on the remote systems that connect to the SSH2 process running on the NonStop system. The fingerprint of the host key file is displayed during startup of the process. It can also be seen via SSHCOM command INFO HOST-KEY.
• In order to prevent unauthorized usage of the host key file (i.e. moving it to other systems), the file is stored in a proprietary format and encrypted. The host key file is secured as follows:
• The customer name configured via parameter CUSTOMER or, if that does not exist, the customer name held within the license file for the SSH2 program is used as an input for host-based key encryption. When you plan to duplicate the host key and user database onto other NonStop systems (such as a disaster recovery system), you need to make sure the parameter CUSTOMER or the license file of that other system has the same customer name in it. Otherwise the host key file and user database cannot be used on the other system. If you purge the HOSTKEY and SSHCTL files and restart the SSH2 process, a new HOSTKEY and SSHCTL file will be created using either the value of parameter CUSTOMER or, if that does not exist, the customer name from the license file.
• Although a license file is no longer required for NonStop SSH on H and J operating systems, any existing HOSTKEY and SSHCTL file requires the customer name that was used to create the file. If a license file exists, the customer name will be extracted from that file (entry SSH2 customer) unless par
117. on your SSH2 installation subvolume and send the result.
SSH2 Status: If possible, please run SSHCOM against a running instance of the SSH2 process, execute the INFO SSH2 command and send the output.
Clients/Servers: Which SSH/SFTP clients and daemons are communicating with the NonStop platform via SecurFTP/SSH? Please provide platform information, product names and version numbers.
• Problem Description
  o Detailed description: Please describe the problem (expected versus observed behavior).
  o Context: Installing the product and having a problem getting it to work, or product has been running successfully and this is a new issue, or any other detail describing the context.
  o Frequency: How often does the problem occur (sporadically, frequently, always)?
  o Occurrence: Where does the problem occur (on all workstations or sessions, only on selected workstations or sessions)?
  o Error Message: Is there an error message generated? Please specify the exact text. The error message may be taken from EMS, from a log file or captured from a screen.
  o Reproduction: Please describe the exact steps that led to the problem.
General SSH2 Error Messages
Errors that impact the operation of the SSH2 process are reported as error logs or warning messages. Log messages are written to SSH's log destinations as configured by the LOGCONSOLE, LOGFILE and LOGEMS parameters. Error log messages have a log l
118. one of the configured IP addresses in INTERFACEOUT according to a round-robin algorithm that selects an IP address by first selecting an IP process (should there be more than one IP process configured in SUBNET), taking the CPU the IP process is running in for the round-robin selection. Then one of the IP addresses of that IP process which is also listed in INTERFACEOUT is selected. In this way the outgoing connections are distributed over all CPUs the configured IP processes are running in.
Multiple Target IP Address Selection
With DNSMODE set to FIRST, or if an IP address is specified for the target host, multiple target IP addresses do not occur. But if parameter DNSMODE is set to ALL and a name is specified as target host, then the host name may get resolved to multiple IP addresses. If that is the case, one IP address must be selected for the actual connection. This is done in a round-robin fashion over all target IP addresses a specific SSH2 process has seen in the recent past. This means that the target IP address is selected from the list of resolved IP addresses by checking how often an outgoing connection has been established in the last time interval and picking the IP address with the smallest number of outgoing connections that happened during the past interval. Information about connections established before the start of that interval will be dropped. In this way the outgoing connections are distributed over all IP addresses a specific host name
119. or alter KEY attributes LIVE-DATE and EXPIRE-DATE. Both dates will be determined by the CREATION-DATE and the values of parameters INTERVALPENDINGPRIVATEUSERKEY and INTERVALLIVEPRIVATEUSERKEY.
VARIABLE: A user can specify the LIVE-DATE and EXPIRE-DATE when generating or importing a private key, or when altering the private key. By not specifying these attributes in a GENERATE KEY or IMPORT KEY command, the values for LIVE-DATE and EXPIRE-DATE will be automatically set depending on the CREATION-DATE and the values of parameters INTERVALPENDINGPRIVATEUSERKEY and INTERVALLIVEPRIVATEUSERKEY.
Default
The default for this parameter is DISABLED, resulting in the same behavior as before the introduction of this parameter.
Example
LIFECYCLEPOLICYPRIVATEUSERKEY FIXED
Considerations
• Users with full SSHCOM access can set or modify KEY attributes LIVE-DATE and EXPIRE-DATE even when the life cycle policy for user private keys is set to FIXED.
See also
INTERVALLIVEPRIVATEUSERKEY, INTERVALPENDINGPRIVATEUSERKEY
LIFECYCLEPOLICYPUBLICUSERKEY
This parameter controls the life cycle of user public keys. If enabled, a not-valid-before date and a not-valid-after date can be defined for each individual key. This can be achieved by setting the dates explicitly via entity USER PUBLICKEY attributes LIVE-DATE and EXPIRE-DATE, or implicitly via a globally defined length of the key pending
passed on the startup line as follows:

<parameter name> <parameter value> <parameter name> <parameter value>

The following example demonstrates how to start multiple SSH2 instances that share the same SSHCONF configuration file, listening on different subnets using the same port:

> PARAM CONFIG SSHCONF
> RUN SSH2 /NAME $SSH00, CPU 0, NOWAIT/ SERVER; SUBNET $ZTC0; PORT 22
> RUN SSH2 /NAME $SSH01, CPU 1, NOWAIT/ SERVER; SUBNET $ZTC1; PORT 22
> RUN SSH2 /NAME $SSH02, CPU 2, NOWAIT/ SERVER; SUBNET $ZTC2; PORT 22
> RUN SSH2 /NAME $SSH03, CPU 3, NOWAIT/ SERVER; SUBNET $ZTC3; PORT 22

For a complete description of the RUN SSH2 command see the Starting SSH2 section.

Starting SSH2
Note: The SSH2 process must be started and run under the SUPER.SUPER logon. When started using a different user ID, the process will issue a warning message and terminate.

You create an SSH2 process by issuing a TACL RUN command using the following syntax:

RUN SSH2 /runoptions/ mode; paramname paramvalue

Following is a description of each aspect:
• runoptions are the standard Guardian RUN options such as IN, CPU or TERM.
• mode defines the run mode of the SSH2 process. The so-called run mode defines which functionality that instance will allow. The following run modes are defined:
  DAEMON runs a daemon process that provides the SFTP service to remote clients. No other functionality is p
remote IP address

Event Id: 4
Event Name: SubsystemEvent
Conditions: Successful
Pattern: %sessionId %user %remoteAddress %action %object %outcome
Token Values: sessionId = SESSION LOG ID; user = SSH username; remoteAddress = remote IP address; action = subsystem; object = name of subsystem; outcome = granted

Event Name: SftpOpenFileEvent
  Failed, error detail available: %sessionId %user %remoteAddress %action %object %outcome error=%error
  Failed, error detail not available: %sessionId %user %remoteAddress %action %object %outcome
  Successful: %sessionId %user %remoteAddress %action %object %outcome mode=%mode
Event Name: SftpTouchFileEvent
  Failed, error detail available: %sessionId %user %remoteAddress %action %object mode=%mode %outcome error=%error
  Failed, error detail not available: %sessionId %user %remoteAddress %action %object %outcome mode=%mode
  Successful: %sessionId %user %remoteAddress %action %object %outcome mode=%mode
Token Values (failed): sessionId = SESSION LOG ID; user = SSH username; remoteAddress = remote IP address; action = subsystem; object = name of subsystem; outcome = denied or failed; error = error detail
Token Values (successful): sessionId = SESSION LOG ID; user = SSH username; remoteAddress = remote IP address; action = subsystem; object = name o
rights of the various contributors to the open source components of SSH2 are acknowledged.

OpenSSL Copyright Statement
The OpenSSL toolkit is licensed under a dual license: the OpenSSL license and the original SSLeay license. See the license text below.

OpenSSL License
Copyright (c) 1998-2000 The OpenSSL Project. All rights reserved.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
3. All advertising materials mentioning features or use of this software must display the following acknowledgment: "This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to endorse or promote products derived from this software without prior written permission. For written permission, please contact openssl-core@openssl.org.
5. Products derived from this software may not be called "OpenSSL" nor may "OpenSSL" appear in their names without prior written permission of the OpenSSL Project.
6. Redistributions of any form w
session is connected to that window. The application that was running on that window during the previous session will in general repeat its prompt, but otherwise the session resumes exactly where it left off. For example, a TACL will still be logged on and have its environment intact. Specific operation during such a reconnection is described below.
1. STN first notifies the workstation user that the session is being reconnected to a resilient window, with the message:
   STN70 Reconnecting to resilient window ZWNnnnn. Last access <time>
2. Then STN displays information about any application programs running on the window, for example:
   STN70 application $Y1G7 $SYSTEM.SYS00.TACL
   STN70 application 1,175 $SYSTEM.SYS00.FUP
   The application line is repeated for each opener of the window, including process name, cpu,pin or posix pid, and the object file name. This helps clarify exactly what is running in the resumed session.
3. Finally, the session is resumed, with handling dependent on the application I/O that was active when the previous session was disconnected:
   • ITI conversational, read or writeread pending: the application I/O is completed with FEBREAK (111). For TACL and most other applications this repeats the prompt. For OSS posix reads, FESIGINT (4523) is returned; for /bin/sh and most other applications this repeats the prompt.
   • ITI conversational, no read or writeread pending: this happens when TACL is PAUSEd, etc. Guar
set, shared ports will not be limited. However, any DEFINE =PTCPIP^FILTER^TCP^PORTS passed to SSH2 at startup will remain in effect.
Default: The default for this parameter is
Considerations:
• Use this parameter to limit shared ports when round robin filtering is enabled for multiple SSH2 servers configured as generic processes. This can also be achieved by adding the define =PTCPIP^FILTER^TCP^PORTS for the generic process (possible since G06.28/H06.06).
• In case the define =PTCPIP^FILTER^TCP^PORTS causes unwanted behaviour, it is possible to disable the propagation of defines completely; see parameter PROPAGATEDEFINES.
See also: PROPAGATEDEFINES

PTYSERVER
Use this parameter to specify the name of an STN process serving as a pseudo terminal (PTY) server.
Parameter Syntax: PTYSERVER processname
Arguments: processname specifies the name of an STN process.
Default: The default for this parameter is $PTY.
Considerations:
• The value is used as default value for USER attribute PTY-SERVER.
• Please refer to the Enabling Full TTY Access section for details.

RECORDDELIMITER
Use this SFTP related parameter to define the end-of-record indicator in files transferred from a remote host to a structured file on NonStop. The parameter is relevant if the SFTP server on NonStop is used for file transfer, or if the SFTP client on NonStop is used and the SFTP command ASCII is not issued before the file transfer, i.e. the tran
should not cause problems. Please see section TACL Subsystem and Command Interpreter Configuration and check your USER configuration accordingly for those users that do not have tacl configured in ALLOWED-SUBSYSTEMS.

Version 4.3
Describes changes in SSH2 release 96. Documentation for the following new features has been added:
• Added additional information for parameters AUTOADDAUTHPRINCIPAL and SFTPREALPATHFILEATTRIBUTEECHOED.
• Added section Controlling SSH and SFTP Clients on NonStop via an API.
• Explained new USER attribute PTY-SERVER in section Database for Daemon Mode.

Version 4.2
Describes changes in SSH2 release 94. Documentation for the following new features has been added:
• Added description for new parameters BURSTSUPPRESSION, EMSBURSTSUPPRESSION, CONSOLEBURSTSUPPRESSION, FILEBURSTSUPPRESSION, CACHEBURSTSUPPRESSION, BURSTSUPPRESSIONEXPIRATIONTIME and BURSTSUPPRESSIONMAXLOGLEVEL.
• Added additional information for parameter SHELLENVIRONMENT.
• Added additional information for authentication with password on procedure USER_AUTHENTICATE_.
• Various additions and changes in the STN Reference section.

Version 4.1
Describes changes in SSH2 release 93. Documentation for the following new features has been added:
• Added Migration Considerations section.
• Added description of new parameter SFTPDISPLAYGUARDIAN, controlling the format of filenames in SFTP information
stops.
• This parameter set is disabled if a thawed OBJECTTYPE USER record exists in Safeguard, i.e. any FULLSSHCOMACCESSGROUP<j> parameter configuration is ignored in this case.
See also:
• FULLSSHCOMACCESSUSER<i>
• The table in SSHCOM Access Summary in section SSHCOM Command Reference

FULLSSHCOMACCESSUSER<i>
This parameter set allows granting administrative SSHCOM command privileges to users other than SUPER.SUPER. Admin users are defined via the parameter set FULLSSHCOMACCESSUSER<i>, where <i> is a number between and 99.
Parameter Syntax: FULLSSHCOMACCESSUSER<i> <group>.<user>
Arguments: <group>.<user> is the Guardian logon name of the account that will have full SSHCOM access. Logon ids and alias names are not supported.
Default: By default none of the parameters are set, i.e. only users configured in the Safeguard OBJECTTYPE USER record (if such exists) and SUPER.SUPER (unless explicitly denied in OBJECTTYPE USER) can access privileged commands.
Example:
FULLSSHCOMACCESSUSER1 admin.joe
FULLSSHCOMACCESSUSER2 admin.jim
FULLSSHCOMACCESSUSER3 super.jane
Considerations:
• Some of the privileged commands in SSHCOM are critical to the security of the system. Therefore, granting access to user accounts other than SUPER.SUPER must be carefully considered.
• The user SUPER.SUPER has always full a
<str2>
  <str1>: User name; <str2>: Exception text
Updating sessions record for user <str1> failed: <str2>
  <str1>: User name; <str2>: Exception text
Updating sessions record (removing port <int1>) for user <str1> failed: <str2>
  <int1>: Port; <str1>: User name; <str2>: Exception text
Deleting all user sessions records failed: <str1>
  <str1>: Exception text
Deleting sessions record for user <str1>, process <str2>, failed: <str3>
  <str1>: User name; <str2>: Process name; <str3>: Exception text

Event Category: INFO
LOG LEVEL 50: server credentials acquired successfully <str1>, deleting credential cache <str2>
  <str1>: Session Name; <str2>: Kerberos credentials cache file name
LOG LEVEL 50: <str1> GSS calls completed successfully
  <str1>: Session Name
LOG LEVEL 50: <str1> No system user name supplied, user credential cache will not be created
  <str1>: Session Name
LOG LEVEL 50: No system user name supplied, user credential cache will not be created
LOG LEVEL 50: <str1> processing GSSAUTH_INIT_SECURITY_CONTEXT_REQUEST for user <str2>
  <str1>: Session Name; <str2>: User initiating GSSAPI authentication
LOG LEVEL 50: <str1> processing GSSAUTH_ACCEPT_SECURITY_CONTEXT_REQUEST
  <str1>: Session
the NonStop platform and has added additional functionality. See the copyright statements in the chapter Appendix.

Authentication using User Names and Passwords
The SSH protocol allows for authentication using user names and passwords. This mechanism is less secure than Public Key Authentication (discussed in the next section), and that is why most implementations allow authentication using user names and passwords to be disabled. It is up to the SSH server to specify both the allowed and required means of authentication. comForte's SSH implementation currently supports the following means of authentication:
• When running as SSH client, the SSH2 package allows authentication using either a private key configured using the KEY entity in the SSH2 user database (see next section) or a password, to be entered interactively or configured using the PASSWORD entity in the SSH2 user database.
• When running as SSH daemon, the SSH2 package currently supports both password (verified against the Guardian user password) and public key authentication (configured in the PUBLICKEY attribute of the USER entity of the SSH2 database).

Public Key Authentication
Introduction to Public Key Authentication
Terminology
Public Key Authentication makes use of asymmetric cryptography. Without going too much into details, we explain and define some terms here:
• A key pair consists of a public and a private key. While it is possible to derive the public key from
the private key, the opposite is not possible.
• The private key is normally kept secret and can only be accessed by the entity using it for authentication. Among other things, a private key can be used for signing bits of information; without the private key nobody else can do this for a given key pair.
• The public key can be distributed freely, as it contains only public information. Using the public key, documents signed using the private key can be checked for authenticity. When distributing public keys, it is important to make sure nobody has altered the public key during the distribution process.
• A fingerprint is a cryptographic shorthand for a public key. A public key basically is a set of bytes; however, it is hard to compare a long stream of bytes. That is why fingerprints are used to verify public keys. Two popular formats for fingerprints are MD5 (the 16-byte MD5 digest of the key, shown as 32 hex characters) and bubble babble (a string of pronounceable words built from the bubble babble alphabet).
The terms key pair, public key and private key are all used to specify a key pair or a part of it.

Public Key Authentication and SSH
The SSH protocol uses public key cryptography for authentication, both of the server (daemon) to the client as well as, optionally, for authenticating the client. This implies that if the client uses a key pair to log on to the server, both the client and the server will:
• have the
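Both fingerprint formats named above, computed over an SSH public key blob, as an added example written for this page (it is not code from the manual or from comForte). The MD5 fingerprint is the MD5 digest of the key's wire-format blob, colon separated; the bubble babble fingerprint is the bubble babble encoding of the SHA-1 digest of the same blob, which is what SSH implementations use. The RSA numbers in the demo are constructed toy values, not a real key.

```python
import base64
import hashlib
import struct

# Bubble babble alphabet from the bubble babble encoding specification.
_VOWELS = "aeiouy"
_CONSONANTS = "bcdfghklmnprstvzx"


def _ssh_string(data: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(n: int) -> bytes:
    """SSH wire-format mpint for n >= 0 (a leading 0x00 is added if the high bit is set)."""
    if n == 0:
        return _ssh_string(b"")
    return _ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))


def encode_public_key(key_type: str, *numbers: int) -> bytes:
    """Build the public key blob that fingerprints are computed over
    (ssh-rsa: e, n; ssh-dss: p, q, g, y)."""
    return _ssh_string(key_type.encode()) + b"".join(_ssh_mpint(n) for n in numbers)


def key_type(blob: bytes) -> str:
    """Read the key type string at the start of a public key blob."""
    (length,) = struct.unpack(">I", blob[:4])
    return blob[4:4 + length].decode()


def md5_fingerprint(blob: bytes) -> str:
    """Classic colon-separated MD5 fingerprint (32 hex characters)."""
    return ":".join(f"{b:02x}" for b in hashlib.md5(blob).digest())


def bubblebabble(data: bytes) -> str:
    """Bubble babble encoding of arbitrary bytes (checksum seed carried between rounds)."""
    seed = 1
    out = ["x"]
    rounds = len(data) // 2 + 1
    for i in range(rounds):
        if i + 1 < rounds or len(data) % 2 != 0:
            b1 = data[2 * i]
            out.append(_VOWELS[(((b1 >> 6) & 3) + seed) % 6])
            out.append(_CONSONANTS[(b1 >> 2) & 15])
            out.append(_VOWELS[((b1 & 3) + seed // 6) % 6])
            if i + 1 < rounds:
                b2 = data[2 * i + 1]
                out.append(_CONSONANTS[(b2 >> 4) & 15])
                out.append("-")
                out.append(_CONSONANTS[b2 & 15])
                seed = (seed * 5 + b1 * 7 + b2) % 36
        else:  # final round of an even-length input: only the seed is encoded
            out.append(_VOWELS[seed % 6])
            out.append(_CONSONANTS[16])
            out.append(_VOWELS[seed // 6])
    out.append("x")
    return "".join(out)


def bubblebabble_fingerprint(blob: bytes) -> str:
    """SSH bubble babble fingerprint: bubble babble of the SHA-1 digest of the blob."""
    return bubblebabble(hashlib.sha1(blob).digest())


def fingerprints_from_line(line: str) -> dict:
    """Fingerprints of a key given in the one-line '<type> <base64 blob> [comment]' form."""
    fields = line.split()
    blob = base64.b64decode(fields[1])
    if key_type(blob) != fields[0]:
        raise ValueError("key type inside the blob does not match the line")
    return {"type": fields[0], "md5": md5_fingerprint(blob),
            "babble": bubblebabble_fingerprint(blob)}


if __name__ == "__main__":
    demo_blob = encode_public_key("ssh-rsa", 65537, 0xC0FFEE)  # constructed toy values
    demo_line = "ssh-rsa " + base64.b64encode(demo_blob).decode() + " demo"
    print(fingerprints_from_line(demo_line))
```

Compare the MD5 fingerprint logged by the daemon at startup with the value your client shows before accepting a new host key; current OpenSSH clients print SHA256 fingerprints by default, so pass `-E md5` to `ssh-keygen -l` to get the same format.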
the reason for disconnecting.
Cause: The SSH client gracefully terminated the SSH session.
Effect: The SSH session is closed.
Recovery: Any corrective action depends on <disconnect reason>. It may be required on the remote SSH client side. Contact comForte support if <disconnect reason> indicates an SSH protocol error.

<session id>: User auth method mismatch, available: <remaining methods>, <requested method>
<remaining methods>: List of SSH authentication methods that are supported by SSH2 and have not been tried by the SSH client.
<requested method>: Authentication method requested by the SSH client.
Cause: The SSH client tried to use an authentication method not supported by SSH2.
Effect: The remote SSH user cannot be authenticated.
Recovery: Configure an authentication method for the SSH client that is supported by SSH2, e.g. public key authentication.

<session id>: Authentication of user <user name> failed: <error detail>
<user name>: Name of the remote user.
<error detail>: Describes the reason for the authentication failure.
Cause: An error occurred during the authentication of the user. Typical errors are:
  User not found: <user name> does not exist in the SSHCTL.
  User is frozen: <user name> exists in the SSHCTL but is frozen.
Effect: The remote SSH user cannot be authenticated. The sessio
the specified CPU.
ANY: Uses any available CPU for the backup process. The first attempt is with the buddy CPU; if that fails, other CPUs are then used, starting with CPU numbers closest to the primary, until a backup is successfully started. This method assures that a backup will be created any time two CPUs are available. If a backup process is already running, it is stopped. A new backup process is created in the appropriate CPU.

BANNER Y | N
The BANNER command controls the display of menus on remote session initiation. The default is BANNER Y. When BANNER N is used to disable banners, no welcome messages or menus are displayed when a remote workstation connects to STN.
Note: BANNER N may interfere with 6530 emulators configured to automatically transmit the service name, or may interfere with emulator scripts.

BANNER_TIMEOUT <minutes>
BANNER_TIMEOUT allows for automatic termination of sessions waiting at the STN02 Service menu for an extended time. This releases resources used by idle connections. BANNER_TIMEOUT 0 (the default) disables the timeout: sessions will not be terminated at the STN02 Services prompt. The timeout can be specified in the range 3 to 14400 (3 minutes to 10 days). When the STN02 Service menu is unanswered for the specified length of time, the session is terminated. If IDLE_WARNING is set to a non-zero value, then a warning message will be displayed once a
to remote address
-R listen_port:host:port  Forward remote port to local address. These cause sshoss to listen for connections on a port and forward them to the other side by connecting to host:port.
-C  Enable compression
-N  Do not execute a shell or command
-g  Allow remote hosts to connect to forwarded ports
-o option  Process the option as if it was read from a configuration file
-s  Invoke command (mandatory) as SSH2 subsystem
-S process  Connect using this SSH2 process

> sftposs
usage: sftposs [-vCZ] [-b batchfile] [-o ssh2_option] [-H error_prefix] [-J info_prefix] [-K query_prefix] [-B buffer_size] [-R num_requests] [-S ssh2_process] [user@]host[:file [file]]

Typical start of an SSH session from OSS to a remote system:

/tmp: sshoss u.sauer@linuxdevipv6
SSH client version T9999H06_22Jan2014_comForte_SSHOSS_0097
GSSAPI authentication disabled.
You have no private keys in the key store. Trying password authentication.
Enter u.sauer@linuxdevipv6's password:
Add password for u.sauer@linuxdevipv6 to the password store (yes/no)? no
Linux linux-dev 2.6.32-40-server #87-Ubuntu SMP Tue Mar 6 02:10:02 UTC 2012 x86_64 GNU/Linux
Ubuntu 10.04.4 LTS
Welcome to the Ubuntu Server!
Last login: Sat Apr 21 11:28:48 2012 from 10.0.0.194
u.sauer@linux-dev:~$

Example for initiating an SSH session from OSS to a remote NonStop server using an IPv6 address:

/home/test: sshos
to them. The indication of a format 2 file is a plus sign directly appended to the file code of the Guardian file attributes, similar to the file code shown by FILEINFO for format 2 files.
Examples:
sftp> get remote local
101 28 56 128
sftp> put local remote
0

Controlling SSH and SFTP Clients on NonStop via an API
Customers who need to access SSH and SFTP clients programmatically can use additional API modules, which are separately licensed:
• The SFTPAPI module allows an FTPAPI application to establish an SFTP session instead of an FTP session. Minor changes in the FTPAPI application code convert the application to an SFTPAPI application. This is possible because the same header file ($SYSTEM.ZTCPIP.FTPEXTH) and library file ($SYSTEM.ZTCPIP.APILIB) are used as for FTPAPI.
• The SSHAPI (SSHLIB) module provides a general way to access and control an SSH client on NonStop, providing a means for automating tasks on a remote system or, when using loopback, on the local system.
The following sections give a short overview. For more detailed information see the SFTP API Reference Manual and the SSHLIB Reference Manual.

SFTPAPI
The SFTP API allows applications that previously used the FTP API to convert to SFTP in an easy manner. In many cases the conversion can be accomplished with only a few program changes. In the ideal case programs do not need to be ch
to transfer structured files. By default, each logical record of a structured file is read and an end-of-record delimiter (LF, \n) is added before the record is transferred. This transfer mode (delimited record transfer mode) corresponds to the FTP ASCII transfer of structured files (STRUCT R). Additionally, the following two transfer modes are supported: transparent transfer of records and unstructured transfer of structured files.
The transparent transfer mode allows transferring records containing LF (\n) characters inside a record. Such files cause problems when transferred in delimited record transfer mode, as this character is used as the end-of-record delimiter. This problem does not occur in transparent transfer mode, but this mode can effectively be used only for transfers from one NonStop server to another: other SFTP implementations are not aware of the transparent mode implementation.
The unstructured transfer mode uses the Guardian option "unstructured access of structured files" when opening a Guardian structured file. If the unstructured mode is enabled, SFTP and SFTPSERV read the structured file physically rather than logically (record by record). This transfer mode corresponds to the FTP BINARY transfer of structured files (STRUCT F). Files can only be read in unstructured transfer mode, i.e. if the NonStop SFTP command put is used or a remote sftp
user name is specified, the command will display the current value assumed. Otherwise it will change the value to the user name provided.

The User ALL
The username ALL is reserved to specify all local NonStop system users in conjunction with the KNOWNHOST entity. If a KNOWNHOST is set to the user ALL, it means that all local system users can access that host. Note that the user ALL has no special meaning for the KEY or PASSWORD entity.

INFO SYSTEM-USER
KEY, KNOWNHOST and PASSWORD entities are each maintained via a set of CLIENT mode commands, like GENERATE KEY, ALTER KNOWNHOST and FREEZE PASSWORD. The INFO SYSTEM-USER command lists all KEY, KNOWNHOST and PASSWORD records assigned to (owned by) a specific local Guardian system user. Both the KEY and the KNOWNHOST entity are associated with a single Guardian system user. Besides providing an overview of the system user related client mode records, INFO SYSTEM-USER additionally lists the remote ssh user names (i.e. keys to the daemon mode USER records) that are mapped to a specific local system user or that are configured with the OWNER field set to the specific local system user.
The command has the following syntax:
INFO SYSTEM-USER <system user name> | <partial system user name> [DETAIL]
If no user name is specified, the command will display the entries for the current or assumed system user. The wildcard character can be used alone to select all entries, or it can be precede
was used.
LAST-MODIFIED: Maintenance. Last time the public key entry was modified.

The RESTRICTION-PROFILE entity has the following properties:
RESTRICTION-PROFILE: The name for the restriction profile, referenced by a USER entity.
COMMENT: Comment text for the restriction profile.
CONNECT-FROM: IP addresses the user is allowed to connect from.
CONNECT-TO: IP addresses a user is allowed to connect to.
PERMIT-LISTEN: Local ports the user is allowed to use for port forwarding.
PERMIT-OPEN: Target host and port combinations the user is allowed to use for port forwarding.
FORWARD-FROM: Remote hosts the user can access ssh tunnels from.
LAST-MODIFIED: Record maintenance. Last time the record was modified.

Database for Client Mode
Format and Content of the Database
In client mode the SSH2 database contains three entities, which are all related to a local Guardian system user:
• KEYs are private user keys used to authenticate to remote systems.
• PASSWORDs are passwords used to authenticate to remote systems.
• KNOWNHOSTs are remote systems that are authenticated by configuring their IP addresses, port numbers and public keys.
All three entities contain a set of properties that are used when a local Guardian system user initiates an outgoing connection. Access to the client mode records is controlled by the local Guardian user name, which is stored in the client mode records. Client
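The RESTRICTION-PROFILE attributes listed above are the least-privilege controls for port forwarding, so it is worth seeing how a daemon would evaluate them against a forwarding request. The following is an added example written for this page, not SSH2's own implementation. It assumes a simple syntax (host name, IP address or CIDR network for host attributes; "host:port" entries with a single port, a "low-high" range or "*" for PERMIT-OPEN) and treats an empty attribute as unrestricted; both points are assumptions, so check the ADD RESTRICTION-PROFILE command for the syntax and defaults SSH2 actually uses.

```python
import ipaddress


def _parse_host(spec):
    """A host spec is a host name, an IP address or a CIDR network; '*' matches any host."""
    if spec == "*":
        return None
    try:
        return ipaddress.ip_network(spec, strict=False)
    except ValueError:
        return spec.lower()          # treat anything that is not an address as a host name


def _host_matches(pattern, host):
    if pattern is None:
        return True
    if isinstance(pattern, str):
        return host.lower() == pattern
    try:
        return ipaddress.ip_address(host) in pattern
    except ValueError:
        return False                 # a host name never matches a network pattern


def _port_matches(spec, port):
    """A port spec is '*', a single port, or a 'low-high' range."""
    if spec == "*":
        return True
    if "-" in spec:
        low, high = (int(p) for p in spec.split("-", 1))
        return low <= port <= high
    return int(spec) == port


def _split_host_port(entry):
    host, sep, port = entry.rpartition(":")
    if not sep:
        raise ValueError(f"expected host:port, got {entry!r}")
    return _parse_host(host.strip("[]")), port


class RestrictionProfile:
    """Model of a RESTRICTION-PROFILE; an empty attribute means no restriction (assumption)."""

    def __init__(self, name, connect_from=(), connect_to=(), permit_listen=(),
                 permit_open=(), forward_from=()):
        self.name = name
        self.connect_from = [_parse_host(h) for h in connect_from]
        self.connect_to = [_parse_host(h) for h in connect_to]
        self.permit_listen = list(permit_listen)
        self.permit_open = [_split_host_port(e) for e in permit_open]
        self.forward_from = [_parse_host(h) for h in forward_from]

    def allows_connect_from(self, client_ip):
        return not self.connect_from or any(_host_matches(p, client_ip) for p in self.connect_from)

    def allows_connect_to(self, target_ip):
        return not self.connect_to or any(_host_matches(p, target_ip) for p in self.connect_to)

    def allows_listen(self, port):
        return not self.permit_listen or any(_port_matches(s, port) for s in self.permit_listen)

    def allows_open(self, host, port):
        return not self.permit_open or any(
            _host_matches(h, host) and _port_matches(p, port) for h, p in self.permit_open)

    def allows_forward_from(self, originator_ip):
        return not self.forward_from or any(_host_matches(p, originator_ip) for p in self.forward_from)


def check_direct_tcpip(profile, client_ip, target_host, target_port):
    """Decide a 'direct-tcpip' channel request (a client-side -L forward) against the
    profile. Returns (granted, reason) so the reason can be written to the audit log."""
    if not profile.allows_connect_from(client_ip):
        return False, f"CONNECT-FROM denies {client_ip}"
    if not profile.allows_open(target_host, target_port):
        return False, f"PERMIT-OPEN denies {target_host}:{target_port}"
    return True, "granted"
```

A profile whose PERMIT-OPEN lists only "localhost:23" lets a user tunnel telnet to the NonStop itself and nothing else; a profile with no PERMIT-OPEN entries turns the daemon into a general-purpose TCP relay for that user, which is rarely what you want.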
window. The AUTODEL_WAIT parameter allows a grace time that starts when the last opener closes the window. If another open occurs within the grace time, then the window and the session continue running. If the timer expires without any new opener, then the window is deleted. The time given can be in the range from 0 to 20 seconds; the default is 3 seconds. A value of zero disables the feature, deleting the window immediately when the last opener closes. Starting with SPR T0801ABE this command is not relevant with regard to AUTO_ADD_WIN, since that parameter is no longer supported.

BACKUPCPU <cpu> | NONE | BUDDY | ANY
BACKUPCPU controls the application backup process. BACKUP is a synonym for BACKUPCPU. Displays the current setting along with the current backup status.
NONE: Stops a backup process if one is already running. No new backup processes are created.
<cpu>: Specifies a number in the range 0 through 15 inclusive. The application will use the specified CPU for its backup process. If a backup process is already running, it is stopped. A new backup process is created in the specified CPU.
BUDDY: Toggles the low-order bit of the primary CPU number to determine the backup CPU number. This pairs CPUs for backup purposes in even/odd groups (0 to 1, 2 to 3, ..., 14 to 15). This avoids the problem of configuring a specific CPU number. If a backup process is already running, it is stopped. A new backup process is created in
workstation. The session can be either SECURE or PLAIN. This event is written to the specified AUDITCOLL collector, not to the standard $0 EMS event collector.
EFFECT: None.
RECOVERY: None, informational only.

zstn-evt-auditcoll-disconnect (value is 1025)
<1> AUDITCOLL disconnect <2> <3> <4>
<2>: full name of the window (node.stn.window)
<3>: remote IP address
<4>: remote IP port
CAUSE: A session has terminated. This event is written to the specified AUDITCOLL collector, not to the standard $0 EMS event collector.
EFFECT: None.
RECOVERY: None, informational only.

zstn-evt-auditcoll-wsinfo (value is 1026)
<1> AUDITCOLL <2> <3> <4> wsinfo <5> Outcome <6>
<2>: full name of the window (node.stn.window)
<3>: remote IP address
<4>: remote IP port
<5>: WSINFO text received from the workstation, if any
<6>: text GRANTED or DENIED
CAUSE: WSINFO is set to REQUIRED or MATCH for a 6530 session. The information returned by the workstation is given, and the outcome is GRANTED if the session was allowed to continue or DENIED if the WSINFO requirements were not met. This event is written to the specified AUDITCOLL collector, not to the standard $0 EMS event collector.
EFFECT: None.
RECOVERY: None, informational only.

zstn-evt-max-outq (value is 1027)
<1> ST
drwxr-xr-x 1200 Feb 11 15:10
drwxr-xr-x 608 Dec 31 12:04
drwxr-xr-x 80 Feb 27 2004 public_html
drwxr-x--- 48 Feb 27 2004 pubs
drwxr-xr-x 48 Feb 9 20:45 put
-rw-r--r-- 1011018 Feb 9 20:40 putfiles
sftp>

Change to directory put and list the files there (note that the directory is empty):
72 Feb 14 07:31
1200 Feb 11 15:10

Show the local working directory:
sftp> lpwd
Local working directory: /home/tb
sftp>

Verify the remote working directory:
sftp> pwd
Remote working directory: /home/burgt/put
sftp>

Transfer local file a10000 to the remote system:
sftp> put a10000
Uploading a10000 to /home/burgt/put/a10000
a10000 100% 9900 0.0KB/s 00:00
sftp>

List files on the remote system (note the new file a10000):
72 Feb 14 07:31
1200 Feb 11 15:10
9900 Feb 14 07:31 a10000

Leave the SFTP client:
sftp> bye
/home/tb:

Transfer Progress Meter
The SFTP/SFTPOSS client displays a progress indicator during file transfers if enabled. The progress meter can be enabled via the command "progress on" and disabled via the command "progress off". Entering the command "progress" without an option switches between the states progress enabled and progress disabled. If progress is disabled, the only line displayed for a download is "Fetching <remote file> to <local file>", and for an upload the line "Uploading <local file> to <remote file>" is shown. In addition to the option values on and
(yes/no)? no
Have a lot of fun...
m.horst@np-dev>

Note: For a production installation you may want to copy the SSHOSS program to an OSS standard bin directory, renaming it to ssh. Alternatively, you may also create a symbolic link.

At the TACL prompt, run the SSH client to execute a command on a remote system as follows:

$DATA1.MHSSH 286> run ssh m.horst@10.0.0.201 whoami
SSH client version T9999H06_22Jan2014_comForte_SSH_0097
You have no private keys in the key store. Trying password authentication.
Enter m.horst@10.0.0.201's password:
Add password for m.horst@10.0.0.201 to the password store (yes/no)? no
m.horst
$SYSTEM.ZSSH 287>

To Establish a Port Forwarding Tunnel with the NonStop SSH Client
Forwarding Local Port to Remote Port
You can create port forwarding channels for both the OSS SSH client (SSHOSS) and the Guardian SSH client (SSH). The following example illustrates how to establish a port forwarding tunnel for telnet sessions over SSH using the Guardian SSH client:

$US.SSH90 46> run ssh -N -L 5021:localhost:23 joe@10.0.0.111
SSH client version T9999H06_22Jan2014_comForte_SSH_0097

The -N option suppresses the start of a remote shell. The -L option tells SSH2 to listen on port 5021 and forward any incoming connection to the remote SSH daemon, and further to a telnet server on the same host listening on port 23. The "localhost" in the command line refers to the target host of the forwarding tun
1: date, time, process name
See also:
• AUDITFILE, AUDITFORMATCONSOLE, AUDITFORMATEMS
• Audit Messages in the chapter entitled Monitoring and Auditing

AUDITMAXFILELENGTH
Use this parameter to control the maximum size of an audit file.
Parameter Syntax: AUDITMAXFILELENGTH length
Arguments: length is a number representing the maximum log file length in kilobytes. Values must fall within the following constraints: maximum 40000 KB (40 MB), minimum 100 KB.
Default: The default length is 20000 KB.
Considerations:
• Once the current audit file reaches the maximum size, a log rollover will occur: the current file will be closed and a new file will be opened. The new file will be named based on the audit round robin file set specified by the AUDITFILE and AUDITFILERETENTION parameters. If the file name already exists, any existing contents will be purged.
See also:
• AUDITCONSOLE, AUDITFILE, AUDITFILERETENTION
• Audit Messages in the chapter titled Monitoring and Auditing

AUTOADDAUTHPRINCIPAL
Choose whether the PRINCIPAL should be automatically added if and only if either the password or the keyboard-interactive authentication method was successful, and only if the gssapi-with-mic authentication was executed successfully on Kerberos level but failed on SSH2 level only because none of the configured values for USER attribute PRINCIPAL matched the principal name found in the Kerberos ticket received from the SSH/SF
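The rollover rule in the AUDITMAXFILELENGTH considerations has a consequence worth seeing concretely: once the round robin set wraps, the oldest audit file is purged and its records are gone. The following in-memory model is an added example written for this page, not SSH2's own implementation; it assumes that the files of the set are named <AUDITFILE><n> for n from 0 to AUDITFILERETENTION-1, which the manual does not state (it only says the set is derived from AUDITFILE and AUDITFILERETENTION), and it uses a bytearray in place of each disk file.

```python
class AuditFileSet:
    """Round robin audit file set with size-triggered rollover.

    base:       AUDITFILE name; set members are named <base><n> (naming is an assumption)
    retention:  AUDITFILERETENTION, the number of files in the set
    max_kb:     AUDITMAXFILELENGTH in KB, 100 .. 40000 (default 20000)
    """

    MIN_KB, MAX_KB = 100, 40000

    def __init__(self, base, retention, max_kb=20000):
        if not self.MIN_KB <= max_kb <= self.MAX_KB:
            raise ValueError(f"AUDITMAXFILELENGTH must be {self.MIN_KB}..{self.MAX_KB} KB")
        if retention < 1:
            raise ValueError("AUDITFILERETENTION must be at least 1")
        self.base, self.retention, self.max_bytes = base, retention, max_kb * 1024
        self.files = {}          # file name -> bytearray standing in for the disk file
        self.purged_bytes = 0    # audit data destroyed by rollover (see note below)
        self.index = 0
        self.current = self._open(0)

    def _name(self, i):
        return f"{self.base}{i}"

    def _open(self, i):
        """Open set member i; an existing file of that name loses its contents."""
        name = self._name(i)
        if name in self.files:
            self.purged_bytes += len(self.files[name])
        self.files[name] = bytearray()
        return name

    def rollover(self):
        """Close the current file and open the next member of the set."""
        self.index = (self.index + 1) % self.retention
        self.current = self._open(self.index)
        return self.current

    def write(self, record):
        """Append one audit record, rolling over first if it would exceed the maximum."""
        if len(self.files[self.current]) + len(record) > self.max_bytes:
            self.rollover()
        self.files[self.current] += record
        return self.current

    def retained_bytes(self):
        return sum(len(f) for f in self.files.values())
```

Size AUDITFILERETENTION and AUDITMAXFILELENGTH so that the set holds more than the interval at which audit files are collected off the system; with a retention of 3 and 100 KB files, the model above shows the first file being purged after only about 300 KB of audit data.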
<str1>: Session Name; <str2>: Name of USER record; <int1>: Source port; <str3>: Normalized local host address
<str1> failed to open channel, reason: <str2>
  <str1>: Session Name; <str2>: Description
<str1> channel request failed
  <str1>: Session Name
<str1> error on channel: <str2>
  <str1>: Session Name; <str2>: Exception text
<str1> Remote Forwarding Error: <str2>
  <str1>: Session Name; <str2>: Error text
<str1> error on ssh session: <str2>
  <str1>: Session Name; <str2>: Exception text
<str1> aborting SSH session, reason: <str2>
  <str1>: Session Name; <str2>: Reason
<str1> forwarding from <str2> to <str3> denied, SSH2 parameter <str4> set to false
  <str1>: Session Name; <str2>: Normalized originator host address and port; <str3>: Normalized target host address and port; <str4>: ALLOWTCPFORWARDING
LOG LEVEL 20: <str1> forwarding from <str2> to <str3> denied, USER <str4> not found in database and PARAM <str5> set to true
  <str1>: Session Name; <str2>: Normalized originator host address and port; <str3>: Normalized target host address and port; <str4>: Guardian user name; <str5>: RE
1989, 1996, 1997 Sun Microsystems, Inc.; 1989, 1990, 1991 Transarc Corporation.
OSF software and documentation are based in part on the Fourth Berkeley Software Distribution under license from The Regents of the University of California. OSF acknowledges the following individuals and institutions for their role in its development: Kenneth C. R. C. Arnold, Gregory S. Couch, Conrad C. Huang, Ed James, Symmetric Computer Systems, Robert Elz. 1980, 1981, 1982, 1983, 1985, 1986, 1987, 1988, 1989 Regents of the University of California.

Contents
Preface
  Who Should Read This Guide
  Related Reading
  Document History
Introduction
  The SSH Solution
    Fully Compliant with the SSH Protocol Specification
    Strong Authentication and Multiple Cipher Suites
    Support of Full Screen Terminal Access
    Built-in User Base
    Central Key Store
    Secure SFTP Transfer
    TCP and FTP Port Forwarding
    Single Sign-On
    TCP/IPv6
  The SSH Protocol
145. …on a non-audited disk volume, SSH2 will fail to open the SSHCTL with error 80 (Invalid operation on audited file or non-audited disk volume). For testing you may add SSHCTLAUDIT FALSE to the startup parameters to work around this problem. For a production installation, however, it is strongly recommended that you have SSHCTL audited. Use the SSHCTL parameter to specify a filename on an audited disk volume if required.
A normal startup output looks similar to the following screen shot:
$SSH01 20Jan14 15:34:01.52 20
$SSH01 20Jan14 15:34:01.52 10 SSH2 version T9999H06_22Jan2014_comForte_SSH2_0097
$SSH01 20Jan14 15:34:01.53 10 config file: $SQAHPSSH.TO801ABK.ztc1cfg
$SSH01 20Jan14 15:34:01.53 10 config2 file:
$SSH01 20Jan14 15:34:01.54 20 object filename is \BWNS02.$SQAHPSSH.TO801ABK.SSH2
$SSH01 20Jan14 15:34:01.54 20 object subvolume is \BWNS02.$SQAHPSSH.TO801ABK, priority is 150
$SSH01 20Jan14 15:34:01.54 20 dumping configuration file
146. …only port 20 originator allowed for FTP | Variable parts: <str1> Session Name; <str2> Normalized originator host address and port; <str3> Normalized target host address and port
Log level 20 | Event text: <str1> listen request on <str2> denied: port forwarding not licensed | Variable parts: <str1> Session Name; <str2> Normalized address and port to bind
Log level 20 | Event text: <str1> forwarding from <str2> denied: only port 20 originator allowed for FTP data connections | Variable parts: <str1> Session Name; <str2> Normalized originator host address and port
Log level 20 | Event text: <str1> request rejected: user <str2> is not mapped to a SYSTEM-USER | Variable parts: <str1> Session Name; <str2> User name
Log level 20 | Event text: <str1> session rejected: SSH2 not licensed for general usage | Variable parts: <str1> Session Name
Log level 20 | Event text: Expected IPv6 address for parameter <str1> because IP mode is <str2> but found TCP/IPv4 address <str3>. Using value <str4> instead. | Variable parts: <str1> Parameter name; <str2> TCP/IP mode; <str3> Value configured for parameter; <str4> Normalized interface address value
Log level 20 | Event text: Expected IPv6 address for parameter <str1> because IP mode is <str2> but found IPv4 address <str3>. Using value <str4> instead. | Variable parts: <str1> Parameter nam
147. …220 np-dev.np.comforte.de FTP server (Version 6.5/OpenBSD/Linux-port/0.3.3) ready.
Name (127.0.0.1:user): m.horst
331 Password required for m.horst.
Password:
230 Have a lot of fun...
230 User m.horst logged in.
ftp> dir
200 PORT command successful.
150 Opening BINARY mode data connection for /bin/ls.
total 2062
-rw-r--r--  1 m.horst users    6340 Jun 19  2003 .Xdefaults
drwxr-xr-x  5 m.horst users     168 Jun 19  2003 Documents
-rw-r--r--  1 m.horst users  990000 Jan 19 15:00 ktest2
-rwxr-xr-x  1 m.horst users 1000000 Jan 19 14:58 ktestbig
drwxr-xr-x  2 m.horst users      80 Jun 19  2003 public_html
drwxr-xr-x  3 m.horst users     192 Nov 23 08:13 sshtest
226 Transfer complete.
1766 bytes received in 0.05 seconds (34.49 Kbytes/s)
ftp>
Due to the nature of the FTP protocol, the forwarding of an FTP session is more complex than, for example, a telnet session: an FTP session usually consists of a data and a control channel, each established in a different direction. The remote SSH daemon must support the forwarding of FTP sessions; not all SSH daemon implementations are able to handle FTP forwarding. Similar to the example under "Forwarding Remote Port to Local Port" in section "To Establish a Port Forwarding Tunnel with the NonStop SSH Client", the -R option can be used to forward an FTP connection from a remote host to the local host.
To Connect a Remote SCP
148. …2JAN2014_ABK 2014-01-24 14:42:45.368
OPEN $ssh01
ALTER USER SUPER.OPERATOR, ALLOWED-AUTHENTICATIONS (gssapi-with-mic, password)
OK, user SUPER.OPERATOR altered
Note: gssapi-with-mic is the standard name in RFC 4462 for GSSAPI-based user authentication. Including gssapi-with-mic in the list of allowed authentications will also enable GSS-API based key exchange and the gssapi-keyex user authentication method. gssapi-keyex is a variant of gssapi-with-mic that reuses the security context established during GSSAPI key exchange.
GSSAPI authentication can be automatically enabled for newly added users, either by using the SSH2 ALLOWEDAUTHENTICATIONS configuration parameter or by enabling gssapi-with-mic in the ALLOWED-AUTHENTICATIONS attribute of a user that has been configured with the SSH2 AUTOADDSYSTEMUSERSLIKE parameter.
Authorizing Kerberos Principals for Logon
For customers using a Kerberos solution, Kerberos authentication via GSSAPI allows the SSH2 daemon to securely identify the user's Kerberos principal name (such as the Microsoft Active Directory user ID). Using this unique Kerberos identity, users can be authorized to access one or more NonStop user accounts. The authorization can be controlled either implicitly or explicitly, as described in the following sections.
Implicit Authorization
Implicit authorization takes advantage of the Kerberos default authorization rule: if host H
149. Log level 30 | Event text: Host key Bubble Babble: <str1> | Variable parts: <str1> Key bubble babble
Log level 50 | Event text: <str1> connected SSH tunnel to FTP server at <str2> | Variable parts: <str1> Session Name; <str2> Normalized target host address and port
Log level 50 | Event text: Accepted connection from <str1>, port <int1>, sessionid is <str2> | Variable parts: <str1> Normalized originator host address; <int1> Tunnel originator port; <str2> Session Name
Log level 50 | Event text: <str1> connection closed by FTP client | Variable parts: <str1> Session Name
Log level 50 | Event text: <str1> connection closed by FTP server, closing SSH session | Variable parts: <str1> Session Name
Log level 50 | Event text: <str1> user <str2> connects via SSH host at <str3> to FTP server on port <str4> | Variable parts: <str1> Session Name; <str2> User name; <str3> Normalized target host address and port; <str4> Normalized FTP target host and address
Log level 40 | Event text: <str1> received password from FTP client, sending SSH authentication request (method none) | Variable parts: <str1> Session Name
Log level 40 | Event text: <str1> received quit command from FTP client | Variable parts: <str1> Session Name
Log level 40 | Event text: <str1> received FTP server welcome, attempting to login with SSH credentials | Variable parts: <str1> Session Name
Event text: <str1> received password request, sending user p
151. …version
Version: STN B21 04JAN2013
Vproc: T0801H01_24JAN2013_ABE
Link gmt: 04JAN2013_230358
Program object file: $SQAHPSSH.TO801ABE.STN
type: 800
Node: T
Process: $STN 0,1164
Started at: 2013-01-07 14:28
Time running: 0d 0h 32m
Backup process: 1,1175
Last backup takeover: no takeovers yet
exit
Exit
Comments: It is possible to add comments in IN files, OBEY files and at the interactive prompt. Any text following an exclamation mark (!) is treated as comment text. A comment line is continued on the next line if the last character is an ampersand (&).
Note: A single exclamation mark alone entered at the STNCOM terminal prompt means "repeat last command unchanged", while a single exclamation mark in an IN or OBEY file is treated as a comment line.
STNCOM Commands
Note: STN is also delivered as a component of comForte's SecurTN product, a fully functional secure Telnet server. STN supports several commands and features related to the Telnet server functionality. For clarity, these commands and features are not part of this manual.
STNCOM supports the following abbreviated keywords in commands:
SERVICE: SER
SESSION: SESS
WINDOW: WIN
ABEND: Immediately stops the STN process, creating a ZZSA dump file. If STN is running with a backup, the backup will take over. Use this command only on direction from support staf
152. …IPv4 only, IPv6 only, or both.
Parameter Syntax: IPMODE ip-mode
Arguments: ip-mode, the IP mode the SSH2 process will be running in. The following IP modes are supported:
IPV4: TCP/IP version 4 is supported only.
IPV6: TCP/IP version 6 is supported only.
DUAL: Both TCP/IP versions 4 and 6 are supported.
Default: The default value for this parameter is IPV4.
Example: IPMODE IPv6
Considerations: The IPMODE parameter of SSH2 corresponds to the TCP/IP monitor process option FAMILY. The configuration of SSH2 parameter SUBNET (or define TCPIP^PROCESS^NAME) must not contradict the value of IPMODE, i.e. if IPMODE is set to IPv4 then the TCP/IP process cannot be configured with FAMILY IPv6, and vice versa. Similarly, the configuration of SSH2 parameters INTERFACE and INTERFACEOUT must be set consistently with the setting of parameter IPMODE.
See also: SUBNET, INTERFACE, INTERFACEOUT
LICENSE: Use this parameter to specify a different location for the SSH2 license file.
Note: If you purchased NonStop SSH with the NonStop Operating System Kernel for H-Series and J-Series NonStop platforms, you will not need a license file anymore.
Parameter Syntax: LICENSE file
Arguments: file, the name of the SSH2 license file.
Considerations: If the file name is not fully qualified, SSH2 will add the home subvolume of the object file to the file name.
153. …5: Describes changes in SSH2 release 87. Documentation for the following new features has been added:
Descriptions for the SSH2 log message memory cache related parameters LOGCACHESIZE, LOGLEVELCACHE and LOGCACHEDUMPONABORT have been added.
The log cache related SSHCOM commands SET LOGCACHESIZE, SET LOGLEVELCACHE, SET LOGCACHEDUMPONABORT, FLUSH LOGCACHE and CLEAR LOGCACHE were described.
Added descriptions for SSHCOM commands STATUS SSH2, STATUS SESSION, STATUS CHANNEL and STATUS OPENER.
The document now contains a description of the file retention related SSHCOM commands ROLLOVER LOGFILE and ROLLOVER AUDITFILE.
Version 3.4: Describes changes in SSH2 release 86. Documentation for the following new features has been added:
A description for SSH2 parameter ALLOWEDSUBSYSTEMS has been added.
Parameter CLIENTALLOWEDAUTHENTICATIONS and ssh client option AllowedAuthentications have been added.
Finer control of full SSHCOM access via SSH2 parameters FULLSSHCOMACCESSUSER<i> and FULLSSHCOMACCESSGROUP<j> is now described.
The document now contains text about parameters SFTPEDITLINESTARTDECIMALINCR, SFTPEDITLINENUMBERDECIMALINCR and SFTPEDITLINEMODE, enhancing the control over Guardian edit lines written to NonStop (line numbers, handling of edit lines that are too long).
Added description for parameter SFTPUPSHIFTGUARDIANFILENAMES.
SSH2 parameter STOREDPASSWORDSONLY has been described.
V
155. Considerations: This parameter should be set to TRUE only if compatibility to previous behavior is required. Even if ALLOWFROZENSYSTEMUSER is set to TRUE, the methods password and keyboard-interactive will always fail due to the FROZEN state, because Safeguard is involved and will not authenticate a frozen user.
Example: ALLOWFROZENSYSTEMUSER FALSE
ALLOWINFOSSH2: This parameter defines the set of users that are allowed to execute the SSHCOM command INFO SSH2.
Parameter Syntax: ALLOWINFOSSH2 ALL | PARTIALSSHCOMACCESS | FULLSSHCOMACCESS
Arguments: Valid values are:
ALL: Every user is allowed to execute SSHCOM command INFO SSH2.
PARTIALSSHCOMACCESS: Only users configured with partial SSHCOM access are allowed to execute SSHCOM command INFO SSH2.
FULLSSHCOMACCESS: Only users having full SSHCOM access are allowed to execute SSHCOM command INFO SSH2.
Default: If omitted, ALLOWINFOSSH2 will be set to ALL. This is compatible with the behavior before introduction of the parameter, i.e. prior to version 0092.
Example: ALLOWINFOSSH2 ALL
See also: FULLSSHCOMACCESSUSER<i>, FULLSSHCOMACCESSGROUP<j>, PARTIALSSHCOMACCESSUSER<k>, PARTIALSSHCOMACCESSGROUP<n>
ALLOWPASSWORDSTORE: This parameter controls whether users are allowed to use stored passwords for connections to remote SSH daemons.
156. A license is no longer required for TNS/E systems. If a license file exists, then the customer name will be extracted from it.
Please see the section on the HOSTKEY parameter for more information on the interaction of the license file with the host key file.
Please see the section on the SSHCTL parameter for more information on the interaction of the license file with the SSH2 database.
Default: If omitted, an SSH2 process will search for a file named LICENSE on the subvolume where the SSH2 object resides.
LIFECYCLEPOLICYPRIVATEUSERKEY: This parameter controls the life cycle of user-generated private keys. If enabled, a "not valid before" date and a "not valid after" date can be defined for each individual key. This can be achieved by setting the dates explicitly via the entity KEY attributes LIVE-DATE and EXPIRE-DATE, or implicitly via a globally defined length of the key pending time period after key generation and length of the period a key is in LIVE state. Only a key in LIVE state may be part of a publickey authentication of the user owning a private key.
Parameter Syntax: LIFECYCLEPOLICYPRIVATEUSERKEY DISABLED | FIXED | VARIABLE
Arguments:
DISABLED: Life cycle control for user-generated private keys will not be enabled. When a key is generated it is immediately in state LIVE and it will never expire.
FIXED: Users without full SSHCOM access cannot set
157. …ACCESSUSER, PARTIALSSHCOMACCESSGROUP.
The DAEMONMODEOWNERPOLICY is only applicable when issuing SSHCOM INFO USER or SSHCOM ALTER USER commands in daemon mode.
The logged-in Guardian user who started the SSHCOM session and is a group manager of the OWNER field value automatically has partial access rights to the daemon mode USER records.
If DAEMONMODEOWNERPOLICY NONE was not specified, group managers (e.g. <groupname>.manager) will always be treated as DAEMONMODEOWNERPOLICY BOTH, regardless of whether LOGINNAME or GUARDIANNAME was specified.
If SUPER.SUPER is denied full SSHCOM access via an OBJECTTYPE USER DENY C entry, the user SUPER.SUPER can still be configured as the owner of a USER record and would get partial access rights. Also, SUPER.SUPER would have partial access rights for all USER records configured with a super group user as OWNER if the policy is GUARDIANNAME or BOTH.
Default: The default value is NONE.
Examples: DAEMONMODEOWNERPOLICY LOGINNAME
See also: FULLSSHCOMACCESSGROUP<j>, FULLSSHCOMACCESSUSER<i>, PARTIALSSHCOMACCESSGROUP<n> and PARTIALSSHCOMACCESSUSER<k>; see "Security within SSHCOM" in section "SSHCOM Command Reference" about full and partial access rights.
DISCONNECTIFUSERUNKNOWN: Use this parameter to specify that incoming connections are immediately disconnected when the supplied SSH user name could n
158. …API related links shown below are of interest if Single Sign-on will be configured (see section "Single Sign-on with GSSAPI Authentication"):
http://web.mit.edu/Kerberos
http://www.ietf.org/rfc/rfc4462.txt
The following reading is prerequisite documentation for administrators configuring SSH2 for IPv6 support:
HP NonStop documentation: TCP/IPv6 Migration Guide
HP NonStop documentation: TCP/IPv6 Configuration and Management Manual
The following TCP/IPv6 related links may be helpful when preparing the SSH2 IPv6 configuration:
http://en.wikipedia.org/wiki/IPv6
http://tools.ietf.org/html/rfc1639 (FTP Operation Over Big Address Records, FOOBAR)
http://tools.ietf.org/html/rfc2428 (FTP Extensions for IPv6 and NATs)
http://tools.ietf.org/html/rfc2460 (Internet Protocol, Version 6 (IPv6) Specification)
http://tools.ietf.org/html/rfc4291 (IP Version 6 Addressing Architecture)
http://www.tcpipguide.com/free/t_IPv6Addressing.htm
http://tools.ietf.org/html/draft-ietf-6man-text-addr-representation-04
http://tools.ietf.org/html/rfc4038
Document History
Version 4.4: Describes changes in SSH release 97. Documentation for the following new features has been added:
Added STNCOM SSHCOM OUT command and STNCOM UAIPADDR command.
Changed the range for STNCOM MAX_OPENERS and the max continuation command length for STNCOM SSHCOM
160. Audit Format: SSH2 allows users to customize certain aspects of the appearance of audit messages. Using the AUDITFORMAT parameter you can add the current date to the log message header. Please refer to the AUDITFORMAT parameter description for details.
Audit Reports: No tool is provided with SSH2 to create audit reports. However, given the simple format of the audit messages, any tool with sufficient text filtering capabilities can be used to create reports. Using OSS to look at the audit file (see section "Viewing File Contents from OSS") it is possible to create flexible reports with brief commands. If you need help in doing so, please contact the HP or comForte support team, depending on which product you are using.
List of Audit Messages: The following table shows the complete list of audit messages as created from release 89 on.
Note: Not all audit event variations with different conditions are currently used, but may be in the future. Token values can be empty. Audit event patterns can change in the future.
Table columns: Event Id, Event Name, Conditions, Pattern, Token Values.
Event Id 1 | Event Name: AuthenticationEvent | Conditions: Authentication successful, method not publickey and not gssapi-with-mic | Pattern tokens: sessionId, %user, remoteAddress, action %outcome, method %method, reason, %systemUser | Token values: sessionId = SESSION LOG ID; %user = SSH username; %systemUser = System user; remoteAddress = remote IP address
161. …BUTORS BE L[IABLE] …ARY, OR PROCUREMENT OF …OR …LIABILITY, …INCLUDING NEGLIGENCE …ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE …
One component of the ssh source code is under a 3-clause BSD license, held by the University of California, since we pulled these parts from original Berkeley code.
Copyright (c) 1983, 1990, 1992, 1993, 1995 The Regents of the University of California. All rights reserved.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
3. Neither the name of the University nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
163. …PARAM TRACE SIZE must precede PARAM TRACE FILE.
CAUSE: PARAM TRACE SIZE followed PARAM TRACE FILE.
EFFECT: PARAM TRACE SIZE is ignored, so the trace file is opened with the default size.
RECOVERY: Reorder the PARAM list. STNCOM commands can be used to stop and restart the trace using the desired size without shutting down STN.
zstn-evt-reply-error (value is 21): <1> Reply error <2>; <2> is the error code.
CAUSE: An unexpected file system error was returned by REPLYX.
EFFECT: Usually none, unless other errors are noted.
RECOVERY: If the problem persists, contact Support.
zstn-evt-stopping (value is 22): <1> Process stopping (SHUTDOWN command).
CAUSE: The STNCOM command SHUTDOWN was entered.
EFFECT: The STN process terminates. The backup process, if any, is stopped first. Any active sessions are immediately terminated.
RECOVERY: Restart STN.
zstn-evt-cpuswitch (value is 23): <1> Primary process stopping (CPUSWITCH command).
CAUSE: The STNCOM command CPUSWITCH was entered.
EFFECT: A backup takeover occurs and the old primary becomes the new backup.
RECOVERY: None, informational only.
zstn-evt-enter-debug (value is 24): <1> Process entering debug.
CAUSE: The STNCOM command DEBUG was entered.
EFFECT: The STN process enters inspect/debug at its current home terminal. This will suspend all STN operation and can time out any active sessions if the debug state is not exited within a short time.
164. …Should all IP addresses configured in a specific IP process be listed in parameter INTERFACE, then only one listener for the ANY address is started against that IP process, and not one for each of the listed configured IP addresses of that IP process. If at least one IP address listed in the parameter INTERFACE value is configured in an IP process, then there will be at least one listen started against that IP address. If none of the IP addresses of the INTERFACE value match, then no listener gets started.
If one IP process is configured via define TCPIP^PROCESS^NAME or parameter SUBNET, then all IP addresses configured in INTERFACE must correspond to a subnet in that one IP process. If more than one IP process is configured via parameter SUBNET, then the values in INTERFACE may belong to any of the configured IP processes. Listeners will only be started for those IP addresses that match a subnet of an IP process. In case none of the INTERFACE values correspond to any of the subnets of an IP process, then no listeners get started for that IP process.
The same IP address may be configured in more than one IP process. If that IP address is configured in INTERFACE, then a listen on such an IP address is issued against each of the configured IP processes. There may be the requirement to listen on specific IP addresses of some IP processes but to listen on the ANY address for oth
165. …(parameter overview, continued)
ALLOWEDAUTHENTICATIONS: Sets the list of allowed authentications for users automatically added to SSHCTL.
ALLOWEDSUBSYSTEMS: Sets the list of allowed subsystems, which globally restricts the users' settings of the ALLOWED-SUBSYSTEMS attribute.
ALLOWFROZENSYSTEMUSER: Controls whether ssh users with a frozen Safeguard user configured as SYSTEM-USER are allowed to authenticate.
ALLOWINFOSSH2: Controls who is allowed to execute SSHCOM command INFO SSH2.
ALLOWPASSWORDSTORE: Controls whether users are allowed to use stored passwords for connections to remote SSH daemons.
ALLOWTCPFORWARDING: Allows global configuration of TCP port forwarding.
AUDITCONSOLE: Determines whether audit messages are written to the console.
AUDITEMS: Determines whether audit messages are written to EMS.
AUDITFILE: Determines whether audit messages are written to a file.
AUDITFILERETENTION: Controls audit file rollover.
AUDITFORMAT: Controls the format of the audit messages that are written.
AUDITFORMATCONSOLE: Controls the format of the audit messages that are written to the console.
AUDITFORMATEMS: Controls the format of the audit messages that are written to EMS.
AUDITFORMATFILE: Controls the format of the audit messages that are written to a file.
AUDITMAXFILELENGTH: Controls the maximum size of the audit file.
AUTOADDAUTHPRINCIPAL: Controls whether t
Further parameters listed (descriptions cut off): AUTOADDSYSTEMUSERS, AUTOADDSYSTEMUSERSLIKE, BACKUPCPU, BANNER, BURSTSUPPRESSION, BURSTSUPPRESSIONEXPIRATIONTIME, BURSTSUPPRESSIONMAXLOGLEVEL, CACHEBURSTSUPPRESSION, CIPCOMPATERROR, CIPHERS.
167. …LIFECYCLEPOLICYPUBLICUSERKEY is set to VARIABLE, then every user with partial SSHCOM access can change field EXPIRE-DATE.
LIVE-DATE: This optional attribute of an ssh user's PUBLICKEY entry is used to set the LIVE-DATE ("not valid before" date) for the public key. This attribute can only be set if the life cycle policy for User Public Keys is enabled, determined by SSH2 parameter LIFECYCLEPOLICYPUBLICUSERKEY. If SSH2 parameter LIFECYCLEPOLICYPUBLICUSERKEY is set to FIXED, then field LIVE-DATE can be modified by the SUPER.SUPER user only (unless explicitly denied in the OBJECTTYPE USER record) or by those configured with full SSHCOM access. In case SSH2 parameter LIFECYCLEPOLICYPUBLICUSERKEY is set to VARIABLE, then every user with partial SSHCOM access can change field LIVE-DATE.
OWNER: Similar to the Safeguard USER-ALIAS field OWNER, and to base new access rules on that field. This allows an existing local user to modify all USER records that are configured with that local user as the value for the new USER attribute OWNER. The allowed actions will be the same as defined by the PARTIALSSHCOMACCESSUSER/GROUP parameters. The OWNER field for existing USER records will be assumed to be NONE. New USER records will be set to OWNER NONE by default, unless attribute OWNER is explicitly set to a different value. The owner could be identical to the SYSTEM-USER value, could be SUPER.SUPER, or the group manager of the user c
168. …Client to the NonStop Server
The SCPOSS object must be available in the OSS name space under the name scp and must be found via the PATH environment variable. This can be achieved by creating a symbolic link to the installation location, e.g. ln -s /G/system/zssh/scposs /usr/bin/scp. The environment variable ENV must be set via user attribute SHELL-ENVIRONMENT to ensure the PATH environment variable gets set appropriately. This can be achieved, e.g., by altering the user as follows (/etc/profile is just an example and often not a good choice): ALTER USER test.us, SHELL-ENVIRONMENT /etc/profile. Ensure that shell scripts executed via ENV do not produce any output on stdout. After the preparation is done, you can connect with an SCP client on a remote system to SSH2 listening on the NonStop server as follows:
test@np-dev02:testsftp> rm bigtxt
test@np-dev02:testsftp> scp test.us@10.0.0.196:bigtxt .
test.us@10.0.0.196's password:
bigtxt 100% 640KB 640.0KB/s 00:00
test@np-dev02:testsftp> ls bigtxt
bigtxt
Using Public Keys to Authenticate Remote Users
This section describes how SSH2 can authenticate remote users using public keys. This involves creating a public key for the user on the remote system and making the public key known to SSH2 on the NonStop server. After performing the steps described below, you should be able to connect to the NonStop server with your remote SSH or SFTP client using only the public key, without entering t…
169. …D: start SSH2 with SAFEGUARD-PASSWORD-REQUIRED TRUE.
10: <str1>: failed to create passive data connection tunnel from <str2> to <str3>: <str4>. Variable parts: <str1> Session name; <str2> Normalized originator host address and port; <str3> Normalized target host address and port; <str4> Description.
10: Invalid state <int1> in FtpTunnelLayer Notify, closing channel. Variable parts: <int1> State.
Event Category WARNING (log level 20). Columns: LOG LEVEL; EVENT TEXT; Description / Variable Parts.
20: gssapi kex failed: <str1>. Variable parts: <str1> Error message.
20: <str1>: GSS KEX disabled: <str2>. Variable parts: <str1> Session Name; <str2> Error text.
20: <str1>: forwarding remote <str2> connection from <str3> to <str4> failed: <str5>. Variable parts: <str1> Session Name; <str2> Protocol; <str3> Normalized originator host address and port; <str4> Normalized target host address and port; <str5> Description.
20: <str1>: listen request from remote failed, could not listen on <str2>: <str3>. Variable parts: <str1> Session Name; <str2> Normalized address and port to bind; <str3> Error text.
20: <str1>: listen on <str2> terminated with error: <str3>. Variable parts: <str1> Session Name; <str2> Address and port to listen on; <str3> Error text.
20: <str1…
170. …D command; please see that section for details. Only the SUPER.SUPER user (unless explicitly denied in the OBJECTTYPE USER record) or those configured with full SSHCOM access can alter a password entry for other users.
DELETE PASSWORD
The DELETE PASSWORD command deletes a password from the database and has the following syntax:
DELETE PASSWORD [<system user name>:]<remote user>@<target host>[:<target port>]
The individual attributes have the following meaning and syntax:
<system user name>: A valid local GUARDIAN user who owns the password entry in the user database. If <system user name> is omitted, either the user being set with a previously issued ASSUME USER command or the issuer of the ADD PASSWORD command will be used as the default. If <system user name> is specified, it MUST be followed by a ":" to separate it from the known host name that follows. Only the SUPER.SUPER user (unless explicitly denied in the OBJECTTYPE USER record) or those configured with full SSHCOM access can delete a password entry for other users.
<remote user>: The user name to be used on the remote system.
<target host>: The DNS name or IP address of the target system.
<target port>: The listening port of the remote SSH server. If this optional attribute is omitted, the default of 22 is used.
FREEZE PASSWORD
The FREEZE PASSWORD…
171. …E (truncated listing of SSH2 parameter values as displayed by SSHCOM; column separator glyphs from the scan are dropped)
Parameters with their values: LOGFILERETENTION <10>; LOGFORMATCONSOLE <93>; LOGFORMATEMS <16>; LOGFORMATFILE <93>; LOGLEVEL <50>; LOGLEVELCACHE <50>; LOGLEVELCONSOLE <50>; LOGLEVELEMS <20>; LOGLEVELFILE <50>; LOGMAXFILELENGTH <1000>; LIFECYCLEPOLICYPRIVATEUSERKEY <DISABLED>; LIFECYCLEPOLICYPUBLICUSERKEY <DISABLED>; LOGEMSKEEPCOLLECTOROPENED <TRUE>; MACS <hmac-sha1,hmac-md5,hmac-sha1-96,hmac-md5-96>; OWNER <RoGeR>.
Values whose parameter names did not survive extraction: <IPV4>; <\BWNS02.$SQAHPSSH.TO801ABK.LICENSE>; <TRUE>; <1024>; <>; <>; <$SQAHPSSH.TO801ABK.ZTC1LLOG>; IAC…
Parameter names cut off at the right margin: PARTIALSSHCO…; PARTIALSSHCO…; PAUTHSUPPRES…; PORT; PTCPIPFILTER…; PTCPIPFILTER…; PTYSERVER; RECORDDELIMI…; RESTRICTIONC…; SFTPALLOWGUA…; SFTPCPUSET; SFTPEDITLI…; SFTPEDITLI…; SFTPEDITLI…; SFTPENHANCE…; SFTPEXCLUSI…; SFTPIDLETIME…; SFTPMAXEXTEN…; SFTPPRIMARYE…; SFTPREALPATH…; SFTPSECONDAR…; SFTPUPSHIFTG…; SHELLENVIRON…; SOCKETKEEPAL…; SOCKETRCVBUF; SOCKETSNDBUF; SOCKTCPMAXRX…; SOCKTCPMINRX…; SOCKTCPRXMTC…; SOCKTCPTOTRX…; SSH2PROCESSN…; SSHAUTOKEXBY…; SSHAUTOKEXTI…; SSHCTL; SSHCTLAUDIT; SSHKEEPALIVE; STOREDPASSWO…; STRICTHOSTKE…; SUBNET.
172. …E is present.
EFFECT: Future window names for this STN process use the traditional ZWNnnnn scheme. If this error occurs for multiple STN processes, then duplicate ZWN names can occur.
RECOVERY: Correct the underlying error and restart the STN process.
zstn-evt-gwn-allocated (value is 1063): <1> GWN File <2>: Allocated names <3> to <4>. <2> GWN file name; <3> first window name allocated to this STN process; <4> last window name allocated.
CAUSE: This STN process allocated (reserved) a block of window names from the GWN file.
EFFECT: The specified window names will be used for future sessions for this STN process.
RECOVERY: None, informational.
zstn-evt-abend (value is 1): <1> Process abend due to <2>. <2> provides a brief textual description.
CAUSE: An unrecoverable internal error was detected.
EFFECT: The STN process will abend and usually create a ZZSA dump file. If a backup process is running, it will take over; if not, STN will terminate.
RECOVERY: If STN is not running with a backup process, STN must be restarted. Forward the ZZSA file to Support.
zstn-evt-alloc (value is 2): <1> Allocatesegment err <2>, POOL SIZE <3> words. <2> error code; <3> requested size in words.
CAUSE: An extended segment could not be allocated for the STN internal buffer pool.
EFFECT: The STN process will abend and usually create a ZZSA dump file. STN wi…
173. …ECTTYPE USER access configuration: ignoring entry <entry> because type <type num> (<type name>) is REMOTE specific.
Cause: SSH2 found an OBJECTTYPE USER entry with network id. Effect: SSH2 ignores that entry. Recovery: Add a local ACL OBJECTTYPE USER entry, i.e. one without node spec.
Session Related SSH2 Errors
Session related errors are reported as SSH2 warning log messages. Warning messages have a log level of 20.
Session Related Error Messages of SSH2 Daemon
All messages related to a connection received from a remote SSH client are preceded by a session ID. These messages adhere to the following format: <session id>: <remote IP address>:<remote port>. <remote ip address> is the IP address of the system the SSH client is connecting from, and <remote port> is the port number assigned to the SSH client session on the remote side. The messages are as follows:
<session id>: Error: <error description>. <error description> is a description of the error condition. Cause: An error occurred on the SSH session. Typical errors include network related errors. Effect: The SSH session is closed. Recovery: Any corrective action depends on <error description>.
<session id>: Disconnect from remote: <disconnect reason>. <disconnect reason> is a description received from the remote client to describe…
174. …ER with DENY Create authority. The parameter sets FULLSSHCOMACCESSUSER<i> and FULLSSHCOMACCESSGROUP<j> are ignored. Non-super.super users configured with Create authority in the OBJECTTYPE USER record are granted full access to all daemon mode commands.
CLIENT MODE commands
The user super.super can execute any client mode command for all users unless explicitly configured in the OBJECTTYPE USER with DENY Create authority. The parameter sets FULLSSHCOMACCESSUSER<i> and FULLSSHCOMACCESSGROUP<j> are ignored. If a person wants to execute an SSHCOM CLIENT MODE command affecting records for a specific Guardian user or alias <user or alias>, they must either be logged on as <user or alias> or meet these two qualifications:
- Have CREATE (C) authority on the OBJECTTYPE USER access control list.
- Be the owner of the underlying Safeguard user ID of <user or alias>, or be the group manager of the owner of the underlying Safeguard user ID of <user or alias>.
SSHCOM Access Summary
Shortcuts used in the following table: SUPER = SUPER.SUPER; OU = OBJECTTYPE USER; OUR = OBJECTTYPE USER RECORD; FullSA = FULLSSHCOMACCESSUSERi/GROUPj; PartialSA = PARTIALSSHCOMACCESSUSERk/GROUPn.
Table columns: User is SUPER | Thawed OU exists | User configured in OUR | User included in FullSA | User included in PartialSA | Allowed USER Commands. First row: All…
175. …ESSION, CONSOLEBURSTSUPPRESSION, EMSBURSTSUPPRESSION and FILEBURSTSUPPRESSION are ignored regardless of their value. On the other hand, when BURSTSUPPRESSION is FALSE, the log target settings enabled via the target specific boolean parameters EMSBURSTSUPPRESSION, CONSOLEBURSTSUPPRESSION, FILEBURSTSUPPRESSION and CACHEBURSTSUPPRESSION are used. When BURSTSUPPRESSION is TRUE and BURSTSUPPRESSIONMAXLOGLEVEL is smaller than the log level assigned to a log message, then duplicates of that log message (for the targets cache, console, EMS or file) are not suppressed.
Default: If omitted, BURSTSUPPRESSION is set to FALSE.
Example: BURSTSUPPRESSION TRUE
See also: BURSTSUPPRESSIONEXPIRATIONTIME, BURSTSUPPRESSIONMAXLOGLEVEL, CACHEBURSTSUPPRESSION, CONSOLEBURSTSUPPRESSION, EMSBURSTSUPPRESSION and FILEBURSTSUPPRESSION
BURSTSUPPRESSIONEXPIRATIONTIME
Use this parameter to configure the interval after which log burst suppression for log messages of all log targets (EMS, Console, File and Cache) expires, so that a duplicate log message is logged again.
Parameter Syntax: BURSTSUPPRESSIONEXPIRATIONTIME <number of seconds>
Arguments: <number of seconds> Specifies the BURSTSUPPRESSIONEXPIRATIONTIME interval in seconds during which duplicate log messages are not logged.
Considerations: BURSTSUPPRESSION or one of the log target specific parameters (CACHEBURSTSUPPRESSION, CONSOLEBURSTSUPPR…
176. …ESSION, EMSBURSTSUPPRESSION and FILEBURSTSUPPRESSION) need to be set to TRUE, otherwise the value of BURSTSUPPRESSIONEXPIRATIONTIME is ignored.
Default: If omitted, BURSTSUPPRESSIONEXPIRATIONTIME is set to 300.
Example: BURSTSUPPRESSIONEXPIRATIONTIME 240
See also: BURSTSUPPRESSION, BURSTSUPPRESSIONMAXLOGLEVEL
BURSTSUPPRESSIONMAXLOGLEVEL
Use this parameter to configure the maximum log level up to which duplicate log messages are suppressed for all log targets (EMS, console, file and cache).
Parameter Syntax: BURSTSUPPRESSIONMAXLOGLEVEL <detail>
Arguments: <detail> A number is used to represent the level of suppression desired. A valid number must be between 1 (indicating no suppression) and 100 (indicating to suppress all duplicate log messages).
Considerations: Burst suppression (BURSTSUPPRESSION) is ignored for log messages with a log level greater than the maximum log level defined by parameter BURSTSUPPRESSIONMAXLOGLEVEL.
Default: If omitted, BURSTSUPPRESSIONMAXLOGLEVEL is set to 40.
Example: BURSTSUPPRESSIONMAXLOGLEVEL 50
See also: BURSTSUPPRESSION, BURSTSUPPRESSIONEXPIRATIONTIME
CACHEBURSTSUPPRESSION
Use this parameter to configure burst suppression for duplicate log messages of the log target memory cache.
Parameter Syntax: CACHEBURSTSUPPRESSION TRUE | FALSE
Arguments: TRUE | FALSE Specifies whether CACHEBURSTSUPPRESSION is enabled or not.
177. …ET STATISTICS
STATISTICS SESSION
The SSHCOM command has the following syntax: STATISTICS | STATS SESSION <session id> | * [, DETAIL] [, WIDTH <width>] [, LOG ONLY]
<session id>: The internally assigned identifier (positive integer) of a session. Alternatively the wild card character (*) can be specified instead of a session id.
The individual options have the following meaning and syntax:
DETAIL: If the DETAIL flag is set, detailed information is displayed.
WIDTH: The number <width> is the maximum number of characters per output line. If WIDTH is not specified, the default value 80 is assumed. In order to avoid a new line when the terminal is configured with line wrapping on, the line will only be filled with one character less than the specified width.
LOG ONLY: Normally the output of the STATS command will be displayed at the terminal where SSHCOM was started. With the LOG ONLY flag set, the output will be written to the log file (if logging to a file is enabled).
DISABLE STATISTICS: Disables gathering of statistics data. Syntax: DISABLE STATISTICS | STATS
ENABLE STATISTICS: Enables gathering of statistics data. Syntax: ENABLE STATISTICS | STATS
RESET STATISTICS: Resets statistics counters (rates). Syntax: RESET STATISTICS | STATS
STATUS STATISTICS: Displays status of statistics, e.g. if gathering statistic…
178. …ET was evaluated. DEFINE =TCPIP^PROCESS^NAME was set to <\NPNS01.$ZTC1>; TCP/IP process is $ZTC1. DEFINE =SSH2^PROCESS^NAME was set to <\NPNS01.$SSH42>. Initializing SSH2 ADMIN run mode. Initializing SSH2 CLIENT run mode. Initializing SSH2 DAEMON run mode. Loading private key from HOSTKEY. Host key algorithm: ssh-dss.
$SSH42 09Dec09 20:00:18.23 30 Host key MD5 fingerprint: b0 0c7 86 e6 63 b8 2d 4b b7 78 84 ec dce 33 ed c9
$SSH42 09Dec09 20:00:18.23 30 Host key Bubble Babble: xetig-fegyg-pidyn-babyl-kefod-sigeh-danyb-gykyl-sebuc-curul-fuxyx
$SSH42 09Dec09 20:00:18.23 10 SSH2 Server listening on interface 0.0.0.0, port 42022
The following example shows some log messages when an SFTP client connects, issues some commands and disconnects (the right-hand end of several lines is cut off in the scan):
09Dec09 20:15:42.96 10.0.0.78:3133: accepted connection from client
09Dec09 20:15:42.98 10.0.0.78:3133: client version string: SSH-2.0-H_3.8.1pl1
09Dec09 20:15:43.05 10.0.0.78:3133: SSH session established
09Dec09 20:15:43.07 10.0.0.78:3133: none authentication for user comf.us …lowed
09Dec09 20:15:43.15 40 10.0.0.78:3133: signature ok, authentication of comf.us …sful
09Dec09 20:15:43.17 50 10.0.0.78:3133: channel request for subsystem sftp, …ing sftp server
09Dec09 20:15:43.25 50 10.0.0.78:3133: launched program L SUS SSH87A SFTPSERV successfully \NPNS01 220B 45580213
09Dec09 20:17:20.24 40 10.0.0.78:3133: SSH session terminated
179. …F file will be set. However, any DEFINE =TCPIP^RESOLVER^NAME passed to SSH2 at startup will remain in effect.
Default: The default for this parameter is "".
Considerations:
- Use this parameter to pass the value for the DEFINE =TCPIP^RESOLVER^NAME parameter to SSH2 servers configured as generic processes. This can also be achieved by adding the define =TCPIP^RESOLVER^NAME for the generic process (possible since G06.28/H06.06).
- In case the define =TCPIP^RESOLVER^NAME causes unwanted behaviour, it is possible to disable the propagation of defines completely; see parameter PROPAGATEDEFINES.
See also: PROPAGATEDEFINES
USETEMPLATESYSTEMUSER
The SYSTEM-USER of the template user is used for an automatically added user if the Boolean parameter USETEMPLATESYSTEMUSER is TRUE. The value of USETEMPLATESYSTEMUSER is only relevant in case AUTOADDSYSTEMUSERS is set to TRUE and AUTOADDSYSTEMUSERSLIKE is configured, defining the template USER record. This allows the addition of users with the same dummy Guardian user ID or with the SYSTEM-USER value of NONE.
Parameter Syntax: USETEMPLATESYSTEMUSER TRUE | FALSE
Arguments: TRUE: The SYSTEM-USER of the USER template record is used for the newly added USER record. FALSE: The SSH user name is used as SYSTEM-USER for the newly added USER record.
Default: The default for this parameter is FALSE.
See also: AUTOADDSYSTEMUSERS, AUTOADDSYSTEMUSERSLIKE
180. …FORE | AFTER | BOTH: WELCOME_SEQ controls the sequence of the WELCOME display relative to the Enter Choice> prompt. The default setting is BEFORE, which displays the WELCOME text before the Enter Choice> prompt. AFTER displays the WELCOME text after the response to the Enter Choice> prompt. BOTH displays the WELCOME in both places.
WIN_AVAIL_ALWAYS Y | N: Controls availability of dedicated windows to connect to a new session. Default N means availability is determined by WIN_AVAIL_C11. When set to Y, a DEDICATED window is always available for connection to a new remote session request, even if there is no active open from any application to that window.
WIN_AVAIL_C11 Y | N: Determines availability of a window when a static service is selected from the STN02 menu or a session attempts to connect to a dedicated window. Set to Y, the window is available if one or more control-11 requests are outstanding. The default is Y. Set to N, the window is available if the window has one or more application openers. If the window is available, the session is connected to it; if not, the STN13 error message is displayed, followed by a repeat of the STN02 service menu.
WSINFO NONE | QUERY | REQUIRED | MATCH: The command WSINFO requests workstation information using ESC-9e, supported by the Win6530 and J6530 emulators by comForte. The information fields HOST NAME, IP ADDRESS and USER NAME are retrieved an…
181. …FTP clients.
(Parameter descriptions, continued; the parameter names in the left column did not survive extraction.)
- Default secondary extent size for files created on the NonStop system.
- Defines that all Guardian file names are to be treated as all upper or all lower case.
- Default value for USER attribute SHELL-ENVIRONMENT.
- Specifies whether keep alive messages are enabled for TCP/IP sockets.
- For setting the receive buffer size socket option.
- Allows setting the send buffer size socket option.
- Allows setting the maximum time for the TCP retransmission timeout (socket option).
- Allows setting the minimum time for the TCP retransmission timeout (socket option).
- Allows setting the maximum number of continuous retransmissions prior to dropping a TCP connection (socket option).
- Allows setting the maximum continuous time spent retransmitting without receiving an acknowledgement from the other endpoint (socket option).
- Controls the frequency of key re-exchange on SSH sessions depending on the number of transferred bytes.
- Controls the frequency of key re-exchange on SSH sessions depending on a timer.
- File name of the user database.
- Determines whether the user database file will be created as an audited file or not.
- Controls the frequency of SSH keepalive messages.
- Disables the password prompt for authentication method password, allowing only stored passwords to be used.
- Determines if local users are allowed to connect to unknown hosts.
- Specifies one or more TCP/IP processes to use. DEFINE =TCPIP^PROCESS^NAME has precedence over this parameter.
- Controls if SSH2…
182. …G <detail>
Arguments: <detail> The level of detail. Possible values: 0, 1 and 2. For value 0 the same level of detail gets produced as before the introduction of parameter SFTPENHANCEDERRORREPORTING. Value 1 means an increased detail level and 2 is the maximum detail level.
Considerations:
- The parameter can be set for the SSH2 process (checked by the SFTP server) and for SFTP clients.
- For SFTP clients, either PARAM SFTP or environment variable SFTPOSS must be used to configure the parameter.
- There are errors where additional details are not yet available.
Default: If omitted, value 0 is the default value.
Example: SFTPENHANCEDERRORREPORTING 1
SFTPEXCLUSIONMODEREAD
Use this parameter to set the exclusion mode of structured files that are opened for read via system procedure FILE_OPEN_.
Parameter Syntax: SFTPEXCLUSIONMODEREAD <exclusion>
Arguments: <exclusion> The file open exclusion mode for read operations. Valid values are SHARED, EXCLUSIVE and PROTECTED.
Considerations:
- If a file is open for write by another process (shared or protected) and this file is to be read by SFTP or SFTPSERV, then reading this file will only fail if the parameter is set to a value other than SHARED. It can be required to force a failure in this scenario to ensure the process writing the file closes the file before the file transfer.
- If a ge…
183. …H as part of the RVU or as an independent product for G-Series prior to G06.32, an STN PTY server will be pre-installed as a generic process SSH-ZPTY ($ZPTY).
Starting STN from TACL
STN can be started using standard TACL commands. It can also be configured as a generic process. The example below shows how to start STN from scratch without a TACL routine:
1. logon super.super
2. volume $vol.subvol
3. clear all
4. param ...
5. run stn /name $PTY, pri 180, nowait/
6. run stncom $ZPTY
Following is a detailed explanation of each step:
1. logon super.super: Like SSH2, the STN PTY server must be started under user SUPER.SUPER.
2. volume $vol.subvol: Point to the subvolume where STN is installed.
3. clear all: Clears all parameters for this TACL session.
4. param: Specify parameters. All parameters are optional. Except for TRACE_SIZE and TRACE_FILE, they may be specified in any order.
PARAM BACKUPCPU cpu: Specifies the backup CPU number. The default is NONE. See the STNCOM BACKUP/BACKUPCPU command for a description of available options.
PARAM GWN_TEMPLATE AAAnnn: Controls session and window names. Refer to section Session and Window Naming.
PARAM GWN_INITIAL RANDOM: Controls session and window names. Refer to section Session and Window Naming.
PARAM GWN_FILE filename: Controls session and window names. Refer to section Session and Wi…
184. …H configuration in environments with many TCP/IP processes but little traffic over each IP process.
Multiple Allowed Listen IP Address Configuration
Before the introduction of support for multiple IP processes, there had already been support for multiple IP addresses. There was just the restriction that all IP addresses had to be configured in one IP process, and it was not possible to start a listen on a subset of the configured IP addresses: it had to be either one IP address or all (achieved by using the ANY address for listening). Now it is possible to listen on a set of IP addresses, which can be configured in a set of IP processes. The set of listen IP addresses is specified via parameter INTERFACE and the set of IP processes is configured via parameter SUBNET.
Example: Assume INTERFACE is set to 1.2.3.4,1.2.3.5 and SUBNET is configured as $ZTC1, which has configured subnets for 1.2.3.6 in addition to 1.2.3.4 and 1.2.3.5. In this case two listens are initiated against the IP process $ZTC1: one for IP address 1.2.3.4 and one for IP address 1.2.3.5. In a different scenario the address 1.2.3.4 may be configured in process $ZTC1 and 1.2.3.5 in process $ZTC0. Both processes are assumed to have other subnets. With INTERFACE again set to 1.2.3.4,1.2.3.5 and SUBNET set to $ZTC0,$ZTC1, the SSH2 process will again issue two listen operations, but this time one for IP address 1.2.3.4 against IP process $ZTC1 and one for IP address 1.2.3.5 against IP process $ZT…
185. …H session establishment. The same effect can be achieved with SFTP clients by setting the SFTP OSS process priority to an appropriate value.
Version 1.7: Describes changes in SSH2 releases 0044 and later. The SFTP client now supports passwords as a means of authentication. This is reflected in the following changes:
- The new entity PASSWORD has been added to the SSH2 user database in client mode. This is documented in the sections SSH User Database and SSHCOM Command Reference.
- The Quickstart section has been updated to reflect an easier way to configure the SFTP client for a new remote host.
Version 1.6: Added description of new parameters which allow setting of DEFINEs per config file to enable configuration as a generic process:
- TCPIPHOSTFILE sets =TCPIP^HOST^FILE
- TCPIPNODEFILE sets =TCPIP^NODE^FILE
- TCPIPRESOLVERNAME sets =TCPIP^RESOLVER^NAME
Version 1.5: Added documentation for the PTCPIPFILTERKEY parameter.
Version 1.4: Describes changes in SSH2 release 0040. This release has the following new features:
- OSS is no longer required to run the SSH2 process.
- New SSH2 configuration parameters SFTPPRIMARYEXTENTSIZE, SFTPSECONDARYEXTENTSIZE, SFTPMAXEXTENTS (see section SSH2 Parameter Reference in chapter Configuring and Running SSH2).
- The touch command has been added to the SFTP client commands.
- Guardian filename syntax is supported in commands working on NonStop files or subvolumes residing in…
186. …H2 process.
- The parameter PORT reflects the port number SSH2 will listen on for incoming SSH connections.
- The parameter AUTOADDSYSTEMUSERS controls whether remote users can log on via SSH using a Guardian user ID or alias without configuring them explicitly via SSHCOM in the SSHCTL.
- The parameter ALLOWTCPFORWARDING controls whether port forwarding is generally allowed.
- The parameter STRICTHOSTKEYCHECKING controls whether client access to remote systems is limited to hosts with their public key explicitly configured as a KNOWNHOST entity in the SSHCTL. With this parameter set to false, users will be prompted if they want to continue a connection to an unknown host.
Note: When you start SSH2 in NOWAIT mode, make sure you have disabled logging to the home terminal. To do so, set the following PARAM: PARAM LOGCONSOLE 2
SSH2 will now start with the parameters specified in the command line. It will output initialization messages to your terminal. Please check these messages for any errors.
Note: Set the DEFINE =TCPIP^PROCESS^NAME or the parameter SUBNET accordingly if you want to run SSH2 over a TCP/IP process other than $ZTC0.
Upon first startup SSH2 will create a HOSTKEY for the DAEMON mode, which may take a few seconds depending on the speed of your system. SSH2 will also create the SSHCTL configuration database.
Note: If you have installed SSH…
187. …AUTOADDSYSTEMUSERS TRUE
See also: AUTOADDSYSTEMUSERSLIKE, USETEMPLATESYSTEMUSER
AUTOADDSYSTEMUSERSLIKE
Use this parameter to specify a user whose configuration in SSHCTL is used as the default configuration when automatic adding of users to SSHCTL is enabled, i.e. if parameter AUTOADDSYSTEMUSERS has a value of TRUE.
Parameter Syntax: AUTOADDSYSTEMUSERSLIKE <user name>
Arguments: <user name> The name of a user. The user must exist in the SSHCTL at the time a new user tries to log on and AUTOADDSYSTEMUSERS has a value of TRUE.
Considerations:
- Any automatically added user will have the same attributes as the default user, except user name and system user.
- In case the parameter AUTOADDSYSTEMUSERSLIKE is set to the name of a user not defined in SSHCTL and AUTOADDSYSTEMUSERS has a value of TRUE, then any authentication of a new user will be rejected.
Default: If omitted, a user is added with hard-coded default values if AUTOADDSYSTEMUSERS has a value of TRUE.
Example: AUTOADDSYSTEMUSERSLIKE comf.us
See also: AUTOADDSYSTEMUSERS, USETEMPLATESYSTEMUSER
BACKUPCPU
Use this parameter to run SSH2 as a NonStop process pair.
Parameter Syntax: BACKUPCPU NONE | ANY | <cpu>
Arguments: NONE: SSH2 will not run as a process pair. ANY: SSH2 will run as a NonStop process pair and will automatically select an available CPU for the backup process. <cpu>: A number value that represents a CPU on your system. SS…
188. …H2 process, and this local process will further forward to a telnet server on the local host listening on the loopback address, port 23. The localhost in the command line refers to the target host of the forwarding tunnel, i.e. when using the -R option this is the local host. After the SSH session is successfully established, the SSH process will wait until the SSH session is terminated or it is stopped. On the remote host 10.0.0.234 you can establish a telnet session over the SSH tunnel as follows:
testusr@linux-dev> telnet 127.0.0.1 5021
TELNET Client T9558H01 (19MAR12) IPMAAH
Copyright Tandem Computers Incorporated 1992, 1997
Trying...
Connected to 127.0.0.1.
Escape character is '^]'.
WELCOME TO npns01 PORT $ZTC1 23 WINDOW $ZTN0 PTYSYNS
TELSERV T9553H01 (25SEP2009) IPMAEP
Available Services: OSS TACL EXIT
Enter Choice>
In this example the remote telnet client started on host 10.0.0.234 connects through the tunnel to the telnet server on the local host that listens on loopback address 127.0.0.1, port 23.
Encrypted File Transfer
You can implement encrypted file transfers over SSH in various ways:
- Use the SFTP or SFTPOSS clients to initiate and control SFTP sessions from the NonStop server.
- Use an SFTP client on a remote system to initiate and control SFTP sessions to the NonStop server from a remote system.
- Forward FTP connections over an SSH session.
To Connect a Remote SFTP Client to the NonStop…
189. …H2 will run as a NonStop process pair and will start the backup process in the specified CPU.
Considerations: To learn more about how SSH2 can help users leverage the fundamentals of the NonStop system to provide NonStop SSH access, please refer to the NonStop Availability section.
Default: If omitted, BACKUPCPU is set to NONE.
Example: BACKUPCPU ANY
BANNER
Use this parameter to configure an authentication banner message to be displayed to SSH clients connecting to the SSH2 daemon.
Parameter Syntax: BANNER * | <filename>
Arguments: *: Means no authentication banner is displayed. <filename>: Specifies the file name containing the authentication banner to be displayed.
Considerations:
- The BANNER file can be an edit file containing multiple lines.
Default: If omitted, BANNER is set to *.
Example: BANNER $SYSTEM.SSH2.BANNER
BURSTSUPPRESSION
Use this parameter to configure log burst suppression for log message duplicates of all log targets (EMS, console, file and memory cache).
Parameter Syntax: BURSTSUPPRESSION TRUE | FALSE
Arguments: TRUE | FALSE Specifies whether BURSTSUPPRESSION is enabled or not.
  TRUE: Duplicate log messages will be suppressed.
  FALSE: Duplicate log messages will not be suppressed.
Considerations: When BURSTSUPPRESSION is TRUE, the log target settings enabled via the target specific boolean parameters CACHEBURSTSUPPR…
190. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
6) Remaining components of the software are provided under a standard 2-term BSD licence with the following names as copyright holders: Markus Friedl, Theo de Raadt, Niels Provos, Dug Song, Aaron Campbell, Damien Miller, Kevin Steves, Daniel Kouril, Wesley Griffin, Per Allansson, Nils Nordman, Simon Wilkinson.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
THIS SOFTWARE IS PROVIDED BY THE AUTH…
191. …INFO USER and ALTER USER. All USER attributes can be modified, but the most critical ones, which are ALLOWED-AUTHENTICATIONS and SYSTEM-USER, can only be modified by users with full SSHCOM access. Additional restrictions apply depending on the setting of parameter LIFECYCLEPOLICYPUBLICUSERKEY: users with partial SSHCOM access can specify the LIVE-DATE and EXPIRE-DATE when adding or altering a user's public key only if LIFECYCLEPOLICYPUBLICUSERKEY is set to VARIABLE.
Parameter Syntax: PARTIALSSHCOMACCESSUSER<k> <group>.<user>
Arguments: <group>.<user> The Guardian logon name of the account that will have partial SSHCOM access. Logon ids and alias names are not supported.
Default: By default none of the parameters are set, i.e. only users with full SSHCOM access can execute privileged commands.
Example:
PARTIALSSHCOMACCESSUSER1 admin.joe
PARTIALSSHCOMACCESSUSER2 admin.jim
PARTIALSSHCOMACCESSUSER3 super.jane
Considerations:
- Some of the privileged commands in SSHCOM are critical to the security of the system. Therefore, granting access to user accounts other than super.super must be carefully considered.
- The parameters must be set contiguously, i.e. if one parameter PARTIALSSHCOMACCESSUSER<k> is not defined, the checking of PARTIALSSHCOMACCESSUSER<i> parameters stops.
- This parameter set is valid whether a thawed OBJECTTYPE USER record exists in Safeguard or not. But if a user is con…
192. IPv6 SSH2 Release. Due to database record versioning, there is no change made in the SSH2 database by an SSH2 object with IPv6 support that would cause problems when an SSH2 object without IPv6 support accesses this database. Therefore a backout of an SSH2 IPv6 release to a pre-IPv6 SSH2 release does not represent a problem. Obviously, any change to CI-PROGRAM that was made using the format TELNET <ip address> <port> with an IPv6 IP address for the <ip address> part will no longer work in an IPv4 environment and must be changed back to using an IPv4 address. Similarly, any changes to RESTRICTION-PROFILE that include IPv6 addresses should be reverted. If a copy of the restriction profiles had been made, then simple rename commands will be sufficient:
     RENAME RESTRICTION-PROFILE <active profile name> <saved IPv6 profile>
     RENAME RESTRICTION-PROFILE <saved IPv4 profile> <active profile name>
     For example:
     RENAME RESTRICTION-PROFILE ABC ABC_IPV6
     RENAME RESTRICTION-PROFILE ABC_copy ABC
     If there are RESTRICTION-PROFILE records left containing IPv6 addresses/patterns, then these do not represent a problem: these IPv6 addresses/patterns would just not match when checked against IPv4 addresses being processed by an SSH2 process without IPv6 support. IPv6 addresses stored in the ADDRESSES field of KNOWNHOST entities will be ignored by SSH2 processes without IPv6 support. A KNOWNHOST entry with an IPv6 address as part of
193. IPv6 address OK: host name hostv6 resolved to fe80::250:56ff:fea7:4bdc, formatted with the last 4 bytes as dotted quad: fe80::250:56ff:254.167.75.220. The TCP/IP defines in the context of the SSH2 process are relevant for host name resolving, not those in the context of SSH client processes. Please see SSHCOM command INFO DEFINE.
     ROLLOVER AUDITFILE: This command can be used to force a rollover of the configured audit file. The current audit file will be renamed to an audit archive file and a new audit file is opened (if the AUDITFILE parameter is not set to and the parameter AUDITFILERETENTION is set to a non-zero value). The command has the following syntax: ROLLOVER AUDITFILE. The ROLLOVER command can only be executed by super.super (unless explicitly denied in OBJECTTYPE USER record) or a user granted full SSHCOM access.
     ROLLOVER LOGFILE: This command can be used to force a rollover of the configured log file. The current log file will be renamed to an archive file and a new log file is opened (if the LOGFILE parameter is not set to and the LOGFILERETENTION parameter is set to a non-zero value). The command has the following syntax: ROLLOVER LOGFILE. The ROLLOVER command can only be executed by super.super (unless explicitly denied in OBJECTTYPE USER record) or a user granted full SSHCOM access.
     EXPORT SSHCTL: The EXPORT SSHCTL command will export the content of the SSH
194. IRE-DATE NONE; LIFE-CYCLE-STATE LIVE; LAST-MODIFIED 20Apr12 16:00; LAST-USAGE 20Apr12 16:02; SYSTEM-USER ulrich; ALLOW-SHELL YES; SHELL-PROGRAM DEFAULT; SHELL-COMMAND NONE; SHELL-ENVIRONMENT NONE; ALLOW-CI YES; CI-PROGRAM DEFAULT; CI-COMMAND NONE; ALLOW-PTY YES; PTY-SERVER $PTY01; ALLOW-TCP-FORWARDING YES; ALLOWED-SUBSYSTEMS (sftp, tacl); ALLOW-GATEWAY-PORTS YES; ALLOW-MULTIPLE-REMOTE-HOSTS YES; RESTRICTION-PROFILE NONE; PRIORITY 1; CPU-SET DEFAULT; SFTP-INITIAL-DIRECTORY /G LOCKED; SFTP-GUARDIAN-FILESET ($temp.us, $us); SFTP-SECURITY (read, write, purge, rename, list, mkdir, rmdir, symlink); SFTP-PRIORITY 100; SFTP-CPU-SET DEFAULT; LAST-LOGON 20Apr12 16:02; LAST-UNSUCCESSFUL-ATTEMPT NONE; LAST-AUTH-METHOD publickey; LAST-PUBLICKEY testkey3; LAST-IP-ADDRESS fe80::a00:8eff:fe00:d14e; LAST-MODIFIED 20Apr12 16:07; STATUS THAWED.
     Following are the specific fields output by INFO USER and their meaning:
     STATUS: Displays whether the user is in a FROZEN or THAWED state.
     PUBLICKEY: This field displays fingerprints of the public keys associated with a specific user. For each public key, the name and associated fingerprints are displayed. The last modification and last usage timestamps are also displayed for each public key.
     LAST-LOGON: The timestamp of the last successful logon of the user. Note: For user supe
195. IRED. This is actually not an explicit database field, but its value will be determined by the three database fields CREATION-DATE, LIFE-DATE and EXPIRE-DATE. The database also contains some additional information collected by SSH2 about each key record:
     - LAST-USE (record usage): last time the record was used.
     - LAST-MODIFIED (record maintenance): last time the record was modified.
     Client mode record type PASSWORD holds user password information for the Guardian user initiating a client connection on NonStop. PASSWORD records are added when a user confirms a password is to be stored, or via SSHCOM command ADD PASSWORD. The database key to the PASSWORD entity consists of:
     - USERID@HOST: the user name sent to the remote system and the IP address and port of the remote system.
     - USER: the name of the Guardian user the public key was generated for.
     The PASSWORD entity has the following additional properties:
     - STATUS: whether the password is frozen or thawed.
     The database also contains some additional information about each password record collected by SSH2:
     - LAST-USE (record usage): last time the record was used.
     - LAST-MODIFIED (record maintenance): last time the record was modified.
     Client mode record type KNOWNHOST holds remote host key information for the Guardian user initiating a client connection on NonStop. KNOWNHOST records are added when a user accepts a remote host key, or via SSHCOM command ADD KNOWNHOST. The database key to the KNOWNHOST entity
196. IT/Pathway are handled cleanly.
     - OSH/Posix applications are handled cleanly.
     - Multiple Guardian applications (for example a FUP or SCF prompt started from a TACL) are handled cleanly.
     LOGAUDIT YES|NO: LOGAUDIT YES is intended for PROGRAM $SYSTEM.SYSTEM.TACL and will generate an AUDIT event when the TACL process first logs on. No additional event is generated if the TACL logs off, changes users, or if a second TACL process is started on the same terminal. Note that STN has a default ADD SERVICE TACL which has the default setting of LOGAUDIT NO, so to use this feature with the SERVICE named TACL it is necessary to first DELETE SERVICE TACL to remove the default, then ADD SERVICE TACL, LOGAUDIT YES, etc. to define a new service. LOGAUDIT NO is the default.
     SCRIPT <script name>: Default is no SCRIPT. Script name refers to a list of setmodes defined by the ADD SCRIPT command. These setmodes will be performed at session initiation and whenever setmode 28 is performed by the application. ADD SCRIPT and ADD SERVICE can be specified in any order. If the SCRIPT is not defined, no error message is generated and no setmodes are performed. ADD SCRIPT will take effect on the next session created for the service.
     WIN_PAT <pattern>: Pattern must begin with a pound (hash) sign and the remainder must be letters, numbers, period and substitution parameters. Except for substitution parameters, all other characters are copied directly to the window name with
197. ITFILE.
     - New parameter <service> after MENU property of USER attribute CI-PROGRAM.
     Version 2.7: Manual has been revised to correctly reflect the way HP NonStop SSH is delivered.
     Version 2.6: Describes changes in SSH2 release 0080. Documentation for the following new features has been added:
     - Configuration of an alternate command interpreter or a service menu for USERs working with 6530 SSH sessions.
     - Granting access without SSH user authentication.
     The chapter STN Reference has been added, documenting the STN pseudo-TTY server. The chapter SFTP Client Reference has been renamed to SSH and SFTP Client Reference, reflecting that the chapter now also documents the SSH client program.
     Version 2.5: Describes changes in SSH2 release 0074.
     - Added documentation for several new SSH2 parameters: BANNER, SAFEGUARDPASSWORDREQUIRED, SSHAUTOKEXBYTES, SSHAUTOKEXTIME and SSHKEEPALIVETIME.
     - Changes reflecting support of keyboard-interactive authentication in SSH2 DAEMON run mode.
     The documentation now reflects that HP NonStop SSH is also delivered as an independent product for G-Series.
     Version 2.4: The documentation now reflects that SSH2 is also delivered with the HP NonStop H-series release version updates (RVU) for HP Integrity NonStop servers, beginning with H06.11, under the product name HP NonStop SSH.
     Version 2.3: Describes changes in SSH2 release 0070.
     - Added section
198. K 2014-01-24 15:42:47.440 OPEN $ssh01; ALTER USER comf.mh, PUBLICKEY key1 FINGERPRINT 87:34:41:65:e5:df:e3:30:6:46:22:02:19:24:1e:f2, SFTP-INITIAL-DIRECTORY /home/mh; OK, user comf.mh altered; exit; exit; $DATA1 SSH2 13>
     Note: The ALTER USER command will only work if the user already exists in the SSH2 user base. This will be the case if you followed the other quick tour steps. You may also create a new user with the SSHCOM ADD USER command. After this step you can now retry the step "To connect to a remote SSH daemon with the NonStop SSH client". You will not be prompted for the NonStop user's password; instead, SSH2 will authenticate the user with the public key configured for the remote user.
     Using Public Keys to Logon to Remote Systems: This section explains the steps required to use public keys to authenticate to the remote system with a NonStop SSH or SFTP client. This involves generating a key pair for the NonStop user and configuring the public key on the remote system. For additional information on public key authentication, please refer to the Public Key Authentication section in the SSH Protocol Reference chapter. Note: The commands illustrated in the following steps will implicitly depend on the user issuing the commands. It is assumed all commands are executed under the same user ID.
     To Generate a Key Pair for a NonStop User: First we will generate the key pair and store the private key in the SSH2 user datab
199. K. The minimum is 12K and the maximum is 25M. Starting with STN version B20, STN trace files are secured OOOO and CLEARONPURGE to better protect any sensitive data. Trace files, which are created by explicit STNCOM command or a PARAM at STN startup, contain all data to and from the remote terminals, including sensitive data like passwords. Even when SSL or SSH encryption is used to protect the data in motion, the data is unencrypted in trace files. Always follow best practices with trace files. Starting with STN version B08, trace files will include INFO STN output at the beginning. Warning: Tracing can noticeably affect response time and CPU usage.
     UAIPADDR Y|N: STNCOM command UAIPADDR controls the inclusion of the workstation (remote) IP address on USER_AUTHENTICATE_ calls. This IP address is included in certain Safeguard records. UAIPADDR should only be used on Guardian releases H06.26 or later, or J06.15 or later. Using the parameter on earlier releases will cause an abend of the STN process and a ZZSA dump file created in the STN object file subvol. STN formerly used PROCESSOR_GETINFOLIST_ items 3 and 60 to retrieve the Guardian version number, but in certain cases the reported version number can be incorrect, leading to an STN abend. UAIPADDR N (default) omits the IP address on USER_AUTHENTICATE_ calls; Safeguard records will not include the IP address. This can safely be used on all G
200. LOG ID (format 10.0.0.78:1218), if available;
     - local user id (present only in some audit messages);
     - user and remote IP address (comf.us@10.0.0.78);
     - a string describing the operation and the outcome (authentication granted, method password, password ok).
     Sample Audit Messages: The following listing shows the audit messages written for a single download of the file /G/data1/ushome/test6 from the user comf.us at remote IP address 10.0.0.78:
     22Dec10 15:31:12 10.0.0.78:1256 comf.us@10.0.0.78: authentication granted, method password, password ok, System user COMF.US
     22Dec10 15:31:13 10.0.0.78:1256 COMF.US comf.us@10.0.0.78: subsystem sftp granted
     22Dec10 15:31:22 10.0.0.78:1256 COMF.US comf.us@10.0.0.78: open /G/data1/ushome/test6, mode read, granted, error 0
     22Dec10 15:31:25 10.0.0.78:1256 COMF.US comf.us@10.0.0.78: close /G/data1/ushome/test6, size 173, 173 bytes read, 0 bytes written
     22Dec10 15:31:13 10.0.0.78:1256 COMF.US comf.us@10.0.0.78: list
     The following shows an audit message for a user trying to access the system with a non-existing username wronguser:
     $SSH49 22Dec10 15:43:07 172.16.123.103:1831 wronguser@172.16.123.103: authentication failed, method none, System user wronguser does not exist
     The following shows an audit message for a user trying to access the system with an existing user
201. M-USER value could be SUPER.SUPER or the group manager of the user configured in SYSTEM-USER, or could be any other local system user.
     PRINCIPAL: When Kerberos is implemented on the system, this attribute is used to explicitly specify which Kerberos principal(s) are authorized to logon to this user account using gssapi-with-mic authentication. To define an access control list with multiple principals within a single command, the PRINCIPAL attribute can be repeated within a single ADD USER command. Note: Specifying one or more Kerberos principals using this attribute will override the default Kerberos authorization rule, which implicitly grants access to the Kerberos principal with a matching local account name. The PRINCIPAL attribute may have the following values:
     - <user>@<REALM>: A fully qualified Kerberos principal name will authorize a specific Kerberos principal to access this user account.
     - *@<REALM>: This pattern will authorize any principal in the given REALM to access this user account.
     - *: This pattern will authorize any principal in any REALM, i.e. anybody with a valid service ticket, to access this user account.
     Note: Specifying a wildcard pattern as principal is useful when delegating authorization to the resource started for this user, i.e. CI-PROGRAM or SHELL-PROGRAM. CAUTION: When specifying a wildcard PRINCIPAL, user access should b
202. N LOG ID (failed, error detail available): pattern tokens sessionId, user, remoteAddress, action, object, error, size, bytes_read, bytes_written; token values: sessionId = SESSION LOG ID, user = SSH username, remoteAddress = remote IP address, action = close, object = file name, error = error detail, size = file size, bytes_read = number of bytes read, bytes_written = number of bytes written.
     Failed, error detail not available: pattern tokens sessionId, user, remoteAddress, action, object, size, bytes_read, bytes_written; token values: sessionId = SESSION LOG ID, user = SSH username, remoteAddress = remote IP address, action = close, object = file name, size = file size, bytes_read = number of bytes read, bytes_written = number of bytes written.
     Event Id 10, Event Name SftpPurgeFileEvent:
     Successful: pattern tokens sessionId, user, remoteAddress, action, object, outcome; token values: sessionId = SESSION LOG ID, user = SSH username, remoteAddress = remote IP address, action = purge, object = file name, outcome = granted.
     Failed, error detail available: pattern tokens sessionId, user, remoteAddress, action, object, outcome, error; token values: sessionId = SESSION LOG ID, user = SSH username, remoteAddress = remote IP address, action = purge, object = file name, outcome = denied or failed, error = error detail.
     Failed, error detail not available: pattern tokens sessionId, user
203. N window <2> exceeds max_outq <3>. <2> name of window; <3> maximum number of queued output messages. CAUSE: The number of queued output messages for a session exceeded the limit given by STNCOM command MAX_OUTQ. This is unusual application behavior. EFFECT: The session is terminated. RECOVERY: If the problem persists, contact Support.
     zstn-evt-stop-process (value is 1028): <1> STN window <2> stopping process <3>, status <4>. <2> name of window; <3> process name; <4> status code. CAUSE: STN is automatically stopping the process previously created for a dynamic window at session termination when KILL_DYNAMIC Y. EFFECT: The specified process is stopped. RECOVERY: None, informational only.
     zstn-evt-pool-used (value is 1033): <1> STN Buffer pool used <2> <3>% used <4> kw, size <5> kw. Indicates STN memory pool usage goes above 80% or back down below 80%. <2> OVER or UNDER; <3> the threshold percentage as sent by the POOL_WARNING command (default 80); <4> the current amount of memory used (unit 1024 words); <5> the total size of the pool (unit 1024 words) as configured by PARAM POOL_SIZE. CAUSE: Every minute STN checks the buffer pool usage and compares the percentage used against POOL_WARNING. If the amount has changed from under the threshold to over, or fr
204. Incoming ssh connections are identified by the remote IP address and remote port, separated by a colon (10.0.0.78:2928 in the above example). This log id is displayed as SESSION LOG ID in the output of SSHCOM command STATUS SESSION:
     status session
     SID  SESSION LOG ID  R  USER NAME  STRT TIM       CHCNT  AUTH USR
          10.0.0.78:3133  S  COMF.US    09Dec09 20:15  1      comf.us
     Using the WHERE option with the STATUS SESSION command, the session status can be filtered to display just the status for a given session log id, while the session is still established:
     status session where session-log-id 10.0.0.78:3133
     SID  SESSION LOG ID  R  USER NAME  STRT TIM       CHCNT  AUTH USR
          10.0.0.78:3133  S  COMF.US    09Dec09 20:15  1      comf.us
     Please see chapter SSHCOM Command Reference for details about the STATUS SESSION command. Note: Since IPv6 address support, the session log id may become too large for display in the STATUS SESSION brief output. It has been removed in SPR T0801ABE and can be determined via STATUS SESSION, DETAIL. Starting with SPR T0801ABE the brief output contains the following columns: SID, R, USER NAME, STRT TIM (start time), CHCNT (channel count), AUTH USR (authenticated user) and AUTH (authentication method).
     Log Level: Each log message has a level associated with it. The level is a
205. NCR to 40000000.
     - This parameter is only considered when a Guardian edit file is written, i.e. either if a remote sftp client issues a put command to the SSH2 server on NonStop specifying a Guardian destination file with code 101, or if a sftp client on a NonStop server issues a get command specifying a local Guardian destination file with file code 101.
     - If a get command is executed by a sftp client on the NonStop server, then the parameter must be set in the environment of the sftp client: as PARAM for SFTP running in the Guardian environment, or as environment variable for SFTPOSS running in the OSS environment.
     See also SFTPEDITLINEMODE, SFTPEDITLINESTARTDECIMALINCR.
     SFTPEDITLINESTARTDECIMALINCR: This parameter controls at which line number the decimal increment defined by parameter SFTPEDITLINENUMBERDECIMALINCR starts.
     Parameter Syntax: SFTPEDITLINESTARTDECIMALINCR <number>
     Arguments: <number> The value is 1000 times the line number.
     Default: The default value is -1, i.e. the decimal increment is not used.
     Examples: Start decimal increment at line number 40000: SFTPEDITLINENUMBERDECIMALINCR 40000000. Start decimal increment at line number 0.000: SFTPEDITLINENUMBERDECIMALINCR 0.
     Considerations:
     - The setting of this parameter is only relevant if parameter SFTPEDITLINESTARTDECIMALINCR is set to a number between 0 and 99999999.
     - Previousl
206. NTMPL using standard installation procedures. This will ensure that STN EMS messages will be displayed correctly.
     To Start the SSH2 Component. Note: The SSH2 process must be started and run under the SUPER.SUPER logon. When started using a different user ID, the process will issue a warning message and terminate.
     1. SSH2 can be started easily. At the TACL prompt, issue the following commands:
     CLEAR ALL PARAM
     RUN SSH2 /NAME $SSH01, CPU 1/ ALL &
       PORT 22 &
       AUTOADDSYSTEMUSERS true &
       ALLOWTCPFORWARDING true &
       STRICTHOSTKEYCHECKING false
     Following are details on these instructions:
     - $SSH01 is the process name of the SSH2 process. Setting the process name to $SSHnn, with nn being the number of the CPU in which SSH2 is started, will allow the NonStop SSH and SFTP clients to automatically find the SSH2 process handling the SSH protocol layer for them.
     - In a production environment it is recommended to specify run option NOWAIT, as well as run options TERM and OUT with a virtual home terminal as value, e.g. TERM $ZHOME, OUT $ZHOME. Please replace $ZHOME with $VHS or another process name as needed. When you start SSH2 in NOWAIT mode, make sure you have disabled logging to the home terminal. To do so, set PARAM LOGCONSOLE
     - The keyword ALL designates that the SSH2 component will be allowing all supported functionality. For more information, see chapter Configuring and Running SSH2 for details on the run modes of the SS
207. Name. <str1>: security context was fully accepted for principal <str2>. Variable parts: <str1> Session Name; <str2> Client principal name.
     <str1>: processing GSSAUTH_VERFY_MIC_REQUEST. Variable parts: <str1> Session Name.
     Level 50: <str1>: caching credentials for user <str2>. Variable parts: <str1> Session Name; <str2> User initiating GSSAPI authentication.
     Level 50: <str1>: credentials cache file name is <str2>. Variable parts: <str1> Session Name; <str2> Kerberos credentials cache file name.
     Level 50: <str1>: processing GSSAUTH_GET_MIC_REQUEST. Variable parts: <str1> Session Name.
     Level 50: <str1>: GSSAPI interface opened. Variable parts: <str1> Session Name.
     Level 50: <str1>: GSSAPI interface closed. Variable parts: <str1> Session Name.
     Level 50: <str1>: Exception in GSSAUTHContextService::OnWriteRead, returning error 22. Variable parts: <str1> Session Name.
     Level 50: SFTPOSS version <str1> starting. Variable parts: <str1> SSH2 version.
     Level 50: <str1>: forwarding remote <str2> connection from <str3> to <str4>. Variable parts: <str1> Session Name; <str2> Protocol; <str3> Normalized originator host address and port; <str4> Normalized target host address and port.
     Level 50: <str1>: closed forwarded remote <str2> connection from <str3> to <str4> <str5>
208. Name; <str2> Protocol; <str3> Normalized originator host address and port; <str4> Normalized target host address and port.
     Level 50: <str1>: closed forwarded <str2> connection from <str3> to <str4>: <str5>. Variable parts: <str1> Session Name; <str2> Protocol; <str3> Normalized originator host address and port; <str4> Normalized target host address and port; <str5> Reason.
     Level 50: <str1>: closed forwarded <str2> connection from <str3> accepted on <str4>: <str5>. Variable parts: <str1> Session Name; <str2> Protocol; <str3> Normalized originator host address and port; <str4> Normalized target host address and port; <str5> Reason.
     Level 50: <str1>: client session opened. Variable parts: <str1> Session Name.
     Level 10: Please contact License Manager hp com for a full license.
     Level 50: <str1>: added host as KNOWNHOST <str2> to database upon user request. Variable parts: <str1> Session Name; <str2> Known host.
     Level 50: <str1>: local system user <str2> aborted connection to unknown host, disconnecting because remote host key not verified. Variable parts: <str1> Session Name; <str2> Login name.
     Level 50: <str1>: connection failed, error: <str2>. Variable parts: <str1> Session Name; <str2> Exception text.
     Level 50: <str1>: client session closed, disconnecting from server. Variable parts: <str1> Session Name.
     Level 50: <str1>: client session closed. Variable parts: <str1> Session Name.
209. O04, and one in cpu 5 with port 22, subnet ztc1 and name ABC05, an invocation of client SSH with no -S and -p params connecting to a remote Unix box will find one of the two SSH2 processes, depending in which cpu the client SSH was started: ABC04 if SSH was started in a cpu other than 5, and ABC05 if it was started in cpu 5.
     4. If all process names fail, the client will terminate with an error message.
     The process names of the SSH2 instances serving the clients must be correctly configured to facilitate this heuristic method. For example, you could decide to start an SSH2 instance in every CPU of your system, naming the instances according to the number of the CPU they are running in:
     RUN SSH2 /NAME $SSH00, CPU 0/ ...
     RUN SSH2 /NAME $SSH01, CPU 1/ ...
     After you have started multiple SSH2 instances in the manner described above, the distribution of the client processes over CPUs will also ensure that the sessions are distributed across the available SSH2 instances. This distribution of client processes can either be achieved manually or by using any standard load distributor tool available on your system.
     Load Balancing Inbound SSH Sessions: For incoming sessions, SSH2 can facilitate the round-robin filtering feature of TCPIPv6. In addition, parallel round-robin filtering allows you to start multiple SSH2 listening processes in different processors that share the same port. To enable round-robin filtering with SSH2 you have to c
210. OFILE shows information about a restriction profile or a set of restriction profiles.
     - RENAME RESTRICTION-PROFILE renames a restriction profile.
     Daemon Mode Commands Operating on the USER Entity
     ADD USER: The ADD USER command adds a new user to the database and has the following syntax:
     ADD USER <user name>
       [, ALLOW-CI yes|no]
       [, ALLOW-CI-PROGRAM-OVERRIDE yes|no]
       [, ALLOW-GATEWAY-PORTS yes|no]
       [, ALLOW-MULTIPLE-REMOTE-HOSTS yes|no]
       [, ALLOW-PTY yes|no]
       [, ALLOW-SHELL yes|no]
       [, ALLOW-TCP-FORWARDING yes|no]
       [, ALLOWED-AUTHENTICATIONS (<method>, <method>, <method>, ...)]
       [, ALLOWED-SUBSYSTEMS (<subsystem>, <subsystem>, <subsystem>, ...)]
       [, CI-COMMAND <command>]
       [, CI-PROGRAM <filename> | MENU | MENU <service> [FORCE]]
       [, COMMENT <comment> | "<comment containing spaces>"]
       [, CPU-SET <cpu> | <cpu range> | <cpu range list>]
       [, FROZEN]
       [, LIKE <existing user name>]
       [, OWNER <system user name> | NONE]
       [, PRINCIPAL <user>@<REALM> | *@<REALM> | *]
       [, PRIORITY -1 | <priority>]
       [, PTY-SERVER DEFAULT | <process name>]
       [, PUBLICKEY <key name> FINGERPRINT <fingerprint value> | FILE <filename> FINGERPRINT <fingerprint value> | FILE <filename> [, COMMENT <comment>] [, LIVE-DA
211. ONDARYEXTENTSIZE <100>, SFTPUPSHIFTGUARDIANFILENAMES <FALSE>, SHELLENVIRONMENT <>, SOCKETKEEPALIVE <1>, SOCKETRCVBUF <0>, SOCKETSNDBUF <0>, SOCKTCPMAXRXMT <0>, SOCKTCPMINRXMT <0>, SOCKTCPRXMTCNT <0>, SOCKTCPTOTRXMTVAL <0>, SSHAUTOKEXBYTES <1073741824>, SSHAUTOKEXTIME <3600>, SSHCTL <SSHDBK>, SSHCTLAUDIT <FALSE>, SSHKEEPALIVETIME <60>, STOREDPASSWORDSONLY <FALSE>, STRICTHOSTKEYCHECKING <FALSE>, SUBNET <$ZTC1>, SUPPRESSCOMMENTINSSHVERSION <FALSE>, TCPIPHOSTFILE <>, TCPIPNODEFILE <>, TCPIPRESOLVERNAME <>
     20Jan14 15:34:01.55 | 10 | CRYPTOPP version H06_12Dec2013_comForte_CRYPTOPP_0028
     20Jan14 15:34:01.57 | 20 | TCP/IP process is $ZTC1
     20Jan14 15:34:05.35 | 20 | Converted INTERFACE 0.0.0.0
     20Jan14 15:34:05.35 | 20 | Converted INTERFACEOUT 0.0.0.0
     20Jan14 15:34:05.36 | 20 | Define =TCPIP^PROCESS^NAME did not exist. Parameter was evaluated and define will be added.
     20Jan14 15:34:05.36 | 20 | DEFINE =TCPIP^PROCESS^NAME was set to <\BWNS02.$ZTC1>
     20Jan14 15:34:05.37 | 20 | SSH config database \BWNS02.$QAHPSSH.T0801ABK.SSHDBK is audited. A backup should be made after every config change.
     20Jan14 15:34:05.39 | 10 | SSH config database \BWNS02.$QAHPSSH.T0801ABK.SSHDBK
212. OR ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. $OpenBSD: LICENCE,v 1.19 2004/08/30 09:18:08 markus Exp $
213. PHOSTFILE, TCPIPNODEFILE or TCPIPRESOLVERNAME were specified, the corresponding defines propagated contain the values taken from these parameters, i.e. the defines in the SSH2 process context will be overwritten. If define =TCPIP^PROCESS^NAME exists in the process context, it will be propagated and the SUBNET parameter value will be ignored (see parameter SUBNET). If define =TCPIP^PROCESS^NAME does not exist in the process context, the SUBNET parameter value will be used to create a define =TCPIP^PROCESS^NAME, and it will be propagated to newly started TACL and shell processes. If define =CIP^COMPAT^ERROR exists in the SSH2 process context, it will be propagated and the CIPCOMPATERROR parameter value will be ignored (see parameter CIPCOMPATERROR). If define =CIP^COMPAT^ERROR does not exist in the process context, a CIPCOMPATERROR parameter value other than will be used to create a define =CIP^COMPAT^ERROR, and it will be propagated to newly started processes. The processing of TCP/IP related defines and corresponding parameters is limited to the creation/overwriting of defines. If none of the SSH2 TCP/IP parameters are set, then the existing TCP/IP defines/parameters determine the processing. The actual processing is solely done in the TCP/IP runtime libraries, i.e. if the relevant TCP/IP parameters like =TCPIP^RESOLVER^ORDER and TCP/IP related defines are set, then the resolver order should be as configured. There is a special pr
214. PU cycles on your NonStop host. The natural question, how much CPU resources does encryption consume, has no simple answer; it will depend on many factors.
     - In general:
       - How many SSH connections are created: the initial setup of an SSH session involves a public key operation, which requires some CPU intensive calculations.
       - The key sizes used for the public/private key pairs, both on the host and on the client: using a more secure 1024 bit key pair will cause more overhead for the initial setup than a 512 bit RSA key pair.
       - The selected cipher for bulk encryption: for example, a cipher using 168 bit 3DES will consume more CPU cycles than a 128 bit ARCFOUR based cipher suite.
     - For SFTP traffic:
       - The throughput of the transmitted data: how many files of which size are transmitted in which time.
       - Type of data read: structured or non-structured files.
       - The SFTP client used and the system it is run on.
       - Speed of file listings depends on the way an SFTP client makes use of the file attributes received from the SFTP server.
     So there is no general answer to the question; the answer will depend on your individual system use. However, measurements show that today's NonStop systems aren't as bad in number crunching (and that's what encrypting and decrypting is basically about) as one would think. The following sections will show the results of some selected measurements. The conclusions drawn from these can be used to estimate what per
215. R STATISTICS: If it is of interest to determine the number of sessions matching the filter conditions, the option FILTER STATISTICS can be specified. If the optional ONLY is added, then the status data is not displayed, but just the total number of sessions and the number of matching sessions.
     STATUS CHANNEL: Status information about the currently existing ssh channels in the SSH2 process will be displayed. The command has the following syntax:
     STATUS CHANNEL <channel id> [DETAIL] [WIDTH <width>] [LOG ONLY] [SELECT <attr> [<attr> ...]] [WHERE <attr filter> [<attr filter> ...]] [FILTER STATISTICS [ONLY]]
     <channel id>: The internally assigned identifier (positive integer) of a channel. Alternatively, the wild card character can be specified instead of a channel id. The individual options have the following meaning and syntax:
     DETAIL: If the DETAIL flag is set, detailed information is displayed.
     WIDTH: The number <width> is the maximum number of characters per output line. If WIDTH is not specified, the default value 80 is assumed. In order to avoid a new line when the terminal is configured with line wrapping on, the line will only be filled with one character less than the specified width.
     LOG ONLY: Normally the output of the STATUS command will be displayed at the terminal the SSHCOM was started from. With the LOG ONLY flag set, the output will be written to the
216. R user only (unless explicitly denied in OBJECTTYPE USER record) or those configured with full SSHCOM access. In case the SSH2 parameter LIFECYCLEPOLICYPRIVATEUSERKEY is set to VARIABLE, then every user can change field EXPIRE-DATE for those keys the user owns.
192 • SSHCOM Command Reference    HP NonStop SSH Reference Manual
DELETE KEY
The DELETE KEY command deletes a key from the database and has the following syntax:
DELETE KEY [<system user name>.]<key name>
The individual attributes have the following meaning and syntax:
<system user name>: This refers to a valid GUARDIAN user who owns the key in the SSH key store. If <system user name> is omitted, either the user being set in a previously issued ASSUME USER command or the issuer of the ALTER KEY command will be used as the default. If <system user name> is specified, it MUST be followed by a "." to separate it from the key name. Only the SUPER.SUPER user (unless explicitly denied in OBJECTTYPE USER record) or those configured with full SSHCOM access can delete keys from other users.
<key name>: This refers to the name of the key to be deleted.
EXPORT KEY
The EXPORT KEY command exports a single private/public key pair, or just the public key of a key pair, into a GUARDIAN or OSS file. If both keys are exported (private and public), then they are stored into a single file. The command has the following syntax:
EXPORT KEY <system user name>
217. RECTORY (when defined in Safeguard) or from the Guardian default subvolume of the SYSTEM-USER. If the option LOCKED is used, a user will not be allowed to leave that path by issuing a cd command. For example, if a value of /home/jdoe is used, only access to directories below is allowed. Access to upper level directories such as /home or /usr or / will not be allowed. Specifying option LOCKED results in a pseudo root visible for the user, i.e. a pwd command will show / as current directory. If a value /G LOCKED is used, then the user can only access Guardian files and no OSS files.
SFTP-PRIORITY
A number specifying the priority of the SFTPSERV processes for this user. Following are the values allowed in this parameter and their meanings:
Value    Meaning
1-199    Use the given priority value
-1       Use the same priority as the SSH2 process starting SFTPSERV
The default value is 100.
SFTP-SECURITY
This parameter is comprised of a comma separated list of allowed operations for the user, with operations enclosed in brackets. The operations allowed are as follows:
• LIST: allows perusal of files
• READ: allows downloading of files to the remote system
• WRITE: allows uploading of files from the remote system
• PURGE: allows deletion of files on the NonStop system
• RENAME: allows renaming of files on the NonStop system
• MKDIR: allows creatio
218. RESETEN, then INPUT_TIMEOUT applies even if output is being displayed, giving additional security. Default is Y. See also INPUT_TIMEOUT.
PAUSE
PAUSE suspends the STNCOM prompt. Use BREAK to return to the STNCOM prompt.
POOL
POOL verifies the integrity of STN's internal buffer pool and provides useful information for tuning PARAM POOLASIZE.
POOL
• TOTAL SIZE: Shows word size of pool
• IN USE: Shows words currently in use in the user buffer area
• HIGH: Shows the highest value of IN USE since process startup or the most recent backup takeover
• GETS: Shows total number of buffer allocation requests
• PUTS: Shows total number of buffer releases
• REJECTS: Shows the number of requests that failed due to pool exhaustion or fragmentation
• TRIMS: Shows the number of trims, where a large buffer is allocated and the unneeded trailing portion is released while the front part is still used
• BUFS IN USE: Shows number of buffers allocated, not yet released. HIGH specifies the highest value of BUFS IN USE
• RECEIVE msgs: Shows total user data and system messages on $RECEIVE
• BYTES RCVD: Shows total bytes read on $RECEIVE
• BYTES REPLIED: Shows total bytes replied to $RECEIVE
• FRAGMENTS: Shows number of fragments
• FRAGSIZE: Shows size of fragment
PROMPT <text>
This command redefines the prompt sent to the terminal for new STNCOM input. It is also ava
219. RTS SOCKTCPMINRXMT, SOCKTCPMAXRXMT, SOCKTCPRXMTCNT and SOCKTCPTOTRXMTVAL has been added.
• Added description of new SSHCOM client mode command INFO SYSTEM-USER to section "Client Mode Commands Overview".
• Added description for new parameters LIFECYCLEPOLICYPUBLICUSERKEY, INTERVALPENDINGPUBLICUSERKEY and INTERVALLIVEPUBLICUSERKEY.
• Added description for new parameter ALLOWINFOSSH2.
• Added description for new parameters PARTIALSSHCOMACCESSGROUP<n> and PARTIALSSHCOMACCESSUSER<k>.
• Added description for new SFTP OSS commands append and lappend.
• Added description for new support for creation of format 2 files in an SFTP session.
• Added description for support of option -oBindAddress for SFTP OSS and SSH OSS clients.
• Added description of option LIKE for SSHCOM command ADD RESTRICTION-PROFILE.
• Updated section "Starting SSH2" with new run modes.
• Added documentation of additional commands in section "Statistics Related Commands".
• Added sections "Transfer Progress Meter" and "Controlling Transfer Summary".
• Updated section "Viewing File Contents from Guardian with SHOWLOG".
• Added description of new commands FESESSDOWN and REPLY_DELAY_MAX in section "STNCOM Commands".
• Added appendix "Event Summary".
Changes in SSH2 release 92 that are incompatible with previous releases:
• Output of SSHCOM commands that contains IP addresses in some form has been modified to allow for th
220. S FROZEN. The fields of the output of INFO KNOWNHOST have the following meaning:
COMMENT: A comment as entered when adding or altering the known host.
KNOWNBY: The system user who is allowed to connect to the known host.
ADDRESSES: Specifies a comma separated list of IP addresses or DNS names that identify the target host from which the public key associated with this known host entry is accepted.
PORT: The target port number of the remote host associated with this known host entry.
ALGORITHM: The key exchange algorithm to be used. Valid values are SSH-DSS and SSH-RSA.
PUBLICKEY: The MD5 and/or bubble babble fingerprint of the known host's public key.
COMMENT: An optional comment associated with the known host entry. The comment must be enclosed in double quotes if it contains spaces.
LAST-USE: The timestamp of the last usage of the known host.
LAST-MODIFIED: The timestamp of the last modification of the known host.
STATUS: Whether the known host is FROZEN or THAWED.
RENAME KNOWNHOST
The RENAME KNOWNHOST command is used to rename a knownhost entry in the SSH database. A knownhost entry can only be renamed by the SUPER.SUPER user (unless explicitly denied in OBJECTTYPE USER record) or those configured with full SSHCOM access, or by the user who owns the knownhost. The command has the following syntax:
RENAME KNOWNHOST [<old system user name>.]<o
221. The following reading is recommended documentation for NonStop users of SSH/SFTP clients and users connecting to NonStop using remote ssh/sftp/scp clients:
• HP NonStop documentation: Guardian User's Guide
• HP NonStop documentation: Open System Services Shell and Utilities Reference Manual (if using OSS)
• HP NonStop documentation: HP NonStop TACL Reference Manual
• HP NonStop documentation: File Utility Program (FUP) Reference Manual
Generally, users should get familiar with the Guardian name space, Guardian file attributes and Guardian structured files when connecting from remote sftp/scp clients planning to transfer Guardian specific files to and from a NonStop system. This is not required if only files from and to the OSS environment will be transferred.
It is expected that administrators and users gain knowledge about the SSH standard before using SSH implementations. There are many good books about SSH. Here we only mention one:
• SSH, The Secure Shell: The Definitive Guide, Daniel J. Barrett et al., O'Reilly
The following links may also serve as a starting point for SSH related information:
• http://tools.ietf.org/html/rfc4251
• http://tools.ietf.org/html/draft-ietf-secsh-filexfer-02
• http://en.wikipedia.org/wiki/Secure_Shell
• http://wiki.filezilla-project.org/SFTP_specifications
• http://www.openssh.org
The Kerberos GSS
222. SH client. It provides fully functional terminal access to remote systems and, like SSH2 as a daemon, supports execution of full screen applications such as vi or Emacs with the NonStop terminal as input and output device. It also allows establishing TCP and FTP port forwarding channels.
• SSH is the Guardian version of the SSH client. It allows you to create remote shells and execute remote commands, and it supports port forwarding channels.
Note: SSH and SSHOSS will connect to a remote SSH daemon via a SSH2 process, which handles the SSH protocol layer.
To Connect to a Remote SSH Daemon with the NonStop SSH Client
You can create shell sessions with a remote SSH daemon both with the OSS SSH client (via SSHOSS) and the Guardian SSH client (via SSH). From an OSS shell, run the SSHOSS client to create a secure shell session with a remote system as follows:
/home/mh: /G/data1/mhssh/sshoss comf.mh@10.0.0.201
SSH client version T9999H06_22Jan2014_comForte_SSHOSS_0097
WARNING: REMOTE HOST IDENTIFICATION UNKNOWN
The host public key fingerprint is:
babble: xelol-vifez-cefis-gimiv-nepof-zemid-latut-zahoz-hyrun-hipop-hixex
MD5: 04:bb:3c:a0:66:d4:bf:e3:60:b8:3:31:49:d9:86:a6
Continue and add the host to the knownhost store (yes/no)? yes
Trying password authentication...
Enter m.horst@10.0.0.201's password:
Add password for m.horst@10.0.0.201 to the password store
223. INTERVALLIVEPUBLICUSERKEY
This parameter is related to a user public key's life cycle configuration of database entity USER. It determines the length of the interval a user public key stays in state LIVE.
Parameter Syntax: INTERVALLIVEPUBLICUSERKEY <number-of-days>
Arguments: <number-of-days> The number of days a user public key will be in state LIVE after leaving state PENDING and before reaching state EXPIRED.
Default: The default value for this parameter is 730, i.e. 2 years.
Example: INTERVALLIVEPUBLICUSERKEY 1460
Considerations:
• The life cycle configuration of existing user public keys will not be modified due to this parameter. If existing keys need to participate in life cycle control, then they must be configured via the ALTER USER PUBLICKEY command, specifying the LIVE-DATE and EXPIRE-DATE command options.
• The parameter value is ignored if the life cycle for user public keys is disabled, i.e. if LIFECYCLEPOLICYPUBLICUSERKEY is set to DISABLED.
• The parameter value is ignored if USER PUBLICKEY attributes LIVE-DATE and EXPIRE-DATE are specified in ALTER USER PUBLICKEY commands (if a user is allowed to specify these attributes according to the key lifecycle policy).
See also: LIFECYCLEPOLICYPUBLICUSERKEY, INTERVALPENDINGPUBLICUSERKEY
INTERVALPENDINGPRIVATEUSERKEY
This parameter is related to a user private key's life cycle configuration of database entity KEY. It determines the length of the interva
224. SH2 process is configured with FAMILY INET6, then no communication is possible at all.
TCP/IPv6 Considerations
Using Link Local Addresses for Loopback
While it is possible to use link local addresses within a network segment without problems, there are restrictions using link local addresses for a loopback connection with a TCP/IP CLIM involved. The CIP TCP/IP implementation requires specifying a local TCP/IP address to bind to when trying to establish a loopback connection via CIP TCP/IP. Error 4022 is the result if no specific local IP address is bound in this case. A local bind address can be specified via the sftp and ssh client option -oBindAddress=<bind address> (see sections "SSH Client Command Reference" and "SFTP Client Command Reference"). Another way to ensure a local bind address is set depends on the SSH2 parameter INTERFACEOUT: if the value of that parameter is not the "any" address (0.0.0.0 or ::) but a specific IP address valid for the configured SUBNET, then this configured local IP address is bound for every outbound connection. Alternatively, the IPv6 address ::1 can be used as target address without the need for specifying a local bind address.
TCP/IPv6 Migration and Backout
Start Using TCP/IPv6
After the TCP/IP processes have been prepared for IPv6 support, the SSH2 processes can be enabled for IPv6 by restarting them with parameter IPMODE se
225. SION LOG ID
Conditions: Failed, error detail available
Pattern: %sessionId %user %remoteAddress %action %object target %link %outcome %error
Token Values: sessionId = SESSION LOG ID; user = SSH username; remoteAddress = remote IP address; action = symlink; object = file name; link = link name; outcome = denied or failed; error = error detail
Conditions: Failed, error detail not available
Pattern: %sessionId %user %remoteAddress %action %object target %link %outcome
Token Values: sessionId = SESSION LOG ID; user = SSH username; remoteAddress = remote IP address; action = symlink; object = file name; link = link name; outcome = denied or failed
Event Id 16, Event Name PtyEvent
Conditions: Successful
Pattern: %sessionId %user %remoteAddress %action %object %outcome
Token Values: sessionId = SESSION LOG ID; user = SSH username; remoteAddress = remote IP address; action = ptyallocate; object = pty name; outcome = granted
Conditions: Failed
Pattern: %sessionId %user %remoteAddress %action %object %outcome
Token Values: sessionId = SESSION LOG ID; user = SSH username; remoteAddress = remote IP address; action = ptyallocate; object = empty; outcome = denied or failed
Event Id 17, Event Name ShellEvent
Conditions: No forced command
Pattern: %sessionId %user %remoteAddress %action %object %outcome
Token Values: sessionId = SESSION LOG ID; user = SSH username; remoteAddress = remote IP address; action = shell; object = shell program; outcome = granted
226. SSH as a secure transport for other applications (e.g. sftp). The subsystem is specified as the remote command.
Runtime options relevant only for port forwarding:
-L [ftp:]listen-port:host:port
Specifies that the given listen-port on the local (client) host is to be forwarded to the given host and port on the remote side. This works by allocating a socket to listen to listen-port on the local side. Whenever a connection is made to this port, the connection is forwarded over the secure channel and a connection is made to host and port from the remote machine. Specifying the ftp: prefix will enable dynamic port forwarding of FTP sessions, forwarding both FTP control and data connections over the SSH session. The -g (gateway) option controls whether all connections or only those originating from localhost will be forwarded.
-R [ftp:]listen-port:host:port
Specifies that the given listen-port on the remote (daemon) host is to be forwarded to the given host and port on the local side. This works by allocating a socket to listen to listen-port on the remote side. Whenever a connection is made to this port, the connection is forwarded over the secure channel and a connection is made to host and port from the local machine. Specifying the ftp: prefix will enable dynamic port forwarding of FTP sessions, forwarding both FTP control and data connections over the SSH session. The -g (gateway) option controls whether all connections or only those or
227. STEM.TACL, MENU HIDDEN, USER SUPER.SUPER, PRI 199, LIMIT 3
Explanation of example settings:
MENU HIDDEN: this service is for use only by system administrators and only in case of emergency. General users won't see the service on the STNO2 Services menu, avoiding confusion and minimizing undesired access attempts.
USER SUPER.SUPER: keeps unauthorized users away from this service, minimizes denial of service.
PRI 199: high priority is sometimes essential for systems maintenance tasks such as stopping a looping application.
LIMIT 3: While only one window might be enough, allows extras just in case.
LOGON REQ (automatically set with RESILIENT YES): protects reconnection to previous sessions and minimizes denial of service. See INPUT_TIMEOUT for additional security that may be appropriate for resilient services.
ADD WINDOW
The ADD WINDOW command defines the file system access points that application programs are to use to exchange data with the remote terminal sessions. Prior to SPR TO801SABE, ADD WINDOW was performed automatically for dynamic sessions when AUTO_ADD_WIN was enabled and an application open request was received for an undefined window. The AUTO_ADD_WIN configuration parameter is no longer supported. All openers of STN must refer to an existing window name.
ADD WINDOW <window name>, TYPE DYNAMIC | STATIC | SU | DEDICATED, TERM_TYPE TN6530 | ANSI | ANY
228. STRICTIONCHECKFAILEDDEFAULT
20: <str1>: forwarding from <str2> to <str3> denied: RESTRICTION-PROFILE PERMIT-OPEN for USER <str4> does not include target host/port
  <str1>: Session Name; <str2>: Normalized originator host address and port; <str3>: Normalized target host address and port; <str4>: User name
20: <str1>: forwarding from <str2> to <str3> denied: USER <str4> not permitted to initiate TCP forwarding
  <str1>: Session Name; <str2>: Normalized originator host address and port; <str3>: Normalized target host address and port; <str4>: Guardian user name
20: <str1>: forwarding from <str2> to <str3> denied: RESTRICTION-PROFILE FORWARD-FROM for USER <str4> does not include originator host
  <str1>: Session Name; <str2>: Normalized originator host address and port; <str3>: Normalized target host address and port; <str4>: User name
20: <str1>: listen request on <str2> denied: SSH2 parameter <str3> set to false
  <str1>: Session Name; <str2>: Normalized address and port to bind; <str3>: ALLOWTCPFORWARDING
20: <str1>: listen request on <str2> denied: USER <str3> not found in database and PARAM <str4> set to true
  <str1>: Session Name; <str2>: Normalized address and port to bind; <str3>: Guardian user name; <str4>: RESTRICTIONCHECKFAILEDDEFAULT
20
229. Server. You can connect with an SFTP client on a remote system to SSH2 listening on the NonStop server as follows:
m.horst@np-dev02> sftp comf.mh@10.0.0.199
Connecting to 10.0.0.199...
comf.mh@10.0.0.199's password:
sftp> dir
al000 auditlog bashhist bench benchcpu benchs2k benchs3k cryptand emsacstm ftps fupcstm osstest osstzip randlmio rs120157 scfcstm secret sftpserv shhistor ssh stna48 t1000 t10000 t100000 t1000000 t10mio taclestm test test101 testbin testbin2 testbin3 testbin4 trace2 tracecap z1000000 zlmio zimio2 zimio3 zlmioftp z50mio zrandlim zzl0mio zzimio zzsal894 zzsa7884 zzshgd zzz10m zzzilmio
sftp>
To Connect to a Remote SSH Daemon from the NonStop Server Using a NonStop SFTP Client
At the TACL prompt, run the SFTP client to create an SFTP session with a remote system as follows:
$DATA1.MHSSH 20> run sftp m.horst@10.0.0.201
SFTP client version T9999H06_22Jan2014_comForte_SFTP_0097
Connecting to 10.0.0.201...
You have no private keys in the key store.
Trying password authentication...
Enter m.horst@10.0.0.201's password:
Add password for m.horst@10.0.0.201 to the password store (yes/no)? no
sftp> ls -l
drwxr-xr-x  509 100     824 Jan 19 15:03
drwxr-xr-x    0   0     688 Nov 24 19:57
-rw-r--r--  509 100    6340 Jun 19  2003 Xdefaults
drwxr-xr-x  509 100     168 Jun 19  2003 Documents
-rw-r--r--  509 100  990000 Jan 19 15:00 ktest2
            509 100 Ja
230. Starting port forwarding on the client system
The following command will start a port forwarding daemon on the client system:
$TB.TBSSH79 13> run ssh -S $TBS79 -N -L 2323:127.0.0.1:23 comf.tb@10.0.0.198
SSH client version T9999H06_22Jan2014_comForte_SSH_0097
You have no private keys in the key store.
Trying password authentication...
Enter comf.tb@10.0.0.198's password:
The client will not be active before the password is given at the prompt. The port forwarding client listens for incoming connections on port 2323. 127.0.0.1:23 is the IP address/port of TELSERV on the remote system, from the perspective of the remote NonStop host.
Connecting to the port forwarding client with a Telnet client
The following command will direct local Telnet traffic to the port forwarding client, which in turn will forward it to the remote NonStop system:
$TB.TBSSH79 2> telnet 127.0.0.1 2323
TELNET Client T9558H01 (19MAR12) IPMAAH Copyright Tandem Computers Incorporated 2004
Trying...
Connected to 127.0.0.1.
Escape character is
WELCOME TO NPS762A PORT $ZTC1.#23 WINDOW $ZTN1.#PTYKFEK
TELSERV - T9553G06 (24FEB2006) IPMAEF
Available Services: OSS TACL EXIT
Enter Choice>
The following log message will show up in the SSH2 log file, indicating that the session was indeed forwarded over the SSH session:
$TBS79|08Jul08 07:54:46.08|50|NPNS01.Z0D3: forwarding TCP connection from 127.0.0.1:5030 to 127.0.0.1:23
231. Copyright 1995, 1996 by David Mazieres <dm@lcs.mit.edu>. Modification and redistribution in source and binary forms is permitted provided that due credit is given to the author and the OpenBSD project by leaving this copyright notice intact.
4. The Rijndael implementation by Vincent Rijmen, Antoon Bosselaers and Paulo Barreto is in the public domain and distributed with the following license:
@version 3.0 (December 2000)
Optimised ANSI C code for the Rijndael cipher (now AES)
@author Vincent Rijmen <vincent.rijmen@esat.kuleuven.ac.be>
@author Antoon Bosselaers <antoon.bosselaers@esat.kuleuven.ac.be>
@author Paulo Barreto <paulo.barreto@terra.com.br>
This code is hereby placed in the public domain.
THIS SOFTWARE IS PROVIDED BY THE AUTHORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
232. T to 0 (zero) disables the feature, usually meaning the application will hang until Terminal Helper finally responds. The signal can occur promptly after NBOT_TIMEOUT expires, but can be delayed as much as 60 seconds.
NEGOT_TIMEOUT <seconds>
This is the time allowed for IAC negotiations to complete, defaulting to 20 seconds. If the timeout expires (usually due to the TN6530 client improperly configured with line mode disabled), an STN50 message is displayed for 10 seconds, then the session is terminated. <seconds> can be in the range from 1 to 120.
OBEY <edit file name>
OBEY processes STNCOM commands from an EDIT format file. <edit file name> specifies the EDIT file in which the commands are listed. Commands can be nested up to six levels deep.
OPEN <STN process name>
OPEN opens the specified STN process for subsequent commands. <STN process name> specifies the process to be opened. If another process is already open, that process is closed. If the OPEN fails, all STNCOM commands requiring an application are rejected until a successful OPEN is completed. The STN version and vproc are displayed after a successful OPEN, before the STNCOM prompt.
Examples:
OPEN $STN
OPEN $STN2
OPENER_WAIT <seconds>
OPENER_WAIT specifies a timeout at the beginning of the session while waiting for the application to first open the window. OPENER_WAIT allows val
233. TE <date time>] [, EXPIRE-DATE <date time>] [, RESTRICTION-PROFILE <profile name>] [, SFTP-CPU-SET <cpu> | <cpu range> | <cpu range list>] [, SFTP-GUARDIAN-FILESET <pattern> [, <pattern> ...]] [, SFTP-INITIAL-DIRECTORY <directory path> [LOCKED]] [, SFTP-PRIORITY <number>] [, SFTP-SECURITY <sftp attr> [, <sftp attr> ...]] [, SHELL-COMMAND <command>] [, SHELL-ENVIRONMENT <filename>] [, SHELL-PROGRAM DEFAULT | <path> | MENU | MENU <service> | FORCE] [, SYSTEM-USER <system user name> | NONE]
Only the <user name> is mandatory in the command; all other fields are optional. The individual attributes have the following meaning and syntax:
<user name>: The name of the user to be added. It is not required that this user is a Guardian user name, but Guardian user names like ADMIN.JOE or alias names can be used. The important bit here is to be aware that this SSH user name is not used as logon name. The actual Guardian user is defined by the attribute SYSTEM-USER. It is possible to specify a logon id in double quotes, which allows to execute client commands like ssh "110,23"@NonStop.com. But only if SYSTEM-USER is set to 110,23, or the corresponding <group>.<user> value, or an alias with that logon id, the operations on the NonStop server will be executed with logon i
234. TO IN WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
2. The 32-bit CRC compensation attack detector in deattack.c was contributed by CORE SDI S.A. under a BSD-style license.
Cryptographic attack detector for ssh - source code
Copyright (c) 1998 CORE SDI S.A., Buenos Aires, Argentina. All rights reserved.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that this copyright notice is retained.
THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES ARE DISCLAIMED. IN NO EVENT SHALL CORE SDI S.A. BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY OR CONSEQUENTIAL DAMAGES RESULTING FROM THE USE OR MISUSE OF THIS SOFTWARE.
Ariel Futoransky <futo@core-sdi.com> <http://www.core-sdi.com>
3. ssh-keyscan was contributed by David Mazieres under a BSD-style license.
235. TP/SCP client during the authentication phase.
Parameter Syntax: AUTOADDAUTHPRINCIPAL TRUE | FALSE
Arguments: TRUE | FALSE Specifies whether to add PRINCIPAL.
  o TRUE: PRINCIPAL will be added if and only if either the password or the keyboard-interactive authentication method was successful, and only if the gssapi-with-mic authentication was executed successfully on Kerberos level.
  o FALSE: PRINCIPAL will not be added, even when either the password or the keyboard-interactive authentication method was successful and the gssapi-with-mic authentication was executed successfully on Kerberos level.
Default: If omitted, AUTOADDAUTHPRINCIPAL is set to FALSE.
Example: AUTOADDAUTHPRINCIPAL TRUE
AUTOADDSYSTEMUSERS
Use this parameter to control whether remote users can log on via SSH using a Guardian user ID or alias without configuring them explicitly via SSHCOM in the SSHCTL.
Parameter Syntax: AUTOADDSYSTEMUSERS TRUE | FALSE
Arguments: TRUE | FALSE Specifies whether users logging on with a system User ID are automatically added to SSHCTL. Following are the two valid options:
  o TRUE: system users are automatically added upon first login.
  o FALSE: logons of any user not contained in the SSHCTL will be denied.
Considerations:
• Values of parameters AUTOADDSYSTEMUSERS, AUTOADDSYSTEMUSERSLIKE and USETEMPLATESYSTEMUSER are used together for automatic addi
236. TS. When set to NO, this attribute is used to restrict a user to a maximum of one remote host the user can establish a connection from at any time. The restriction is based on the SSH user configured in the SSH2 database, not the system user. After disconnecting all sessions from one host, the user can connect from a different host. All SSH2 processes that access the same SSH2 database share the restriction. If the attribute is set to YES, then a user can establish sessions from different remote hosts at the same time.
ALLOW-PTY
This attribute is used to grant or deny the ability to allocate a pseudo TTY for a session. The pseudo TTY enables the user to execute full screen interactive applications such as Emacs or vi.
ALLOW-SHELL
This attribute is used to grant or deny shell access to the user.
ALLOW-TCP-FORWARDING
This attribute is used to grant or deny port forwarding for a user. The value of this user attribute is ignored if the global SSH2 parameter ALLOWTCPFORWARDING is set to FALSE.
ALLOWED-AUTHENTICATIONS
This attribute is used to specify the authentication mechanisms that are allowed for this user. <method> is one of the following authentication methods currently supported by SSH2:
• password: Password authentication facilitating the NonStop system's password authentication mechanism. The password is validated against the SYSTEM-USER's password. Local authentic
237. The following SSHCOM commands show how to assign a PATHWAY PROGRAM as the initial program on a 6530 pseudo terminal:
> RUN SSHCOM $SSH01
SSHCOM T0801H01_22JAN2014_ABK (2014-01-24 14:42:45.368)
OPEN $ssh01
ALTER USER PW-USER, CI-PROGRAM $SYSTEM.SYSTEM.PATHCOM, &
CI-COMMAND "$PMON; RUN PROGRAM-LOGON-PROG"
OK, user PW-USER altered.
Configuring a Service Menu
STN can also display a service menu to 6530 clients connecting over SSH, allowing users to access a service mapped to pre-configured static windows or to a service program started on the dynamic window. This feature allows the complete migration of an existing Telnet access configuration to SSH. The following SSHCOM commands show how the STN service menu can be enabled for 6530 pseudo terminals:
> RUN SSHCOM $SSH01
SSHCOM T0801H01_22JAN2014_ABK (2014-01-24 14:42:45.368)
OPEN $ssh01
ALTER USER SERVICE-USER, CI-PROGRAM MENU
OK, user SERVICE-USER altered.
For non-6530 pseudo terminals, the STN service menu can be enabled via:
> RUN SSHCOM $SSH01
T9000B03_02DEC2009_SSHCOM
OPEN $ssh01
ALTER USER SERVICE-USER, SHELL-PROGRAM MENU
OK, user SERVICE-USER altered.
Unless configured otherwise, STN will present TACL as the only available service. Additional services can be added with STNCOM using the ADD SERVICE and ADD WINDOW commands. Please refer to the STNCOM Commands section for further details.
Configuring an STN Service or Wi
238. _INIT: An SSH2 process has created the pseudo terminal (PTY) under its control. Any application processes on the terminal are started by SSH2.
STATUS WINDOW <window name>
Displays current status information for the specified windows, or for all windows. The output format for sessions created via SSH is as follows:
<window> <status> <a> openers <param list>
<window>: Window name, e.g. #ZWN0002
<status>: STARTED (not in session), STOPPED, or IN SESSION
<a>: Indicates that either no, or 1 or more, applications have this window open
<param list>: Detailed information such as term_rows, term_columns, client IP address, etc.
STIX [RESET]
Displays cumulative statistics on the number of sessions. STIX displays the counters; STIX RESET displays, then resets.
STNCOM_PROMPT <text>
This command redefines the prompt sent by STNCOM to the terminal for new command input. <text> may contain any displayable character except quote, and may be 0 to 60 characters long. Zero means to use the default STNCOM prompt. Certain embedded commands (case independent) in <text> are replaced as follows:
• %P: the target process name
• %X: the target expand node name
• %T: the target system LCT time in format HH:MM
• %D: the target system LCT date in format yyyy-mm-dd
• %N: ascii carriage return / line feed
This a
239. _PROMPT
STNCOM_PROMPT:
• Redefines the prompt for all future STNCOM openers to an STN process.
• Does not take effect until the next STNCOM open (see note below).
• Is stored in the configuration of the running STN process, which is convenient.
• Is maintained on a backup takeover of STN.
• Must be re-entered every time STN is started.
• Overrides PROMPT.
• Is included in SAVECFG output.
STNCOM_PROMPT is normally included in the OBEY or IN file used to configure STN at STN process startup, if a prompt other than the default is desired. However, if STNCOM_PROMPT is manually entered from a conversational STNCOM session, it does not take immediate effect. However, INFO STN will show the new setting. To force immediate use of the new setting, either stop and restart STNCOM, or use the OPEN command to reopen the same STN process. The new STNCOM_PROMPT setting will then be used by STNCOM.
STNCOM_PROMPT Example:
11> stncom $ZPTY
STNCOM T0801H01_22JAN2014_ABK (2014-01-24 15:25:12.354)
OPEN $zpty
T0801H01_22JAN2014_ABK
15:25. info stn STNCOM_PROMPT
STNCOM_PROMPT t AE
15:25. stncom_prompt %P
stncom_prompt %P Accepted
15:25. info stn
CHOICE_TEXT "%nEnter Choice>"
STNCOM_PROMPT WSP ST WELCOME OFF
15:25. time
time 19Dec11 09:15:46.35
15:25. open $zpty
open $zpty
$ZPTY. time
time 19Dec11 09:16:09.71
$ZPTY.
STNLOG <text>
Provides a means to enter log messages to the STN EMS output. It is intended for the SSL process to send
240. (table of contents fragment; dot leaders and page numbers lost in extraction)
WSINFO NONE | QUERY | REQUIRED | MATCH
WINSCRIPT_FIRST
Session and Window Naming
GWN Related STNCOM Commands
GWN Related EMS Events
SCF and SPI
EMS Events
Client Messages at the Remote Workstation
STN Application I/O Handling
Monitoring and Auditing
  Introduction
  Log Messages
  Content of Log Messages
Performance Considerations
  Introduction
  Performance Analysis of SSH Session Establishment
  Performance Running as SSH Daemon
  Performance Analysis of SFTP Traffic
  SFTPSERV Performance of ls Command with Wildcards
  Performance When Running as SSH Client
Troubleshooting
  Introduction
241. a customer name is set, either via the license file or via parameter CUSTOMER, it will be used for encryption and decryption of the SSHCTL database records and the HOSTKEY file.

Parameter Syntax: CONFIG customer

Arguments:
customer: Specifies the customer name. If the parameter value contains one or more commas or spaces, it must be enclosed in double quotes.

Example: CUSTOMER "comForte 21 GmbH"

Considerations:
- The parameter CUSTOMER has precedence over the customer name in the license file.
- When you plan to duplicate the host key and user database onto other NonStop systems, such as a disaster recovery system, you need to make sure the parameter CUSTOMER or the license file of that other system has the same customer name in it. Otherwise the host key file and user database cannot be used on the other system. If you purge the HOSTKEY and SSHCTL files and restart the SSH2 process, a new HOSTKEY and SSHCTL file will be created using either the value of parameter CUSTOMER or, if that does not exist, the customer name from the license file, if that exists.
- Although a license file is no longer required for NonStop SSH on H and J operating systems, any existing HOSTKEY and SSHCTL file requires the customer name that was used to create the file. If a license file exists, the customer name will be extracted from that file (entry SSH2 customer) unless parameter CUSTOMER is set, in which case the value of CUSTOMER is u
242. a single ALTER USER command.

RESET: This option is used to reset an attribute of the current user to its default value. For each attribute that should be reset there must be a separate occurrence of the RESET option. An attempt to both set and reset an attribute will result in an error message. The following attributes can be reset:
- SFTP INITIAL DIRECTORY
- SYSTEM USER
- SFTP SECURITY
- SFTP PRIORITY
- SFTP GUARDIAN FILESET

RESTRICTION PROFILE: Specifies the name of a RESTRICTION PROFILE entity. If configured for a user, the restrictions defined in the RESTRICTION PROFILE record will be applied to all incoming and outgoing connections related to the user.

SFTP CPU SET: Defines a set of CPUs used when SFTPSERV processes are invoked directly by SSH2 (for non-SFTPSERV processes the attribute CPU SET is used instead). CPUs are assigned via a round-robin algorithm among all the configured CPUs that are available. The value can be a CPU number (e.g. 2), a range of CPUs (e.g. 3-4), or a comma-separated list of CPU numbers and CPU ranges enclosed in parentheses (e.g. (2,5,7-9)). The default is to start user processes in the same CPU in which the SSH2 process is running; in this case the processing load is spread by using multiple SSH2 processes and starting these SSH2 processes in different CPUs. If no value is specified, the value will be reset to the default. The default is to use the value of SSH2 parameter SFTPCPUSET to determine a CPU
243. a single command on that system using the SSH client from OSS:

$TB.TBSSH79 8> run ssh -S $TBS79 burgt@10.0.0.12 pwd
SSH client version T9999H06_22Jan2014_comForte_SSH_0097
You have no private keys in the key store.
Trying password authentication.
Enter burgt@10.0.0.12's password:
Add password for burgt@10.0.0.12 to the password store (yes/no)? yes
/home/burgt
$TB.TBSSH79 9> run ssh -S $TBS79 burgt@10.0.0.12 pwd
SSH client version T9999H06_22Jan2014_comForte_SSH_0097
/home/burgt
$TB.TBSSH79 10>

Note that the password for the remote system is stored after the first issuing of the command, so that the next time the password no longer needs to be entered.

Using the SSH client to create a port forwarding daemon
The following example shows how to use port forwarding to tunnel a Telnet session between two NonStop systems through SSH, to encrypt the network traffic. It is based on the following assumptions:
- An SSH2 daemon is installed on the remote NonStop system with port forwarding allowed. That requires the parameter ALLOWTCPFORWARDING to be set to TRUE.
- The IP address on the remote NonStop system is 10.0.0.198. A TELSERV is running on port 23 on that IP stack.
- A Guardian user named COMF.TB exists on the remote system.
The concept of port forwarding can be applied to any TCP protocol which uses a single port on the server side of the connection
244. a single user will be displayed. For unconventional user names, which must be put in double quotes, please see the <user name> description under ADD USER.

If used without the DETAIL modifier, INFO USER provides a brief summary for each user displayed. The following is an example of the output of INFO USER:

% info user us1
info user us1
USER  KEYS  SYSTEM USER  LAST MODIFIED  LAST LOGON     STATUS
us1   2     ulrich       20Apr12 16:00  20Apr12 16:02  THAWED
%

If used with the DETAIL modifier, INFO USER provides detailed information about each user displayed. The following is an example of the output of INFO USER DETAIL:

% info user us1 detail
info user us1 detail
USER  KEYS  SYSTEM USER  LAST MODIFIED  LAST LOGON     STATUS
us1   2     ulrich       20Apr12 16:07  20Apr12 16:02  THAWED
USER us1
  COMMENT NONE
  ALLOWED AUTHENTICATIONS password publickey keyboard-interactive
  OWNER NONE
  PUBLICKEY k1
    COMMENT used for file transfer from node linux-dev
    MD5 6b:88:75:78:7e:90:bb:7c:eb:0d:94:64:79:07:1f:bd
    BABBLE xegop-hyvik-fucud-tubon-nuvin-pugeg-kovac-vipif-vunym-peset-zyxyx
    CREATION DATE 20Apr12 15:05
    LIVE DATE NONE
    EXPIRE DATE NONE
    LIFE CYCLE STATE LIVE
    LAST MODIFIED 20Apr12 16:07
    LAST USAGE NONE
  PUBLICKEY testkey3
    COMMENT
    MD5 9e:67:60:36:e0:a4:88:ac:19:f1:39:61:19:0e:88:76
    BABBLE xezaz-fimuf-gacoz-rorid-zutol-cezuc-pygyf-fypes-ponih-lynol-zaxix
    CREATION DATE 20Apr12 16:00
    LIVE DATE NONE
    EXP
245. age issuers is reached.

LOGFILE
Use this parameter to define whether SSH2 log messages are written to a file and, if so, to which file.

Parameter Syntax: LOGFILE file

Arguments:
  Means that no log messages are written to a file.
  filenameprefix: Specifies the prefix of the log file set. The actual audit file names are constructed from the assigned prefix and a number generated according to the settings of the LOGFILERETENTION parameter.

Default: By default no log messages are written to a file.

Considerations:
- The LOGLEVELFILE parameter controls which messages are produced by SSH2.
- The LOGFORMATFILE parameter controls the log message format.

See also:
- LOGCONSOLE, LOGLEVELFILE, LOGFORMATFILE, LOGMAXFILELENGTH, LOGFILERETENTION
- Log Messages in the chapter entitled Monitoring and Auditing

LOGFILERETENTION
Use this parameter to control how many log files SSH2 keeps when log file rollover occurs.

Parameter Syntax: LOGFILERETENTION n

Arguments:
  n: Specifies the number of log files to keep.

Default: By default 10 files are kept.

Considerations:
- Setting the parameter to a value of 0 disables log file retention.
- If log file retention is enabled, a minimum of 10 is enforced by this parameter.
- See section Logfile/Auditfile Rollover in the Monitoring and Auditing chapter for details on file rollover.
- The file security set for the cu
246. ages. Default: no prefix string.
  Set the prefix used for prompt query messages. Default: no prefix.
  ciphers: Select encryption algorithms.
  macs: Specify MAC algorithms.
  -p port: Connect to this port. The server must be listening on the same port.
  -L listen-port:host:port: Forward a local port to a remote address.
  -R listen-port:host:port: Forward a remote port to a local address.
  These cause ssh to listen for connections on a port and forward them to the other side by connecting to host:port.
  Enable compression.
  Do not execute a shell or command.
  Allow remote hosts to connect to forwarded ports.
  option: Process the option as if it was read from a configuration file.
  Invoke command (mandatory) as SSH2 subsystem.
  process: Connect using this SSH2 process.

STOPPED: $Z3PT  CPU time: 0:00:00.007
2: Process terminated with fatal errors or diagnostics
Termination Info: 1
$US.SSH89 5>

General runtime options:
  -l user: Specify the user to log in as on the remote machine.
  -V: Display the version number only, then terminate.
  -Z: The banner normally printed by the ssh client is suppressed (the line "SSH client version T9999H06_22Jan2014_comForte_SSH_0097" in the above example). The suppression of the client banner can also be achieved by specifying a PARAM environment variable SUPPRESSCLIENTBANNER with possible values 0 (false) and 1 (true); the -Z option takes precedence over the PARAM environment variable.
247. al attributes have the following meaning and syntax:

<system user name>: A valid GUARDIAN user who owns the key in the SSH key store. If <system user name> is omitted, either the user set in a previously issued ASSUME USER command or the issuer of the ALTER KEY command will be used as the default. If <system user name> is specified, it MUST be followed by a separator to separate it from the key name.

<key name>: The name of the key owned by the current user. A wildcard character as part of the key name will be interpreted as such, and information about all key names matching the wildcard will be displayed.

OUTPUT format of INFO KEY command
If used without the DETAIL modifier, INFO KEY provides a brief summary for each key displayed. The following is an example of the output of INFO KEY:

% info key
info key
KEY        USER         LIFE CYCLE  LAST USE       STATUS
mytestkey  mh           PENDING     NONE           THAWED
tst4       stus         PENDING     NONE           THAWED
new1       super.super  LIVE        08Jul11 18:22  THAWED
us2        super.super  EXPIRED     NONE           THAWED
tstky                   PENDING     NONE           THAWED
ky99                    PENDING     NONE           THAWED
%

If used with the DETAIL modifier, INFO KEY provides detailed information about each key displayed. The following is an example of the output of INFO KEY DETAIL:

% info key new1 detail
info key new1 detail
KEY   TYPE  USER         LIFE CYCLE  LAST USE  STATUS
new1  RSA   super.super
248. al messages.
- Added additional information displayed by the STNCOM VERSION command and an example showing the new startup banner and version info.
- Added SSHCOM command EXPORT SSHCTL, now supporting export to an OSS directory.
- Added description of additional timestamp options in utility SHOWLOG.
- Noted that macro SSH2INFO now prints warning messages if the objects SSH2, SFTPSERV and STN do not have a Safeguard DISKFILE entry with PRIV-LOGON set to ON. The warnings will also be logged at SSH2 startup.
- Added description of new STNCOM commands that provide for unique session and window name generation.
- Added description of the PROGRESS meter command option.
- The section STNCOM Commands has been updated to be in sync with STN help. New commands, parameters and EMS events for session/window naming have been added.
- Setmode 212 and 214 have been added to the setmode table.

Changes in SSH2 release 93 that are incompatible with previous releases:
- The STN AUTO_ADD_WIN configuration parameter is no longer supported. All openers of STN must refer to an existing window name.
- The SSHCOM STATUS SESSION brief output no longer contains the SESSION LOG ID field. It also now uses abbreviated column headings.

Version 4.0
Describes changes in SSH2 release 92. Documentation for the following new features has been added:
- Added section IPv6 and description of the related parameter IPMODE.
- Description of new SSH2 TCP/IP related parameters PTCPIPFILTERTCPPO
249. ameter CUSTOMER is set, in which case the value of CUSTOMER is used. If a license file does not exist and an existing HOSTKEY or SSHCTL file is accessed, the parameter CUSTOMER must be set to the original value of the customer name.
- The public key part of the host key can be exported using the SSHCOM daemon mode command EXPORT HOST KEY.
- If multiple SSH2 processes are started from the same subvolume but used for different purposes, then not only separate SSH database files (configured via SSHCTL) but also separate host key files (configured via HOSTKEY) should be configured. Example: one SSH for maintenance and one for the public network.

Default: If omitted, SSH2 will use a file name of HOSTKEY.
Example: HOSTKEY $SYSTEM.SSH2.SSHKEY
See also: CUSTOMER, HOSTKEYBITS, HOSTKEYTYPE

HOSTKEYBITS
A local host key is generated whenever the SSH2 process detects at startup that no local host key file exists. The size of the local host key that gets generated can be configured using parameter HOSTKEYBITS.

Parameter Syntax: HOSTKEYBITS keysize

Arguments:
  keysize: Integer that specifies the size of the local host key in case one needs to be generated. Valid values are:
  o 1024 or 2048 if the type of host key is RSA
  o 1024 if the type of host key is DSA

Default: If omitted, 1024 is the default value (as before the introduction of this parameter).

Considerations:
- If a HOSTKEY file exists, then no new local host key is g
250. anged or even re-compiled at all. The following picture describes how applications transfer files with the FTP API.

(figure: Application)

When initiating an FTP session via the FTP APILIB, the library starts an FTP client process to handle the actual file transfers for the application. APILIB then communicates via inter-process messages with the FTP client process, mapping the library calls to FTP commands to be processed by the FTP client.

The SFTP API solution works exactly the same way, as the following picture illustrates.

(figure: Application)

For transferring files via SFTP rather than FTP, the application still uses the same APILIB, which is part of the HP NonStop TCP/IP applications and utilities. However, APILIB is directed to start an SFTP rather than an FTP client. The SFTP client supports the same inter-process communication messages as FTP, mapping the programmatic commands to the appropriate SFTP operations.

SSHAPI with SSHLIB
SSHLIB describes the external interface offered by the SSH application program interface (API). SSHLIB is used for launching an SSH object and controlling it automatically by an application via the SSH API. SSHLIB can simplify the task of controlling status or resources on a remote host. It is also helpful for automating setup scripts that duplicate software package installations on different servers. There is no
251. o FALSE: File attributes will be stripped by the realpath function.

Default: If omitted, SSH2 will use the value FALSE.
Example: SFTPREALPATHFILEATTRIBUTEECHOED TRUE

Considerations:
- One SFTP client that is known to call realpath before accessing the remote file is PuTTY. Special processing has been implemented for PuTTY: the SFTP server checks the client version string to detect a PuTTY client. If a PuTTY client is detected, the file attributes are echoed independently of the setting of parameter SFTPREALPATHFILEATTRIBUTEECHOED.
- Parameter SFTPREALPATHFILEATTRIBUTEECHOED needs to be set to TRUE only for other SFTP clients that call realpath before accessing the remote file via the put or get command.

SFTPSECONDARYEXTENTSIZE
Use this parameter to specify the secondary extent size for files that are created on the NonStop system.

Parameter Syntax: SFTPSECONDARYEXTENTSIZE extsize

Arguments:
  extsize: Specifies the value to be used.

Considerations:
- The value can be overridden in put and get commands using the extended syntax described in the section Extended Syntax for Creation of New Guardian Files of the SFTP Client Reference chapter.

Default: If omitted, SSH2 will use a value of 100.
Example: SFTPSECONDARYEXTENTSIZE 200

SFTPUPSHIFTGUARDIANFILENAMES
Use this parameter to enforce uppercase characters for Guardian file names sent using the mput command from a NonStop server t
252. application for the requested dynamic service.

STN21 Dynamic Service Application Creation Error: STN was not able to start the application for the requested dynamic service. An additional message (STN22 to STN34) is displayed with error details from PROCESS_CREATE_.
STN22 file error <fe> on PROGRAM file: PROCESS_CREATE_ error 1, file system status <fe> on PROGRAM file.
STN23 file error <fe> on LIB file: PROCESS_CREATE_ error 3, file system status <fe> on LIB file.
STN24 file error <fe> on SWAP file: PROCESS_CREATE_ error 5 or 6, file system status <fe> on SWAP file.
STN25 file error <fe> on HOME TERM file: PROCESS_CREATE_ error 8 or 9, file system status <fe> on HOME file.
STN26 CPU(s) configured for this service are down: PROCESS_CREATE_ error 10, none of the CPUs for this service are running.
STN27 file error <fe> on process name: PROCESS_CREATE_ error 11, file system status <fe> on HOME file.
STN28 PROGRAM file format error <detail>: PROCESS_CREATE_ error 12, PROGRAM file error (see detail).
STN29 LIB file format error <detail>: PROCESS_CREATE_ error 13, LIB file error (see detail).
STN30 no pcb available: PROCESS_CREATE_ error 15, no PCBs available.
STN31 unlicensed privileged program: PROCESS_CREATE_ error 17.
STN32 library conflict: PROCESS_CREATE_ error 18.
STN33 PROG and LIB files the same: PROCESS_CREATE
253. applications such as vi or Emacs.

To Open an OSS Shell Using a Remote SSH Client
Note: This functionality requires OSS to be installed and running on your system.

After the STN and SSH2 processes have started successfully, you can connect using an SSH client on a remote system. In the SSH command you have to specify the Guardian userid and the IP address or host name that SSH2 is listening on:

horst@np-dev02> ssh comf.mh@10.0.0.199
The authenticity of host '10.0.0.199 (10.0.0.199)' can't be established.
DSA key fingerprint is 26:b8:77:fb:2f:22:81:3b:6:44:4f:19:66:67:9a:be.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.0.0.199' (DSA) to the list of known hosts.
comf.mh@10.0.0.199's password:
ls
al000     emsacstm  secret    t10mio    trace2    zrandlim
auditlog  ftps      sftpserv  taclcstm  tracecap  zz1l0mio
bashhist  fupcstm   shhistor  test      z1000000  zzimio
bench     osstest   stna48    test101   zlmio     zzsal894
osstzip   t1000     testbin   zilmio2   zzsa7884
randlmio  t10000    testbin2  zlmio3    zzz10m
rsl20157  t100000   testbin3  zimioftp  zzzlmio
cryptand  scfcstm   t1000000  testbin4  z50mio

Please note that the Guardian userid is specified on the SSH command line.

Note: The very first time you connect, you will have to verify the authenticity of the host by adding the fingerprint of the host's public key to the trust list.

To Get a TACL Promp
254. ard, an alias is just an alternate name for a user. But customers sometimes use different alias names that are all assigned to the same underlying Guardian user ID. This presented a huge security hole if an alias was not used as an alternate name (i.e. one human owns both the alias and the underlying Guardian user) but as a unique user name with a different human being behind each alias. Please refer to the Safeguard reference manual for the features of Safeguard security management.

Client Mode Owner Policy LOGINNAME
The default owner is the login name, which can be a Guardian user identifier or an alias. An alias user cannot add, read or manipulate entries for the Guardian user the alias is configured with; vice versa, a Guardian user also cannot add, read or manipulate entries for associated aliases. In other words, a Guardian or alias user can add or manipulate entries for that Guardian or alias user only. The value LOGINNAME is recommended if different people are using the various aliases configured with the same Guardian user identifier.

Client Mode Owner Policy GUARDIANNAME
The default owner is the Guardian user identifier, independent of whether the logon name is an alias or a Guardian user. Entries are read using the Guardian user ID only. This means that a Guardian user can add, read and manipulate entries for associated alias users, and vice versa. The assumption is that the same person uses the aliases of a Guardian user identifier and the Guardian user identif
255. are MENU, and TACL or OSH can be selected from the STN menu, then a logon for TACL or OSS is required. It is possible to specify the logon id (e.g. 11,23) in double quotes. The logon id will be converted to <group>.<user> before the value for SYSTEM USER is set.

ALTER USER
The ALTER USER command changes one or more attributes of an existing user and has the following syntax:

ALTER USER <user name>
  ALLOW CI yes|no
  ALLOW CI PROGRAM OVERRIDE yes|no
  ALLOW GATEWAY PORTS yes|no
  ALLOW MULTIPLE REMOTE HOSTS yes|no
  ALLOW PTY yes|no
  ALLOW SHELL yes|no
  ALLOW TCP FORWARDING yes|no
  ALLOWED AUTHENTICATIONS <method> <method> <method>
  ALLOWED SUBSYSTEMS <subsystem> <subsystem> <subsystem>
  CI COMMAND <command>
  CI PROGRAM <filename> | MENU | MENU <service> [FORCE]
  COMMENT <comment> | "<comment containing spaces>"
  CPU SET <cpu> | <cpu range> | <cpu range list>
  DELETE PRINCIPAL <user> <REALM> <REALM>
  DELETE PUBLICKEY <key name>
  OWNER <system user name> | NONE
  PRINCIPAL <user> <REALM> <REALM>
  PRIORITY 1 | <priority>
  PTY SERVER DEFAULT | <process name>
  PUBLICKEY <key name> FINGERPRINT <fingerprint value> | FILE <filename>
  F
256. are written to EMS.

Considerations:
- The LOGLEVELEMS parameter controls which messages are produced by SSH2.
- The LOGFORMATEMS parameter controls the log message format.
- The parameter can be changed without restarting SSH2, using the SSHCOM command interpreter.
- To send messages to the default collector $0, use LOGEMS $0.
- If the EMS collector specified cannot be opened during startup, SSH2 will write to the collector $0.
- If the EMS collector cannot be opened after it has been changed through SSHCOM, the original collector stays active.

See also: LOGLEVELEMS, LOGFORMATEMS

LOGEMSKEEPCOLLECTOROPENED
This Boolean parameter controls whether the configured EMS collector (see LOGEMS) is opened and closed for every log message.

Parameter Syntax: LOGEMSKEEPCOLLECTOROPENED TRUE|FALSE

Arguments:
  TRUE: The EMS collector is opened once and re-opened only after errors.
  FALSE: The EMS collector is opened and closed for each log message written to the EMS collector configured via parameter LOGEMS.

Default: The default for this parameter is TRUE.
Example: LOGEMSKEEPCOLLECTOROPENED TRUE

Considerations:
- Keeping the EMS collector open instead of opening and closing it for every log message reduces overhead.
- Closing the collector for every log message is only required if the collector's supported maximum number of event mess
257. arious SSH related tasks with a remote SSH system. We base this section on some assumptions:
- OpenSSH is installed on the remote system, with sshd listening on port 22.
- The IP address of the NonStop system is 10.0.0.199.
- The IP address of the remote system is 10.0.0.201.
- The SSH2 server will listen on port 22.
Some of the steps illustrated here are only covered briefly; these steps are covered in detail in subsequent sections of this documentation.

Quick Starting the SSH2 System
This section illustrates how to quickly start the SSH2 system and provides an overview of the functionality available. For a production installation you will need to consider availability, load balancing and security related issues. Please refer to the Configuring and Running SSH2 chapter for details.

To start the STN Pseudo Terminal Server
To enable remote SSH clients to allocate a pseudo terminal for full screen access, you will need to start an STN process to act as a PTY server for SSH2. You may omit this step if full screen access is not required.
1. At the TACL prompt, issue the following commands:
   CLEAR ALL PARAM
   PARAM BACKUPCPU ANY
   RUN STN /NAME $PTY, NOWAIT/
2. Verify that the process started successfully by checking its status and EMS for any error messages.

Note: For productive use of the STN component it is recommended that you install the EMS template file ZST
258. as the default user. If <old system user name> is specified, it MUST be followed by a separator to separate it from the key name.

<new key name>: The new name of the key entry. A key entry with this name, owned by the specified GUARDIAN user, must NOT already exist in the user database.

THAW KEY
The THAW KEY command thaws a key. The command has the following syntax:

THAW KEY <system user name> <key name>

The individual attributes have the following meaning and syntax:

<system user name>: A valid GUARDIAN user who owns the key entry in the user database. If <system user name> is omitted, either the user set with a previously issued ASSUME USER command or the issuer of the THAW KEY command is used as the default. If <system user name> is specified, it MUST be followed by a separator to separate it from the key name that follows. Only the SUPER.SUPER user (unless explicitly denied in the OBJECTTYPE USER record) or those configured with full SSHCOM access can thaw a key entry for other users.

<key name>: The name of the key to be thawed.

Client Mode Commands Operating on the PASSWORD Entity

ADD PASSWORD
The ADD PASSWORD command adds a new password to the database and has the following syntax:

ADD PASSWORD <system user name> <remote user> <target host> <target port> <word> <
259. as the second runtime argument, the output is written to the home terminal. When using the byte offset parameter, or the byte offset and length parameters, the out file parameter must be specified as well.
- Starting with SPR T0801 ABE, SHOWLOG reports errors regarding invalid timestamps. It is now possible to specify just a time without a date. If there is only a time for the <start> timestamp, then the current day is used as default. If there is no date part for the <end> timestamp, then the day of the <start> timestamp is used as default for the <end> date. It is now also possible to use a comma as delimiter between the date and time parts, which allows dropping the double quotes that are necessary if a space is used as delimiter. SHOWLOG now accepts one-digit hours and days, as in 1Nov12 3:10, which is treated as 01Nov12 03:10.

Viewing File Contents from OSS
The log or audit files created by SSH2 are unstructured files and can be viewed from OSS with standard OSS tools such as more or tail. Standard OSS filter tools such as grep, awk or wc can also be applied. This allows users to make use of the powerful Unix syntax for text processing.

Performance Considerations

Introduction
As the saying goes, there is no such thing as a free lunch: using SSH2 to encrypt traffic will consume some C
260. ase entity USER. It determines the length of the interval a user public key stays in state PENDING after creation, before it switches to state LIVE.

Parameter Syntax: INTERVALPENDINGPUBLICUSERKEY number-of-days

Arguments:
  number-of-days: The number of days a user public key will be in state PENDING after creation and before reaching state LIVE.

Default: The default value for this parameter is 0, i.e. newly added user public keys go into state LIVE immediately unless this parameter is set to a value other than 0.
Example: INTERVALPENDINGPUBLICUSERKEY 30

Considerations:
- The life cycle configuration of existing user public keys is not modified by this parameter. If existing keys need to participate in life cycle control, they must be configured via the ALTER USER PUBLICKEY command, specifying the LIVE DATE and EXPIRE DATE command options.
- The parameter value is ignored if the life cycle for user public keys is disabled, i.e. if LIFECYCLEPOLICYPUBLICUSERKEY is set to DISABLED.
- The parameter value is ignored if the USER PUBLICKEY attributes LIVE DATE and EXPIRE DATE are specified in ALTER USER PUBLICKEY commands (if a user is allowed to specify these attributes according to the key lifecycle policy).

See also: LIFECYCLEPOLICYPUBLICUSERKEY, INTERVALLIVEPUBLICUSERKEY

IPMODE
This parameter is used to set the IP mode the SSH2 process is running in. Depending on this parameter, the SSH2 process supports IPv
261. ase using SSHCOM from a TACL prompt:

$DATA1.SSH2 7> run sshcom ssh01
SSHCOM T0801H01_22JAN2014_ABK 2014-01-24 15:42:47.440
OPEN ssh01
% mode client
mode client
OK, switched to client mode
% generate key test1 type rsa comment Thomas key
generate key comf.tb test1 type rsa comment Thomas key
OK, key comf.tb test1 successfully generated
%

Now the key has been generated and stored in the database. The next step exports that key and configures it on the remote system.

To Export the Public Key and Configure it on the Remote System
The following command within SSHCOM exports the public part of the key just generated and writes it into a file:

$DATA1.SSH2 7> run sshcom ssh01
SSHCOM T0801H01_22JAN2014_ABK 2014-01-24 15:42:47.440
OPEN ssh01
% export key comf.tb test1 file $data1.tbtmp.tbkey format openssh
export key comf.tb test1 file $data1.tbtmp.tbkey format openssh
OK, key comf.tb test1 exported
%

Note: If you are executing SSHCOM as SUPER.SUPER, you will need to switch to CLIENT mode before exporting the key. Please issue the following command before the EXPORT KEY command: MODE CLIENT

The file $data1.tbtmp.tbkey now needs to be transferred to the remote system in BINARY mode. Note that the file contains only the public key and therefore no sensitive information. The public key exported to the tbkey file can now
262. assed to CI PROGRAM. Specify CI COMMAND without <command> to reset the attribute to its default (an empty startup string). CI COMMAND is ignored if CI PROGRAM is set to MENU.

CI PROGRAM: Sets the command interpreter to be started on a 6530 pseudo TTY after the user is authenticated. In this case, filename is the name of the command interpreter's object file. It must be a local file name. If you omit the attribute value, CI PROGRAM is reset to its default, TACL. Startup parameters can be specified for the configured program, which is especially of interest for the program value TELNET (please refer to the section Using TELSERV as Service Provider). Please note: specifying startup parameters in addition to the program file name requires double quotes around the CI PROGRAM attribute value, for example ALTER USER CI PROGRAM "TELNET <ip addr> <port>". If MENU is specified, the 6530 shell is connected to the service menu provided by the STN PTYSERVER. This resembles the functionality of TELSERV, which provides dynamic services as well as services connecting to static windows. The services offered by the STN PTYSERVER process can be configured using STNCOM. ALLOW PTY must be set to YES for this attribute to be accepted for 6530 SSH clients such as MR-Win6530 or J6530. If MENU is followed by a service or window name, the corresponding service or
263. assword <str1>
      <str1> = Session Name
    • FTP logon o.k., reporting success to FTP client (<str1>)
      <str1> = Session Name
    • <str1> connected to SSH server at <str2>
      <str1> = Session Name; <str2> = Normalized target host address and port
    • <str1> SSH server version is <str2>
      <str1> = Session Name; <str2> = Server version
    • <str1> Host key MD5 is <str2>
      <str1> = Session Name; <str2> = Host key MD5 value
    • <str1> Host key bubble babble is <str2>
      <str1> = Session Name; <str2> = SSH server bubble babble
    • <str1> SSH authentication with method none failed, sending SSH authentication request method password
      <str1> = Session Name
    • <str1> initiating SSH tunnel to FTP server at <str2>
      <str1> = Session Name; <str2> = Normalized FTP target host and address
    • SSH2 FTP over SSH gateway listening on interface <str1> port <int1>
      <str1> = TCP/IP network interface; <int1> = Port
    • Warning: channel data exception <str1>
      <str1> = Exception text
    • Warning: unknown channel data exception
    • Warning: error <str1>
      <str1> = Exception text

    Copyright Statements

    As explained in the SSH Protocol Reference chapter, SSH2 uses some open source code for some components. This section of the appendix contains the various copyright notes. All patent
264. ate remote directory
        progress [on|off|min]          Toggle display of progress meter on/off, set it to the minimum value (min), or display the current setting
        put local-path [remote-path]   Upload local file
        pwd                            Display remote working directory
        quit                           Quit sftp
        rename oldpath newpath         Rename remote file
        rm path                        Delete remote file
        rmdir path                     Remove remote directory
        symlink oldpath newpath        Symlink remote file
        touch path                     Touch file
        version                        Show SFTP version
        ?                              Synonym for help
        sftp>

    own:
    • Picks the SSH2 process $TBA01 to communicate with
    • Connects to the remote system with the IP address 10.0.0.201 on port 2222 using the user name burgt
    • Uses the help command to show the commands supported by the SFTP client

    The following command:

        /home/tb: sftposs -S '$tba01' burgt@10.0.0.201:a1000 testget
        Connecting to 10.0.0.201...
        Fetching /home/burgt/a1000 to testget
        /home/burgt/a1000    100%  990   0.0KB/s   00:01
        /home/tb:

    • Picks the SSH2 process $TBA01 to communicate with
    • Connects to the remote system with the IP address 10.0.0.201 on port 2222 using the user name burgt
    • Downloads the file a1000 and places it locally under the file testget

    Client Mode, Owner Policy LOGINNAME: The commands APPEND/LAPPEND do not support structured files.

    SFTP Commands

    Once you are connected to a remote system, the SFTP client issues a prompt (sftp>) and from then o
265. ation is normally done automatically; ALLOC is intended for development use only. Any window names reserved by a previous GWN FILE allocation but not yet used are discarded. The next session will begin with the number just allocated.

    HELP [ALL | command]
    HELP provides online documentation to STNCOM users. The HELP file, named STNCHELP, is located in the same volume and subvolume as the STNCOM program object file. The file is in standard Guardian EDIT file format, with lines of text formatted according to certain rules. These rules are explained in comment lines within the STNCHELP file itself (list this file with EDIT or FUP for more documentation).
    • HELP: HELP without any parameters displays a summary of the HELP file.
    • HELP ALL: Displays all HELP information.
    • HELP command: Displays all HELP file information for the specified command.

    IDLE_WARNING <n>
    IDLE_WARNING controls the number of warning messages (one per minute) to be displayed before the session is terminated by INPUT_TIMEOUT or BANNER_TIMEOUT. <n> can be in the range from 0 to 14400. A value of zero (0) means no STN35 warnings will be displayed until the session is terminated with an STN36 message. The default is 2 (2 minutes).

    INFO ALL
    INFO ALL is a combination of INFO STN, INFO SCRIPT, INFO SERVICE and INFO WIN. Only configured Windows are included, not Dynamic or PTY (SSH) windows. This command is useful when documenting STN configuration for support calls. S
266. ation with password now provides the remote client IP address to system procedure USER_AUTHENTICATE_ if the OS release supports this (H06.26 or later and J06.15 or later).
    • publickey: Public key authentication using the PUBLIC KEYs configured for this user.
    • keyboard-interactive: Authentication according to RFC 4256, mapped to the standard GUARDIAN user authentication dialog, verifying the SYSTEM USER's password as well as taking care of exceptions such as password expiry. Local authentication with password now provides the remote client IP address to system procedure USER_AUTHENTICATE_ if the OS release supports this (H06.26 or later and J06.15 or later).
    • none: Grants access without authentication. This is useful for users connecting to an application requiring its own authentication, e.g. if you configure a PATHWAY PROGRAM as CI PROGRAM.

    CAUTION: When specifying ALLOWED AUTHENTICATIONS none, user access should be properly locked down to avoid security breaches that bypass any authentication, e.g. by setting SYSTEM USER NONE.

    ALLOWED SUBSYSTEMS
    This attribute is used to control access to specific subsystems. <subsystem> is one of the following subsystems provided by SSH2:
    • SFTP: The SFTP subsystem allows the user to transfer files with the SFTP transfer protocol.
    • TACL: The TACL subsystem provides direct TACL access without requiring OSS on the NonStop server.

    CI COMMAND
    This attribute specifies the startup string to be p
267. ault: If omitted, SSH2 will not use a configuration file.
    Example: CONFIG $DATA1.SSH2.SSHCONF
    Considerations:
    • This parameter can only be specified as PARAM or on the startup line. It is not valid within a configuration file.
    • Parameters specified in the configuration file can be overwritten by PARAM or startup line settings.

    CONFIG2
    Use this parameter to specify a second configuration file for an SSH2 process.
    Parameter Syntax: CONFIG2 cfgfile2
    Arguments:
      Means no CONFIG file is used.
      cfgfile2: Specifies the name of the second configuration file.
    Default: If omitted, SSH2 will not use a second configuration file.
    Example: CONFIG2 $DATA1.SSH2.SSHCONF2
    Considerations:
    • The second configuration file has precedence over the first one.
    • This parameter can only be specified as PARAM or on the startup line. It is not valid within a configuration file.
    • Parameters specified in the configuration file can be overwritten by PARAM or startup line settings.

    CONSOLEBURSTSUPPRESSION
    Use this parameter to configure burst suppression for log message duplicates of log target console (home terminal).
    Parameter Syntax: CONSOLEBURSTSUPPRESSION TRUE | FALSE
    Arguments:
      TRUE | FALSE: Specifies whether CONSOLEBURSTSUPPRESSION is enabled or not.
        o TRUE: Duplicate log messages will be suppressed.
        o FALSE: Duplicate log messages will not be suppressed.
    Con
268. babble fingerprint of the remote host's public key.
    Cause: The client failed to open a suitable SSH2 server process.
    Effect: Depends on the configuration of the STRICTHOSTKEYCHECKING parameter of the SSH2 process serving this client. If STRICTHOSTKEYCHECKING is FALSE, the client will display the following prompt:

        Continue and add the host to the knownhost store (yes/no)?

    If the user enters "yes", a KNOWNHOST object storing the remote host's public key is automatically added for the user to the SSHCTL database. Otherwise the client process terminates. If STRICTHOSTKEYCHECKING is FALSE, the client will display the following messages:

        For convenience the host identification has been added FROZEN. Host name is <hostname>.
        Please contact your system administrator.

    In this case SSH2 has automatically added a KNOWNHOST object named <hostname> storing the remote host's public key. However, the KNOWNHOST attribute FROZEN is set to disallow any connections to that host until it is THAWED.
    Recovery: To allow access to the host which has been added FROZEN to the SSHCTL, you can use the following SSHCOM command:

        THAW KNOWNHOST <hostname>

    ERROR: REMOTE HOST IDENTIFICATION IS FROZEN. Frozen host is <hostname>
    <hostname> is the name of the KNOWNHOST object holding the remote host's public key.
    Cause: The KNOWNHOST object holding the remote host
269. bes ... 107
    SFTPDISPLAYGUARDIAN ... 108
    SFTPEDITLINEMODE ... 109
    SFTPEDITLINENUMBERDECIMALINCR ... 109
    SFTPEDITLINESTARTDECIMALINCR ... 110
    SFTPENHANCEDERRORREPORTING ... 111
    SFTPEXCLUSIONMODEREAD ... 111
    SFTPIDLETIMEOUT ... 112
    SFTPMAXEXTENTS ... 112
    SFTPPRIMARYEXTENTSIZE ... 113
    SFTPREALPATHFILEATTRIBUTEECHOED ... 113
    SFTPSECONDARYEXTENTSIZE ... 114
    SFTPUPSHIFTGUARDIANFILENAMES ... 114
    SHELLENVIRONMENT ... 115
    SOCKETKEEPALIVE ... 115
    SOCKETRCVBUF ... 116
    SOCKETSNDBUF ...
270. butes are identical as in the ADD KNOWNHOST command; please see that section for details. Only the SUPER.SUPER user (unless explicitly denied in an OBJECTTYPE USER record) or those configured with full SSHCOM access can alter a known host entry for other users.

    DELETE KNOWNHOST
    The DELETE KNOWNHOST command deletes a known host from the database and has the following syntax:

        DELETE KNOWNHOST [<system-user-name>,]<knownhost-name>

    The individual attributes have the following meaning and syntax:
    <system-user-name>: A valid GUARDIAN user who owns the known host entry in the user database. If <system-user-name> is omitted, either the user being set with a previously issued ASSUME USER command or the issuer of the ADD KNOWNHOST command will be used as the default. If <system-user-name> is specified, it MUST be followed by a comma (,) to separate it from the known host name that follows. Only the SUPER.SUPER user (unless explicitly denied in an OBJECTTYPE USER record) or those configured with full SSHCOM access can delete a known host entry for other users.
    <knownhost-name>: The name of the known host to be deleted.

    FREEZE KNOWNHOST
    The FREEZE KNOWNHOST command freezes a known host. A local SFTP client cannot connect to the remote host on the specified port until this known host entry is thawed using the THAW KNOWNHOST command. The command has the following syntax:

        FREEZE KNOWNHOST [<system-user-name>,]<kno
271. cate CPU and other resources using their own algorithms. Processes created by STN for SERVICE TYPE DYNAMIC that do not have a userid from LOGON REQ or from SSH authentication are started with CAID 0,0 (sometimes known as NULL.NULL) rather than 255,255 (SUPER.SUPER) as was done before version B20.

    TYPE STATIC
    The PROG, CPU, PRI, LIB, SWAP, PARAM, USER, HOME, LIMIT, RESILIENT, DEBUGOPT and LOGON fields are not allowed with TYPE STATIC. When a session requests a static service, a search is made for a previously defined WINDOW that satisfies the following requirements:
    • SERVICE field matches this service
    • TYPE is STATIC
    • Has an application running and waiting for a new session (CONTROL 11)
    • Is not already in session
    If no such window is found, an error message is displayed and the service menu is repeated.

    PROG <program-file-name>
    Required when TYPE DYNAMIC is used, not allowed otherwise. PROG specifies the object file for the dynamic service to be started.

    CPU <cpunum> | <cpunum>-<cpunum> | ANY
    Default is 0-15, or as specified by DYN_CPU. Only allowed with the TYPE DYNAMIC parameter. Specifies the CPU number or range of CPU numbers in which STN will start the dynamic service application. If a range is specified, STN will round-robin each new session to spread the workload over the specified CPUs. ANY can be specified for any available cpu.

    PRI <priority>
    Only allowed with the TYPE DYNAMIC parameter. Specifies the process pri
272. ccess to all SSHCOM commands unless explicitly denied in an OBJECTTYPE USER record. Therefore it is not required to add super.super to the list of FULLSSHCOMACCESSUSER parameters.
    • The parameters must be set contiguously, i.e. if one parameter FULLSSHCOMACCESSUSER<k> is not defined, the checking of FULLSSHCOMACCESSUSER<i> parameters stops.
    • This parameter set is disabled if a thawed OBJECTTYPE USER record exists in Safeguard, i.e. any FULLSSHCOMACCESSUSER<i> parameter configuration is ignored in this case.
    See also:
    • FULLSSHCOMACCESSGROUP<j>
    • See the table in "SSHCOM Access Summary" in section "SSHCOM Command Reference".

    GSSAUTH
    Use this parameter to enable GSSAPI authentication in accordance with RFC 4462.
    Parameter Syntax: GSSAUTH gssauth-process-name
    Arguments:
      GSSAPI user authentication is disabled.
      gssauth-process-name: The process name of the GSSAUTH interface process that provides the GSSAPI functionality for SSH2.
    Default: By default, GSSAPI authentication is disabled.
    Example: GSSAUTH $GSS
    Considerations:
    • The GSSAUTH interface process is part of the Kerberos installation on your NonStop Server.
    See also:
    • GSSKEX, GSSGEXKEX, ALLOWEDAUTHENTICATIONS
    • Section "Single Sign-on with GSSAPI Authentication"

    GSSGEXKEX
    Use this parameter to enable GSSAPI key exchange with group excha
273. Event Id 8, Event Name SftpWriteFile
      Conditions: Successful
        Pattern: %sessionId %user %remoteAddress %action %object %outcome
        Token values: sessionId = SESSION LOG ID; user = SSH username; remoteAddress = remote IP address; action = write; object = file name; outcome = granted
      Conditions: Failed, error detail available
        Pattern: %sessionId %user %remoteAddress %action %object %outcome %error
        Token values: sessionId = SESSION LOG ID; user = SSH username; remoteAddress = remote IP address; action = write (remote error) or read local file (local error); object = file name; outcome = denied or failed; error = error detail
      Conditions: Failed, error detail not available
        Pattern: %sessionId %user %remoteAddress %action %object %outcome
        Token values: sessionId = SESSION LOG ID; user = SSH username; remoteAddress = remote IP address; action = write (remote error) or read local file (local error); object = file name; outcome = denied or failed
    Event Id 9, Event Name SftpCloseFile
      Conditions: Successful
        Pattern: %sessionId %user %remoteAddress %action %object %size %bytes_read %bytes_written
        Token values: sessionId = SESSION LOG ID; user = SSH username; remoteAddress = remote IP address; action = close; object = file name; size = file size; bytes_read = number of bytes read; bytes_written = number of bytes written
      Conditions: Failed, error
        Pattern: %sessionId %user %remoteAddress
        Token values: sessionId = SESSIO
274. ce not started to <2>, size <3>, allocatesegment error <4>
      <2> = extended segment file name; <3> = size of the file; <4> = error code
      • CAUSE: An error was encountered when allocating an extended segment file.
      • EFFECT: Tracing is not enabled.
      • RECOVERY: Correct any errors in the trace filename or select a disk with more available space, then retry the TRACE command.

    zstn-evt-takeover (value is 18)
      <1> Backup process takeover due to <2>
      <2> = reason of the takeover, such as primary cpu failure etc.
      • CAUSE: STN backup process takeover.
      • EFFECT: Backup process resumes STN operation. Any sessions active in the previous primary process are lost. New sessions will be accepted immediately. Depending on backup CPU availability, a new backup process is automatically started.
      • RECOVERY: If the reason for the backup takeover, such as primary CPU failure, is understood then no action is required. Otherwise contact Support.

    zstn-evt-trace-error (value is 19)
      <1> Trace not started to <2>, size <3>, error <4> <5>
      <2> = trace file name; <3> = trace file size; <4> = error code; <5> = detail error
      • CAUSE: An unusual error was encountered while opening a trace file.
      • EFFECT: Tracing is not enabled.
      • RECOVERY: Contact Support. Retry the TRACE command.

    zstn-evt-trace-size-file (value is 20)
      <1> PARAM TRA
275. cify which instance to use:
    • The -S runtime option will explicitly choose a specific instance by its process name. The following example starts an SFTP client picking the SSH2 instance with the process name $SSH1 (please note that under OSS the process name is embedded into single quotes to allow the special character $ to be used as part of a shell command):

        > sftposs -S '$ssh1' burgt@10.0.0.201
        Connecting to 10.0.0.201...
        sftp>

    • By setting an environment variable named SSH2PREFIX in the client environment, you can activate a heuristic to pick an SSH2 process depending on the CPU number it is running in. Please refer to "Load Balancing Outbound SSH Sessions" in the chapter "Configuring and Running SSH2" for details.
    • By setting an environment variable SSH2_PROCESS_NAME in the OSS shell specifying the SSH2 process the client should use.
    • By adding a DEFINE =SSH2_PROCESS_NAME, CLASS MAP, with the SSH2 process name set as FILE value.

    Inquiring User Name If Not Supplied

    The SSH OSS and SFTP OSS clients accept the argument user@host as well as just host. If no user is specified, the current user (i.e. the user who started the client) is taken as default value. This default can be changed via the environment variable INQUIREUSERNAMEIFNOTSUPPLIED, which must be defined in the environment (TACL, shell) the clients are started from. If PARAM/environment variable INQUIREUSERNAMEIFNOTSUPPLIED is set to true and the username was not specifi
276. code 700 file
        get bigfile bigfile,0,500,500,950              will create a file with ext (500,500) and maxextents 950
        get keyseq keyseq,k,0,2,2,500,255,100,0,2048   will create a key-sequenced file with ext (2,2), maxextents 500, recordlen 255, keylen 100, keyoff 0, blocklen 2048
        get relative relative,r                        will create a relative file
        get entryseq entryseq,e                        will create an entry-sequenced file
        get ascii editfile,101                         will create a Guardian edit file
        put txe txe,700                                will create a code 700 file
        put bigfile bigfile,0,500,500,950              will create a file with ext (500,500) and maxextents 950
        put keyseq keyseq,k,0,2,2,500,255,100,0,2048   will create a key-sequenced file with ext (2,2), maxextents 500, recordlen 255, keylen 100, keyoff 0, blocklen 2048
        put relative relative,r                        will create a relative file
        put entryseq entryseq,e                        will create an entry-sequenced file
        put ascii editfile,101                         will create a Guardian edit file
        put bigedit bigedit,101,200,300,978            will create an edit file with ext (200,300) and maxextents 978

    Refer to the TCP/IP Applications and Utilities User Guide, chapter "Communicating with the FTP Server", section "Transferring Structured Files", for a detailed description of this extended syntax. The extended syntax can also be used in SCP commands.

    Transfer Modes for Structured Guardian Files

    The previous section described how to specify Guardian file attributes. This section introduces transfer modes, i.e. different ways
277. command freezes a password. A local SFTP client cannot connect to a remote host using this password until this password entry is thawed using the THAW PASSWORD command. The command has the following syntax:

        FREEZE PASSWORD [<system-user-name>,]<remote-user>@<target-host>:<target-port>

    The individual attributes are identical as in the DELETE PASSWORD command; please see that section for details. Only the SUPER.SUPER user (unless explicitly denied in an OBJECTTYPE USER record) or those configured with full SSHCOM access can freeze a password entry for other users.

    INFO PASSWORD
    This command provides information about a single password or a set of passwords in the SSH2 key store. It has the following syntax:

        INFO PASSWORD [<system-user-name>,]<remote-user>@<target-host>:<target-port> [, DETAIL]

    The attributes used to specify the password have the same meaning as in the DELETE PASSWORD command; please see that section for details. A * as part of the remote user name will be interpreted as a wildcard character, and information about all password names matching the wildcard character will be displayed.

    OUTPUT Format of INFO PASSWORD Command
    If used without the DETAIL modifier, INFO PASSWORD will provide a brief summary for each password displayed. The following is an example of the output of INFO PASSWORD:

        % info password
        PASSWORD                         USER          STATUS
        comf.us 10.0.0.194 55022         superulrich
278. compatible with pre-B18 releases. If set to N, opens to STN ZSPI will be rejected with FENOSUCHDEV (14), and if there is already a ZSPI open, any future I/O requests will be rejected with FENOSUCHDEV (14). This command is intended for Development use and should only be used under direction of support staff.

    SSH_DEFAULT_SVC <service-name> | NONE
    SSH_DEFAULT_SVC defines a default service to be used when the SSH userid is configured with CI PROGRAM MENU without anything following MENU. If SSH_DEFAULT_SVC is set to NONE (the default value), then the STN02 service menu is displayed and the user must type in the service name or SU window name. If SSH_DEFAULT_SVC is set to any other value, then it is used as a service name and an STN73 message notifies the user of this fact.

    START SERVICE <service-name>
    Activates a service previously STOPPED or ABORTED. New session requests for the service will be accepted. START is automatically performed by ADD SERVICE and is generally not used.

    START WINDOW <window-name>
    Activates a window previously STOPPED. New session requests for the window will be accepted. START is automatically performed by ADD WINDOW and is generally not used.

    STATUS SERVICE <service-name>
    Displays current status information for the specified service or for all services. The output has the following format:

        SERVICE <name> l
279. consists of. The KNOWNHOST entity has the following properties:
    • KEY: the name of the public key pair generated for the Guardian user.
    • KNOWNBY: the name of the Guardian user who is allowed to connect to this host, or who accepted the remote host key when SSH2 parameter STRICTHOSTKEYCHECKING is set to FALSE. The special name "all" is supported, indicating that the remote host key is configured for all users.
    The KNOWNHOST entity has the following additional properties:
    • COMMENT: a free text field allowing you to enter a descriptive comment.
    • ADDRESSES: the IP addresses or DNS names of the hosts using this public key.
    • PORT: the port number of the SSH daemons running on the remote host.
    • ALGORITHM: the algorithm used for host authentication. Valid algorithms are SSH-RSA and SSH-DSS.
    • PUBLICKEY FINGERPRINT: the MD5 and bubble babble fingerprints of the public key.
    • STATUS: whether the knownhost is frozen or thawed.
    The database also contains some additional information collected by SSH2 about each knownhost:
    • LAST USE (record usage): last time the record was used.
    • LAST MODIFIED (record maintenance): last time the record was modified.

    Creating and Accessing the Database

    The database is contained in a single Enscribe file. To create a new database, SSH2 needs to be started with the SSHCTL parameter pointing to a non-existing file. In that case the SSHCTLAUDIT
280. ction "Quick Start and Guided Tour" (without sub-section "Quick Starting the SSH2 System")
    • section "SSHCOM Command Reference" (mainly regarding client mode commands)
    • section "SSH and SFTP Client Reference"

    Related Reading

    This documentation is intended as a reference for the configuration and use of SSH components. Please also refer to additional documentation for the other products that come with the SSH2 package:
    • For HP NonStop SSH: T0801 SOFTDOC, README or Support Notes, as appropriate
    • For SecurFTP: SecurFTP Quick Start Guide

    The following reading is seen as prerequisite documentation for administrators installing HP NonStop SSH or comForte SecurSH and SecurFTP/SSH:
    • HP NonStop documentation: Guardian User's Guide
    • HP NonStop documentation: Open System Services Shell and Utilities Reference Manual (if using OSS)
    • HP NonStop documentation: Guardian Procedure Errors and Messages Manual
    • HP NonStop documentation: Safeguard User's Manual
    • HP NonStop documentation: Safeguard Administrator's Manual
    • HP NonStop documentation: SCF Reference Manual for the Kernel Subsystem
    • HP NonStop documentation: TCP/IP Configuration and Management Manual
    • HP NonStop documentation: HP NonStop TCP/IPv6 Configuration and Management Manual
    • HP NonStop documentation: HP NonStop Cluster I/O Protocols (CIP) Configuration and Management Manual
    • HP NonStop documentation: EM
281. ction "SSHCOM Command Reference". The SSHCOM command ROLLOVER LOGFILE can be used to force the log file rollover, allowing you to keep the log file small. For details about the parameters controlling the log behavior, please refer to the LOG parameters in the chapter titled "Configuring and Running SSH2". See the section on "Log File/Audit File Rollover" on how to look at the content of a log file.

    Customizing the Log Format

    SSH2 allows users to customize certain aspects of the appearance of log messages. Using the LOGFORMAT parameter you can add the current date to the log message header. Please refer to the LOGFORMAT parameter description in the SSH2 Parameter Reference chapter "Configuring and Running SSH2" for details.

    Audit Messages

    Content of Audit Messages

    Audit messages are generated for various kinds of events:
    • Authentication for a remote user
    • Starting of an SSH subsystem, such as SFTP
    • Opening of a file
    • Closing of a file
    Each audit message has a result: there can be a failure, or they can be granted or denied. An individual audit message looks as follows:

        SSH49|22Dec10 15:20:47|10.0.0.78:1218|comf.us|10.0.0.78|authentication|granted|method password, password ok, System user COMF.US

    with the individual components as follows, from left to right:
    • process name (SSH49)
    • timestamp (22Dec10 15:20:47)
    • session identifier, in SESSION
282. ction %object %outcome
      (listen on interface/port) Pattern: %sessionId %user %remoteAddress %action %object
      Pattern: %sessionId %user %remoteAddress %action %object %errInfo %processType %processName
        Token values: errInfo (error info); processType (process); processName (stopping); outcome = granted, denied or failed; forcedCommand = forced command
      Pattern: %sessionId %user %remoteAddress %action %object %outcome %fromAdd %fromPort %toAdd %toPort
        Token values: sessionId = SESSION LOG ID; user = SSH username; remoteAddress = remote IP address; action = forward; object = direct-tcpip; outcome = granted or denied or failed; fromAdd = from address; fromPort = from port; toAdd = to address; toPort = to port
      Pattern: %sessionId %user %remoteAddress %action %object %outcome %fromAdd %fromPort %toAdd %toPort
        Token values: sessionId = SESSION LOG ID; user = SSH username; remoteAddress = remote IP address; action = forward; object = forward-tcpip; outcome = granted or denied or failed; fromAdd = from address; fromPort = from port; toAdd = to address; toPort = to port
      Pattern: %sessionId %user %remoteAddress %action %object %outcome %interface %port
        Token values: sessionId = SESSION LOG ID; user = SSH username; remoteAddress = remote IP address; action = forward; object = tcpip-forward; outcome = granted or denied or failed; interface = local bind address; port = local port
      Pattern: %sessionId %remoteAddress %action %object
        Token values: sessionId = SESSION LOG ID; remoteAddress = remote IP address; action = idle timeout; object = module experiencing timeout (currently always SFTPSERV)
      Pattern: %sessionId %user %remoteAddress
        Token values: sessionId = SESSION LOG ID; user = SSH username; remoteAddress = remote IP address
283. ctivity.

    BREAK_ON_DISCON Y | N
    If this parameter is set to Y, when a dynamic window session is disconnected and there are no active I/O operations (e.g. WRITEREAD), a BREAK is simulated. No BREAK is sent if there is an active I/O. Default is N.

    BUFFER_SIZE
    BUFFER_SIZE displays the size of internal STN buffers, which is useful in configuring STN memory via PARAM POOLASIZE. The BUFFER_SIZE command has no parameter.

    C12_ALWAYS Y | N
    C12_ALWAYS was introduced in STN version B22 (T0801 ABG) to modify control 12 (terminate session) application requests. Y means control 12 requests always terminate the session, regardless of the number of applications that currently have the terminal window open. Y is the default and is compatible with STN B21 and earlier releases. N means control 12 requests are ignored unless there is only one remaining application open to the terminal window. Control 12 requests will only terminate the session when there is only one application open for the terminal window. C12_ALWAYS should be set to N when one application starts another, which may in turn start yet another etc., and control 12 requests from the secondary etc. applications are to be ignored.

    CHOICE_PROMPT Y | N
    This command controls display of the "Enter Choice>" prompt after the service name list. This is independent of BANNER Y|N. Note: CHOICE_PROMPT N may interfere with 6530 emulators config
284. ctivity protocols is especially popular in UNIX environments. SSH2 supports version 2 of the Secure Shell protocol. This version also includes specifications for a file transfer protocol. Although the name implies otherwise, this standard bears no relationship to the popular file transfer protocol known as FTP.

    Components of the SSH2 Software Package

    The SSH2 software package consists of the following components. The SSH2 component is the central component of the implementation. Depending on the mode it is started in, it can serve different purposes:
    • It implements a server process for the SSH2 protocol. It listens for incoming connections on a specific TCP/IP port (typically port 22), authenticates the user and the service, and then spawns other processes it communicates with.
    • It is opened by the SSHCOM component to maintain the SSH configuration database.
    • It is opened by the SFTP or SSH client components to initiate Shell or SFTP based file transfers to other platforms running an SSH daemon.
    The SSH2 component accesses a user database that contains the following entries for incoming SFTP connections:
    • remote user names
    • the mapping of remote user names to Guardian system users
    • the user's public keys
    • the user's credentials on the system
    • selected status information, such as the last time a user accessed the system
    The SSHOSS component implements a Secure Shell client ru
285. ctly establish a socket connection to the target TELSERV process, which will provide the 6530 terminal device for the session.

    Granting Access without SSH Authentication

    Under certain circumstances it is desirable to grant access to specific services without forcing the remote SSH user to authenticate. For example, some services being delivered via SSH may perform their own user authentication. To avoid making users have to enter their credentials twice, the authentication usually performed over the SSH protocol can be turned off. Even without SSH authentication the connection is still encrypted, protecting any passwords and data transmitted during the service's execution.

    CAUTION: When granting unauthenticated SSH access to a resource that performs its own authentication, the user's privileges should be properly locked to prevent unauthorized access to any other resources.

    For access without authentication, the SSH2 SERVER can be configured so the authentication method "none" is an ALLOWED AUTHENTICATION for a user. The following SSHCOM commands show how to set up a logical user who only authenticates through the SAFEGUARD LOGON program:

        > RUN SSHCOM $SSH01
        SSHCOM T0801H01_22JAN2014_ABK - 2014-01-24 14:42:45.368
        OPEN $ssh01
        % ADD USER safeguarduser, ALLOWED AUTHENTICATION none, &
          SYSTEM USER none, CI PROGRAM $SYSTEM.SYSTEM.LOGON, &
          ALLOW SHELL NO, ALLOWED SUBSYSTEMS, ALLOW TCP FORWARDING NO
        OK, user safeguarduser a
286. d 110,23. It is also possible to have an unconventional SSH logon name different from the system user name, for instance ADD USER "super.super.test", SYSTEM USER super.super, when double quotes are used.

    ALLOW CI
    This attribute controls whether a TACL or a specific command interpreter (given by CI PROGRAM) should be started upon a shell request of a client that allocated a 6530 pseudo TTY, such as the 6530 SSH clients MR-Win6530 and J6530.

    ALLOW CI PROGRAM OVERRIDE
    This attribute controls if a user is allowed to override the configured CI PROGRAM via a tacl -p or ci -p command. If the CI PROGRAM is set to DEFAULT (i.e. command interpreter TACL gets started) and ALLOWED SUBSYSTEMS contains tacl, then this attribute is ignored, because a user can start TACL and execute any command interpreter in that way. In this case it is useless to try preventing tacl -p commands. The parameter is especially useful in cases where the user does not have tacl as ALLOWED SUBSYSTEM but needs to be allowed to execute some specific command interpreter or TACL macro. If CI PROGRAM is configured with a specific command interpreter or macro and ALLOW CI PROGRAM OVERRIDE is set to NO, then a user is restricted to executing the configured CI PROGRAM and will not get a TACL prompt. Should ALLOW CI PROGRAM OVERRIDE be YES, then the user can execute a tacl -p <program> or a ci -p <program> co
287. ...d at the terminal where SSHCOM was started. With the LOG-ONLY flag set, the output will be written to the log file if logging to a file is enabled.

SELECT: The SELECT option allows defining a specific set of attributes that will be displayed instead of the default attribute set (there are two default sets, one for detailed output and one for non-detailed output). An attribute name specified for <attr> must be one of the names displayed in the detailed status output.

STATUS SESSION

Status information about the currently existing SSH sessions in the SSH2 process will be displayed. The command has the following syntax:

STATUS SESSION <session-id> | *
  [, DETAIL] [, WIDTH <width>] [, RECURSIVE] [, LOG-ONLY]
  [, SELECT (<attr> [, <attr>]...)]
  [, WHERE (<attr-filter> [, <attr-filter>]...)]
  [, FILTER] [, STATISTICS-ONLY]

<session-id>: The internally assigned identifier (positive integer) of a session. Alternatively, the wild card character * can be specified instead of a session id.

The individual options have the following meaning and syntax:

DETAIL: If the DETAIL flag is set, detailed information is displayed.

WIDTH: The number <width> is the maximum number of characters per output line. If WIDTH is not specified, the default value 80 is assumed. In order to avoid a new line when the terminal is configured with line wrapping on, the line will only be filled with one character le...
288. ...d authorized during gssapi-with-mic authentication will also be displayed in the audit log and thus can be used to correlate the Kerberos principal name with the NonStop user name. To delete a PRINCIPAL from the access control list, use the DELETE-PRINCIPAL attribute.

PRIORITY

All user processes (except SFTPSERV processes) started directly by SSH2 will have the configured priority assigned. Following are the values allowed in this parameter and their meanings:

  Value   Meaning
  1-199   Use the given priority value.
  -1      Use the same priority as the SSH2 process starting the process.

Note: SFTPSERV processes will be prioritized as specified via the SFTP-PRIORITY attribute.

PTY-SERVER

The value of a specific STN PTY server (Guardian process name) which the user will use. If a value of DEFAULT is specified, the user will use the STN PTY server that is configured via SSH2 parameter PTYSERVER.

PUBLICKEY

This attribute is used to add or alter a public key with the provided <key-name>. For details on the syntax of that attribute, please see the ADD USER command. To delete a specific public key for a user, use the DELETE-PUBLICKEY <key-name> attribute syntax. To delete all public keys for a user, use the DELETE-PUBLICKEY attribute syntax. Both the PUBLICKEY and the DELETE-PUBLICKEY attributes can be repeated multiple times within...
289. ...d by a name prefix to select all entries where the system user name starts with the given prefix. The DETAIL attribute can be specified if detailed information is needed. The individual attributes have the following meaning:

<system-user-name>: A valid GUARDIAN user. If <system-user-name> is omitted, then either the user set with a previously issued ASSUME USER command or the issuer of the INFO SYSTEM-USER command will be used as the default.

<partial-system-user-name>: A prefix that is used to match system users owning knownhost, password and key entries in the SSHCTL database.

Client Mode Commands Operating on the KEY Entity

ALTER KEY

The ALTER KEY command changes one or more attributes of an existing user private key and has the following syntax:

ALTER KEY [<system-user-name>.]<key-name>
  [, COMMENT <comment>]
  [, LIVE-DATE <date-time>]
  [, EXPIRE-DATE <date-time>]

The individual attributes have the following meaning and syntax:

<system-user-name>: This refers to a valid GUARDIAN user who owns the key in the SSH key store. If <system-user-name> is omitted, either the user set in a previously issued ASSUME USER command or the issuer of the ALTER KEY command will be used as the default. If <system-user-name> is specified, it MUST be followed by a "." to separate it from the key name.

<...
290. ...d displayed in the STATUS SESSION command. INFO STN displays the current WSINFO setting. The various values of WSINFO work as follows:

NONE: Nothing is sent to the workstation (this is the default behavior).

QUERY: ESC 9e is sent to the WS after the first response to the Service prompt (or at the equivalent time for TYPE DEDICATED windows). STN will wait five seconds for a response. The response is included in a new AUDIT event and is shown by STATUS SESS. The session always continues regardless of the response, or even if no response is received.

REQUIRED: Like above, but a response is required. If none is received, the session is terminated with the following message displayed on the workstation for 10 seconds: "STN57 This 6530 emulator does not support required WSINFO".

MATCH: Like above, but in addition the IPADDRESS in the response must match the network IP address from accept_nw, or the session is terminated with the following message displayed on the workstation for 10 seconds: "STN58 WSINFO address does not match network address".

WINSCRIPT_FIRST Y|N

Since release A74, all SSH windows are automatically configured with SCRIPT PTY-SSHS. If this script was defined by ADD SCRIPT, then the specified setmodes were performed; otherwise no setmodes were done. However, this did not allow any script specified for a SERVICE to apply to SSH sessions. WIN_SCRIPT_FIRST now allows SSH sessions to use the script defined for the selected service. Y: T...
291. ...d does not include a SYSTEM-USER attribute, then the new user name is used as SYSTEM-USER as well, unless the SSH2 parameter USETEMPLATESYSTEMUSER is true; in that case the new user record will get the value for the SYSTEM-USER attribute from the <existing-user-name> user record.

LIVE-DATE

This optional attribute of an SSH user's PUBLICKEY entry is used to set the LIVE-DATE ("not valid before" date) for the public key. This attribute can only be set if the life cycle policy for user public keys is enabled (determined by SSH2 parameter LIFECYCLEPOLICYPUBLICUSERKEY). If SSH2 parameter LIFECYCLEPOLICYPUBLICUSERKEY is set to FIXED, then field LIVE-DATE can be modified by the SUPER.SUPER user only (unless explicitly denied in an OBJECTTYPE USER record) or by those configured with full SSHCOM access. In case the SSH2 parameter LIFECYCLEPOLICYPUBLICUSERKEY is set to VARIABLE, then every user with partial SSHCOM access can change field LIVE-DATE.

OWNER

Allows an existing local user to modify all USER records that are configured with that local user as the value for USER attribute OWNER. The allowed actions will be the same as defined by the PARTIALSSHCOMACCESSUSER<n>/PARTIALSSHCOMACCESSGROUP<n> parameters. The OWNER field for existing USER records will be assumed to be NONE, which means the user that is currently logged in. New USER records will also be set to OWNER NONE by default unless attribute OWNER is explicitly set to a different value. The owner could be identical to the SYSTE...
292. ...d for the service. Additionally, if the specified IPRANGE is not defined, a warning is displayed: "IPRANGE <name>: Warning: IPRANGE is not defined".

info service
  Info service
  SERVICE  TACL  DYNAMIC  $SYSTEM.SYSTEM.TACL

INFO STN: Equivalent to INFO PROCESS.

INFO WINDOW <window-names>: Displays configuration information for the specified window or for all configured windows. Only fields which are not set to default ADD WINDOW values are displayed. If the window is connected to an SSH client, the command shows the following information:

info win
  info win
  ZWN0001  PTY  SCRIPT PTY-SSHS
  ZWN0002  PTY  SCRIPT PTY-SSHS

info win zwn0001
  info win zwn0001
  ZWN0001  TYPE PTY  SCRIPT PTY-SSHS
  pty command             pty-req
  vproc                   T9999H06_22Nov2010_comForte_SSH2_0089
  term_env_var            xterm
  term_rows               24
  term_columns            80
  term_width              0
  term_height             0
  encoded terminal modes  03 00 00 00 7 80 00 00 96 00 81 00 00 96 00 00
  client IP address       192.168.1.106
  client IP port          3839
  client channel          256
  external user name      SUPER.SUPER
  system user             SUPER.SUPER
  auth method             keyboard-interactive
  cipher                  aes256-cbc
  mac                     hmac-sha1
  compression             none
  executed program        /bin/sh
  kerberos principal name
  local IP address        192.168.1.145
  local IP port           22
  TCP/IP process          $ZTCP5

The attributes have the following meaning:

• TYPE: The window type; PTY is d...
293. ...d in Safeguard:

info alias super.m
  NAME      USER-ID  OWNER    STATUS
  super.m   255,20   254,255  THAWED

info user super.mario
  GROUP.USER   USER-ID  OWNER    LAST-MODIFIED   LAST-LOGON      STATUS
  SUPER.MARIO  255,20   254,255  12FEB11 22:36   16FEB13 13:50   THAWED

An alias entry is present in the SSH database but not an entry for the associated Guardian ID, e.g.:

info key *
  info key *
  TYPE  USER     LIFE-CYCLE  LAST-USE  STATUS
  RSA   super.m  LIVE        NONE      THAWED

Assuming the user is logged on as the alias super.m: with client mode owner policy set to LOGINNAME, privileges to read/alter the entry k1 would be granted; for GUARDIANNAME they would not be granted, because a matching entry is not found; and for BOTH they would be granted.

If the Guardian entry is present but no entry for the alias, e.g.:

info key *
  info key *
  TYPE  USER         LIFE-CYCLE  LAST-USE  STATUS
  RSA   SUPER.MARIO  LIVE        NONE      THAWED

and the user is logged on as the alias super.m, then access to entry k2 would be denied with client mode owner policy set to LOGINNAME, but would be allowed with client mode owner policy set to GUARDIANNAME or BOTH.

Note: The default value for CLIENTMODEOWNERPOLICY is BOTH. Please be aware that the default client mode policy changed from GUARDIANNAME to BOTH with release 89. This change of the policy should not cause problems with existing records, as records had been read in previous releases only if stored under the Guardian user identifier; entries store...
294. ...d in double quotes.

Example: INTERFACEOUT 10.0.0.197

See also: DNSMODE, INTERFACE, IPMODE, SUBNET

INTERVALLIVEPRIVATEUSERKEY

This parameter is related to a user private key's life cycle configuration (database entity KEY). It determines the length of the interval a user private key stays in state LIVE.

Parameter Syntax: INTERVALLIVEPRIVATEUSERKEY number-of-days

Arguments:
number-of-days: The number of days a newly generated user private key will be in state LIVE after leaving state PENDING and before reaching state EXPIRED.

Default: The default value for this parameter is 730, i.e. 2 years.

Example: INTERVALLIVEPRIVATEUSERKEY 1460

Considerations:
• The life cycle configuration of existing user private keys will not be modified by this parameter. If existing keys need to participate in life cycle control, then they must be configured via the ALTER KEY command, specifying the LIVE-DATE and EXPIRE-DATE command options.
• The parameter value is ignored if the life cycle for user private keys is disabled, i.e. if LIFECYCLEPOLICYPRIVATEUSERKEY is set to DISABLED.
• The parameter value is ignored if KEY attributes LIVE-DATE and EXPIRE-DATE are specified in GENERATE KEY and IMPORT KEY commands (if a user is allowed to specify these attributes according to the key life cycle policy).

See also: LIFECYCLEPOLICYPRIVATEUSERKEY, INTERVALPENDINGPRIVATEUSERKEY
295. ...d is spread by using multiple SSH2 processes and starting these SSH2 processes in different CPUs. If no value is specified, the value will be reset to the default. The default is to use the value of SSH2 parameter CPUSET to determine a CPU or, if that is not set, the CPU the SSH2 process is running in is used.

EXPIRE-DATE

This optional attribute of an SSH user's PUBLICKEY entry is used to set the EXPIRE-DATE ("not valid after" date) for the public key. This attribute can only be set if the life cycle policy for user public keys is enabled (determined by SSH2 parameter LIFECYCLEPOLICYPUBLICUSERKEY). If SSH2 parameter LIFECYCLEPOLICYPUBLICUSERKEY is set to FIXED, then field EXPIRE-DATE can be modified by the SUPER.SUPER user only (unless explicitly denied in an OBJECTTYPE USER record) or by those configured with full SSHCOM access. In case the SSH2 parameter LIFECYCLEPOLICYPUBLICUSERKEY is set to VARIABLE, then every user with partial SSHCOM access can change field EXPIRE-DATE.

FROZEN

If the FROZEN attribute is set, the user is added in the frozen state. If omitted, the user will be added in the thawed state.

LIKE

When specified, the new user record is first initialized with the values taken from the <existing-user-name> user record. Then the new user name and any other attributes specified in the ADD USER command are applied before the new user record is added. If the ADD USER comman...
296. ...d multiple public keys within a single command, the PUBLICKEY attribute can be repeated within a single ADD USER command. There is no limitation to the number of public keys that can be assigned to a user. Public keys can be added either by specifying a file containing the public key or by specifying the fingerprint of the public key.

To specify a file holding the public key, the keyword FILE must be used. The <filename> needs to point to a file holding the public key to be added. For details about the format of the public key file, refer to the chapter entitled "SSH Protocol Reference".

Instead of providing a public key file, it is possible to only provide the fingerprint of the user's public key. In this case the keyword FINGERPRINT must be used, followed by the fingerprint of the user's public key, which should be specified either in MD5 or bubble babble form and enclosed in double quotes.

Note: Only one of the two keywords FILE or FINGERPRINT can be used in a single PUBLICKEY attribute specification.

RESTRICTION-PROFILE

Specifies the name of a RESTRICTION-PROFILE entity. If configured for a user, then the restrictions defined in the RESTRICTION-PROFILE record will be applied to all of the user's incoming and outgoing connections.

SFTP-CPU-SET

Defines a set of CPUs used when SFTPSERV processes are invoked directly by SSH2 (for non-SFTPSERV processes the attribute...
297. ...d under an alias had been ignored. The following will change when using the new default value BOTH or value LOGINNAME: If a user is logged on as an alias and new CLIENT MODE records are added (PASSWORD, KNOWNHOST, PUBLICKEY), then the new records will be stored under the alias name. An alias user is not allowed to add records for the underlying Guardian user when CLIENTMODEOWNERPOLICY is set to LOGINNAME.

Client Mode Owner Policy and Processing of SSHCOM Commands

The processing of the CLIENT mode SSHCOM commands has been enhanced in release 89 to support the new CLIENTMODEOWNERPOLICY values LOGINNAME and BOTH. If the value is set to either LOGINNAME or BOTH, the following applies:

• Entries can be added with alias user names. A user logged on using an alias can only display, add and manipulate entries for that alias.
• A Guardian user can display, add and manipulate entries for the Guardian user.
• Depending on the rules explained in the section about OBJECTTYPE USER records, a group manager can add, change or delete client mode records stored under an alias or Guardian name.
• A user with full access can add/manipulate all entries unless an OBJECTTYPE USER record says otherwise.

If parameter CLIENTMODEOWNERPOLICY is set to value GUARDIANNAME, then the following applies:

• Any attempt to add entries under an alias name will be rejected. Entries will be added under...
298. ...dded

In the example above, safeguarduser does not require an individual SSH authentication. In this case the user name serves as a logical service that provides system access via the SAFEGUARD logon program. This service can be shared by multiple individual users. After the session is established, the SAFEGUARD logon program performs user authentication. Please note that additional attributes limit the access rights of the user to the SAFEGUARD logon program only.

The following SSHCOM commands show how to set up a logical user who is only authenticated by the services started by the STN PTY server:

> RUN SSHCOM $SSH01
SSHCOM T0801H01_22JAN2014_ABK
2014-01-24 14:42:45.368
OPEN $ssh01
ADD USER serviceuser, ALLOWED-AUTHENTICATION (none), &
  SYSTEM-USER NONE, CI-PROGRAM MENU, &
  ALLOW-SHELL NO, ALLOWED-SUBSYSTEMS (), ALLOW-TCP-FORWARDING NO
OK, user serviceuser added

In the above example, serviceuser does not require an individual SSH authentication. Hence this user represents a logical service that accesses the system via the STN service menu. This service can be shared by multiple individual users. In this scenario, actual user authentication should be performed by the STN services. Again, additional attributes limit the access rights of the user to the STN service menu only.

Single Sign-on with GSSAPI Authentication

Ove...
299. ...de:

• In daemon mode, the SSH2 process allows remote SFTP clients to connect to the NonStop system. The database therefore contains remote user credentials as well as public keys of remote systems. See the next section for a detailed description of the database content in daemon mode.
• In client mode, the SSH2 process will connect to remote systems and authenticate NonStop users on the remote system. To do so, the SSH2 process will map NonStop user IDs to private key files stored in the database. It also keeps public keys of known hosts in the database in order to authenticate the remote system. See the section entitled "Database for Client Mode" for details about the database content in client mode.

In order to separate the two different sections of the database, the SSHCOM command interpreter, which is used to maintain the database, implements a MODE command that is used to switch between maintaining the database content for daemon and client modes.

To maintain the daemon database content, issue the following command within SSHCOM:

MODE DAEMON

or, because SERVER is supported as an alternative for DAEMON:

MODE SERVER

To maintain the client database content, issue the following command:

MODE CLIENT

Database for Daemon Mode

Format and Content of the Database

In daemon mode, the SSH2 database contains USER and RESTRICTION-PROFILE entities controlling the way incom...
300. ...denied or failed

Forced command: Pattern tokens sessionId, user, remoteAddress, action, object, outcome, forcedCommand. Token values: sessionId = SESSION LOG ID; user = SSH username; remoteAddress = remote IP address; action = shell; object = shell program; outcome = granted, denied or failed; forcedCommand = forced command.

18  ExecEvent
  No forced command: Pattern tokens sessionId, user, remoteAddress, action, object, outcome. Token values: sessionId = SESSION LOG ID; user = SSH username; remoteAddress = remote IP address; action = exec; object = shell program; outcome = granted, denied or failed.
  Forced command: Pattern tokens sessionId, user, remoteAddress, action, object, outcome, forcedCommand. Token values: sessionId = SESSION LOG ID; user = SSH username; remoteAddress = remote IP address; action = exec; object = shell program; outcome = granted, denied or failed; forcedCommand = forced command.

Event Id / Event Name / Conditions / Pattern / Token Values:

19  ForwardEvent
  Direct: Pattern tokens sessionId, user, remoteAddress, action, object, outcome, fromAddr:fromPort -> toAddr:toPort.
  Not Direct: Pattern tokens sessionId, user, remoteAddress, action, object, outcome, fromAddr:fromPort -> remote accepted on toAddr:toPort.

19  ListenEvent

20  TimeoutEvent

21  SftpServerFatalErrorEvent
  Pattern tokens sessionId, user, remoteAddress, ...
301. ...derations for an example.
• If the parameter is set via PARAM and a comma-separated list is defined, then the list must be enclosed in double quotes.

See also: DNSMODE, INTERFACEOUT, IPMODE, SUBNET

INTERFACEOUT

Use this parameter to specify the local IP address SSH2 should bind to for outgoing SSH connections.

Parameter Syntax: INTERFACEOUT ip-address[,ip-address...]

Arguments:
ip-address: Local IP address or local host name SSH2 binds the TCP/IP socket to before connecting to a remote system.

Default: If omitted, SSH2 will bind to the IP address configured via parameter INTERFACE. If neither parameter INTERFACEOUT nor INTERFACE is set, or configured with value 0.0.0.0 or 0::0, any local IP address of the configured TCP/IP process (SUBNET) will be used, selected by the TCP/IP process.

Considerations:
• The value must be set consistently with the value of parameter IPMODE.
• If a host name resolves to multiple IP addresses, then only those IP addresses are used that occur in the subnet configuration of the configured TCP/IP processes (parameter SUBNET).
• If the ANY address (0.0.0.0 or 0::0) is listed in INTERFACEOUT, then the ANY address is used as bind address only for those IP processes that aren't configured with any of the other listed non-ANY addresses.
• If the parameter is set via PARAM and a comma-separated list is defined, then the list must be enclose...
302. ...dian break or OSS SIGINT is generated again, generally resulting in a new prompt.
• Block Mode: The 6530 terminal is placed into block mode. Error 191 is returned to the application. This forces most block mode applications to refresh the display. EDIT/XVS will allow for session recovery. TEDIT refreshes the screen. Most Pathway applications refresh the screen.

If there are no existing windows, STN will create a new window and start a new application process like any TYPE DYNAMIC service. The following message is displayed to clarify that a new session was created, as opposed to a reconnect to a previous session:

STN70 No existing window available for resilient service
window ZWNnnnn added

When a RESILIENT session disconnects, there are certain differences from non-resilient dynamic sessions:

• No error code (140, 60, etc.) is returned to the application, and no BREAK or SIGHUP is sent. Any active application I/O request is left outstanding indefinitely. The application never notices that the session has disconnected.
• KILL_DYNAMIC does not apply.
• The window is not automatically deleted.

STN's implementation of RESILIENT differs from Telserv in the following ways:

• SERVICE TYPE DYNAMIC.
• No ADD WINDOW command. Windows are dynamically created as needed. STN does not restrict a RESILIENT service to a single window, simplifying configuration.
• 6530 block mode applications (EDIT/XVS, TED...
303. ...dresses or DNS names enclosed in parentheses, which identify the target host the public key associated with this knownhost entry is accepted from.

PORT: The target port number of the remote host associated with this known host entry.

PUBLICKEY: Either the MD5 fingerprint of the known host's public key or the name of a file that contains the remote host's public key. The fingerprint can be specified in either MD5 or bubble babble format.

ALGORITHM: Specifies the key exchange algorithm to be used. Valid values are SSH-DSS and SSH-RSA.

COMMENT: An optional comment associated with the known host entry. The comment must be enclosed in double quotes if it contains spaces.

FROZEN: If the FROZEN attribute is set, the known host entry is added but frozen. A local SFTP client cannot connect to the remote host on the specified port until this known host entry is thawed using the THAW KNOWNHOST command.

ALTER KNOWNHOST

The ALTER KNOWNHOST command changes one or more attributes of an existing known host and has the following syntax:

ALTER KNOWNHOST [<system-user-name>.]<knownhost-name>
  [, ADDRESSES (<ip_or_dns> [, <ip_or_dns>]...)]
  [, PORT <portnr>]
  [, PUBLICKEY FINGERPRINT <fingerprint> | FILE <file-name>]
  [, ALGORITHM SSH-DSS | SSH-RSA]
  [, COMMENT <word> | "<word> <word>..."]

The individual attri...
304. • Match of string supplied as parameter to FC and HISTORY command: All commands but help, history, fc and !. Only the last of duplicate commands stays in the list. Command numbers change whenever an old duplicate command is moved to the top. A string matches anywhere in a command line. (Other mode: all commands but fc and !. Duplicate commands are added. The command number assigned to a command stays the same until the command drops out of the history list. A string must match the beginning of a command.)

Fix Command

The FC command (fix command) allows retrieving one of the history commands, either by number or by string matching. If a number is specified, then the corresponding command is retrieved and can be modified using standard fix command modifications (via R, D and I; see the Guardian Procedure Calls Reference Manual, section FIXSTRING, for details).

sftp> fc 2
get file678
  d i5
get file5678
  r4 9
get f1456789
Couldn't stat remote file: No such file or directory
File $data1.reports.f1456789 not found
sftp>

If the FC command is followed by a negative number, then the corresponding command relative to the end of the history list is selected (-1 equates to the last command, -2 equates to the next to last command, etc.).

sftp> history
1> cd $data1.reports
2> dir
3> get *
4> get *
5> get file3
6> get file4
sftp> fc -3
get file2
  ...
sftp> file1 file2

If a str...
305. ...e. <str1>: Session Name; <str2>: Normalized target host address and port; <str3>: Login name.

LOG LEVEL / EVENT TEXT / Description of Variable Parts:

20  "<str1>: client access to unknown host at <str2> denied. Local system user <str3>"
    <str1>: Session Name; <str2>: Normalized target host address and port; <str3>: Login name.

20  "<str1>: exception during host verification, local system user <str2>: <str3>"
    <str1>: Session Name; <str2>: Login name; <str3>: Exception text.

20  "<str1>: Authentication of <str2> succeeded"
    <str1>: Session Name; <str2>: User name.

20  "<str1>: Authentication failed"
    <str1>: Session Name.

20  "<str1>: gssapi authentication failed: <str2>"
    <str1>: Session Name; <str2>: Error message.

20  "<str1>: request rejected: Forwarding error: USER <str2> is not permitted to open port <int1> on host <str3>"
    <str1>: Session Name; <str2>: Name of USER record; <int1>: Forwarding destination port; <str3>: Normalized forwarding destination host address.

20  "<str1>: request rejected: Forwarding error: USER <str2> is not permitted to listen on port <int1> on host <str3>"
    <str...
306. ...e. <str2>: TCP/IP mode; <str3>: Value configured for parameter; <str4>: Normalized interface address value.

"Expected IPv4 address for parameter <str1> because IP mode is <str2>, but found IPv6 address <str3>. Using value <str4> instead."
    <str1>: Parameter name; <str2>: TCP/IP mode; <str3>: Value configured for parameter; <str4>: Normalized interface address value.

"Expected IPv4 address for parameter <str1> because IP mode is <str2>, but found IPv4-compatible IPv6 address <str3>. Using value <str4> instead."
    <str1>: Parameter name; <str2>: TCP/IP mode; <str3>: Value configured for parameter; <str4>: Normalized interface address value.

"Expected IPv4 address for parameter <str1> because IP mode is <str2>, but found IPv4-mapped IPv6 address <str3>. Using value <str4> instead."
    <str1>: Parameter name; <str2>: TCP/IP mode; <str3>: Value configured for parameter; <str4>: Normalized interface address value.

"Parameter <str1> value <str2> is not a valid CPU list: <str3>. Using default value <str4> instead."
    <str1>: Parameter name; <str2>: Configured value; <str3>: Reason for CPU set being invalid; <str4>: Default value.

"Setting file security on <str1> from <oct1> to <oct2> failed, error <int1>"
    <str1>: SSH database file nam...
307. ...e; <oct1>: Current file security; <oct2>: Expected file security; <int1>: Error.

"Disabling incorrectly configured DNS resolving. Please correct DNS resolver configuration if needed and restart SSH2."

"Invalid file name <str1>"
    <str1>: String.

"File name could not be resolved: <str1>"
    <str1>: String.

"Callback function on abend could not be initialized."

"Expected version string was not received or version info line too long."

"<str1>: failed to create active data connection tunnel from <str2> to <str3>: <str4>"
    <str1>: Session Name; <str2>: Normalized originator host address and port; <str3>: Normalized target host address and port; <str4>: Description.

LOG LEVEL / EVENT TEXT / Description of Variable Parts:

20  "<str1>: SSH/FTP Error: <str2>"
    <str1>: Session Name; <str2>: Exception text.

20  "<str1>: socket error: <str2>, aborting session"
    <str1>: Session Name; <str2>: Exception text.

20  "<str1>: unexpected error: <str2>, aborting session"
    <str1>: Session Name; <str2>: Exception text.

20  "<str1>: unknown error, aborting session"
    <str1>: Session Name.

20  "<str1>: could not find target SSH and FTP address in <str2>"
    <str1>: Session Name; <str2>: Received command.

20  "<str1>: received command <str2>"
    ...
308. ...e greater length of IPv6 addresses.

Version 3.9

Describes changes in SSH2 release 91. Documentation for the following new features has been added:

• Added description for new parameters CPUSET and SFTPCPUSET.
• Added description for parameters AUDITEMS, AUDITFORMATCONSOLE, AUDITFORMATEMS, AUDITFORMATFILE.
• Enhanced description of the SET command in section "Miscellaneous commands in SSHCOM".
• Added description for new SFTP/SFTPOSS commands FC and HISTORY.
• Added new sections "Checking SSH2 Installation", "SSH2 License and Version Information" and "Installation of SFTPAPI".
• Added description of SSHCOM command ABORT SESSION in new section "Other Session Related Commands".
• Added description of SSHCOM command PROMPT in section "Miscellaneous commands in SSHCOM".

Documentation for the following already existing STN pseudo-TTY features has been added:

• Uses of STN runtime options IN/OUT.
• STNCOM multiple line command continuation.
• Example display of INFO STN update.
• STNCOM commands CONN_CLR_SSH, DEV_SUBTYPE, FRAGSIZE, INFO ALL, NBOT, OPENER_WAIT, PROMPT, SAVE_CFG, STNCOM_PROMPT.

Documentation for the following new STNCOM commands has been added:

• DYN_CPU: global cpu/cpu-range specification for dynamic service processes.
• NBOT_TIMEOUT.

Version 3.8a

Describes changes in SSH2 release 90a. Documentation modified for the following enhancement: Alphabetically s...
309. ...e value will be shown as NONE, meaning not set. The field can be modified using the ALTER KEY command, depending on the value of SSH2 parameter LIFECYCLEPOLICYPRIVATEUSERKEY.

EXPIRE-DATE: This optional attribute contains the date the key has gone or will go out of state LIVE. The key is not valid after that date and will no longer be used for authentication once the expiration date is reached. If a key was generated or imported before the introduction of the EXPIRE-DATE attribute, or if an attribute value was not specified in a GENERATE KEY or IMPORT KEY command, then the value will be shown as NONE, meaning not set. The field can be modified using the ALTER KEY command, depending on the value set for SSH2 parameter LIFECYCLEPOLICYPRIVATEUSERKEY.

LIFE-CYCLE-STATE: The value of field LIFE-CYCLE-STATE (the shortcut LIFE-CYCLE is used in the brief output of the INFO KEY command) is not actually held in the KEY database record but is determined from CREATION-DATE, LIVE-DATE and EXPIRE-DATE. The state LIVE is assumed for keys generated or imported before the introduction of the user private key life cycle.

LAST-USE: The timestamp of the last usage of the key.

LAST-MODIFIED: The timestamp of the last modification of the key.

STATUS: Whether the key is FROZEN or THAWED.

RENAME KEY

The RENAME KEY command is used to rename a key entry in the SSH database. A key entry can only be renamed by the SUPER.SUPER user unless explicitl...
310. • Added description for new parameter DAEMONMODEOWNERPOLICY, controlling access to daemon mode commands.
• Added description for new USER attribute OWNER, allowing the same actions as defined by the PARTIALSSHCOMACCESSUSER<n>/PARTIALSSHCOMACCESSGROUP<n> parameters.
• Added additional information for parameter CLIENTMODEOWNERPOLICY.
• Added description for new parameters SFTPENHANCEDERRORREPORTING, PAUTHSUPPRESSIPADDRESS, HOSTKEYTYPE, HOSTKEYBITS and DNSMODE.
• Modified description for existing parameters SUBNET, INTERFACE and INTERFACEOUT.
• Added section "Multiple IP Process / Multiple IP Address Considerations" and section "TACL Subsystem and Command Interpreter Configuration".

Changes in SSH2 release 97 that are incompatible with previous releases:

• Processing of ssh EXEC tacl requests changed in case ALLOWED-SUBSYSTEMS does not include "tacl". It is now possible to execute TACL commands or macros even if "tacl" is not configured in ALLOWED-SUBSYSTEMS. A TACL subsystem is provided when a user gets a TACL prompt, but not when just one TACL command is executed. In this way it is possible to differentiate between subsystem "tacl" and use of CI-PROGRAM. Previously, the execution of CI-PROGRAM via a TACL command on the SSH client command line was rejected if "tacl" was not an allowed subsystem. The user configuration allows restricting access to TACL commands via attributes ALLOW-CI, CI-PROGRAM, CI-COMMAND and ALLOW-CI-PROGRAM-OVERRIDE to an extent that the incompatible change...
311. - COMPRESSION TRUE|FALSE: Specify whether data compression should be enabled on the SSH session. This option has the same effect as the -C command line option.
- CIPHERS ciphers: Specify a comma separated list of ciphers for encrypting the session. This option has the same effect as the -c command line option.
- MACS macs: Specify a comma separated list of MAC algorithms. This option has the same effect as the -m command line option.
- USER user: Specify the user to log in as on the remote machine. This option has the same effect as the -l command line option or the user runtime parameter.
- AllowedAuthentications methods: Specify the authentication methods that are allowed for user authentication. The value is a comma separated list of method names without any spaces. See SSH2 parameter CLIENTALLOWEDAUTHENTICATIONS for the possibility to restrict the ssh client's authentication methods.
-S process: Connect using a specific SSH2 process. See section Configuring the SSH2 Process to Use for further details.
Runtime options relevant only when creating a shell:
-t: Force pseudo-tty allocation. This can be used to execute arbitrary screen based programs on a remote machine.
-T: Do not allocate a tty.
-s: Use this option to request invocation of a subsystem on the remote system. Subsystems are a feature of the SSH2 protocol which facilitate the use of
313. e alias and the user is logged on as the alias, LOGINNAME access would not be allowed, GUARDIANNAME would be allowed, and BOTH would also be allowed.
Considerations / Default: The value (list of authentication methods) is only relevant for outgoing ssh connections. For incoming connections the list of authentication methods is configured for each user (attribute ALLOWED AUTHENTICATIONS). The authentication methods actually allowed at the client side consist of those methods that are specified in the client side option AllowedAuthentications as well as in the value of SSH2 parameter CLIENTALLOWEDAUTHENTICATIONS. The default value is BOTH.
Examples: CLIENTMODEOWNERPOLICY LOGINNAME
See also: the section on Ownership and Management of Client Mode Entities.
COMPRESSION: Use this parameter to specify whether compressed SSH sessions will be supported.
Parameter Syntax: COMPRESSION TRUE|FALSE
Arguments: TRUE|FALSE. The following arguments can be used to specify whether compression of the SSH session will be supported:
o TRUE allows compressed sessions
o FALSE denies compressed sessions
Default: If omitted, SSH2 will allow compressed sessions.
Example: COMPRESSION FALSE
CONFIG: Use this parameter to specify a configuration file for an SSH2 process.
Parameter Syntax: CONFIG file
Arguments: file specifies the name of the configuration file.
Def
314. e average transfer rate and CPU consumption has been measured while a file with 50 MB of data has been transferred via SFTP. The following table shows the result of the measurement:

| Partner system | Direction of transfer | Cipher Suite / MAC algorithm | Time elapsed (s) | CPU time used (s) | Throughput (KB/s) | CPU ms / MB transfer | CPU usage (%) |
|---|---|---|---|---|---|---|---|
| Linux OpenSSH | NonStop to Partner system | AES-128 / MD5 | 66.5 | 27.1 | 734 | 568 | 41 |
| Linux OpenSSH | Partner system to NonStop | AES-128 / MD5 | 242 | 26.6 | 202 | 557 | 11 |

Please bear in mind that the measured transfer rate does not only depend on the performance of the SSH2/SFTPSERV components but also on the network throughput and the performance of the remote SFTP client or server. The most significant column of the table is probably the value CPU ms / MB transfer, which should give a good estimate for the CPU milliseconds needed to transfer one Megabyte of data using SFTP.
SFTPSERV Performance of the ls Command with Wildcards: The output from the command ls (list) can be delayed when wildcards are used and the file information returned by SFTPSERV is not processed effectively. Unlike the ftp protocol, the sftp protocol does not define two commands for listing the names of files in a directory (ftp NLST) and listing all file attributes of files in a directory (ftp LIST). There is only one command in the sftp protocol, READDIR, that always retrieves all attributes of the files in a directory. In case o
315. e baud rate detection from remote client using RFC 1079. Default: P1 = 0 disables, P1 > 0 enables. P2 presently unused. The baud rate detected can be retrieved by setmode 204 as a 32 bit integer, or by setmode 22, which maps selected baud rates (75 to 19200) to values 1 to 15 using the traditional ATP coding for setmode 22, and other baud rates to 0.
203: Only used with special terminals. P1 = 0 (default) is compatible with previous releases. P1 = 1 discards any data after an application read is satisfied due to maximum read count, up to and including the next line end (ascii CR). P2 presently unused.
204: Only used with special terminals. Retrieves the speed detected by setmode 202. P1 is the high order word, P2 is the low order word. Setting this value affects only the value returned in future setmode 204 calls.
205: Only used with special terminals. P1 = 1 disables echo of ascii EOT (hex 04). P1 = 0 (default) is compatible with previous releases and handles EOT like other characters for echo purposes.
206: Only used with special terminals. P1 = 1 disables interrupt character handling for ascii BS (CTRL-H, hex 06), ascii CAN (CTRL-X, hex 18) and EM (CTRL-Y, hex 19), and also the 6530 control character ascii ENQ (hex 05). P1 = 0 (default) is compatible with previous releases.
207: P1 and P2 are ignored. ascii ST and NO are returned as last parameters. This can be used by applications to
316. e comForte SecurSH functionality.
Fully Compliant with the SSH Protocol Specification: SSH2 is fully compliant with version 2 of the SSH (Secure Shell) protocol standard as described in various Internet draft documents (see www.ietf.org). It can be integrated with any SSH solution on UNIX, Windows or other platforms.
Strong Authentication and Multiple Cipher Suites: SSH2 supports public key authentication with key sizes of up to 2048 bits. Various ciphers (including AES and 3DES) and MACing algorithms can be selected.
Support of Full Screen Terminal Access: SSH2 supports pseudo terminals on the NonStop platform, allowing SSH clients to execute full screen applications such as Emacs or vi within Secure Shell.
Built-in User Base: A built-in user base allows administrators to flexibly control who can access a system. Remote users can logon with virtual user names instead of a Guardian userid, eliminating the potential exposure of system credentials to file transfer clients. Access can be limited to a part of the file system and to a specific set of operations (e.g. only download).
Central Key Store: Instead of storing keys in the file system, SSH2 includes a key and password store with central access control, providing maximum security for user credentials. This enables the easy and secure implementation of batch processes without requiring the use of passwords in batch files.
Secure SFTP
317. e expected to reside in subvolume $SYSTEM.ZSSH after the standard HP installation process. The retrieved vprocs are then used to execute a consistency check. A warning will be issued if an object exists in both locations ($SYSTEM.ZSSH and $SYSTEM.SYSnn) and the vproc information differs.
Updating to a new version of the SSH2 file set: The following describes how to upgrade to a new version of SSH2 and its related object files. It assumes that an older version of the product is already running successfully and configured correctly.
Download of the object file set:
1. Download from the comForte web site. As first step, please download the PAK archive containing the new files from the comForte web site. This will be a single file with an extension 100 for S-Series and extension 800 for H-Series.
2. Transfer the file to the NonStop system and unPAK it in a scratch subvolume. Transfer the file to the NonStop system in binary and FUP ALTER it to the file code 100/800 as indicated by the extension. RUN the file and the new object files will be placed on the scratch subvolume.
Installation of the new version:
1. Backup your existing object files.
2. Stop all SSH2 instances. It is assumed that you have a standard way to STOP all running SSH2 instances.
3. FUP DUP the new object files from the scratch subvolume to your production subvolume.
4. Restart the SSH2 instances with the new version. It is assumed that you have a standard way to restart the SSH2 processes
318. e generated key.
LIVE DATE: This optional attribute is used to set the LIVE DATE (not valid before date) for the key. This attribute can only be set if the life cycle policy for User Private Keys is enabled (determined by SSH2 parameter LIFECYCLEPOLICYPRIVATEUSERKEY). If SSH2 parameter LIFECYCLEPOLICYPRIVATEUSERKEY is set to FIXED, then field LIVE DATE can be modified by the SUPER.SUPER user only (unless explicitly denied in the OBJECTTYPE USER record) or by those configured with full SSHCOM access. In case the SSH2 parameter LIFECYCLEPOLICYPRIVATEUSERKEY is set to VARIABLE, then every user can change field LIVE DATE for those keys the user owns.
EXPIRE DATE: This optional attribute is used to set the EXPIRE DATE (not valid after date) for the key. This attribute can only be set if the life cycle policy for User Private Keys is enabled (determined by SSH2 parameter LIFECYCLEPOLICYPRIVATEUSERKEY). If SSH2 parameter LIFECYCLEPOLICYPRIVATEUSERKEY is set to FIXED, then field EXPIRE DATE can be modified by the SUPER.SUPER user only (unless explicitly denied in the OBJECTTYPE USER record) or by those configured with full SSHCOM access. In case the SSH2 parameter LIFECYCLEPOLICYPRIVATEUSERKEY is set to VARIABLE, then every user can change field EXPIRE DATE for those keys the user owns.
IMPORT KEY: This command imports a private/public key pair from a file into the SSH2 key store. It has the following syntax: IMPORT KEY <system user name> <key name>
319. e> The application has closed the window and AUTODEL_WAIT seconds have elapsed. This is normal termination for some applications (for instance TACL exit). See AUTODEL_WAIT for details. After session termination, 6530 terminals will always be left in conversational (ITI) mode and the terminal display is erased.
STN41: The requested dynamic service application was started but did not connect to this window within 60 seconds. The application and this session are being stopped. This generally indicates a programming error in the application for the dynamic service. Contact the system administrator.
STN42: open for startup message error on process <p>, fe <fe>. For dynamic windows, STN tried to open the newly created application process <p> to pass the startup message, but the open was rejected with file system error <fe>. Contact the system administrator.
STN43: write for startup message error on process <p>, fe <fe>. For dynamic windows, STN opened the newly created application process <p> to pass the startup message, but the write was rejected with file system error <fe>. Contact the system administrator.
STN44: Application <name> has connected to this window. STN has detected an open from the application program. The next message will be from the application (e.g. a TACL prompt). <name> is the application process name.
STN46: Secure SSH session <SSH info>. This is an inf
320. e loopback IP address (127.0.0.1, localhost) but on all subnets defined for the TCP/IP process. Such a port is called a gateway port, as the host can be used as a gateway to a third host. A port forwarding request will be denied if the value of the user attribute ALLOW GATEWAY PORTS is set to FALSE. The user can still open non-gateway ports listening on 127.0.0.1.
Restricting External Access to the SSH2 Process: The restriction profile attribute CONNECT FROM can be used in environments in which some remote hosts should not be allowed to connect to a specific SSH2 instance running on a NonStop server. The value is a list of host names and IP addresses (or patterns) that are allowed to connect to the port SSH2 is listening to for SSH requests (default 22). The SSH user specified in the incoming SSH request is checked against the corresponding user record in SSHCTL. The user attribute RESTRICTION PROFILE is used to access the RESTRICTION PROFILE object, which contains the setting for CONNECT FROM. If a RESTRICTION PROFILE object and a CONNECT FROM value is configured, the host/IP address of the incoming SSH connection request will be checked against the list of hosts/IP addresses defined in CONNECT FROM. The incoming SSH2 request is accepted only if a match is found; otherwise it is rejected.
Restricting Internal Access to Remote SSH2 Hosts: If a user should not be allowed to connect to all available remote SSH instances, the SSH2 user configuration can be used t
321. e properly locked down to avoid security breaches in which per user authorization is bypassed (e.g. by setting SYSTEM USER NONE). The Kerberos principal name authenticated and authorized during gssapi-with-mic authentication will also be displayed in the audit log and thus can be used to correlate the Kerberos principal name with the NonStop user name. To delete a PRINCIPAL from the access control list, use the DELETE PRINCIPAL attribute.
PRIORITY: All user processes (except SFTPSERV processes) started directly by SSH2 will have the configured priority assigned. Following are the values allowed in this parameter and their meanings:
Value: 1-199. Meaning: Use the given priority value.
Value: -1. Meaning: Use the same priority as the SSH2 process starting the process.
Note: SFTPSERV processes will be given the priority specified via the SFTP PRIORITY attribute.
PTY SERVER: The value of a specific STN PTY server (Guardian process name) which the user will use. If a value of DEFAULT is specified, the user will use the STN PTY server that is configured via SSH2 parameter PTYSERVER.
PUBLICKEY: This attribute is used to assign one or more public key(s) to a user. Each public key must be given a <key name> which is unique among all public keys assigned to the current user. The key name will also be displayed in the audit log and thus can be used to determine which public key has been used for logon at a given time. To ad
322. e range 0-7 is used to set the low order three bits <13:15> of the debug option parameter. Setting DEBUGOPT 0 will avoid a problem with PATHCOM leaving ZZSA files when a session is terminated at the remote workstation. Refer to ADD SERVICE parameter HOME for more information.
RESILIENT YES|NO: RESILIENT is an option for TYPE DYNAMIC services that allows the application to remain active after the terminal session is disconnected. The STN implementation of RESILIENT is similar in general functionality to that of HP Telserv, but with some key differences. RESILIENT NO (the default setting) defines a traditional dynamic service: upon session disconnect, file system errors are returned to the application, and most applications (like TACL) will detect this and stop. If KILL_DYNAMIC is set, STN will stop the application on session disconnect. When RESILIENT is set to YES, LOGON is automatically set to REQ. A typical use for RESILIENT is to define several TACL windows which run at high priority. By logging on to these TACLs once and disconnecting, they are primed and ready for quick reconnects. This avoids the overhead of process creation and logging on, which can be critical when a system administrator needs immediate access. When a session requests a RESILIENT service, STN first checks for any existing windows left over from previous sessions for the service. If any such window is found, the
323. e remote NonStop host. The ftp string after the -L tells the SSH client to use additional FTP forwarding logic.
Connecting to the port forwarding client with an FTP client: The following command sequence will direct local FTP traffic to the port forwarding daemon and in effect create an encrypted FTP session between the two systems:
$TB TBSSH79 2> ftp 127.0.0.1 2121
FTP Client T9552J01 (30MAR2012) COPYRIGHT TANDEM COMPUTERS INCORPORATED 2012
Connecting to 127.0.0.1.
Established.
220 NPS762A FTP SERVER T9552G07 (Version 3.x TANDEM 30NOV2005) ready.
Name (127.0.0.1:user): comf.tb
331 Password required for COMF.TB.
Password:
230 User COMF.TB logged in. OSS API enabled.
ftp> dir
200 command successful.
150 Opening data connection for /bin/ls (127.0.0.1,4519) (0 bytes).
total 9662
drwxrwxrwx 1 COMF.TB COMF 4096 Jun 25 13:08 .
drwxrwxr-x 1 SUPER.SUPER SUPER 4096 Jul 03 20:43 ..
1 COMF.TB COMF 5430 May 08 16:40 .bash_history
-rw-rw-rw- COMF.TB COMF 1714 Sep 16 2004 .bashrc
-rw-rw-rw- COMF.TB COMF 3480 Aug 29 2007 .exrc
-rwxrwxrwx 1 COMF.TB COMF 141 Jan 06 2008 .profile
1 COMF.TB COMF 569 Jan 03 2007 .profile_fh
1 COMF.TB COMF 1100 May 08 16:40 .sh_history
1 COMF.TB COMF 4096 Nov 02 2004 .ssh
1 COMF.TB COMF 3116 Jan 08 2008 .viminfo
-rw-rw-rw- COMF.TB SUPER 15 Oct 20 2004 .vimrc
-rwxrwxrwx 1 COMF.TB COMF 15000 Oct 24 2007 a.out
-rw-rw-rw- SUPER.SUPER SUPER 2722667 Aug 29 2007 abc
drwxrwxrwx 1 SUPER
324. e shell, i.e. > /G/system/comfssh/sftposs
- Create a symbolic link to the OSS program file in a directory which is included in the default search path under OSS, e.g.:
> ln -s /G/system/comfssh/sshoss /usr/bin/ssh
> ln -s /G/system/comfssh/sftposs /usr/bin/sftp
- Copy the program file to a directory which is included in the default search path under OSS.
- Copy the program file to a location of your choice and add that location to the default search path.
In the subsequent sections of this chapter we will assume the client program files are part of your current search path under the OSS shell. If you start the program without any parameters, it will display a brief syntax summary and terminate:
> sshoss
Usage: sshoss [options] host [command]
Options:
  Log in using this user name
  Tty: allocate a tty even if a command is given
  Do not allocate a tty
  Display version number only
  Suppress ssh client banner
  Quiet: don't display any warning messages
  -H string: Set prefix used for error messages (Default: no prefix)
  -J string: Set prefix used for info/warning messages (Default: no prefix)
  -K string: Set prefix used for prompt/query messages (Default: no prefix)
  -c cipher: Select encryption algorithm
  -m macs: Specify MAC algorithms for protocol version 2
  -p port: Connect to this port. Server must be on the same port
  -L listen-port:host:port: Forward local port
325. e transfer is made to a Guardian edit file on the NonStop server.
Parameter Syntax: SFTPEDITLINEMODE none|cut|wrap
Arguments:
none: No special handling is done. A long line is treated as an error.
cut: The long line will be cut to ensure a maximum line length of 239 characters.
wrap: The long line will be wrapped, i.e. the first part of the line will be written in 239 character chunks until less than 240 characters are left, which will be written last.
Default: The default value is none.
Considerations:
- The setting of this parameter is only relevant if parameter SFTPEDITLINESTARTDECIMALINCR is set to a number between 0 and 99999999.
- This parameter is only considered when a Guardian edit file is written, i.e. either if a remote sftp client issues a put command to the SSH2 server on NonStop specifying a Guardian destination file with code 101, or if an sftp client on a NonStop server issues a get command specifying a local Guardian destination file with file code 101.
- If a get command is executed by an sftp client on the NonStop server, then the parameter must be set in the environment of the sftp client (as PARAM for SFTP running in the Guardian environment, or as environment variable for SFTPOSS running in the OSS environment).
- The parameter SFTPEDITLINEMODE defines the default behavior when Guardian edit files are created. The handling of lines that are too long can be altered by issuing the command ASLINEMODE at the NonStop
328. ect with a remote SSH client. You will not be prompted for the remote user's password. Instead, SSH2 will use the key pair configured for your NonStop user ID.
Configuring and Running SSH2 / Configuration Overview: Administrators can specify configuration parameters of SSH2 processes through each of the following means:
- A configuration file
- PARAM commands
- Startup command line parameters
These different options enable system administrators to easily manage installations with multiple SSH2 processes, including those running on multiple TCP/IP processes and ports as well as in different modes. For example, several SSH2 processes that have identical SSH configurations can share the same configuration file, which streamlines administration. On the other hand, process unique parameters such as the port to listen on can be specified on the command line. On startup, SSH2 parses the sources of configuration parameters. A single parameter may be specified in multiple sources, e.g. in the configuration file and on the startup command line. In this case SSH2 will process parameters with the following precedence (highest to lowest):
1. PARAM parameter
2. Parameter from configuration file 2 (CONFIG2)
3. Parameter from configuration file 1 (CONFIG)
4. Startup line parameter
This means that a parameter given in the configuration file will override the value given for the same param
329. ed, a command can be specified on the SSH client side, e.g. ssh usr@host ci -c fileinfo. This is allowed as the user does not get a TACL prompt. The command could be a TACL macro, e.g. a file with the following content:
?TACL MACRO
#OUTPUT Macro %0% started with parameters >%*%<
That macro could be started, for example, using the command below:
ssh usr@host ci -c $TEMP.TEMP.MYMACRO
The TACL process that gets started will display something like the following:
$TEMP.TEMP.MYMACRO abc def 123
Macro $TEMP.TEMP.MYMACRO started with parameters >abc def 123<
It is also possible to set CI COMMAND to $TEMP.TEMP.MYMACRO abc def 123 to avoid the requirement to specify the macro name on the client side. In this case the client command for executing the macro with fixed parameters abc def 123 would just be as shown below:
ssh usr@host ci
In cases where a TACL macro should be started but some input from the client side is needed, it is possible to access the command specified on the client side. If CI COMMAND is configured, then the specified client side command will not be executed but the command in CI COMMAND. The command specified on the client side is put into PARAM SSH ORIGINAL COMMAND and can be accessed by the TACL macro. Example content of a macro making use of that PARAM:
?TACL MACRO
#OUTPUT Macro %0% started with parameters >%*%<
330. ed: LOGON not allowed, PARAM not allowed, PRI not allowed, PROG not allowed, RESILIENT not allowed, SWAP not allowed, USER not allowed; IPRANGE optional, LOGAUDIT optional, MENU optional, MODE optional, SCRIPT optional, TERM_TYPE optional.
service name: Service names are up to 8 characters long, beginning with a letter followed by letters and numbers. No special characters are allowed. Service names are always interpreted as upper case. The service name must not duplicate any existing services, including the default TACL service if present. The newly added service will be in a STARTed state and available for immediate use.
TYPE DYNAMIC: With TYPE DYNAMIC the PROG field is required, while the CPU, PRI, LIB, SWAP, USER, PARAM, HOME, LIMIT, RESILIENT, DEBUGOPT and LOGON fields are optional. When a session requests a dynamic service, a new window with a unique name is automatically created. A new application process is also automatically created. When the session terminates, the window is automatically deleted. Dynamic services have various advantages and disadvantages:
- No WINDOW pre-configuration required
- No application pre-configuration required
- Workstations can have identical configurations
- Unique window names are difficult to track and manage
- Application process creation slows window startup
- Can be awkward for Pathway and other applications that allo
331. ed, the SFTP OSS and SSH OSS clients now prompt the user for the username:
> ssh 10.0.0.196
comForte SSH client version T9999G06_22Jan2014_SSH_0097
User name 10.0.0.196: test
You have no private keys in the key store. Trying password authentication.
Enter test@10.0.0.196's password:
If the user just hits return, the default user name applies. If the PARAM/environment variable INQUIREUSERNAMEIFNOTSUPPLIED is not defined or is set to the value FALSE, the default user name is assumed as well, i.e. the behavior is then identical to that before the introduction of INQUIREUSERNAMEIFNOTSUPPLIED.
Suppressing the Banner printed by Clients: When the SSH OSS and SFTP OSS clients print a banner containing the version and name of the ssh client (e.g. comForte SSH client version T9999G06_22Jan2014_SSH_0097), this banner can be suppressed by setting the Boolean parameter SUPPRESSCLIENTBANNER in the client environment, i.e. via PARAM in a TACL environment (PARAM SUPPRESSCLIENTBANNER TRUE) and via environment variable in the OSH environment (export SUPPRESSCLIENTBANNER=TRUE).
Automating the SFTP/SSH clients: The SSH OSS and SFTP OSS clients are normally used directly by humans, but sometimes it is required to automate the control of these clients, e.g. by setting IN and OUT of a client to a controlling program or script. In this case it is helpful to differentiate between messages printed by the client d
332. ed Syntax for Creation of New Guardian Files.
Default: If omitted, SSH2 will use a value of 900.
Example: SFTPMAXEXTENTS 950
SFTPPRIMARYEXTENTSIZE: Use this parameter to specify the primary extent size for files that are created on the NonStop system.
Parameter Syntax: SFTPPRIMARYEXTENTSIZE extsize
Arguments: extsize specifies the value to be used.
Considerations:
- The value can be overridden in put and get commands using the extended syntax described in the SFTP client reference chapter, in the section entitled Extended Syntax for Creation of New Guardian Files.
Default: If omitted, SSH2 will use a value of 2.
Example: SFTPPRIMARYEXTENTSIZE 10
SFTPREALPATHFILEATTRIBUTEECHOED: Enables or disables the echoing of file attributes added to file names. Some remote SFTP clients call realpath against the SFTP server for every remote file mentioned in a get or put command. By default, any file attributes added to a file get stripped by this call. The remote SFTP clients in question then use the value returned by realpath for the actual remote file access, i.e. without the file attributes a remote user had specified.
Parameter Syntax: SFTPREALPATHFILEATTRIBUTEECHOED TRUE|FALSE
Arguments: TRUE|FALSE specifies whether the file attributes attached to a file name get echoed by the SFTP server, i.e. returned to the SFTP client:
o TRUE: File attributes will be echoed by the realpath function
333. ed with the STARTUPMESSAGE parameter. If running SSH2 as a generic process, we recommend that users send the SSH2 log output to a log file instead of writing it to the home terminal, which is the default approach. In the example above, console logging is turned off while log messages are written to the SSHLOG file on the default volume. If you want to configure multiple SSH2 servers listening on the same port with parallel library TCP/IP or TCP/IPV6 round robin filtering, you may specify the filter key with the PTCPIPFILTERKEY configuration parameter or add the define =PTCPIP^FILTER^KEY for the generic process (defines can be added to generic processes since G06.28 / H06.06). Likewise you can use the TCPIPHOSTFILE, TCPIPNODEFILE and TCPIPRESOLVERNAME parameters to configure TCP/IP settings (or the corresponding DEFINEs). Please refer to the SCF Reference Manual for the Kernel Subsystem in the HP NonStop documentation set for further details.
Choosing a Persistence Mechanism: Determining whether it is more effective to configure SSH2 as a NonStop process pair or as a generic process depends on your system environment and the expected SSH transfer volume. For an environment with low volumes of SSH traffic it may be sufficient to run a single SSH2 process pair. However, if you expect a higher traffic volume, you may want to distribute the CPU load across the available CPUs o
334. ee also SAVE_CFG. INFO IPRANGE [<iprange name>]: Displays configuration information for a specific IPRANGE or for all IPRANGEs. INFO PROCESS: INFO PROCESS displays the setting of global parameters. The following example shows a typical result:
Config BWNS02 SZPTYK 075536 T0801H01_22JAN2014_ABK LG 18DEC2013_223018 AUDITCOLL OFF AUDITING OPTIONAL AUTODEL_WAIT 3 BANNER Y BANNER_TIMEOUT 0 REAK_ON_DISCON N C12_ALWAYS nh HOICE_PROMPT p CHOICE_ROW 0 CLR_SSH N CONN_CLR_TELNET Y EV_SUBTYPE BO5COMP DYNAMIC_PRI 149 N_CPU Oe 15 DYN_WIN_MAX 100000 3270_CONN OFF FESESSDOWN 140 DLE_WARNING 2 INPUT_TIMEOUT 0 EEPALIVE ILL_DYNAMIC N UNAME_ECHO MAX_OPENERS 32 MAX_OUTQO NBOT Y BOT_TIMEOU NEGOT_TIMEOUT 20 ODE E OPENER_WAIT 30 TPUT ESET RECV_SIZE 1000 PLY ELAY_MAX RFC860TM 0 SCMG EPTH SEM2_SEGID_FIRST 900 D_LAST SEM2_SEG_SIZE 130048 END_MAX SEM2_TIMEOUT 600 IMIT SEND_Q MAX 20 __ TIMEOUT SPI x H_ DEFAULT_SVC SSL_OBJECT STNSSL RMID_RFID N 3270_IN_SIZE 2000 70_MORE_TO 5 3270_SKIP_NEGOT N 70_TM_BLOCK 10 3270_TM_TO 2 LCOME_SEQ BEFORE UAIPADDR N WIN_AVAIL_C11 Y WIN_AVAIL_ALWAYS N WIN_SCRIPT_FIRST Y WSINFO NONE CHOICE_TEXT nEnter Choice gt STNCOM_PROMPT wy TERMID_FILE OFF WELCOME OFF HP Build of STN no license needed Allows umlimited PTY SSH sessions SAFECOM INFO DISKFILE STN PRIV LOGON ON GWN disabled using ZWNnnnn for session window names GWN FILE GWN BLOCKSIZE 25
335. Information Needed By Support 331; General SSH2 Error Messages 332; Session Related SSH2 Errors 333; Session Related Error Messages of SSH2 Daemon 333; Session Related Messages of SSH2 in Client Mode 337; Client Error Messages 340; Appendix 343; Event Summary 343; Event Category ERROR 343; Event Category WARNING 347; Event Category INFO 358; Copyright Statement 367; OpenSSL Copyright Statement 367; OpenSSH Copyright Statement 368. Preface: Who Should Read This Guide. This document is for system administrators who are responsible for installing, configuring and maintaining SSH2 components, including those delivered with the HP NonStop SSH product (T0801) and those that come with comForte's SecurSH or SecurFTP/SSH product. This document also contains sections useful for users of ssh/sftp clients on NonStop systems, namely se
336. ell script. Arguments: shell script, a shell script with full path information that will be executed for non-login shells to prepare the shell environment. Considerations: The configured value is only used if the USER record does not have a value configured for attribute SHELL-ENVIRONMENT. Default: If omitted, SHELLENVIRONMENT is empty. Example: AUTOADDAUTHPRINCIPAL /etc/nonloginProfile. See also: section "To Connect a Remote SCP Client to the NonStop Server". SOCKETKEEPALIVE: Use this parameter to specify whether keep-alive messages should be sent to the TCP/IP sockets of established links. Parameter Syntax: SOCKETKEEPALIVE mode. Arguments: mode: 1 (on) for sending keep-alive messages; 0 (off), no messages are sent. Default: By default keep-alive messages are sent (1). SOCKETRCVBUF: Use this parameter to control the size of the TCP/IP receive buffer. When setting this parameter to a non-zero value, the specified value is used on the socket level. Parameter Syntax: SOCKETRCVBUF bytes. Arguments: bytes, a number representing the size of the TCP/IP receive buffer in bytes. A value of 0 means the receive buffer size configured in the TCP/IP process is used. Considerations: Setting this parameter to a higher value can increase throughput when transferring files. Normally the value configured in the TCP/IP process is sufficiently high. De
337. en an ampersand (&) appears as the last character on a line, the command is continued with the first column of the next line. There is no limit on the number of lines over which a command may be continued, but commands are limited to 10240 characters. Prior to STN version B24 the limit was 1024 characters. If STNCOM is prompting at a terminal for input, the prompt for continuation lines will be the current prompt prefixed by ampersand, ampersand, space ("&& "). Continuations are allowed from terminals, IN files and OBEY files. Starting with version B08, responses to incorrect STNCOM commands will be preceded and followed by lines containing "Error". To start STNCOM, use the standard TACL RUN command as shown in the following examples:
1> RUN stncom stn
2> stncom S stnl info stn
3> stncom IN stnin4 OUT s
4> stncom S stnl TRACE $system.stn.trace3 1M
The following illustrates a sample session:
STNCOM T0801H01_23JAN2012_ABA
OPEN $STN
info service
info service
SERVICE TACL TYPE PROG version version DYNAMIC $SYSTEM.SYSTEM.TACL
G007I T $STN 1 835
G000I STN B15 15NOV2011
G001I Copyright 1984-2011 Gemini Communications Inc. All rights reserved
exit
Exit
Starting with SPR T0801 ABE, the following banner and version info is displayed:
STNCOM T0801H01_24JAN2013_ABE
OPEN $STN
T0801H01_24JAN2013_ABE 1
338. WHERE: The WHERE option can be used to filter openers. Only those openers that fulfill all listed filter conditions <attr filter> will be displayed. Each attribute filter must have the following format (the space characters surrounding the <operator> field are mandatory): <attr> <operator> <value>. For information about <attr>, please see under option SELECT. The following operators are supported for <operator>: =, <> (for not equal), <, <=, > and >=. The value in <value> can be either a string, a quoted string or a number. FILTER STATISTICS: If it is of interest to determine the number of openers matching the filter conditions, the option FILTER STATISTICS can be specified. If the optional ONLY is added, then the status data is not displayed but just the total number of openers and the number of matching openers. Statistics Related Commands: Sometimes it is of interest to investigate the activity of ssh sessions in more detail, e.g. to view the progress of file transfers. The progress feature can be enabled for each individual sftp session at the sftp prompt. With the introduction of the STATISTICS SESSION command, the activity of all sessions handled by an SSH2 process can be displayed. The commands ENABLE STATISTICS and DISABLE STATISTICS allow switching on and off the gathering of statistics data. Other commands are STATUS STATISTICS and RES
339. enerated. In this case the value of parameter HOSTKEYBITS is not relevant. During startup the key length of the local host key is now logged. In case a local host key is generated at startup of the SSH2 process, the supported key size depends on the host key type: for type RSA, key sizes 1024 and 2048 are supported; for type DSA, only 1024 is supported. Key sizes 1024 and 2048 for RSA and 1024 for DSA have always been supported as remote host key sizes; the parameter HOSTKEYBITS is only relevant for local host keys. Example: HOSTKEYBITS 2048. See also: HOSTKEY, HOSTKEYTYPE. HOSTKEYTYPE: A local host key is generated whenever the SSH2 process detects at startup that no local host key file exists. The type of the local host key that gets generated can be configured using parameter HOSTKEYTYPE. Parameter Syntax: HOSTKEYTYPE RSA|DSA. Arguments: RSA|DSA specifies the type of the local host key in case one needs to be generated. Valid values are: RSA, the local host key will be of type RSA if newly generated at startup; DSA, the local host key will be of type DSA if newly generated at startup. Default: If omitted, value DSA is the default, as before introduction of this parameter. Considerations: If a HOSTKEY file exists, then no new local host key is generated; in this case the value of parameter HOSTKEYTYPE is not relevant. In case a local host key is generated at startup of the SSH2 process, the supported key si
340. er general settings
# TCP/IP process the server runs on
SUBNET $ZTC1
# port where SSH2 listens for incoming SSH connections; we use the well known SSH port
PORT 22
# file name of host key file
HOSTKEY hostkey
# file name of user database file
SSHCTL SSHCT
# log configuration: set the level
LOGLEVEL 50
# enable console logging to 0
LOGCONSOLE 0
# additionally log to file
LOGFILE $data1.ssh2.ssh2log
PARAM Commands: The following PARAM command can be used to set SSH2 configuration parameters: PARAM <parameter name> <parameter value>. If the parameter value contains one or more commas, it must be included in double quotes (see the PARAM command in the NonStop TACL Reference Manual for the use of the comma as separator): PARAM <parameter name> "<parameter value>". All available SSH2 parameters can be specified using PARAM commands. But please be aware of the limitations described in the TACL Reference Manual: TACL reserves 1024 bytes of internal storage for parameters and their values. The number and length of parameters in effect are limited by this storage area. The following example demonstrates how to use a PARAM command to start an SSH2 server listening on $ZTC03 port 22:
> PARAM PORT 22
> PARAM SUBNET $ZTC03
> RUN SSH2 /NAME $SSH02/ SERVER
Startup Line Parameters: SSH2 configuration parameters can be
341. er attribute ALLOWED-AUTHENTICATIONS. The authentication methods actually allowed at the client side consist of those methods that are specified in the client side option AllowedAuthentications as well as in the value of SSH2 parameter CLIENTALLOWEDAUTHENTICATIONS. Default: The default value is to allow all methods that are supported. Examples: CLIENTALLOWEDAUTHENTICATIONS password,keyboard-interactive; CLIENTALLOWEDAUTHENTICATIONS publickey. See also: the ssh client's option AllowedAuthentications (see section "SSH and SFTP Client Reference", "General Runtime Options"); user attribute ALLOWED-AUTHENTICATIONS. CLIENTMODEOWNERPOLICY: Defines the security granularity for the client mode SSH2 database. Parameter Syntax: CLIENTMODEOWNERPOLICY LOGINNAME|GUARDIANNAME|BOTH. Arguments: LOGINNAME: The default owner is the login name, which can be a Guardian user identifier or an alias. An alias user cannot add/read/manipulate entries for the Guardian user the alias is configured with; vice versa, a Guardian user also cannot add/read/manipulate entries for associated aliases. In other words, a Guardian or alias user can add/manipulate entries for that Guardian or alias user only. The value LOGINNAME is recommended if different people are using the various aliases configured with the same Guardian user identifier. GUARDIANNAME: The default owner is the Guardian user ide
342. er IP processes. This can be achieved by specifying the ANY address in INTERFACE in addition to the specific IP addresses. Example: A listen is required on IP address 1.2.3.4, which is configured in process $ZTC1. Additionally, a listen needs to be issued for the ANY address against $ZTC0. Then the parameter INTERFACE would be set to 1.2.3.4,0.0.0.0 and the SUBNET value would be $ZTC0,$ZTC1. Multiple Allowed Bind IP Address Configuration: A specific bind address could be specified from a local SSH[OSS]/SFTP[OSS] client via runtime option -oBindAddress <bind address> when INTERFACEOUT was not set (configured with the ANY address). If such an option did not exist on the client command line, the actual bind address was determined by the TCP/IP process. An administrator could only select one specific local IP address as local bind address by configuring INTERFACEOUT to that specific IP address. With such a configuration, any -oBindAddress option specified on the client command line is ignored and the bind address configured via INTERFACEOUT is used. With the support of multiple IP addresses for INTERFACEOUT, it is possible to allow a set of IP addresses as bind addresses. If the -oBindAddress option of a client selects one of the IP addresses configured in INTERFACEOUT, then the address supplied from the client will be used as local bind address for the connection. If the client does not specify a bind address, then the SSH2 process selects
343. erations: One TCP/IP operation like listen or connect can only be done using exactly one IP address, which could be the ANY address in case of listen. See section "Multiple IP Process/Multiple IP Address Considerations" for more details. If DNS name resolving results in a list of IP addresses, then IPv4 and IPv6 IP addresses may appear in the list. The parameter setting is not only relevant for target host names specified by local SSH[OSS] and SFTP[OSS] clients but also for names configured in parameters INTERFACE and INTERFACEOUT, in that now multiple listens will be issued even if only one host name is configured for INTERFACE, in case the DNS name resolving results in multiple IP addresses. Similarly, with DNSMODE ALL, local IP addresses used for outgoing connections are selected from a list of IP addresses in case multiple addresses are configured for a host name configured via INTERFACEOUT. Example: DNSMODE ALL. See also: INTERFACE, INTERFACEOUT, IPMODE. EMSBURSTSUPPRESSION: Use this parameter to configure burst suppression for log message duplicates for the EMS log target. Parameter Syntax: EMSBURSTSUPPRESSION TRUE|FALSE. Arguments: TRUE|FALSE specifies whether EMSBURSTSUPPRESSION is enabled or not. TRUE: duplicate log messages will be suppressed. FALSE: duplicate log messages will not be suppressed. Considerations: The value of parameter EMSBURSTSUPPRESSION is ignored if BURSTSUPPRESSION is set to TRUE. Bu
344. Specify how many requests may be outstanding at any one time. Increasing this may slightly improve file transfer speed but will increase memory usage. The default is 16 outstanding requests. The number of outstanding requests can also be set by specifying a PARAM environment variable SFTPNUMREQUESTS. -S <SSH2 process name>: This option is used to set the SSH2 process to communicate with. Please refer to the section "Configuring the SSH2 Process to Use" earlier in this chapter. -Z: The banner normally printed by the ssh client is suppressed (the line "SFTPOSS client version T9999H06_23Dec2010_comForte_SFTPOSS_0089" in the above example). The suppression of the client banner can also be achieved by specifying a PARAM environment variable SUPPRESSCLIENTBANNER with possible values 0 for false and 1 for true; the -Z option takes precedence over the PARAM environment variable. Runtime options relevant only when automating the SFTP client: -H string: Set a specific string used as prefix for error messages displayed by the SFTP client during the connection phase. Double quotes can be used to define strings containing a space or special characters. The prefix for errors can also be specified via PARAM environment variable SSHERRORPREFIX; the -H option takes precedence over the PARAM environment variable. There is no specific error prefix defined as default. -J string: Set a specific string used as prefix for informational or warning m
345. erminal type <ttype> is not supported: The TN6530 client terminal emulator sent a terminal type identifier unknown to STN. Verify that the terminal emulator is properly set for TN6530 emulation. STN04 Connected to Dedicated Window <window>: This message indicates that the session has been automatically connected to a dedicated window named <window> whose IP address matches the remote workstation. STN05 Dedicated Window(s) are configured for this workstation IP address but are already in use or otherwise unavailable. Session terminated: Self-explanatory. STN06 Reserved for future use. STN07 SU Window not found: User entered a WINDOW name in response to the menu, but the specified window is not configured. STN08 Window is not Type SU: User entered a WINDOW name in response to the menu, but the specified window is not configured as type SU. STN09 Window is stopped by system operator: User entered a WINDOW name in response to the menu, but the specified window was stopped by an STNCOM STOP/ABORT WINDOW command. STN10 Connected to SU Window: User entered a WINDOW name in response to the menu, and the session was successfully connected to the requested window. STN11 Service not found: User entered a service name in response to the menu, but the specified service is not configured. STN12 Service is stopped by system operator: User entered a service name in respo
346. ernal log cache.
Determines which messages will be written to the console.
Determines which messages will be written to EMS.
Determines which messages will be written to the log file.
Controls the maximum size of the log file.
Allows regular logging of SSH2's memory usage to the log output.
Allows message authentication codes.
Allows granting limited administrative SSHCOM command privileges to groups rather than just SUPER.SUPER.
Allows granting limited administrative SSHCOM command privileges to users other than SUPER.SUPER.
Can be used to suppress the IP address in USER_AUTHENTICATE_ calls.
The port the SSH2 server listens on for incoming connections.
Controls whether SSH2 propagates DEFINEs in the SSH2 process context to newly started processes.
Sets the filter key to enable round robin filtering; same effect as DEFINE =PTCPIP^FILTER^TCP^PORTS.
Specifies the name of an STN process that functions as a pseudo terminal (PTY) server.
Allows configuring the end of record marker used in binary file transfers into a structured NonStop file.
Allows all connection restriction checks to fail if a record for the Guardian user could not be found.
Should be enabled if Safeguard is configured with PASSWORD-REQUIRED ON.
Controls whether SFTPSERV allows a Guardian style CD command.
Specifies the default value for USER attribute SFTP-CPU-SET.
Controls the output format (Guardian or OSS style) for SFTP informational messages.
347. error 19. STN34 process_create_ error <status> substatus <substatus>: PROCESS_CREATE_ error <status> with detail <substatus>. STN35 WARNING: Terminal will be disconnected if it stays idle: When BANNER_TIMEOUT or INPUT_TIMEOUT is in effect and there has been no input (and no output, if OUTPUT_RESET Y), STN35 is displayed every minute when the inactive time period is within IDLE_WARNING minutes of the timeout. STN36 Terminal was idle too long. Disconnecting: When BANNER_TIMEOUT or INPUT_TIMEOUT is in effect and there has been no input (and no output, if OUTPUT_RESET Y), STN36 is displayed and 10 seconds later the session is terminated. STN37 BLAST <text>: STNCOM command BLAST was used to force <text> to be sent to all sessions. STN38 No application program active on this terminal for <n> seconds. Session terminated: At the beginning of a session, OPENER_WAIT seconds have elapsed and no application has opened the window. See OPENER_WAIT for details. STN39 Session terminated, application request (control 12) <time>: The application has disconnected the session via control 12. This is normal termination for some applications like TACL logoff. After session termination, 6530 terminals will always be left in conversational (ITI) mode and the terminal display is erased. STN39 Session terminated, application closed terminal <tim
348. ers. Host/port combinations can be specified via the RESTRICTION-PROFILE attribute PERMIT-OPEN, which corresponds to the OpenSSH permitopen option. For remote clients, the user specified in the incoming SSH request is checked against SSHCTL. This forwarding restriction is applied if the attribute RESTRICTION-PROFILE is set in the user record and the PERMIT-OPEN attribute is configured in the corresponding restriction profile. Restricting access to forwarding tunnels: In scenarios in which a user is allowed to create a forwarding tunnel, administrators can require the definition of which hosts have access to the tunnel. Using the RESTRICTION-PROFILE attribute FORWARD-FROM, a list of hosts (IP addresses, patterns) can be defined that identify those hosts that are allowed to use a tunnel created by a specific user. In this case the list of allowed hosts is determined by the user who opened the tunnel, if configured accordingly. For remote clients, the user specified in the incoming SSH request is checked against SSHCTL. This forwarding-from restriction is applied if the RESTRICTION-PROFILE attribute of the user record is set and the FORWARD-FROM attribute of the corresponding restriction profile record is configured. Load Balancing: With SSH2 it is possible to distribute the CPU load generated by the encryption of SSH sessions across multiple processors of a NonStop system. This
349. ersion 3.3: Describes changes in SSH2 release 0086. Documentation for the following new features has been added: Support of GSSAPI/Kerberos based user authentication and key exchange in accordance with the RFC 4462 standard, including capabilities such as gssapi-with-mic and gssapi-keyex user authentication and gss-group1-sha1 and gss-gex-sha1 key exchange employing Kerberos. The new feature is addressed in new and updated documentation of the following parameters: new SSH2 parameter GSSAUTH; new SSH2 parameter GSSKEX; new SSH2 parameter GSSGEXKEX; extended SSH2 parameter ALLOWEDAUTHENTICATIONS; extended USER attribute ALLOWED-AUTHENTICATIONS; new USER attribute PRINCIPAL. The section "Single Sign-on with GSSAPI Authentication" has been added to the chapter "Configuring and Running SSH2". Version 3.2: Describes changes in SSH2 release 0085. Documentation for the following new features has been added: new SSH2 parameter RECORDDELIMITER. Version 3.1: Describes changes in SSH2 release 0084. Documentation for the following new features has been added: new environment variable INQUIREUSERNAMEIFNOTSUPPLIED, checked by ssh/sftp clients; new ADD USER option LIKE; new SSH2 parameter DISCONNECTIFUSERUNKNOWN. Version 3.0: Describes changes in SSH2 release 0083. Documentation for the following new features has been added: new database object RESTRICTION-PROFILE; new SSHCOM commands for
350. 160; MODE 160; SEV 161; INFO SSH2 161; CLEAR LOGCACHE 164; FLUSH LOGCACHE 164; INFO DEFINE 164; OUT <filename> STOP 164; PROMPT <text> 164; RESOLVE HOST NAME 165; ROLLOVER AUDITFILE 165; ROLLOVER LOGFILE 165; EXPORT SSHCTL 166; INFO HOST KEY 166; EXPORT HOST KEY 167; Daemon Mode Commands Overview 167; Daemon Mode Commands Operating on the USER Entity 168; ADD USER 168; ALTER USER 175; DELETE USER 182; FREEZE USER 182; INFO ... 18
351. essages displayed by the SFTP client during the connection phase. Double quotes can be used to define strings containing a space or special characters. The prefix for infos/warnings can also be specified via PARAM environment variable SSHINFOPREFIX; the -J option takes precedence over the PARAM environment variable. There is no specific info/warning prefix defined as default. -K string: Set a specific string used as prefix for prompt/query messages displayed by the SFTP client during the connection phase. Double quotes can be used to define strings containing a space or special characters. The prefix for infos/warnings can also be specified via PARAM environment variable SSHQUERYPREFIX; the -K option takes precedence over the PARAM environment variable. There is no specific query prefix defined as default. Runtime Parameters: The following runtime parameters are supported: User, the user name used to log on to the remote system. Host, the IP address or DNS name of the host system to connect to; this parameter is mandatory. File, the remote file to download to the local system, optionally followed by the local filename of the downloaded file. Examples for usage of runtime parameters: The following set of commands:
> sftposs -S $TBA01 -oPort 2222 burgt@10.0.0.201
SFTPOSS client version T9999H06_22Jan2014_comForte_SFTPOSS_0097
Connecting to 10.0.0.201 via SSH2 process $TBA01
352. 81; HOSTKEY 81; HOSTKEYBITS 82; HOSTKEYTYPE 83; INTERFACE 84; INTERFACEOUT 84; INTERVALLIVEPRIVATEUSERKEY 85; INTERVALLIVEPUBLICUSERKEY 86; INTERVALPENDINGPRIVATEUSERKEY 86; INTERVALPENDINGPUBLICUSERKEY 87; IPMODE 87; LICENSE 88; LIFECYCLEPOLICYPRIVATEUSERKEY 89; LIFECYCLEPOLICYPUBLICUSERKEY 89; LOGCACHEDUMPONABORT 90; LOGCACHESIZE 91; LOGCONSOLE 91; LOGEMS 92; LOGEMSKEEPCOLLECTOROPENED 92; LOGFILE 93; LOGFILERETENTION 93; LOGFORMAT 94; LOGFORMATCONSOLE 95; LOGFORMATEMS 95; LOGFORMATFILE
353. eter on the startup line. Likewise, a parameter value given as a PARAM command will override any value specified in the configuration file. All SSH2 parameters can be specified in any of the configuration parameter sources, except in the following instances: The run mode of an SSH2 process is specified explicitly on the command line as the first startup line parameter. This parameter defines the general functionality the SSH2 process will provide; see the "Starting SSH2" section for details. The configuration file to be used as a parameter source can only be specified as a PARAM or startup line parameter, not in a configuration file. It is important to note that parameter names are case insensitive, regardless of the manner in which they are specified. The Configuration File: Configuration files can be modified with a standard NonStop editor such as TEDIT. The name of the file that an SSH2 process should use as the configuration source is passed to the program during startup; see the "Starting SSH2" section for details. The file contains entries in the following form: parameter-name parameter-value. Like in the standard TCP/IP configuration files, any lines starting with a # character are interpreted as comments. Following is a sample configuration file for running SSH2 as a server that provides SFTP functionality: # sample configuration file for an SSH2 serv
354. evel of 10. unexpected exception <error detail>, SSH2 terminating: <error detail> describes the error condition. Cause: The SSH2 process encountered a fatal error condition. Effect: The SSH2 process terminates. Recovery: Any corrective action depends on <error detail>. Invalid runmode, SSH2 terminating. Valid runmodes are CLIENT, DAEMON, SERVER (same as DAEMON), ADMIN, NOADMIN or ALL: Cause: The SSH2 process was started with an invalid run mode. Effect: The SSH2 process terminates. Recovery: Use a valid run mode. <operation> is either create or write; <key file name> is the name of the private host key file as given by the HOSTKEY parameter. Cause: SSH2 could not create or write the private host key file. Effect: The SSH2 process continues processing with the generated private key. As the key could not be stored, the host key will change after a restart of SSH2 (SSH2 will generate a new key). Recovery: Check whether the HOSTKEY parameter refers to a valid file name. You may also need to check your SAFEGUARD settings to ensure SSH2 is authorized to create or write the HOSTKEY file. Error loading private host key <error detail>: Cause: SSH2 could not load the private host key from the HOSTKEY file. Effect: The SSH2 process terminates. Recovery: Validate that the file referred to by the HOSTKEY parameter contains a private key previously generated by SSH2. Info: ProtectionRecord Processing OBJ
355. evel of security access required for sensitive STNCOM commands. Sensitive commands are defined as commands that alter the STN environment. Non-sensitive commands are those that only report status information without changing anything in the STN environment. The default is O. Allowed values are from the set N, A, G, C, O, U and are based on the standard Guardian file security interpretation. PARAM TRACE^FILE trace-file: Starts a trace file immediately. The size is determined by PARAM TRACE^SIZE. This file is created if it does not already exist. The trace file must refer to a local disk file. PARAM TRACE^FILE should follow PARAM TRACE^SIZE. Tracing is normally started using STNCOM commands, so this parameter is rarely used. PARAM TRACE^SIZE number: Specifies the byte size of the trace file when PARAM TRACE^FILE is used. A decimal number can be used to specify the parameter. Users may also append the letter K (kilowords) to the number, which multiplies by 1,024, or they can add the letter M (megawords), which multiplies by 1,048,576. The default is 100K. PARAM TRACE^SIZE should precede PARAM TRACE^FILE. Tracing is normally started using STNCOM commands, so this parameter is rarely used. 5. run stn: STN does not use the OUT parameter (example: run stn /name $stn, out $zhome/ <-- not allowed). If OUT is not defaulted to the home terminal, the following EMS event (zstn ems evt misc 9) is
356. f. ABORT SERVICE: same as STOP SERVICE. ABORT SESSION: same as STOP SESSION. ABORT WINDOW: same as STOP WINDOW. ADD IPRANGE: Defines an IPRANGE for use with ADD SERVICE. Each IPRANGE defines 1 to 6 IP addresses or ranges of IP addresses. ADD IPRANGE <iprange name> <range> [<range> ...]. <iprange name>: 1 to 8 characters, first alpha, remainder alpha or numeric, case insensitive. This name is used in the IPRANGE parameter of ADD SERVICE commands. <range> has three allowable formats: (1) a.b.c.d: this form specifies a single IP address, for example 192.17.38.241. (2) a, a.b or a.b.c: this form specifies the first 1, 2 or 3 bytes of an IP address, which must match, with the remaining 3, 2 or 1 byte(s) respectively allowed to have any value: 192 matches only 192.0.0.0 through 192.255.255.255; 192.7 matches only 192.7.0.0 through 192.7.255.255; 161.114.87 matches only 161.114.87.0 through 161.114.87.255. (3) a.b.c.d-e.f.g.h: this form defines two specific IP addresses; the first must be numerically less than or equal to the second: 192.1.2.3-192.1.2.6, 192.1.0.0-192.21.255.255. The ADD IPRANGE command may be done before or after the ADD SERVICE commands referring to the IPRANGE. ADD SCRIPT: ADD SCRIPT <script name> function p1 p2 [function p1 p2 ...]. A script is a series of setmode commands which is automatically performed at the beginning
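As an added example (not code from the manual or from STN itself), the following Python checker implements the three <range> formats of ADD IPRANGE described above, so an administrator can verify which IPv4 addresses an IPRANGE definition admits before binding it to a service with ADD SERVICE. It assumes the span form is written with a hyphen (a.b.c.d-e.f.g.h), which the extracted text does not show, and IPv4 only, as in the manual's examples.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

Octets = Tuple[int, ...]


def _parse_octets(text: str) -> Octets:
    """Parse 'a', 'a.b', 'a.b.c' or 'a.b.c.d' into a tuple of 0..255 integers."""
    parts = text.strip().split(".")
    if not 1 <= len(parts) <= 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed address or prefix: {text!r}")
    octets = tuple(int(p) for p in parts)
    if any(o > 255 for o in octets):
        raise ValueError(f"octet out of range in {text!r}")
    return octets


def _to_int(octets: Octets) -> int:
    """Pack octets big-endian into one integer (a 32-bit value for a.b.c.d)."""
    value = 0
    for o in octets:
        value = (value << 8) | o
    return value


@dataclass(frozen=True)
class Range:
    low: int    # inclusive lower bound, as a 32-bit integer
    high: int   # inclusive upper bound


def parse_range(text: str) -> Range:
    """One <range>: a.b.c.d (single), a / a.b / a.b.c (prefix), a.b.c.d-e.f.g.h (span).

    The hyphen separator for the span form is an assumption of this example.
    """
    if "-" in text:
        lo_txt, hi_txt = text.split("-", 1)
        lo, hi = _parse_octets(lo_txt), _parse_octets(hi_txt)
        if len(lo) != 4 or len(hi) != 4:
            raise ValueError("span form needs two full a.b.c.d addresses")
        lo_i, hi_i = _to_int(lo), _to_int(hi)
        if lo_i > hi_i:
            raise ValueError("first address of a span must be <= the second")
        return Range(lo_i, hi_i)
    octets = _parse_octets(text)
    missing = 4 - len(octets)               # 0 for a.b.c.d, 1..3 for prefix forms
    base = _to_int(octets) << (8 * missing)  # unspecified trailing bytes start at 0
    return Range(base, base + (1 << (8 * missing)) - 1)  # ... and may take any value


@dataclass(frozen=True)
class IpRange:
    name: str
    ranges: Tuple[Range, ...]


def parse_add_iprange(name: str, ranges: List[str]) -> IpRange:
    """Mirror the ADD IPRANGE constraints: name 1-8 chars, alpha first, 1 to 6 ranges."""
    if not re.fullmatch(r"[A-Za-z][A-Za-z0-9]{0,7}", name):
        raise ValueError(f"invalid IPRANGE name: {name!r}")
    if not 1 <= len(ranges) <= 6:
        raise ValueError("an IPRANGE holds 1 to 6 ranges")
    # Names are case insensitive, so store a canonical upper-case form.
    return IpRange(name.upper(), tuple(parse_range(r) for r in ranges))


def address_allowed(iprange: IpRange, address: str) -> bool:
    """True if the full IPv4 address falls inside any range of the IPRANGE."""
    octets = _parse_octets(address)
    if len(octets) != 4:
        raise ValueError(f"need a full a.b.c.d address, got {address!r}")
    value = _to_int(octets)
    return any(r.low <= value <= r.high for r in iprange.ranges)


if __name__ == "__main__":
    # Constructed sample built from the manual's own example ranges.
    ipr = parse_add_iprange(
        "lanusers",
        ["192.17.38.241", "192.7", "161.114.87", "192.1.2.3-192.1.2.6"],
    )
    for addr in ("192.17.38.241", "192.7.200.1", "161.114.87.9",
                 "192.1.2.5", "192.1.2.7", "10.0.0.1"):
        print(addr, "allowed" if address_allowed(ipr, addr) else "denied")
```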
357. …f a Safeguard ALIAS. Hence SSH2 can only impersonate an ALIAS if a password is provided. If this parameter is set to TRUE, SSH2 will always request that users mapped to an ALIAS perform password authentication, even after a successful public key authentication.
• Do not set this parameter for H06.11 RVU or later.
Default: If omitted, the default will be FALSE.
Example: SAFEGUARD-PASSWORD-REQUIRED TRUE

SFTPALLOWGUARDIANCD: Use this parameter to enable the usage of a Guardian-style CD command with SFTPSERV.
Parameter Syntax: SFTPALLOWGUARDIANCD TRUE | FALSE
Arguments: TRUE: SFTP clients can use Guardian-style CD commands such as CD $data05.mysvol. FALSE: SFTP clients can only use Unix-style CD commands.
Considerations:
• The mechanism for resolving Guardian-style subvolume names may cause problems with some SFTP clients, such as FileZilla.
• The CD command with Guardian volume and subvolume only works in the Guardian name space (path starts with /G). Switching from OSS name space to Guardian name space requires either putting /G in front of the subvolume (e.g. cd /G/us/temp) or issuing a separate cd /G command. This is required only once. When in Guardian name space, a simple cd <subvolume> (e.g. cd us.temp) is sufficient.
Default: If omitted, the default will be FALSE.
Example: SFTPALLOWGUARDIANCD TRUE

SFTPCPUSET: This parameter allows con…
358. …f a wildcard (e.g. ls test*), the SFTP client will do the pattern matching after all file attributes have been retrieved from the SFTP server. After the pattern matching the SFTP client could display the file listing, but there are SFTP clients that retrieve the file attributes for each file matching the specified pattern again from the SFTP server. This is causing unnecessary overhead. If the delay is of unacceptable length, the following workarounds may help:
• Reduce the number of files in one directory/subvolume on NonStop.
• Set USER attribute SFTP-GUARDIAN-FILESET if information of files in a Guardian subvolume is listed. In this way the pattern matching is done on the server and the data being sent to the client can be greatly reduced. Different patterns can be defined by using different SSH user records with the same SYSTEM-USER.

Performance When Running as SSH Client: The above measurements have been repeated with the SFTP client now running on the NonStop system. The following table shows the result of the measurement.

Partner system | Direction of transfer | Cipher suite / MAC algorithm | Time elapsed (s) | CPU time used (s) | Throughput (KB/s) | CPU ms / MB transferred | CPU usage (%)
Linux OpenSSH | NonStop to partner system | AES-128 / MD5 | 54 | 26.2 | 904 | 549 | 48
Linux OpenSSH | Partner system to NonStop | AES-128 / MD5 | 238 | 28.0 | 205 | 586 | 12

Summary: There…
359. …f either parameter BURSTSUPPRESSION or parameter FILEBURSTSUPPRESSION is set to TRUE.
Default: If omitted, FILEBURSTSUPPRESSION is set to FALSE.
Example: FILEBURSTSUPPRESSION TRUE
See also: BURSTSUPPRESSION, BURSTSUPPRESSIONEXPIRATIONTIME, BURSTSUPPRESSIONMAXLOGLEVEL

FULLSSHCOMACCESSGROUP<j>: This parameter set allows granting administrative SSHCOM command privileges to groups rather than just to SUPER.SUPER. Admin groups are defined via the parameter set FULLSSHCOMACCESSGROUP<j>, where <j> is a number between … and 99.
Parameter Syntax: FULLSSHCOMACCESSGROUP<j> <group>
Arguments: <group>: A Guardian group name. All members of the group will have full SSHCOM access.
Default: By default none of the parameters are set, i.e. only users configured in the Safeguard OBJECTTYPE USER record (if such exists) and SUPER.SUPER (unless explicitly denied in OBJECTTYPE USER) can access privileged commands.
Example: FULLSSHCOMACCESSGROUP1 admin; FULLSSHCOMACCESSGROUP2 super
Considerations:
• Some of the privileged commands in SSHCOM are critical to the security of the system. Therefore granting access to other user accounts than SUPER.SUPER must be carefully considered.
• The parameters must be set contiguously, i.e. if one parameter FULLSSHCOMACCESSGROUP<k> is not defined, the checking of FULLSSHCOMACCESSGROUP<i> parameters…
360. …f subsystem; outcome = denied or failed. sessionId = SESSION-LOG-ID; user = SSH username; remoteAddress = remote IP address; action = open; object = file name; outcome = granted; mode = file open mode (read or write). sessionId = SESSION-LOG-ID; user = SSH username; remoteAddress = remote IP address; action = open; object = file name; mode = file open mode (read or write); outcome = denied or failed; error = error detail. sessionId = SESSION-LOG-ID; user = SSH username; remoteAddress = remote IP address; action = open; object = file name; outcome = denied or failed; mode = file open mode (read or write). sessionId = SESSION-LOG-ID; user = SSH username; remoteAddress = remote IP address; action = touch; object = file name; outcome = granted.

Event Id | Event Name | Conditions | Pattern (Token Values)
7 | SftpReadFile | Successful | sessionId, user, remoteAddress, action, object, mode=<mode>, outcome, error=<error>
7 | SftpReadFile | Failed (error detail available) | sessionId, user, remoteAddress, action, object, outcome, mode=<mode>
7 | SftpReadFile | Failed (error detail not available) | sessionId, user, remoteAddress, action, object, outcome, ses…
361. …f the user. Example: HOME=/home/test
SSH_ORIGINAL_COMMAND: The command that was specified in an exec request. This can be different to the actually executed command in case a forced command is defined (USER attribute SHELL-COMMAND). Example: SSH_ORIGINAL_COMMAND=ls -l
ENV: Value taken from USER attribute SHELL-ENVIRONMENT. Examples: ENV=$HOME/setenvvars; ENV=/etc/nonloginshellenvs; ENV=testenv

TCP/IPv6 Configuration: The IPv6 standard differs from the IPv4 standard in many ways. The TCP/IP configuration for IPv4 and IPv6 on NonStop servers is different in several aspects as well (see documents and links listed in section Related Reading). But from the NonStop SSH and comForte SecurSH/SecurFTP products' standpoint, the differences are mainly related to the new address formats of IPv6, new DEFINEs, and the different modes the NonStop TCP/IP processes with IPv6 support can run in.

IPv6 Address Formats: IPv4 uses 32 bits for an Internet Protocol address and can therefore support 2^32 = 4,294,967,296 addresses. IPv6 uses 128-bit addresses, i.e. the new address space supports 2^128 (about 3.4 x 10^38) addresses. Although IPv4 addresses may be presented in various hexadecimal, octal or binary representations, they are canonically represented in dotted-decimal notation, which consists of four decimal numbers, each ranging from 0 to 255, separated by dots, e.g. 172.1…
362. …fault: The default is 0.

SOCKETSNDBUF: Use this parameter to control the size of the TCP/IP send buffer. When setting this parameter to a non-zero value, the specified parameter is used on a socket level.
Parameter Syntax: SOCKETRCVBUF <bytes>
Arguments: <bytes>: A number representing the size of the TCP/IP send buffer in bytes. A value of 0 means the send buffer size configured in the TCP/IP process is used.
Considerations:
• Setting this parameter to a higher value can increase throughput when transferring files. Normally the value configured in the TCP/IP process is sufficiently high.
Default: The default is 0.

SOCKTCPMINRXMT: Use this parameter to control the minimum time for TCP retransmission timeout. When setting this parameter to a non-zero value, the specified parameter is used on socket level.
Parameter Syntax: SOCKTCPMINRXMT <time>
Arguments: <time>: A number representing the minimum time for TCP retransmission timeout. A value of 0 means the minimum time for TCP retransmission timeout configured in the TCP/IP monitor process is used.
Considerations:
• Normally the value configured on TCP/IP monitor process level (TCP-MIN-REXMIT-TIMEOUT) should be sufficient, i.e. the default value should be used for parameter SOCKTCPMINRXMT. See document HP NonStop TCP/IPv6 Configuration and Management Manual for details.
• The Cluster I/O Protocols (CIP) subsystem does…
363. …ference. A typical command to establish an SFTP session with a remote SSH daemon will look as follows:

  $DATA1 MHSSH 20> run sftp m.horst@10.0.0.201
  SSH client version T9999H06_22Jan2014_comForte_SSH_0097
  Connecting to 10.0.0.201
  You have no private keys in the key store. Trying password authentication.
  Enter m.horst@10.0.0.201's password:
  Add password for m.horst@10.0.0.201 to the password store (yes/no)? no
  sftp>

Example using an IPv6 address:

  > run sftp comf.us@~[fe80::a00:8eff:fe00:d14e~]
  SFTP client version T9999H06_22Jan2014_comForte_SFTP_0097
  Connecting to fe80::a00:8eff:fe00:d14e via SSH2 process $SSH00
  GSSAPI authentication disabled
  You have no private keys in the key store. Trying password authentication.
  Enter comf.us@fe80::a00:8eff:fe00:d14e's password:
  Add password for comf.us@fe80::a00:8eff:fe00:d14e:54022 to the password store (yes/no)? no
  sftp>

The tilde characters are required if INFORMAT is set to TACL; otherwise the square brackets must be used without tilde.

Starting the OSS Client Programs: The OSS object files of the SSH and SFTP client programs are delivered together with the other SSH implementation files. Therefore the object files will initially be placed on the SSH2 installation subvolume. The clients for OSS have the following filenames:
• SSHOSS
• SFTPOSS
To start a client under OSS there are a few choices:
• Start the program by specifying the full path on th…
364. …fied, the new restriction profile record is first initialized with the values taken from the <existing restriction profile name> restriction profile record. Then the new restriction profile name and any other attributes specified in the ADD RESTRICTION-PROFILE command are applied before the new restriction profile record is added.

PERMIT-LISTEN: The PERMIT-LISTEN attribute restricts a user's ability to do port forwarding. Only the configured ports are allowed for listening on the host opening the forwarding tunnel. The configuration requires the specification of a host and a port range, but for PERMIT-LISTEN the host must either be 0.0.0.0 (indicating gateway ports to follow after the separator) or 127.0.0.1 (indicating non-gateway ports to follow).

PERMIT-OPEN: The PERMIT-OPEN attribute restricts a user's ability to do port forwarding. Only the configured host/port combinations are allowed for <targethost> and <targetport> when port forwarding is specified, such as in the following example:
  ssh -L <localport>:<targethost>:<targetport> <user>@<host>
  ssh -R <remoteport>:<targethost>:<targetport> <user>@<host>
The PERMIT-OPEN attribute corresponds to the OpenSSH parameter permitopen. If localhost or 127.0.0.1 is specified as <targethost>, then the specified <host> is used for restriction checking.
365. …figured with C access in the OBJECTTYPE USER record as well as mentioned in the parameter set PARTIALSSHCOMACCESSUSER<k>, then the user has full SSHCOM access.
• If a user is included in parameter sets PARTIALSSHCOMACCESSGROUP<n> as well as sets FULLSSHCOMACCESSUSER<i> or FULLSSHCOMACCESSGROUP<j>, then the user has full SSHCOM access.
See also:
• PARTIALSSHCOMACCESSGROUP<n>, FULLSSHCOMACCESSUSER<i>, FULLSSHCOMACCESSGROUP<j>, LIFECYCLEPOLICYPUBLICUSERKEY
• See table in SSHCOM Access Summary in section SSHCOM Command Reference.

PAUTHSUPPRESSIPADDRESS: Local authentication with password provides the remote client IP address to system procedure USER_AUTHENTICATE_ if the OS release supports this (H06.26 or later and J06.15 or later). If the IP address needs to be suppressed in USER_AUTHENTICATE_ calls, then parameter PAUTHSUPPRESSIPADDRESS must be set to TRUE.
Parameter Syntax: PAUTHSUPPRESSIPADDRESS TRUE | FALSE
Arguments: TRUE | FALSE: Specifies whether the IP address must be suppressed in USER_AUTHENTICATE_ calls or not. Valid values are:
  o TRUE: The IP address gets suppressed.
  o FALSE: The IP address is supplied.
Default: If omitted, value FALSE is the default value.
Example: PAUTHSUPPRESSIPADDRESS TRUE

PORT: Use this parameter to specify the port number an SSH2 server should listen on for inco…
366. …figuring the default set of CPUs the SSH2 process starts SFTPSERV user processes in.
Parameter Syntax: SFTPCPUSET <cpu set>
Arguments: <cpu set>: A comma-separated list of CPU numbers or CPU number ranges defining allowed CPUs.
Default: If omitted, SSH2 will start all SFTPSERV processes in the CPU the SSH2 process is running in, unless the USER record specifies a different CPU set for a specific user via attribute SFTP-CPU-SET.
Example: SFTPCPUSET 2,4,7,10,13,15
Considerations:
• A value configured in USER attribute SFTP-CPU-SET has higher priority than the value defined in the SSH2 parameter SFTPCPUSET.
See also: CPUSET

SFTPDISPLAYGUARDIAN: Use this parameter to control the file name format (Guardian or OSS) in SFTP informational messages like Uploading and Fetching. Alternately, the define =SFTP_DISPLAY_GUARDIAN can be set; the define overrides the PARAM.
Parameter Syntax: SFTPDISPLAYGUARDIAN TRUE | FALSE
Arguments: TRUE: Guardian file name format is used. FALSE: File names are displayed in standard SSH format (Unix style with OSS prefix /G or /E).
Default: The default value is FALSE.
Considerations:
• Note that the default Unix style was introduced in SPR T0801AAS to better conform to the SFTP standard; before that the Guardian style was the default.

SFTPEDITLINEMODE: Use this parameter to control the handling of Guardian edit lines that are too long when a fil…
367. …for SSH2 parameter PROPAGATEDEFINES.

Setting of PARAMs: SSH2 may create the following PARAMs when starting a TACL:
SSH-ORIGINAL-COMMAND: The command that was specified in an exec request. This can be different to the actually executed command in case a forced command is defined (USER attribute CI-COMMAND).

Setting of Environment Variables: SSH2 creates the following environment variables when starting a shell:
SSH_CONNECTION: This environment variable contains host and port information, each separated by a space character: <remote address> <remote port> <local address> <local port>. Example: SSH_CONNECTION=10.0.0.12 40719 10.0.0.196 22
SSH_CLIENT: This environment variable contains remote host, remote port and local port information, each separated by a space character: <remote address> <remote port> <local port>. Example: SSH_CLIENT=10.0.0.12 40719 22
TERM: This environment variable holds the terminal type. Example: TERM=xterm
LOGNAME: The user name as received from a remote client (the name of a user defined in SSHCTL). Examples: LOGNAME=test.us; LOGNAME=mike
SSH_TTY: The pseudo terminal allocated for the session. Example: SSH_TTY=/G/pty35/#zwn0001
SSH2_PROCESS_NAME: The SSH2 process that started the shell process. Example: SSH2_PROCESS_NAME=$SSH35
HOME: The shell home directory o…
368. …formance behavior you can expect on your system.
Note: All measurements referred to in this chapter have been performed on a 2-processor S7600. HP provides performance metrics that allow you to extrapolate those results to other systems. These metrics can be provided upon request.

Performance Analysis of SSH Session Establishment

Performance Running as SSH Daemon: The performance impact of the initial SSH session setup should be viewed separately. As explained before, establishing an SSH session involves several CPU-intensive public key operations. The amount of CPU cycles consumed depends upon the key sizes used. The following table shows the CPU consumption of an SSH session setup without any data transfer taking place, for a DSA host key with 1024-bit length and for RSA client keys with the sizes as stated in the table.

Client key size (bits) | Approximate CPU consumption (milliseconds)
512 | 234
1024 | 236
2048 | 242

It is very hard to predict future developments both in cryptography and computer technology, which makes it next to impossible to tell in advance what key size will be sufficient in the years to come. We recommend using a key size of 1024 bits for the time being.

Performance Analysis of SFTP Traffic: To get an indication of the performance of the SSH2 component and the subordinate SFTPSERV processes when acting as SFTP daemon, th…
369. …g

AUDITFORMATEMS: Use this parameter to control the format of the audit messages that are written to EMS.
Parameter Syntax: AUDITFORMATEMS <format>
Arguments: <format>: A number is used to represent a bit mask that controls the format. Following are the values and their corresponding format:
Bit 1 (decimal 1): Date
Bit 2 (decimal 2): Header (log messages are prefixed with "log")
Bit 3 (decimal 4): Time
Bit 4 (decimal 8): Milliseconds
Bit 5 (decimal 16): Process ID (name or PIN)
Bit 7 (decimal 64): Log level of message
Default: The default audit format for EMS is 0 (none of the header fields).
See also:
• AUDITEMS, AUDITFORMATCONSOLE, AUDITFORMATFILE
• Audit Messages in the chapter entitled Monitoring and Auditing

AUDITFORMATFILE: Use this parameter to control the format of the audit messages that are written to the log file.
Parameter Syntax: AUDITFORMATFILE <format>
Arguments: <format>: A number is used to represent a bit mask that controls the format. Following are the values and their corresponding format:
Bit 1 (decimal 1): Date
Bit 2 (decimal 2): Header (log messages are prefixed with "log")
Bit 3 (decimal 4): Time
Bit 4 (decimal 8): Milliseconds
Bit 5 (decimal 16): Process ID (name or PIN)
Bit 7 (decimal 64): Log level of message
Default: The default log format is 2…
370. …ge
GSSKEX: Enables or disables GSSAPI key exchange.
GUARDIANATTRIBUTESEPARATOR: Specifies an additional separator character for Guardian file attributes.
HOSTKEY: Specifies the file name of the host key file.
HOSTKEYBITS: Can be used to configure the size of a newly generated local host key.
HOSTKEYTYPE: Can be used to select the type of a newly generated local host key.
INTERFACE: Specifies one or more local IP addresses or host names SSH2 should listen on for incoming SSH connections.
INTERFACEOUT: Specifies one or more local IP addresses or host names SSH2 should use for outgoing SSH connections.
INTERVALLIVEPRIVATEUSERKEY: Determines the period a newly generated user private key is in state LIVE before getting EXPIRED.
INTERVALLIVEPUBLICUSERKEY: This parameter is related to a user public key's life cycle configuration of database entity USER. It determines the length of the interval a user public key stays in state LIVE.
INTERVALPENDINGPRIVATEUSERKEY: Determines the period a newly generated user private key is in state PENDING before getting LIVE.
INTERVALPENDINGPUBLICUSERKEY: This parameter is related to a user public key's life cycle configuration of database entity USER. It determines the length of the interval a user public key stays in state PENDING after creation, before it switches to state LIVE.
IPMODE: Specifies the IP mode of the SSH2 process.
LICENSE: Specifies the location for the license file of SSH2.

Parameter | Meaning
LIFECYCLEPOLICYPRIVATEUSERKEY
LIFECYCLEPOLICYPUBLICUSERKEY
LOGCACHEDUMPONABORT
371. …generated key is added to the SSH2 key store. The command has the following syntax:

GENERATE KEY [<system user name>.]<key name>, TYPE {RSA | DSA} [, BITS <number>] [, COMMENT <comment>] [, LIVE-DATE <date time>] [, EXPIRE-DATE <date time>]

The individual attributes have the following meaning and syntax:
<system user name>: A valid GUARDIAN user who owns the key in the SSH key store. If <system user name> is omitted, either the user being set in a previously issued ASSUME USER command or the issuer of the ALTER KEY command will be used as the default. If <system user name> is specified, it MUST be followed by a … to separate it from the key name.
<key name>: The name of the key owned by the current user.
<date time>: Date, or date and time, in either of the following formats:
• DD-Mon-YYYY hh:mm
• "DDMonYY, hh:mm"
• DD-Mon-YYYY
• DDMonYY
The second format requires surrounding quotes because it contains a comma (commas are separators in SSHCOM).
TYPE: Specifies the type of the key to be generated. Users can choose from RSA and DSA.
BITS: Optional attribute to set the key length. If this attribute is omitted, the generated key will have a default length of 1024 bits. Allowed values are 1024 and 2048 bits only.
COMMENT: This optional attribute is used to associate additional textual information with th…
372. …gon. LAST-PUBLICKEY: Name of the last public key configured in the USER record for incoming connections, used in the last public key authentication. LAST-IP-ADDRESS: IP address the last incoming connection was initiated from. LAST-MODIFIED (record maintenance): Last time the record was modified.

Each PUBLICKEY entry of a USER entity contains the following attributes:
PUBLICKEY NAME: a free text field allowing you to enter a descriptive comment.
COMMENT: a free text field allowing you to enter a descriptive comment.
MD5: The MD5 fingerprint of the public key.
BABBLE: The bubble babble fingerprint of the public key.
CREATION-DATE: the time the key was added to the USER record. A key is in state PENDING if LIVE-DATE has not been reached yet.
LIVE-DATE: the time the key changes (or has changed) to state LIVE. If the attribute LIVE-DATE is not set, then a key is automatically in state LIVE. A key stays in this state until EXPIRE-DATE is reached.
EXPIRE-DATE: the time the key changes (or has changed) to state EXPIRED.
LIFE-CYCLE-STATE: the life cycle state the user public key is in. Possible values are PENDING, LIVE and EXPIRED. This is actually not an explicit database field, but its value will be determined by the three database fields CREATION-DATE, LIVE-DATE and EXPIRE-DATE.

The database also contains some additional information collected by SSH2 about each public key:
LAST-USE (key usage): Last time the public key…
373. …: forwarding <str2> connection from <str3> to <str4> failed: <str5> | <str1>: Session Name; <str2>: Protocol; <str3>: Normalized originator host address and port; <str4>: Normalized target host address and port; <str5>: Description
20 | <str1>: forwarding <str2> connection from <str3> accepted on <str4>, to remote failed: <str5> | <str1>: Session Name; <str2>: Protocol; <str3>: Normalized originator host address and port; <str4>: Normalized target host address and port; <str5>: Description
20 | <str1>: request from user <str2> rejected: <str3> | <str1>: Session Name; <str2>: Guardian user name; <str3>: TCP/IP ModeText
20 | <str1>: request rejected: <str2> | <str1>: Session Name; <str2>: Text
20 | <str1>: session rejected, NonStop SSH not licensed for general usage | <str1>: Session Name

LOG LEVEL | EVENT TEXT | Description (Variable Parts)
20 | <str1>: SSH client access denied, SSH2 not licensed for general usage | <str1>: Session Name
20 | <str1>: could not add KNOWNHOST <str2> to database for local system user <str3>: <str4> | <str1>: Session Name; <str2>: Known host; <str3>: Owner of new knownhost record; <str4>: Exception text
20 | <str1>: update…
374. …guring and Running SSH2.

Enabling Full TTY Access: SSH2 allows remote SSH clients to establish fully functional OSS shell sessions. This includes the allocation of pseudo terminals (PTYs), which allow remote users to execute full-screen applications such as vi or Emacs. PTYs are not natively supported by OSS on the NonStop server. To overcome this limitation, SSH2 comes bundled with a component named STN. The STN component is also used in another comForte product, SecurTN. For each PTY allocation request received over SSH, STN will create a dynamic window subdevice. STN can also display a service menu to 6530 clients connecting over SSH, allowing users to connect to a service mapped to pre-configured static windows or to a service program started on the dynamic window. This feature allows a complete migration of an existing Telnet access configuration to SSH. Please refer to Enabling 6530 Terminal Access in this chapter and to chapter STN Reference for further details.

To Start the STN Pseudo Terminal Server Included with SSH2
Note: For cases in which SSH2 was delivered with HP NonStop SSH as part of the RVU, or as an independent product for G-Series prior to G06.32, an STN PTY server will be pre-installed as a generic process (SSH ZPTY, $ZPTY).
1. At the TACL prompt, issue the following commands:
   CLEAR ALL PARAM
   PARAM BACKUPCPU ANY
   RUN STN /NAME $PTY, NOWAIT/
2. Verify if the process started successfully by checking its sta…
375. …
BURSTSUPPRESSIONEXPIRATIONTIME <300>
BURSTSUPPRESSIONMAXLOGLEVEL <40>
CACHEBURSTSUPPRESSION <FALSE>
CIPCOMPATERROR <>
CIPHERS <aes256-cbc,twofish256-cbc,twofish-cbc,aes128-cbc,twofish128-cbc,blowfish-cbc,3des-cbc,arcfour,cast128-cbc>
CLIENTALLOWEDAUTHENTICATIONS <none,gssapi-with-mic,publickey,password,keyboard-interactive>
CLIENTMODEOWNERPOLICY <GUARDIANNAME>
COMPRESSION <TRUE>
CONFIG <$QAHPSSH.T0801ABK.ztclcfg>
CONFIG2 <>
CONSOLEBURSTSUPPRESSION <FALSE>
CPUSET <>
CUSTOMER <>
DAEMONMODEOWNERPOLICY <LOGINNAME>
DNSMODE <FIRST>
EMSBURSTSUPPRESSION <FALSE>
ENABLESTATISTICSATSTARTUP <FALSE>
FILEBURSTSUPPRESSION <FALSE>
FULLSSHCOMACCESSGROUP1 <>
FULLSSHCOMACCESSUSER1 <>
GSSAUTH <>
GSSGEXKEX <FALSE>
GSSKEX <TRUE>
GUARDIANATTRIBUTESEPARATOR <>
HOSTKEY <HOSTKEY>
HOSTKEYBITS <1024>
HOSTKEYTYPE <DSA>
INTERFACE <0.0.0.0>
INTERFACEOUT <0.0.0.0>
INTERVALLIVEPRIVATEUSERKEY <730>
INTERVALLIVEPUBLICUSERKEY <730>
INTERVALPENDINGPRIVATEUSERKEY <0>
INTERVALPENDINGPUBLICUSERKEY <0>
IPMODE
LICENSE
LOGCACHEDUMPONABORT
LOGCACHESIZE
LOGCONSOLE
LOGEMS
LOGFIL…
376. …hatsoever must retain the following acknowledgment: "This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/)."

THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT "AS IS" AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

This product includes cryptographic software written by Eric Young (eay@cryptsoft.com). This product includes software written by Tim Hudson (tjh@cryptsoft.com).

SSLeay license: Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com). All rights reserved. This package is an SSL implementation written by Eric Young (eay@cryptsoft.com). The implementation was written so as to conform with Netscapes SSL. This library is free for commercial and non-commercial use as long as the following conditions are aheared to. The following conditions apply t…
377. …he NonStop user's password; you may still be prompted for the private key passphrase, though. For additional information on public key authentication, please refer to the Public Key Authentication section in the SSH Protocol Reference chapter.

To Generate a Key Pair on an OpenSSH System: On the remote system, use the following command of OpenSSH (for details of key generation please refer to the OpenSSH documentation):

  > ssh-keygen -t dsa -C comf.mh@10.0.0.199
  Generating public/private dsa key pair.
  Enter file in which to save the key (/home/m.horst/.ssh/id_dsa):
  Enter passphrase (empty for no passphrase):
  Enter same passphrase again:
  Your identification has been saved in /home/m.horst/.ssh/id_dsa.
  Your public key has been saved in /home/m.horst/.ssh/id_dsa.pub.
  The key fingerprint is:
  87:34:41:65:e5:df:e3:30:6:46:22:02:19:24:1e:f2 comf.mh@10.0.0.199
  >

Now the SFTP client will use this key whenever it connects to 10.0.0.199.

To Add the Public Key to the NonStop SSH2 User Database: Before a user can connect using public key authentication, the public key needs to be added to the user database. Using the SSHCOM component on the NonStop server, add the public key to the user as shown in the following example (note that the fingerprint was copied from the output of the previous step):

  $DATA1 SSH2 12> sshcom $ssh01
  SSHCOM T0801H01_22JAN2014_AB…
378. …he PRINCIPAL should be automatically added.
• Controls whether remote users can log on via SSH using a Guardian user ID or alias without configuring them explicitly via SSHCOM in the SSHCTL.
• Allows definition of a default user configuration when users are automatically added to SSHCTL.
• Specifies a backup CPU for running SSH2 as a NonStop process pair.
• Configures an authentication banner message to be displayed to SSH clients connecting to the SSH2 daemon.
• Controls log message duplicates suppression for all log targets.
• Configures the time interval duplicate log messages are suppressed before they get logged again.
• Sets the maximum log level of messages that get suppressed if burst suppression is enabled.
• Controls log message duplicates suppression for log target memory cache.
• Allows creation of DEFINE CIP COMPAT ERROR.
• Details the list of cipher suites that will be accepted.

Parameter | Meaning
CLIENTALLOWEDAUTHENTICATIONS
CLIENTMODEOWNERPOLICY
COMPRESSION
CONFIG
CONFIG2
CONSOLEBURSTSUPPRESSION
CPUSET
CUSTOMER
DAEMONMODEOWNERPOLICY
DISCONNECTIFUSERUNKNOWN
DNSMODE
EMSBURSTSUPPRESSION
ENABLESTATISTICSATSTARTUP
FILEBURSTSUPPRESSION
FULLSSHCOMACCESSGROUP<j>
FULLSSHCOMACCESSUSER<i>
GSSAUTH
GSSGEXKEX
GSSKEX
GUARDIANATTRIBUTESEPARATOR
HOSTKEY
HOSTKEYBITS
HOSTKEYTYPE
379. …he SSH client has more than ten public keys that did not match any public key stored for the user in the SSHCTL.
Effect: The public key authentication is aborted. The user cannot be authenticated.
Recovery: Reduce the number of identities (private keys) for the user presented by the SSH client. Usually this involves adding fewer keys to an SSH agent.

<session id>: public key authentication failed, invalid signature
Cause: The signature presented by the SSH client does not match the public key.
Effect: The authentication is rejected.
Recovery: Check the SSH client that presented the invalid signature.

<authentication method>: Is the authentication method requested by the SSH client. <user name>: Is the name of the remote user.
Cause: The SSH client requested an authentication method that is not supported by SSH2 or has been disallowed for this user.
Effect: The authentication is rejected.
Recovery: Use a supported authentication method with the SSH client. Check the settings for this user in the SSH2 user base.

Cause: SFTP is administratively disallowed for this user.
Effect: The channel request for the SFTP subsystem is rejected.
Recovery: Have the SSH client not use SFTP, or grant SFTP access by setting the SFTP-SECURITY attribute for the user to a value other than NONE.

<session id>: SFTPSERV process initialisation failed, could not chdir or chroo…
380. …he default for compatibility with B19 and earlier releases. SSH sessions either use script PTY-SSH (if configured) or, if PTY-SSH is not configured, then no script. Any script defined with the service used for the session is ignored.
N: SSH sessions use the script (if any) defined for the service. If none is defined, then the script defined for the window (if any) is used; otherwise no script. This allows SSH sessions to access STN services which specify their own scripts.
The current setting is shown by INFO STN.

Session and Window Naming: Session and dynamic window names always began at 0000 when STN was started. This resulted in the same session name being used for different STN processes or for restarts of an STN process. The session names should be unique. Starting with SPR T0801ABE, a new optional naming scheme was introduced for sessions and dynamic windows. The default still uses names like #ZWN0001. A related new feature provides for the pooling of window names over multiple STN processes and over restarts of STN processes.

PARAM GWN_TEMPLATE #AAAnnn: GWN_TEMPLATE allows the format of session names to be configured. Window names have the syntax #AAAnnn: # must appear as the first char; AAA is an alphabetic prefix of 1 to 4 letters; nnn is a numeric suffix of 2 to 5 decimal digits. The total must be 4 to 8 characters including #. Examples: #TERM000 increments to #TERM999, then back to…
381. he terminal type will start a TACL. If the user was successfully authenticated via a different ssh authentication method than none (i.e. the USER attribute ALLOWED-AUTHENTICATIONS was not set to none), the TACL starts already logged on as user usr, because the service was added with LOGON REQ.
[HP NonStop SSH Reference Manual, Configuring and Running SSH2, p. 128]
Using TELSERV as Service Provider
6530 shell channels can also be forwarded to a TELSERV process. This enables a fast and easy migration of an existing complex TELSERV environment to SSH, such as an environment with static windows. To forward 6530 shell requests to TELSERV, specify the CI-PROGRAM as follows:
> SSHCOM <ssh2 process name>
% ALTER USER telnetuser, CI-PROGRAM telnet
This assumes that TELSERV is listening on port 23 for the same TCP/IP process as SSH2. To forward shell requests to a TELSERV listening on a different port or address, specify CI-PROGRAM as follows. Similarly, the SHELL-PROGRAM attribute can be prepared as follows (an example using an IPv6 address):
ALTER USER test, SHELL-PROGRAM "telnet fe80::a00:8eff:fe02:69d9 5023"
6530 shell users (e.g. when connecting a 6530 session over the MR-Win6530 SSH interface) will see the standard TELSERV service menu after the connection is established.
Note: Although TELNET is specified as CI-PROGRAM, SSH2 will not invoke the TELNET program on a STN 6530 pseudo terminal. To provide optimal performance, SSH2 will dire
382. hentication. Not setting PRIV-LOGON may also cause delays, leading to interruption of service.
Unlocking the Product with a License File
If you did not purchase NonStop SSH with the NonStop Operating System Kernel for H-Series and J-Series NonStop platforms, you will need a license file to use SSH components. The license file is tied to your system number. The license file should be called LICENSE (which is the default name if not otherwise specified using the license parameter) and should reside on the same subvolume as the SSH2 component. If you need to put the license file in a different location, you must use the PARAMETER LICENSE to specify the location. If there is a problem with the license file, the SSH2 component will issue a message on startup and terminate. If the license file is valid, you will see the expiration date in a log message during startup.
Note: For HP NonStop SSH on S-Series, or if you did not purchase NonStop SSH with the NonStop Operating System Kernel for H-Series and J-Series, the default SSH installation restricts the use of the product to the MR-Win6530 terminal emulator client running on a NonStop System Console, and also restricts the use of the product to certain HP tools such as HP Systems Insight Manager. These tools use a special key to invoke the SSH client. To unlock functionality for general use, you will need to request a license file from HP. Send an email to license manager hp com and include customer name
383. his optional attribute is used to set the LIVE-DATE (not valid before date) for the key. This attribute can only be set if the life cycle policy for User Private Keys is enabled (determined by SSH2 parameter LIFECYCLEPOLICYPRIVATEUSERKEY). If SSH2 parameter LIFECYCLEPOLICYPRIVATEUSERKEY is set to FIXED, then field LIVE-DATE can be modified by the SUPER.SUPER user only (unless explicitly denied in OBJECTTYPE USER record) or by those configured with full SSHCOM access. In case the SSH2 parameter LIFECYCLEPOLICYPRIVATEUSERKEY is set to VARIABLE, then every user can change field LIVE-DATE for those keys the user owns.
EXPIRE-DATE
This optional attribute is used to set the EXPIRE-DATE (not valid after date) for the key. This attribute can only be set if the life cycle policy for User Private Keys is enabled (determined by SSH2 parameter LIFECYCLEPOLICYPRIVATEUSERKEY). If SSH2 parameter LIFECYCLEPOLICYPRIVATEUSERKEY is set to FIXED, then field EXPIRE-DATE can be modified by the SUPER.SUPER user only (unless explicitly denied in OBJECTTYPE USER record) or by those configured with full SSHCOM access. In case the SSH2 parameter LIFECYCLEPOLICYPRIVATEUSERKEY is set to VARIABLE, then every user can change field EXPIRE-DATE for those keys the user owns.
INFO KEY
This command provides information about a single key or a set of keys in the SSH2 key store. It has the following syntax:
INFO KEY <system user name> <key name> DETAIL
The individu
384. hmac-md5,hmac-sha1-96,hmac-md5-96>
FULLSSHCOMACCESSGROUP1 <>
FULLSSHCOMACCESSUSER1 <>
<54022> <$SSH48> <$PTY54> <LF>
HECKFAILEDDEFAULT <FALSE> <TRUE> <> GTH KEY
[HP NonStop SSH Reference Manual, Monitoring and Auditing, p. 323]
SFTPEDITLINEMODE <cut>
SFTPEDITLINENUMBERDECIMALINCR <1000>
SFTPEDITLINESTARTDECIMALINCR <1>
SFTPEXCLUSIONMODEREAD <EXCLUSIVE>
SFTPIDLETIMEOUT <1>
SFTPMAXEXTENTS <900>
SFTPPRIMARYEXTENTSIZE <2>
SFTPREALPATHFILEATTRIBUTEECHOED <FALSE>
SFTPSECONDARYEXTENTSIZE <100>
SFTPUPSHIFTGUARDIANFILENAMES <FALSE>
SHELLENVIRONMENT <>
SOCKETKEEPALIVE <T>
SOCKETRCVBUF <122880>
SOCKETSNDBUF <122880>
SOCKTCPMAXRXMT <0>
SOCKTCPMINRXMT <0>
SOCKTCPRXMTCNT <0>
SOCKTCPTOTRXMTVAL <0>
SSHAUTOKEXBYTES <1073741824>
SSHAUTOKEXTIME <60>
SSHCTL <$SSHCTL>
SSHCTLAUDIT <TRUE>
SSHKEEPALIVETIME <60>
STOREDPASSWORDSONLY <FALSE>
STRICTHOSTKEYCHECKING <false>
SUBNET <$ZSAM1>
SUPPRESSCOMMENTINSSHVERSION <FALSE>
TCPIPHOSTFILE <>
TCPIPNODEFILE <>
TCPIPRESOLVERNAME <>
18Apr12 17:07:31.17 10 CRYPTOPP version 06_12Apr2012_comForte_CRYPTOPP_0023
18Apr12 17:07:31.21 10 SSH config database $SSHCTL opened
18Apr12 17:07:31.23 20 parameter SUBNET was evaluated
18Apr12 17:07:31.24 20
385. ically as required, can reduce the number of disk operations needed for logging.
• The size of the log cache can be configured.
• The content of the log cache can be written to the configured LOGFILE.
• The format of log messages written to the log cache is determined by the setting of LOGFORMATFILE.
See also: LOGLEVELSIZE, LOGLEVELFILE
LOGLEVELCONSOLE
Use this parameter to control what messages are written to the log console.
Parameter Syntax: LOGLEVELCONSOLE detail
Arguments: detail  A number specifying the detail level.
Default: For downward compatibility, the default log level is taken from the parameter LOGLEVEL if present. If no LOGLEVEL parameter is present, a default of 50 is used.
Considerations
• Using the LOGLEVELCONSOLE parameter allows users to set a different log level for the output written to LOGCONSOLE than for the output written to LOGFILE.
See also: LOGCONSOLE, LOGLEVELFILE, LOGFORMATCONSOLE
LOGLEVELEMS
Use this parameter to control which messages are written to EMS.
Parameter Syntax: LOGLEVELEMS detail
Arguments: detail  A number specifying the detail level.
Default: The default value for this parameter is 20.
Considerations
• Different log levels can be used for the outputs to LOGCONSOLE, LOGEMS and LOGFILE.
[HP NonStop SSH Reference Manual, Configuring and Running SSH2, p. 98]
• Using the SSHCOM command interpreter, you can change parameters without having to restart SSH2.
See also
386. ication request for user <str3>: <uint1> decode errors | <str1> Session Name; <str2> Authentication method name; <str3> User name
[HP NonStop SSH Reference Manual, Appendix, p. 345]
LOG LEVEL | EVENT TEXT | Description | Variable Parts
| | | <uint1> Decode error number
10 | <str1>: could not add HPSIM key: <str2> | | <str1> Session Name; <str2> Exception text
10 | Invalid runmode, SSH2 terminating | |
10 | Valid runmodes are: CLIENT, DAEMON, SERVER (same as DAEMON), ADMIN, NOADMIN, CLIENT_ADMIN, SERVER_ADMIN, DAEMON_ADMIN or ALL | |
10 | Failed to create private host key file <str1> | | <str1> Private key file name
10 | Failed to write private host key to file <str1> | | <str1> Private key file name
10 | Error loading private host key: <str1>. Possible mismatch of CUSTOMER setting between file creation and file access | | <str1> Exception text
10 | Connection timed out | |
10 | Unexpected exception during initialization: <str1> | | <str1> Exception text
10 | Unexpected exception in main wait loop: <str1> | | <str1> Exception text
10 | <str1>: could not impersonate user <str2>, error <int1> | | <str1> Session name; <str2> System user name; <int1> Error
10 | <str1>: user is mapped to a SAFEGUARD ALIAS | | <str1> Session name
10 | <str1>: If SAFEGUARD is configured with PASSWORD-REQUIRE
387. ied to include the SESSION LOG ID, to be able to relate AUDIT messages to LOG messages and STATUS SESSION output.
A different behavior has been implemented if an OBJECTTYPE USER record exists in Safeguard: parameter sets FULLSSHCOMACCESSGROUP<j> and FULLSSHCOMACCESSUSER<i> will be ignored. SUPER.SUPER no longer has full access to SSHCOM if an OBJECTTYPE USER record exists which explicitly denies SUPER.SUPER the Create authority. In previous releases SUPER.SUPER always had full access, independent of the OBJECTTYPE USER record.
The format of audit messages has changed. The main change is the addition of the SESSION LOG ID at the beginning of each audit message, which allows log messages and STATUS SESSION information to be related to audit messages.
SFTP informational messages like "Uploading" and "Fetching" now display Guardian file names in standard ssh format (Unix style with OSS prefix /G or /E) to better conform to the SFTP standard (before that, the Guardian style was the default).
Version 3.6
Describes changes in SSH2 release 88. Documentation for the following new features has been added:
Descriptions for the SSH2 TCP/IP related parameters SOCKETSNDBUF and SOCKETRCVBUF have been added.
Parameter KEEPALIVE has been renamed to SOCKETKEEPALIVE.
The ASLINEMODE command has been added to the SFTP client commands.
Description of newly supported SFTP transfer modes.
Added description for new parameter SFTPEXCLUSIONMODEREAD.
Version 3
388. ier itself. This was the default before this enhancement was introduced in release 89, and therefore value GUARDIANNAME needs to be used if the client mode policy of previous releases should be kept.
Client Mode Owner Policy BOTH
The default owner is the login name, but a guardian user can add or manipulate entries stored under an alias or a guardian user identifier. Entries are read for both the login name and the guardian user in case these are different: entries of the alias are read first, then entries of the guardian id. [HP NonStop SSH Reference Manual, SSHCOM Command Reference, p. 158] The value BOTH is only recommended if a guardian user and all aliases configured for this guardian user are solely used by one person, and client mode records are to be stored under the Guardian user identifier as well as alias names.
Example: Assume an alias entry is present but not an entry for the associated Guardian ID, and the user is logged on as the alias. With client mode owner policy set to LOGINNAME, privileges to read/alter the entry would be granted; for GUARDIANNAME they would not be granted, because a matching entry is not found; and for BOTH they would be granted. If the Guardian entry is present but not the alias, and the user is logged on as the alias, LOGINNAME access would not be allowed, GUARDIANNAME would be allowed, and BOTH would also be allowed.
Client Mode Owner Policy Examples
Assuming Guardian User SUPER.MARIO and alias super.m are configure
389. iginating from localhost will be forwarded.
-N  Do not execute a shell or command. This is useful for just forwarding ports.
-g  Allows remote hosts to connect to local forwarded ports. By default, only connections originating from localhost (127.0.0.1) will be forwarded. Using -g will forward any connection.
Runtime options relevant only when automating the SSH client:
-H string
[HP NonStop SSH Reference Manual, SSH and SFTP Client Reference, p. 223]
Set a specific string used as prefix for error messages displayed by the SSH client during the connection phase. Double quotes can be used to define strings containing a space or special characters. The prefix for errors can also be specified via the PARAM/environment variable SSHERRORPREFIX; the -H option takes precedence over the PARAM/environment variable. There is no specific error prefix defined as default.
-J string
Set a specific string used as prefix for informational or warning messages displayed by the SSH client during the connection phase. Double quotes can be used to define strings containing a space or special characters. The prefix for infos/warnings can also be specified via the PARAM/environment variable SSHINFOPREFIX; the -J option takes precedence over the PARAM/environment variable. There is no specific info/warning prefix defined as default.
-K string
Set a specific string used as prefix for prompt/query messages displayed by the SSH client during the connection phase. Double quote
390. ilable in SSHCOM. <text> may contain any displayable character except quote and may be 1 to 64 characters long. Certain embedded commands (case independent) in <text> are replaced as follows:
• P  the target process name
• X  the target expand node name
• T  target system LCT time, in format HH:MM
• D  target system LCT date, in format yyyy-mm-dd
• N  ascii carriage return/line feed. This allows for multi-line prompts, including blank lines.
• B  ascii bel character, which some terminal emulators will sound as a beep tone.
Example:
PROMPT "X $P D T STN> "
\DEV $STN2 2010-08-06 23:59 STN>
PROMPT "T $P> "
23:59 $STN2>
The default setting is PROMPT "". The PROMPT command remains in effect until STNCOM terminates. The null string can be specified to disable a previously entered prompt string. If it is desired to retain the prompt across STNCOM sessions, command STNCOM_PROMPT should be used. See the description for STNCOM_PROMPT for more details.
[HP NonStop SSH Reference Manual, STN Reference, p. 273]
PTY REPLY LEN <n>
Byte length of reply from STN to SSH. <n> can be in the range from 1 to 16384. Default is 4096.
RECV_SIZE <nnn>
Specifies the byte length of socket receive buffers used to accept incoming session data. <nnn> is in the range 100 to 4095, default 1000. Larger values offer some improvement in performance, but only when large input messages are common
391. ile code 180. If an OSS file name is specified that contains spaces or commas, then double quotes are required for the attribute value. All users with SSHCOM access can execute this command.
Example:
% export host-key, file $temp.sshtemp.hostkey1
export host-key, file $temp.sshtemp.hostkey1
OK, written public part of host key to file $temp.sshtemp.hostkey1
%
The exported file can be used to configure a known host entry on a remote system.
Daemon Mode Commands
Overview
The SSH2 user base is maintained using the following commands. The commands will be discussed in detail in the following subsections. Please also see Database for Daemon Mode in chapter The SSH User Database for an overview of the database content.
• Commands operating on the USER entity:
o ADD USER: adds a new user to the database
o ALTER USER: changes parameters for an existing user
o DELETE USER: deletes an existing user
o FREEZE USER: freezes a user name, rendering it unable to log on from remote
o INFO USER: shows information about a user or a set of users
o RENAME USER: renames a user
o THAW USER: thaws a user name, making it active again
• Commands operating on the RESTRICTION-PROFILE entity:
o ADD RESTRICTION-PROFILE: adds a new restriction profile to the database
o ALTER RESTRICTION-PROFILE: changes parameters for an existing restriction profile
o DELETE RESTRICTION-PROFILE: deletes an existing restriction profile
o INFO RESTRICTION-PR
392. ing is specified, then the corresponding command is retrieved using string matching, i.e. the last command containing the given string is retrieved and can be modified and executed.
sftp> fc rep
cd $data1.reports
ane 1
cd $data1.report1
sftp> pwd
Remote working directory: /G/data1/report1
sftp>
[HP NonStop SSH Reference Manual, SSH and SFTP Client Reference, p. 237]
It is possible to force string matching for a given number by enclosing the number in single or double quotes.
sftp> history
1 > ls l k
2 > get file678
3 > put report89
4 > cd $disk.subvol
5 > cd $data1.reports
6 > get 1156789
7 > get 1456789
8 > cd $data1.report1
9 > pwd
sftp> fc 4
get 1456789
Beery ar
sftp>
The FC command without parameter causes the last command to be retrieved for fix command processing. A modified command is not executed (i.e. ignored) if the character sequence on the fix command line is as shown above. The command <n> to execute a command in the history list is not implemented. The following error is returned: "7 not supported for security reasons".
Creation of Format 2 Guardian Files
Since version 0092 it is possible to create format 2 files. In pre-0092 releases, data could be read from and written to existing format 2 files, but format 2 files could not be newly created during an SFTP session. Format 2 files had to be created before an SFTP transfer could write data
393. ing ssh connections are processed. The USER records mainly define the allowed authentication methods and the mapping from SSH user to a local Guardian user or alias, but also contain other attributes, e.g. for defining access restrictions and use of resources. The following information is held for remote users accessing the NonStop SSH/SFTP service remotely (field names to be used in administration of the database are shown in bold at the beginning of each entry). The USER entity has the following properties:
USER: The ssh user name used at the remote end of the connection.
COMMENT: Comment text for the ssh user.
ALLOWED-AUTHENTICATIONS: The authentication mechanisms that are allowed for the ssh user.
PRINCIPAL: Kerberos/GSSAPI related attribute: remote principal name configured for the ssh user.
OWNER: An existing local system user allowed to modify the USER record. The allowed actions of the owner of a record, and of the manager of the owner of the record, are the same as defined by the PARTIALSSHCOMACCESSUSER/GROUP parameters.
SYSTEM-USER: The local Guardian user name or alias under which operations initiated by the remote user will be executed.
PUBLICKEY: One or more public key(s) sent by the remote user for authentication (see chapter SSH Protocol Reference for details). The secret part of the public key pair is not configured in USER records. Several attributes are defined for each PUBLICKEY: name, fingerprint, last modified and last used date
394. ing subsystems provided by SSH2:
• SFTP: The SFTP subsystem allows the user to transfer files with the SFTP transfer protocol.
• TACL: The TACL subsystem provides direct TACL access without requiring OSS on the NonStop server.
CI-COMMAND
This attribute specifies the startup string to be passed to CI-PROGRAM. Specify CI-COMMAND without <command> to reset the attribute to its default, an empty startup string. CI-COMMAND is ignored if CI-PROGRAM is set to MENU.
CI-PROGRAM
Sets the command interpreter to be started on a 6530 pseudo TTY after this user is authenticated. The filename is the name of the command interpreter's object file. It must be a local file name. If you omit any attribute value, CI-PROGRAM will be reset to its default, TACL. Startup parameters can be specified for the configured program, which is especially of interest for the program value TELNET (please refer to section Using TELSERV as Service Provider).
Please note: Specifying startup parameters in addition to the program file name requires double quotes around the CI-PROGRAM attribute value, for example:
ADD USER CI-PROGRAM "TELNET <ip addr> <port>"
If MENU is specified, 6530 shell will be connected to the service menu provided by the STN PTYSERVER. This resembles the functionality of TELSERV, which provides dynamic services as well as services connecting to static windows. The services offered by the STN PTYSERVER process can
395. iption>
<error description> Describes the error.
Cause: An error occurred on the SSH session. Typical errors are network related.
Effect: The SSH session is closed.
Recovery: Any corrective action depends on <error description>.
[HP NonStop SSH Reference Manual, Troubleshooting, p. 339]
Client Error Messages
This section describes common errors generated by the SSH OSS and SFTP OSS client programs.
could not open SSH2 process: <error detail>
<error detail> Describes the error condition.
Cause: The client failed to open a suitable SSH2 server process.
Effect: The client process terminates.
Recovery: Check if any SSH2 processes are started.
connect failed, error: <error detail>
<error detail> Describes the error condition.
Cause: The client could not establish the TCP connection to the remote host. Typical causes are:
Message | Meaning
Socket Connect operation failed with error 4127 | The remote host refused the connection.
Socket gethostbyname operation failed with error 4022 | The host name could not be resolved.
Effect: The client process terminates.
Recovery: Any corrective action depends on <error detail>.
WARNING: REMOTE HOST IDENTIFICATION UNKNOWN. The host public key fingerprint is: babble <bubble babble>, MD5 <md5>
<bubble babble> Is the bubble babble fingerprint of the remote host's public key.
<MD5> Is the bubble
396. ir own private key stored in the safe location
• send over the public key belonging to their private key to the peer system for authentication
• have the public key of the peer system configured, in order to be able to verify its authenticity
Dealing with two key pairs for any two partners communicating can be a bit confusing; therefore we go over the two key pairs in a bit more detail in the next subsections. Please note that:
• (A) when operating as SSH daemon, you are accessing your own private key and verifying the remote public key
• (B) when operating as SSH client, you also are accessing your own private key and verifying the remote public key
• the two key pairs mentioned under (A) and (B) are different, resulting in a total of four key pairs being maintained when operating both as daemon and client
The following list shows all four key pairs and where they are configured in the comForte SSH implementation (the following subsections will go into a bit more detail; the names in brackets are repeated there for ease of reference):
o [KEYPAIR1] A key pair used to authenticate the NonStop system to the partner system when the NonStop system acts as daemon (HOSTKEY parameter of SSH2 process)
o [KEYPAIR2] A key pair used to log on the partner system to the NonStop system when the partner system is acting as client (PUBLICKEY property of USER entity in user database in daemon mode)
o [KEYPAIR3] A key pair used to authenticate the partner system
397. is as follows (with the restriction that file attributes can only be appended to files in the Guardian name space):
get remote-file local-file file-attributes
put local-file remote-file file-attributes
where file-attributes is a comma separated list which contains different file attributes depending on file type. For EDIT and unstructured binary files the file attributes list is:
filecode,primary,secondary,maxextents
[HP NonStop SSH Reference Manual, SSH and SFTP Client Reference, p. 233]
For structured files the file attributes list is as follows:
filetype,filecode,primary,secondary,maxextents,record-len,pri-key-len,key-offset,index-blk-len
The file attributes, which must be specified exactly in the order shown above, are:
filecode: the file code (integer from 0 through 32767)
primary: primary extent size in pages (integer from through 65535)
secondary: secondary extent size in pages (integer from 1 through 65535)
maxextents: maximum number of extents (integer from 1 through 978)
filetype: file type indicator: e for an entry sequenced file, k for a key sequenced file and r for a relative file
record-len: length of the records in a structured file
pri-key-len: primary key length in a structured file
key-offset: key offset in a structured file
index-blk-len: index block length in a structured file
Examples:
get txe txe 700 will create a
398. is in the realm R, the Kerberos principal u@R is allowed access to the account u@H. This rule means that a Kerberos principal can access an SSH user account if the user name exactly matches the user portion of the Kerberos principal name and the local NonStop host is in the same realm. For example, if the NonStop server is configured in a Microsoft Active Directory, an Active Directory user may access an SSH account with a matching user name. For example, if the NonStop host is configured as NonStop.COMPANY.COM, a user JohnSmith@COMPANY.COM can be implicitly authorized to logon as SUPER.OPERATOR as follows:
> RUN SSHCOM $SSH01
SSHCOM T0801H01_22JAN2014_ABK (2014-01-24 14:42:45.368)
OPEN $ssh01
% ADD USER JohnSmith, SYSTEM-USER SUPER.OPERATOR
OK, user JohnSmith added.
Another implicit authorization method would be to create a Safeguard ALIAS:
> SAFECOM
SAFEGUARD COMMAND INTERPRETER - T9750H04 - (13AUG2008) SYSTEM \NONSTOP
= ADD ALIAS JohnSmith, SYSTEM-USER SUPER.OPERATOR
OK, user JohnSmith added.
[HP NonStop SSH Reference Manual, Configuring and Running SSH2, p. 131]
If the SSH2 AUTOADDSYSTEMUSER option is disabled, the ALIAS must also be added to the NonStop SSH database using the SSHCOM ADD USER command. Otherwise, if the SSH2 AUTOADDSYSTEMUSER option is TRUE and gssapi-with-mic is enabled for automatically added users, then creating a Safeguard ALIAS for the Kerberos user principal will be sufficient to gra
399. is no answer to the seemingly simple question "How much CPU cycles will 128-bit encryption consume on my system?" To understand why, consider asking an automobile expert the question "How much fuel will I need for my vacation?" without giving away more information. Regardless of how much the expert knows about cars and engines, he will not be able to give an answer unless you tell him such information as:
• The maker of the car
• Where you want to go
• Your driving habits
Using the data provided in this chapter should allow you to get an estimate of the CPU resources that should be utilized by SSH2 within your specific environment.
[HP NonStop SSH Reference Manual, Performance Considerations, p. 329-330]
Troubleshooting
Introduction
This chapter lists the information items needed by support when reporting an SSH2 related problem, and a number of common error messages that SSH2 or an SSH client can produce, and explains what they mean in more detail. We do not attempt to list all error messages here; there are many that should never occur and some that should be self-explanatory.
Information Needed By Support
When sending a support request, please provide the following information (the more information you supply, the better support can be provided):
• Short description (one or two lines)
• Product Environment
o SSH2 Version: Please run the SSH2INFO macro
400. is reset and the session continues. If the terminal is still idle when INPUT_TIMEOUT expires, then the following message appears:
STN36 Terminal was idle too long. Disconnecting.
This message will be displayed for approximately 10 seconds, then the session is disconnected. The exact format of the STN35 and STN36 messages depends on the terminal type and mode:
6530 block mode: message is displayed on line 25
6530 conversational: message is displayed at the cursor location and also on line 25
ANSI: message is displayed at the cursor location
See also BANNER_TIMEOUT, OUTPUT_RESET and IDLE_WARNING. BANNER_TIMEOUT and INPUT_TIMEOUT can be used individually or in combination.
Note: For services with LOGON REQ, the STN15 and STN16 messages prompt for a userid and password. If either of these prompts is not answered within 60 seconds, the session is terminated with an STN54 error message. This timeout is always in effect, regardless of INPUT_TIMEOUT or BANNER_TIMEOUT.
KILL_DYNAMIC Y|N
If set to Y, when a dynamic window session is disconnected, the dynamically started process is stopped. Only a process directly started by STN would be stopped; descendant processes are not affected. Default is N. In most cases the process will stop itself when it receives an I/O error on the STN window. Some applications do not stop immediately because they do not have an active read on the terminal. This command forces the immediate
401. is true for both inbound and outbound sessions.
Load Balancing Outbound SSH Sessions
For outbound sessions, CPU load balancing can be achieved by starting multiple SSH2 instances and distributing client processes across processors. The load balancing for outbound ssh sessions depends on client processing and can only be influenced by settings in the client environment controlling the client's processing. All clients delivered with SSH2 (SSH, SSHOSS, SFTP and SFTPOSS) employ a heuristic method in which an SSH2 process is opened to create the outbound session. The heuristic method works as follows:
1. If no explicit SSH2 process is configured (which is done by specifying the -S option on the command line), the client evaluates first the define =SSH2^PROCESS^NAME and then the environment variable SSH2_PROCESS_NAME to determine the process name of the SSH2 instance to connect to.
2. If neither define =SSH2^PROCESS^NAME nor environment parameter SSH2_PROCESS_NAME exists, the client evaluates an environment variable named SSH2PREFIX to determine the process name prefix of the SSH2 instances. The default is SSH.
3. If an open action fails, the client will look for an instance of an SSH2 process with the next higher processor number, up to 15. After processor number 15 is searched, 00 will be tried.
For example, if the SSH2PREFIX is set to ABC and there are two SSH2 processes running, one in cpu 4 with port 22, subnet $ZTC0 and name ABC
402. isplayed for windows allocated by an SSH2 process:
• pty command: The command that the SSH2 process used to allocate the window
• proc: The version of the SSH2 process that allocated the window
• term_env_var, term_rows, term_columns, term_width, term_hight, encoded terminal modes: the client's terminal characteristics passed in the SSH PTY allocation request
• Client IP address, Client IP port: shows the remote IP address and remote port number of the SSH session
• Client channel: Shows the SSH channel number of the terminal session
• External user name: The user name that was used with SSH authentication
• System user: The system user to which the external user name is mapped. NONE will be displayed if no system user is mapped.
• Auth method: The authentication method that was applied to authenticate the SSH user
• Cipher: the encryption algorithm used on the SSH session
• Mac: the message authentication algorithm used on the SSH session
• Compression: Shows if data is compressed on the SSH session
• Executed program: Shows any program started by an SSH2 process on that window. The field is empty at the time of application startup and is managed by STN (dynamic services) or externally (static windows).
INPUT_TIMEOUT <minutes>
INPUT_TIMEOUT allows for automatic termination of sessions that have been inactive for an extended time. This improves security and releases resources used by idle connections. INPUT_TIMEOUT 0
403. issued. See also: PROPAGATEDEFINES
TCPIPNODEFILE
Use this parameter as an alternative to setting a DEFINE =TCPIP^NODE^FILE.
Parameter Syntax: TCPIPNODEFILE filename
Arguments: filename  Specifies the name of the TCPIP node file to be used by SSH2. The filename will override the value of the DEFINE =TCPIP^NODE^FILE which may have been passed to SSH2 at startup. An empty value means no node file will be set. However, any DEFINE =TCPIP^NODE^FILE passed to SSH2 at startup will remain in effect.
Default: The default for this parameter is the empty value.
Considerations
• Use this parameter to pass the value for the DEFINE =TCPIP^NODE^FILE to SSH2 servers configured as generic processes. This can also be achieved by adding the define =TCPIP^NODE^FILE for the generic process (possible since G06.28/H06.06).
• In case the define =TCPIP^NODE^FILE causes unwanted behaviour, it is possible to disable the propagation of defines completely; see parameter PROPAGATEDEFINES.
See also: PROPAGATEDEFINES
[HP NonStop SSH Reference Manual, Configuring and Running SSH2, p. 124]
TCPIPRESOLVERNAME
Use this parameter as an alternative to setting a DEFINE =TCPIP^RESOLVER^NAME.
Parameter Syntax: TCPIPRESOLVERNAME filename
Arguments: filename  Specifies the name of the RESCONF file to be used by SSH2. The filename will override the value of the DEFINE =TCPIP^RESOLVER^NAME which may have been passed to SSH2 at startup. An empty value indicates no RESCON
isten is made on an interface that is not the loopback network interface.

ALLOW-MULTIPLE-REMOTE-HOSTS: Indicating if the ssh user is allowed to connect from multiple remote hosts (a remote host is identified by its IP address).
RESTRICTION-PROFILE: Name of restriction profile defining restrictions regarding incoming connections for the ssh user.
PRIORITY: Priority for a specific ssh user's non-SFTPSERV processes. If omitted, the priority of the SSH2 process is used as default value.
CPU-SET: List of CPUs ssh user's non-SFTPSERV processes are started in.
SFTP-INITIAL-DIRECTORY: The initial directory the remote user will see after successful logon.
SFTP-GUARDIAN-FILESET: List of Guardian filename patterns identifying the files the ssh user can access in a SFTPSERV session.
SFTP-SECURITY: A set of operations the remote user is allowed to perform, i.e. Read, Write, Purge.
SFTP-PRIORITY: This attribute is used to pre-set the priority for a specific user's SFTPSERV processes. If omitted, the default priority of 100 is used.
SFTP-CPU-SET: List of CPUs ssh user's SFTPSERV processes are started in.
STATUS: Status of the USER record.

The USER entity also contains some additional information collected by SSH2 about each ssh user:
LAST-LOGON: Time of last logon.
LAST-UNSUCCESSFUL-ATTEMPT: Time of last failed logon attempt.
LAST-AUTH-METHOD: Authentication method used for last lo
ix systems comes from a company called SSH. Their website is http://www.ssh.com.
- A guide to the generation of SSH key pairs can be found at http://apps.sourceforge.net/trac/sourceforge/wiki/SSH%20keys.
- A comprehensive book on SSH is "SSH, The Secure Shell" by Daniel J. Barrett, published by O'Reilly.

Implementation Overview

Supported Versions

The SSH2 software package only supports version 2 of the SSH implementation.

Cipher Suites

For a list of supported cipher suites and MACing algorithms, please see the parameters CIPHERS and MACS in chapter "Configuring and Running SSH2".

Implementation of the SSH protocol

SSH is a complex security protocol involving many sophisticated algorithms; therefore implementing SSH on any platform is not a trivial task. There are many intricacies in implementing SSH: just the fact that it works does not guarantee the quality of an implementation. The following code has been used as part of the SSH2 software package:
- a commercial SSH implementation (bitvise sshlib, see http://www.bitvise.com/products.html), which is based on the popular crypto library Crypto++ (see http://sourceforge.net/projects/cryptopp)
- a small part of the OpenSSL project (see www.openssl.org)
- a small part of the OpenSSH project (see www.openssh.com)

comForte has combined this standard code with its own source code targeted specifically for
k together in different usage scenarios.

SSH2 Running as SSH Daemon (Server)

The following figure shows how the components of SSH2 work together to implement SSH server processes (often referred to as a daemon in UNIX environments) on the NonStop system. These SSH processes provide shell, file transfer and port forwarding access to remote SSH clients such as OpenSSH on UNIX.

[Figure 1: SSH2 running as SSH daemon. Components shown: Partner System (standard SSH, TACL or SFTP client; any socket client or server) and NonStop (SSH2, SSHCTL, log, STN, PTY, OSS shell, TACL, SFTPSERV, FTP/FTPSERV, port forwarding, other apps, SSHCOM, PAUTH, admin).]

The SSH2 component accepts the incoming TCP/IP session and authenticates the remote user against the user database, optionally verifying user passwords with the PAUTH process. Upon request it
- spawns an OSS shell, TACL or SFTPSERV process
- allocates a PTY (a pseudo terminal) by communicating to an STN process acting as a PTY server
- forwards TCP/IP or FTP connections from the remote SSH client to a local server process, or vice versa

The SSHCOM component is used to maintain the user database, allowing administrators to configure remote users' public keys and control access rights to server functionality and the file system for file transfer.
knownhost name>: The new name of the knownhost entry. A knownhost entry with this name owned by the specified GUARDIAN user must NOT already exist in the user database.

THAW KNOWNHOST

The THAW KNOWNHOST command thaws a known host. The command has the following syntax:

THAW KNOWNHOST [<system user name>.]<knownhost name>

The individual attributes have the following meaning and syntax:

<system user name>: A valid GUARDIAN user who owns the known host entry in the user database. If <system user name> is omitted, either the user being set with a previously issued ASSUME USER command or the issuer of the ADD KNOWNHOST command will be used as the default. If <system user name> is specified, it MUST be followed by a "." to separate it from the known host name that follows. Only the SUPER.SUPER user (unless explicitly denied in OBJECTTYPE USER record) or those configured with full SSHCOM access can thaw a known host entry for another user.

<knownhost name>: The name of the known host to be thawed.

Status Commands

The current parameter configuration of the SSH2 process can be viewed via commands INFO SSH2 and INFO DEFINE. The configuration of the SSHCTL database entities like USERs, KNOWNHOSTs etc. can be listed via INFO USER, INFO KNOWNHOST etc. There are other entities in the SSH2 process that are of interest, especially the entities defined by the SSH protocol, namely sessions and channels. For di
l a user private key stays in state PENDING after creation before it switches to state LIVE.

Parameter Syntax: INTERVALPENDINGPRIVATEUSERKEY number of days

Arguments:
number of days: The number of days a newly generated user private key will be in state PENDING after creation and before reaching state LIVE.

Default: The default value for this parameter is 0, i.e. a newly generated key will go into state LIVE immediately if this parameter is not set to a value different from 0.

Example: INTERVALPENDINGPRIVATEUSERKEY 30

Considerations:
- The life cycle configuration of existing user private keys will not be modified due to this parameter. If existing keys need to participate in life cycle control, then they must be configured via the ALTER KEY command specifying the LIVE-DATE and EXPIRE-DATE command options.
- The parameter value is ignored if the life cycle for user private keys is disabled, i.e. if LIFECYCLEPOLICYPRIVATEUSERKEY is set to DISABLED.
- The parameter value is ignored if the KEY attributes LIVE-DATE and EXPIRE-DATE are specified in GENERATE KEY and IMPORT KEY commands (if a user is allowed to specify these attributes according to the key life cycle policy).

See also: LIFECYCLEPOLICYPRIVATEUSERKEY, INTERVALLIVEPRIVATEUSERKEY

INTERVALPENDINGPUBLICUSERKEY

This parameter is related to a user public key's life cycle configuration of datab
l name <str3>: Pseudo terminal name used for authentication

LOG LEVEL | EVENT TEXT / Description | Variable Parts
50 | <str1>: Allocated PTY <str2> | <str1> Session Name; <str2> Pseudo terminal name
50 | <str1>: routing connection to target ftp port <int1> | <str1> Session Name; <int1> Target port
10 | No valid license found, restricting functionality to HP internal usage |
10 | CRYPTOPP version <str1> | <str1> Crypto++ library version
10 | Invalid value specified for parameter <str1>: <str2>. Using default value <str3> | <str1> ALLOWINFOSSH2; <str2> Parameter value; <str3> Default value of ALLOWINFOSSH2
10 | SSH config database file <str1> does not exist, creating | <str1> SSH database file name
10 | SSH config database <str1> opened | <str1> SSH database file name
10 | Initializing SSH2 ADMIN run mode |
10 | Initializing SSH2 CLIENT run mode |
10 | Initializing SSH2 DAEMON run mode |
10 | Loading private key from <str1> | <str1> Private key file name
10 | Private key file <str1> does not exist, creating <int1> bits key | <str1> Private key file name; <int1> Number of host key bits
30 | Host key algorithm <str1> | <str1> Host key algorithm
30 | Host key MD5 fingerprint <str1> | <str1> MD5 finger print
layed. The command has the following syntax:

STATUS OPENER <opener id> | * [, DETAIL] [, WIDTH <width>] [, LOG-ONLY] [, SELECT (<attr> [, <attr>]...)] [, WHERE (<attr filter> [, <attr filter>]...)] [, FILTER-STATISTICS-ONLY]

<opener id>: The internally assigned identifier (positive integer) of an opener. Alternatively, the wildcard character * can be specified instead of an opener id.

The individual options have the following meaning and syntax:

DETAIL: If the DETAIL flag is set, detailed information is displayed.

WIDTH: The number <width> is the maximum number of characters per output line. If WIDTH is not specified, the default value 80 is assumed. In order to avoid a new line when the terminal is configured with line wrapping on, the line will only be filled with one character less than the specified width.

LOG-ONLY: Normally the output of the STATUS command will be displayed at the terminal SSHCOM was started from. With the LOG-ONLY flag set, the output will be written to the log file (if logging to a file is enabled).

SELECT: The SELECT option allows defining a specific set of attributes that will be displayed instead of the default attribute set (there are two default sets, one for detailed output and one for non-detailed output). An attribute name specified for <attr> must be one of the names displayed in the detailed status output.
ld knownhost name> [<new system user name>.]<new knownhost name>

The individual attributes have the following meaning and syntax:

<old system user name>: A valid GUARDIAN user who owns the key entry in the user database before renaming it. If <old system user name> is omitted, either the user being set with a previously issued ASSUME USER command or the issuer of the RENAME KNOWNHOST command will be used as the default. If <old system user name> is specified, it MUST be followed by a "." to separate it from the knownhost name.

<old knownhost name>: Specifies the name of a knownhost entry which must already exist in the user database before it is renamed.

<new system user name>: A valid GUARDIAN user who will own the key entry in the SSHCTL database after the rename. Only the SUPER.SUPER user (unless explicitly denied in OBJECTTYPE USER record) or those configured with full SSHCOM access can issue a RENAME command where <new system user name> is different from <old system user name>. If <old system user name> and/or <new system user name> is omitted, either the user being set with a previously issued ASSUME USER command or the issuer of the RENAME KNOWNHOST command will be used as the default user. If <new system user name> is specified, it MUST be followed by a "." to separate it from the key name.

<new
ldpath newpath            Symlink remote file
lpwd                      Print local working directory
ls [path]                 Display remote directory listing
mkdir path                Create remote directory
progress [on|off|min]     Toggle display of progress meter on/off, set it to minimum value (min), or display the current setting
put local-path [remote-path]  Upload local file
pwd                       Display remote working directory
quit                      Quit sftp
rename oldpath newpath    Rename remote file
rm path                   Delete remote file
rmdir path                Remove remote directory
symlink oldpath newpath   Symlink remote file
touch path                Touch file
version                   Show SFTP version
?                         Synonym for help
sftp>

Rather than going through each command in sequence, we will introduce the most important commands in a sample SFTP session in the next section.

Sample Session

The following sample session shows some commands and how to use them. The sample session shows usage of the SFTP client under OSS; however, apart from starting the SFTP client from TACL rather than from the OSS shell, there are no differences in usage when running under TACL.

Start the SFTP client and connect to the remote system:

/home/tb: sftposs -S $stba01 burgt@10.0.0.201
Connecting to 10.0.0.201...
sftp>

Show the current working directory on the remote system:

sftp> pwd
Remote working directory: /home/burgt
sftp>

List files on the remote system (detailed output):

sftp> ls -l
drwxr
les for valid CONNECT-FROM values include 103.10.0.37 dev 34 45 56 34 45 56 12 201 30 tandeml 120 10 20 120 10 20 7

CONNECT-TO

The CONNECT-TO attribute restricts user access, allowing user-initiated outgoing connections only to the configured host/port combinations. The CONNECT-TO restrictions are applied whenever the user tries to connect via SSH2 using the SSH, SSHOSS, SFTP and SFTPOSS clients. The value for this attribute can be one host/port range or a list of host/port ranges. A comma-separated list must be enclosed in parentheses. Each host/port range is a pair of host and port range separated by a colon: <host>:<port range>. A port range can be a single port, a single port range, or a list of ports and port ranges separated by commas and enclosed in brackets. Examples for valid values for CONNECT-TO include:
103.10.0.47:22
1.2.3.4:1025-1999
yourhost.domain.com:2013
abc.domain.com:2013-2100
xyz.domain.com:[22,2013-2100,5000-5099]
4.5.6.7:[300,301,5555]

FORWARD-FROM

The attribute FORWARD-FROM restricts a user's ability to do port forwarding. It restricts the set of hosts that can use forwarding tunnels opened by a specific user. The value can be one host pattern or a list of patterns used to match the address or name of the client system connecting to SSH2 on a NonStop server. Please see the description for the CONNECT-FROM attribute for examples.

LIKE

When speci
ll be generally denied, independent of the value of user attribute ALLOW-TCP-FORWARDING.

Default: If omitted, SSH2 will reject port forwarding.

Considerations: This SSH2 parameter specifies on a global scope whether TCP port forwarding is allowed. Even if you set this parameter to TRUE, you may allow or deny port forwarding at the user level by setting the ALLOW-TCP-FORWARDING USER attribute. See the SSHCOM Reference for details.

Example: ALLOWTCPFORWARDING TRUE

AUDITCONSOLE

Use this parameter to define if, and to what console device, SSH2 audit messages are written.

Parameter Syntax: AUDITCONSOLE * | % | $auditdevice

Arguments:
*: Signifies that no audit messages are written to a console.
%: Means that audit messages are written to the home terminal of the SSH2 process.
$auditdevice: Specifies that audit messages are written to $auditdevice. Log messages are written to the given device, e.g. $DEV.#SUBDEV.

Default: By default no audit messages will be written.

Considerations:
- Although it is possible to specify a collector, setting AUDITCONSOLE to a collector name is not recommended, because a collector will cut long messages after 108 characters.
- If writing audit messages to a collector is required, then use parameter AUDITEMS instead.

See also:
- AUDITEMS, AUDITFILE, AUDITFORMATCONSOLE
- "Audit Messages" in chapter "Monitoring and Auditing"
ll terminate and will not perform a backup takeover.

RECOVERY: If PARAM POOL^SIZE is too large and the disk volume containing the STN object file is full or fragmented, try freeing up some disk space or carefully reduce the PARAM POOL^SIZE, then restart STN. If the problem persists, contact Support.

zstn-evt-starting (value is 3)
<1> <2> program starting
<3>
<2>: program name and version information
<3>: additional copyright information
CAUSE: The STN process has started.
EFFECT: None.
RECOVERY: None, informational only.

zstn-evt-param-error (value is 4)
<1> Error in PARAM <2>: <3>
<2>: parameter name
<3>: value
CAUSE: During STN startup an error was found.
EFFECT: The param is ignored and STN startup proceeds without the param. Depending on the param, STN may not operate properly.
RECOVERY: If the parameter is important, correct the error, then stop and restart STN.

zstn-evt-gftcom-start-err (value is 5)
<1> Error <2>, <3> starting GFTCOM OBJECT <4>
<2>: error code
<3>: detail error
<4>: program name
CAUSE: PARAM GFTCOM OBJECT was specified, but an error was encountered when trying to start the program indicated.
EFFECT: The param is ignored and STN startup proceeds without the parameter. Since this command is generally used for essential configuration command
llows for multi-line prompts, including blank lines.
- B: ASCII BEL character, which some terminal emulators will sound as a beep tone.

Example:

STNCOM_PROMPT X P T STN>
$DEV.STN2 2010-08-06 23:59 STN>
STNCOM_PROMPT ST P stncom>
23:59 $STN2 stncom>

The default setting is STNCOM_PROMPT [value missing].

PROMPT and STNCOM_PROMPT are related commands. They both change the prompt used for STNCOM commands, and both allow parameter substitution such as P for process name. But they take effect in different ways.

PROMPT affects only the current STNCOM process execution and is cancelled when STNCOM stops. Other STNCOM users are not affected.

The STNCOM_PROMPT setting is saved in the memory of the running STN process. It takes effect on all subsequent STNCOM openers of the STN process.

When STNCOM starts, the default prompt string for conversational command input is percent space ("% "). STNCOM then opens the STN process specified in RUN STNCOM <process name>. If the STN process has STNCOM_PROMPT configured, it will be used for the prompt. This will stay in effect until another OPEN command or until a PROMPT command.

PROMPT
- Redefines the prompt for the current STNCOM process execution
- Takes effect immediately, unless an STNCOM_PROMPT is in effect
- Does not affect other STNCOM users
- Must be entered every time STNCOM is used, which is inconvenient
- Is overridden by STNCOM
mands on a line. When an FC command is combined in this manner, it takes effect after all other commands on the line are processed; then the FC applies to the entire line, including the FC itself. FC commands are not allowed in OBEY files or when the IN file is not the same as the OUT file.

FESESSDOWN <error code>

This command controls the file error code returned to application I/O requests while a session is down. Default is 140 (FEMODEMERR) for compatibility with previous releases; values 10-9999 are allowed. Some applications expect error 66 (FEDEVDOWN) when a session is down.

FRAGSIZE <n>

Adjusts the minimum memory pool fragment size allowed when splitting a large buffer to satisfy a new request. Use only under direction of support staff. <n> can be in the range of 26 to 1000. If the larger buffer is within FRAGSIZE of the requested size, the buffer is not split. This can help reduce fragmentation of the buffer pool.

GWN [ALLOC]

STNCOM displays the GWN filename and details about the window name and option, and optionally a new block of names. This new command was introduced in T0801ABE. The following current information is always displayed:
- GWN File name (or blank)
- Blocksize
- Next window name
- Last window name allocated (same as next if no GWN File)
- Maximum window number

If ALLOC is specified, a new block of session names is allocated from GWN FILE. Since alloc
manipulating of RESTRICTION-PROFILE records
- Support for EXPORT of RESTRICTION-PROFILE records
- New SSH2 parameter RESTRICTIONCHECKFAILEDDEFAULT
- New USER attributes RESTRICTION-PROFILE, ALLOW-GATEWAY-PORTS, PRIORITY, COMMENT, CPU-SET and SFTP-CPU-SET
- New attribute WIDTH for SSHCOM command EXPORT SSHCTL
- New option FORCE for USER attributes CI-PROGRAM and SHELL-PROGRAM
- New SSH2 parameter USETEMPLATESYSTEMUSER

Version 2.9

Describes changes in SSH2 release 0082. Documentation for the following new features has been added:
- Newly supported scp server functionality
- Propagation of defines from SSH2 to shell/TACL processes started by SSH2
- New define =SSH2^PROCESS^NAME added to shell/TACL processes started by SSH2
- New parameter <service> after MENU property of USER attribute SHELL-PROGRAM
- New USER attribute SHELL-ENVIRONMENT controlling the environment for non-login shells
- New SSH2 parameter GUARDIANATTRIBUTESEPARATOR

A topic has been added listing the environment variables set by SSH2 when a shell is started.

Version 2.8

Describes changes in SSH2 release 0081. Documentation for the following new features has been added:
- Documentation for new STN features: PARAM LICENSE; commands ABEND, BANNER_TIMEOUT, INPUT_TIMEOUT, IDLE_WARNING, OUTPUT_RESET, BLAST, BUFFER_SIZE and ADD SCRIPT; and ADD SERVICE parameters RESILIENT, LIMIT, HOME, USER, LOGON, DEBUGOPT, LOGAUDIT and SCRIPT
- New SSHCOM commands SET AUD
may not contain the latest STN templates, which are provided in the STN release subvol file ZSTNTMPL. To use templates from an alternate location, use the same DEFINE as is used by EMSDIST before running GTRED:

DELETE DEFINE =_EMS_TEMPLATES
ADD DEFINE =_EMS_TEMPLATES, FILE $SYSTEM.STNB20.ZSTNTMPL

The TRACE command has the following syntax:

TRACE [OFF | RESET | ON filename size]

(no option): Displays the current status and setting of the trace file and all parameters.

OFF: Stops the trace.

RESET: Resets the trace file pointers, effectively restarting the trace but without the overhead of closing and reopening the trace file.

ON filename size: Starts a trace on the specified unstructured disk file. The filename should be fully qualified; if it is not qualified, the default volume and subvolume in effect at the time the STN application was started are used (not the defaults from the STNCOM startup). If the file name does NOT begin with [character missing] or [character missing], the keyword ON is required. A file of the specified size will be created. If a trace is already open, it is first closed. The trace file can specify the same name as an already active trace file; in that case the trace file is rewritten. (The TRACE RESET command is more efficient for this purpose.) Size determines the byte length of the trace file. The number can be followed by the letter K (kilobytes), which multiplies by 1,024, or the letter M (megabytes), which multiplies by 1,048,576. The default is 100
ming connections.

Parameter Syntax: PORT number

Arguments:
number: Refers to the decimal number of a TCP/IP port.

Default: The default for this parameter is 22.

Considerations:
- The ICANN manages a list of well-known port numbers for various protocols, see http://www.iana.org/assignments/port-numbers. 22 is the well-known port for the SSH protocol.
- The choice for the port value in your specific environment will depend on the applications already running on your NonStop systems, the ports in use, and your firewall configuration.

PROPAGATEDEFINES

This parameter controls whether SSH2 propagates defines in the SSH2 process context to newly started processes.

Parameter Syntax: PROPAGATEDEFINES TRUE | FALSE

Arguments:
TRUE | FALSE: Specifies if SSH2 propagates defines or not. Valid values are:
- TRUE: Defines will be propagated.
- FALSE: Defines will not be propagated.

Default: If omitted, PROPAGATEDEFINES will be set to TRUE. This is consistent with the behavior since introduction of define propagation.

Considerations:
- The =_DEFAULTS DEFINE is always propagated to other processes, regardless of the setting of the PROPAGATEDEFINES parameter.

Example: PROPAGATEDEFINES FALSE

See also: PTCPIPFILTERKEY

PTCPIPFILTERKEY

Use this parameter to specify a filter key to enable round-robin filtering with parallel library TCP/IP or TCP/IPv6.

Parameter Synta
minute when no input had been received and fewer than IDLE_WARNING minutes remain until BANNER_TIMEOUT expires. The following message appears:

STN35 WARNING: Terminal will be disconnected if it stays idle

If input is received after this warning, the timer is reset and the session continues. If nothing is received when BANNER_TIMEOUT expires, then the following message appears:

STN36 Terminal was idle too long. Disconnecting.

This message will be displayed for approximately 10 seconds, then the session is disconnected.

The exact format of the STN35 and STN36 messages depends on the terminal type:
- 6530: Message is displayed at the cursor location and also on Line 25.
- ANSI: Message is displayed at the cursor location.

For services with LOGON REQ, the STN15 and STN16 messages prompt for a userid and password. If either of these prompts is not answered within 60 seconds, the session is terminated with an STN54 error message. This timeout is always in effect, regardless of INPUT_TIMEOUT or BANNER_TIMEOUT.

See also:
- INPUT_TIMEOUT, IDLE_WARNING

BLAST <message>

BLAST <message> sends a broadcast to all active sessions. <message> is limited to 54 characters of displayable ASCII (hex 20-7e). The text will be prefixed with BEL ESC o (hex 07 1b 6f), which will sound the audible beep and place the text on Line 25 for 6530 terminals. This command should only be used for urgent messages, since it can interrupt normal terminal a
mmand, thus overriding the program configured in CI-PROGRAM.

ALLOW-GATEWAY-PORTS: This attribute is used to grant or deny gateway ports when port forwarding is initiated by a specific user. If the value of this attribute is NO, then any port forwarding request with SSH option -g will be rejected by SSH2.

ALLOW-MULTIPLE-REMOTE-HOSTS: When set to NO, this attribute is used to restrict a user to a maximum of one remote host the user can establish a connection from at any time. The restriction is based on the SSH user configured in the SSH2 database, not the system user. After disconnecting all sessions from one host, the user can connect from a different host. All SSH2 processes that access the same SSH2 database share the restriction. If the attribute is set to YES, then a user can establish sessions from different remote hosts at the same time.

ALLOW-PTY: This attribute is used to grant or deny the allocation of a pseudo TTY for a session. The pseudo TTY enables the user to execute full-screen interactive applications such as Emacs or vi.

ALLOW-SHELL: This attribute is used to grant or deny shell access to a user.

ALLOW-TCP-FORWARDING: This attribute is used to grant or deny port forwarding for a user. The value of this user attribute is ignored if the global SSH2 parameter ALLOWTCPFORWARDING is set to FALSE.

ALLOWED-AUTHENTICATIONS: This attribute is used to specify the authentication mechanisms that are allowed for a user. The following a
mode record type KEY holds user key information for the local Guardian user initiating a client connection on NonStop. The key information in the client mode database includes the complete public key pair, i.e. both public and private part. KEY records are created via SSHCOM command GENERATE KEY.

Database key to the KEY entity consists of:
- KEY: the name of the public key pair generated for the Guardian user
- USER: the name of the local Guardian user the public key was generated for

The KEY entity has the following additional properties:
- COMMENT: a free text field allowing you to enter a descriptive comment
- TYPE: the type of the key; supported key types are RSA and DSA
- BITS: the number of bits of the key
- PUBLICKEY-FINGERPRINT: the fingerprints of the public key associated with that private key
- STATUS: whether the key is frozen or thawed
- CREATION-DATE: the time the key was generated, if available. A key is in state PENDING if LIVE-DATE has not been reached yet.
- LIVE-DATE: the time the key changes (or has changed) to state LIVE. If the attribute LIVE-DATE is not set, then a key is automatically in state LIVE. A key stays in this state until EXPIRE-DATE is reached.
- EXPIRE-DATE: the time the key changes (or has changed) to state EXPIRED
- LIFE-CYCLE-STATE: the life cycle state the user private key is in. Possible values are PENDING, LIVE and EXP
mote systems to only those cases in which the host's public key is explicitly configured as a KNOWNHOST entity in the SSHCTL.

Parameter Syntax: STRICTHOSTKEYCHECKING TRUE | FALSE

Arguments:
TRUE | FALSE: Specifies whether host keys of remote hosts must be preconfigured in SSHCTL. Following are the possible arguments:
- TRUE: Access to unknown hosts will be denied.
- FALSE: Users will be prompted if they want to continue a connection to an unknown host and add the host's public key as a KNOWNHOST entity to the SSHCTL.

Considerations:
- KNOWNHOST entities can be configured using SSHCOM.

Default: If this option is omitted, SSH2 will use a value of TRUE.

Example: STRICTHOSTKEYCHECKING FALSE

SUBNET

Use this parameter to specify the TCP/IP process(es) an SSH2 process should listen on for incoming connections.

Parameter Syntax: SUBNET tcpip-process-name [, tcpip-process-name ...]

Arguments:
tcpip-process-name: Name of an existing TCP/IP process in your system.

Default: If omitted, the SSH2 process will be bound to $ZTC0.

Example: SUBNET $ZTC03

Considerations:
- If you added a DEFINE =TCPIP^PROCESS^NAME to the TACL environment you use to start SSH2, this setting will override the SUBNET parameter.
- If you use parallel library TCPIP and want to share identical ports across multiple instances of SSH2, you need to add an identical DEFINE to all i
n only be renamed by the SUPER.SUPER user (unless explicitly denied in OBJECTTYPE USER record) or those configured with full SSHCOM access, or by the user who owns the password. The command has the following syntax:

RENAME PASSWORD [<oldusername>.]<oldremoteuser>@<oldtargethost>:<oldtargetport> [<newusername>.]<newremoteuser>@<newtargethost>:<newtargetport>

A password entry with the old password name, identified by the sequence <oldusername>.<oldremoteuser>@<oldtargethost>:<oldtargetport>, must exist. The entry with the new password name, identified by <newusername>.<newremoteuser>@<newtargethost>:<newtargetport>, must not exist.

The individual attributes have the following meaning and syntax:

<oldusername>: A valid GUARDIAN user who owns the password entry in the user database before renaming it. If <oldusername> is omitted, either the user being set with a previously issued ASSUME USER command or the issuer of the RENAME PASSWORD command will be used as the default. If <oldusername> is specified, it MUST be followed by a "." to separate it from the password name.

<oldremoteuser>: A user name of the targeted system.

<oldtargethost>: The IP address or the DNS name of the targeted system.

<oldtargetport>: The listening port of the
[ls -l output: directory entries ktestbig, public_html (Jun 19 2003) and sshtest (Nov 23 08:13), owner 509, group 100]
sftp>

To Create an FTP Port Forwarding Tunnel with a NonStop SSH Client

You can establish FTP port forwarding channels for both the OSS SSH client (SSHOSS) and the Guardian SSH client (SSH). The following example illustrates this using the Guardian SSH client. Run SSH as follows:

$DATA1.MHSSH 5> run ssh -N -L ftp/5021:localhost:21 m.horst@10.0.0.201
SFTP client version T9999H06_22Jan2014_comForte_SFTP_0097
You have no private keys in the key store.
Trying password authentication.
Enter m.horst@10.0.0.201's password:
Add password for m.horst@10.0.0.201 to the password store (yes/no)? no

The -N option suppresses the start of a remote shell. The -L ftp/5021:localhost:21 option tells SSH2 to listen on port 5021 and forward any incoming FTP connection to the remote SSH daemon and further to an FTP server on the same host listening on port 21. After the SSH session is successfully established, the SSH process will quietly wait until the SSH session is terminated or it is stopped. Thus, if you hit <break>, you can get the TACL prompt back and try to connect an FTP session over the SSH tunnel:

<break>
$DATA1.MHSSH 19> ftp
FTP Client T9552J01 30MAR2012 COPYRIGHT TANDEM COMPUTERS INCORPORATED 2012
ftp> open 127.0.0.1 5021
Connecting to 127.0.0.1.
Established 2
n host name.

<knownhost name>: The name of the known host owned by the current user. A * as part of the known host name will be interpreted as wildcard character, and information about all known host names matching the wildcard character will be displayed.

OUTPUT Format of INFO KNOWNHOST Command

If used without the DETAIL modifier, INFO KNOWNHOST will provide a brief summary for each known host displayed. The following is an example of the output of INFO KNOWNHOST:

% info knownhost
info knownhost
KNOWNHOST                              KNOWNBY       STATUS
10 0 s0 T122                           super.super   THAWED
10.0.0.194:55022                       super.ulrich  THAWED
10.0.0.196:22                          super.ulrich  THAWED
[fe80::a00:8eff:fe00:d14e]:55022       super.ulrich  THAWED
npns01ipv6:54022                       super.ulrich  FROZEN

If used with the DETAIL modifier, INFO KNOWNHOST will provide some detailed information about each known host displayed. The following is an example of the output of INFO KNOWNHOST DETAIL:

% info knownhost super.ulrich.npns01ipv6:54022, detail
info knownhost super.ulrich.npns01ipv6:54022, detail
KNOWNHOST                              KNOWNBY       STATUS
npns01ipv6:54022                       super.ulrich  FROZEN
  KNOWNHOST               npns01ipv6:54022
  COMMENT                 automatically added by SSH2
  KNOWNBY                 super.ulrich
  ADDRESSES               npns01ipv6
  PORT                    54022
  ALGORITHM               ssh-dss
  PUBLICKEY FINGERPRINT   MD5: 87:33:4c:98:3e:a4:cd:0c:40:0b:51:d8:0d:6f:f2:fd
                          BABBLE: xibod-gogif-deret-sezip-bymek-decam-gonyt-ripoc-fygyr-pobet-kaxox
  LAST USE                NONE
  LAST MODIFIED           23Apr12 10:32
  STATU
    ... of directories on the NonStop system
    RMDIR     allows removal of directories on the NonStop system
    SYMLINK   allows creation of symbolic links on the NonStop system
    ALL       shortcut for all operations
    NONE      shortcut for no operation

Operations can be abbreviated as long as the abbreviation is unambiguous.

Example:
    SFTP-SECURITY (WRITE, LIST)
        will only allow perusal of files and uploading of files
        can be abbreviated as SFTP-SECURITY (W, L)

SHELL-COMMAND
This attribute specifies a forced command that is to be executed instead of any command given by an exec request from the SSH client. A forced command allows you to limit shell access to specific tasks or to implement additional security measures. SSH2 retains the command given in the user's exec request in the SSH_ORIGINAL_COMMAND environment variable, so that a shell script can analyze and/or execute the original command. Treat that variable as untrusted input: a forced command that passes it to eval or to a shell hands back exactly the unrestricted access the forced command was meant to remove, so compare it against a fixed list of permitted commands instead.

SHELL-ENVIRONMENT
The full OSS file name of a shell script preparing the shell environment for non-login shells, which are started without executing /etc/profile or .profile. The value will be used to set the environment variable ENV (see the man pages of ksh for information on how the shell processes ENV). The attribute value (shell script) can contain absolute paths but also pre-defined values like $HOME. Default for this parameter: empty string, i.e. no shell script will be executed that prepares the user environment for non-login shells, which do not execu
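As an added example (not from the manual or the product), the following is the kind of script one might point a USER record's SHELL-COMMAND at. The script path /home/sftp/allowcmd.sh, the directory /home/sftp/outbox and the permitted commands are assumptions for illustration. The page only says that SSH2 puts the client's requested command into SSH_ORIGINAL_COMMAND; everything else here is the example's own design: the request string is matched against a fixed allowlist and a known program is executed with a validated argument, so the string never reaches eval or sh -c.

```shell
#!/bin/sh
# Added example: forced-command wrapper for an SSH2 USER record configured with
#   ALTER USER usr, SHELL-COMMAND /home/sftp/allowcmd.sh      (path is assumed)
# SSH2 passes the client's requested command in SSH_ORIGINAL_COMMAND.
# The allowlist below is constructed for this example, not a product default.

OUTBOX=/home/sftp/outbox         # assumed directory the user may list

# allow_command CMD: return 0 if CMD is on the allowlist, 1 otherwise.
# Only exact strings, or "ls -l $OUTBOX/<plain name>", are accepted.  The plain
# name may not be empty, start with a dot, or contain anything outside
# [A-Za-z0-9_.-], which rules out "..", "/", blanks and shell metacharacters.
allow_command() {
    case $1 in
        uptime|date)                  return 0 ;;
        "ls -l $OUTBOX")              return 0 ;;
        "ls -l $OUTBOX/"*)
            name=${1#"ls -l $OUTBOX/"}
            case $name in
                ""|.*|*[!A-Za-z0-9_.-]*) return 1 ;;
                *)                       return 0 ;;
            esac ;;
        *)                            return 1 ;;   # "ls; rm -rf /", "ls -l /etc", ...
    esac
}

# run_allowed CMD: execute an allowed command with a fixed argument vector.
# The request string itself is never handed to eval or to "sh -c".
run_allowed() {
    if ! allow_command "$1"; then
        echo "allowcmd: '$1' is not permitted" >&2
        return 127
    fi
    case $1 in
        uptime)            uptime ;;
        date)              date ;;
        "ls -l $OUTBOX")   ls -l "$OUTBOX" ;;
        "ls -l $OUTBOX/"*) ls -l "$OUTBOX/${1#"ls -l $OUTBOX/"}" ;;
    esac
}

# Entry point when SSH2 starts this file as the forced command.  An interactive
# SHELL request arrives with SSH_ORIGINAL_COMMAND unset and is refused as well.
# Run under any other file name (e.g. for testing) only the functions are defined.
case ${0##*/} in
    allowcmd.sh)
        if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
            run_allowed "$SSH_ORIGINAL_COMMAND"
            exit $?
        fi
        echo "allowcmd: interactive shell access is not permitted" >&2
        exit 1 ;;
esac
```

The decision logic lives in allow_command so it can be exercised without an SSH session; the second case in run_allowed repeats the prefix match deliberately, so that a command can only be executed on the branch that validated it.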
... select whether the ssh client gets access to an OSS shell or a TACL. In case the user executes a SHELL request, e.g.

    ssh usr@host

... subsystem name tacl, e.g.

    ssh -s usr@host tacl

then a TACL is started. If the user executes a SHELL request like ssh usr@host and the terminal type is not TN6530, then a shell is started. In case the user starts an EXEC request specifying a command, as in

    ssh usr@host ls -l

then the command is executed in a shell. If a TACL command should be executed, then the gtacl shell command can be used, e.g.

    ssh usr@host gtacl -c fileinfo

or the command tacl with option -c, like

    ssh usr@host tacl -c fileinfo

A program can be started in the TACL environment using option -p, e.g.

    ssh usr@host tacl -p fup

A way to force a user to connect to a TACL is to define an STN service and configure the SSH USER record to use this service. Assuming a service TACL1 is defined via STNCOM like

    ADD SERVICE TACL1 TYPE DYNAMIC PROG $SYSTEM.SYSTEM.TACL LOGON REQ

and the SSH user is configured using the SSHCOM command

    ALTER USER usr, SHELL-PROGRAM MENU:TACL1 FORCE

then both SHELL and EXEC requests, independent of t
... supports the standard set of commands implemented in the SFTP protocol. The help command gives a brief syntax summary:

    > run sftp -S $zss1 -oPort=51022 comf.us@10.0.0.196
    SFTP client version T9999H06_22Jan2014_comForte_SFTP_0097
    Connecting to 10.0.0.196 via SSH2 process $zss1
    sftp> help
    Available commands:
    ap local-path remote-path        Upload local file and append to remote file
    append local-path remote-path    Upload local file and append to remote file
    ascii [dos|unix|mac]             Change transfer mode to ascii and optionally change the
                                     remote newline convention
    aslinemode cut|wrap|none         Cut, wrap or do nothing to long ascii lines
    binary                           Change the transfer mode to binary
    cd path                          Change remote directory to 'path'
    chgrp grp path                   Change group of file 'path' to 'grp'
    chmod mode path                  Change permissions of file 'path' to 'mode'
    chown own path                   Change owner of file 'path' to 'own'
    delete path                      Delete remote file
    exit                             Quit sftp
    fc <num>|<string>                Fix command number <num> or containing <string>
    get remote-path [local-path]     Download remote file
    help                             Display this help text
    h [<cnt>]                        Display historic commands (all or <cnt> cmnds)
    history [<cnt>]                  Display historic commands (all or <cnt> cmnds)
    lap remote-path local-path       Download remote file and append to local file
    lappend remote-path local-path   Download remote file and append to local file
    lcd path                         Change local directory to 'path'
    ln o
... will be terminated.
    Recovery: Any corrective action depends on the reason for the authentication failure. It may be required to add, correct or thaw a user name using SSHCOM.

<session id>: No more authentication requests possible for <user name>
    <user name>: Name of the remote user.
    Cause: The maximum number of authentication requests was exceeded. Typically this condition occurs with password authentication if the SSH client sends an invalid password three times.
    Effect: The remote SSH user cannot be authenticated. The session will be terminated.
    Recovery: Use the correct credentials for the user with the SSH client.

<session id>: password change for user <user name> failed: <error detail>
    <user name>: Name of the remote user.
    <error detail>: A description of the error that made the password change fail.
    Cause: An error occurred when trying to change the user's password upon request of the SSH client.
    Effect: The password could not be changed.
    Recovery: Any corrective action depends on the cause.

<session id>: public key authentication failed: algorithm not supported
    Cause: The SSH client tried to use an algorithm for public key authentication that is not supported by SSH2.
    Effect: The user cannot be authenticated with the offered public key.
    Recovery: Configure the SSH client to use a public key algorithm supported by SSH2.

<session id>: public key authentication failed: too many keys
    Cause: T
... your system. This can be done by starting multiple SSH2 instances as described in the Load Balancing section above. Running multiple SSH2 instances may have an influence on the fault tolerance mechanism you choose. Following are key considerations:

  - When running multiple process pairs of SSH2 listening on the same port, you should not start a primary SSH2 process in a CPU that is used for the backup process of another SSH process pair. If you do, there will be a conflict with two processes trying to listen on the same port in case of failover. Consequently, the maximum number of SSH2 process pairs listening on the same port is the number of CPUs on your system divided by two. Furthermore, the CPU load generated by the SSH encryption would only be distributed across the primary CPUs of the SSH2 instances.
  - When running SSH2 as a generic process, you can rely on the persistence manager to restart SSH2. It is not necessary to start SSH2 as a process pair. Hence, if you want to distribute the load evenly across all processors, it may be better to configure a generic SSH process in each CPU that would be restarted automatically when a CPU comes up after a failure.

Processing of DEFINEs

SSH2 has been enhanced to propagate almost all DEFINEs found in the SSH2 process context to TACL and shell processes started by SSH2 directly. Exceptions are:

  - The =_DEFAULTS DEFINE is set from the Guardian user configuration.
  - In case parameters PTCPIPFILTERKEY, TCPI
    ...                                                                     216
    Configuring the SSH2 Process to Use ...                                 218
    Inquiring User Name If Not Supplied                                     218
    Suppressing the Banner printed by Clients                               219
    Automating the SFTP/SSH clients                                         219
    FILE I/O Parameters for SFTP/SFTPOSS                                    219
    SSH Client Command Reference                                            220
        Command Line Reference                                              220
        Using the SSH client to create a shell controlling a remote system  224
        Using the SSH client to create a port forwarding daemon             225
        Using the SSH client to create an FTP port forwarding daemon        226
    SFTP Client Command Reference                                           227
        Command line Reference ...
... <iprange name> deleted
    Warning: 1 SERVICE(s) still reference this iprange

DELETE SCRIPT <script name>|*
    The specified script, or all scripts, will be removed from the configuration.

DELETE SERVICE <service name>|*
    The specified service, or all services, will be removed from the configuration.

DELETE WINDOW <window name>|*
    DELETE WINDOW removes a previously added window from the configuration. Dynamic windows are automatically deleted upon session termination. Windows created by AUTO_ADD_WIN Y are automatically deleted when all applications using the window terminate or close the window (no longer relevant since SPR T0801ABE, where AUTO_ADD_WIN is not supported anymore). WIN and WINDOW are equivalent.
    <window name> specifies a window to be deleted; * means to delete all windows, including DYNAMIC and AUTO_ADD_WIN windows.

DEV_SUBTYPE B05COMP|WINDOW|<nn>
    Controls the values returned to an application that has called DEVICEINFO against a window. The following options are available:

    B05COMP   (default) compatible with STN releases B05 and earlier:
                no session active        6,0
                6530 session active      6,4
                non-6530 session         6,0

    WINDOW    response determined by the ADD WINDOW configuration:
                SUBTYPE nn                           6,nn (overrides TERM_TYPE)
                SUBTYPE NONE and no session active   response determined by TERM_TYPE:
                    TERM_TYPE 6530                   6,4
                    TERM_TYPE other                  6,0
              When SUBTYPE is NONE and a session is active, the B05COMP rules above are used.

    <
        ... name or alias of the configured SSH user). This Guardian user will have partial access to all the configured SSH user records and will be able to do SSHCOM INFO USER or SSHCOM ALTER USER commands on these records if a match was found using the login name value.

    GUARDIANNAME
        The Guardian name of the login name value (which can be a Guardian name or alias) of the Guardian user that started the SSHCOM session will be compared to the OWNER field value (Guardian name or alias of the configured SSH user). This Guardian user will have partial access to all the configured SSH user records and will be able to do SSHCOM INFO USER or SSHCOM ALTER USER commands on these records if a match was found using the Guardian name of the login name value.

    BOTH
        The login name value (which can be a Guardian name or alias), or the Guardian name of the login name value, of the Guardian user that started the SSHCOM session will be compared to the OWNER field value (Guardian name or alias of the configured SSH user). This Guardian user will have partial access to all the configured SSH user records and will be able to do SSHCOM INFO USER or SSHCOM ALTER USER commands on these records if a match was found using either the login name or the Guardian name of the login name value.

    NONE
        The OWNER field value of the configured SSH user will NOT be evaluated.

Considerations
  - The DAEMONMODEOWNERPOLICY allows the same access rights to the daemon mode USER records as given by PARTIALSSHCOM
... and remote SSH host's public keys.

Installation & Quick Start

System Requirements

To run SSH2 components, associated systems must meet the following requirements.

HP NonStop host:
  - G-Series: G06.21 or later
  - H-Series: H06.07 or later
  - J-Series: J06.03 or later
  - OSS is not required. If present, OSS is fully supported.

Partner systems:
  - An SSH client and/or daemon supporting version 2 of the SSH protocol.

Acquiring the Product Archives

The HP NonStop SSH product is delivered with the H-series Release Version Update (RVU) H06.11 and later, or the J-series RVU J06.03 and later. A license file is no longer required for H06.21 and later or J06.10 and later; these releases correspond to SPR T0801AAQ and later. For G06.32 and G06.32-based Time Critical Fix releases (TCFs), NonStop SSH is only licensed for use with MR-Win6530 on the NonStop System Console (NSC) for secure communications with the default IP maintenance stacks. To enable full product use, you must contact your HP Sales representative for details on licensing.

SSH2 also comes with the comForte SecurSH or SecurFTP/SSH product packages. These products require the SSH2 installation archive (SSHINST, 100 or 800 depending on the NonStop Server type) to be unpacked on the NonStop server.

In
... will be calculated depending on the number of files to keep. With LOGFILERETENTION set to 10 (the default value), the archive files for a LOGFILE of SLOG will be called SLOG0, SLOG1, ..., SLOG9. With LOGFILERETENTION set to 1000, the archive files for a LOGFILE of SLOG will be called SLOG000, SLOG001, ..., SLOG999.

Viewing File Contents from Guardian with SHOWLOG

SSH2 servers may be configured to write log or audit files to disk. For performance reasons, those log files are created as unstructured files:

    15> fileinfo SSH2log
    $DATA1.COMFSSH2
                     CODE       EOF    LAST MODIFIED    OWNER   RWEP   PExt   SExt
    SSH2log             0      5044    25Sep2003 15:14  110,111 aaaa      4     28
    16>

Note the security vector in this example: AAAA lets any user, local or remote, read, write, execute and purge the file. An audit file in particular should be created with a tighter setting, otherwise the record of who did what can be read or altered by anyone on the network.

While the program is running, the log file is always open; however, it may be concurrently opened for viewing. To convert the unstructured file into a readable format, a tool SHOWLOG is supplied. Invoking SHOWLOG without arguments will display a brief syntax summary:

    20> run showlog
    SHOWLOG - log file converter - Version T9999A06_15Nov2012_HP_SHOWLOG_0024
    usage: SHOWLOG <log file> [<out file> [<start> [<end>]]]
      <log file>   the input log file to be converted
      <out file>   file to write to (default is the home terminal)
      <start>      either byte offset from beginning or a timestamp
      <end>        either number of bytes after beginning or a timestamp
    Supported timestamp formats:
... window. A user can be forced to use a pre-configured STN service or window. In this case STN will not display a service menu but will directly give the user access to the pre-configured service or window. This feature allows pre-selection of items defined in the STN service menu depending on the SSH user.

The following SSHCOM commands show how an STN service or window can be enabled for 6530 pseudo-terminals:

    > RUN SSHCOM SSH01
    SSHCOM T0801H01_22JAN2014_ABK - 2014-01-24 14:42:45.368
    OPEN ssh01
    % ALTER USER SERVICE-USER, CI-PROGRAM MENU:srvc1
    OK, user SERVICE-USER altered
    % ALTER USER WINDOW-USER, CI-PROGRAM MENU:win1
    OK, user WINDOW-USER altered

For non-6530 pseudo-terminals, the STN service or window can be enabled via:

    > RUN SSHCOM SSH01
    SSHCOM T0801H01_22JAN2014_ABK - 2014-01-24 14:42:45.368
    OPEN ssh01
    % ALTER USER SERVICE-USER, SHELL-PROGRAM MENU:srvc1
    OK, user SERVICE-USER altered
    % ALTER USER WINDOW-USER, SHELL-PROGRAM MENU:win1
    OK, user WINDOW-USER altered

The pre-selected service or window (srvc1 and win1 in the examples above) must exist in the STN configuration. STN services and windows can be added with STNCOM using the ADD SERVICE and ADD WINDOW commands. Please refer to the STNCOM Commands section for further details.

Forcing TACL Access via Server-side Configuration

Usually a remote user ca
... Naming.

PARAM GWN^BLOCKSIZE <number>
    Controls session and window names. Refer to section Session and Window Naming.

PARAM LICENSE <filename>
    Specifies the location of the STN LICENSE file. The default is filename LICENSE in the subvol containing the STN object file. Note that a license for NonStop SSH is no longer required starting with SPR T0801AAQ; STN does not require a license to run pty sessions with SSH. A license is required for optional features that are not available in NonStop SSH.

PARAM NOTACL 1
    The value (1 in the example) is not used; the presence of this PARAM disables the automatic default service TACL. If this parameter is NOT used, STN will automatically perform the command ADD SERVICE TACL PROG $SYSTEM.SYSTEM.TACL.

PARAM OPEN^TABLE^SIZE <number>
    Specifies the maximum number of opens from application processes to STN windows. The default is 3000 and the maximum is 32000. See STNCOM command MAX_OPENERS.

PARAM POOL^SIZE <number>
    Specifies the size in words of the extended segment memory pool used for control tables and I/O buffers. The default is 4194304 (4 meg). A decimal number can be used to specify the parameter. Users may also append the letter K (kilowords) to the number, which multiplies by 1,024, or they can add the letter M (megawords), which multiplies by 1,048,576. POOL^SIZE may need to be increased for larger configurations; contact Support for details.

PARAM SECURITY <letter>
    Defines the l
... tunnel (i.e., when using the -L option, this is the remote host). After the SSH session is successfully established, the SSH process will wait until the SSH session is terminated or it is stopped. Thus, if you hit <break>, you can get the TACL prompt back and try to connect a telnet session over the SSH tunnel:

    <break>
    $US.SSH90 47> telnet 127.0.0.1 5021
    TELNET Client - T9558H01 (19MAR12) - IPMAAH
    Copyright Tandem Computers Incorporated 2004
    Trying...
    Connected to 127.0.0.1.
    Escape character is '^]'.
    Welcome to SuSE Linux 8.2 (i586) - Kernel 2.4.20-4GB (0).
    np-dev login:

In this example, the local telnet client connects through the tunnel to the telnet server on remote host 10.0.0.111 that listens on loopback address 127.0.0.1, port 23. The session is encrypted only between the local SSH client and the remote SSH daemon; the final hop from the daemon to the telnet server is plain telnet, which is why the target here is the daemon host's own loopback address rather than a third machine.

Forwarding Remote Port to Local Port

Port forwarding channels can also be enabled in the opposite direction, i.e., from a remote port to a local port. The following example illustrates how to establish an SSH port forwarding tunnel from a remote host to the local host using the Guardian SSH client:

    $US.SSH90A 48> run ssh -N -R 5021:localhost:23 testusr@10.0.0.234
    SSH client version T9999H06_22Jan2014_comForte_SSH_0097

The -N option suppresses the start of a remote shell. The -R option tells the remote SSH daemon on host 10.0.0.234 to listen on port 5021 and forward any incoming connection on that port to the local SS
... Unlike SU windows, the workstation configurations are identical, simplifying logistics.

TERM_TYPE TN6530|ANSI|ANY
    STN does not presently use the window TERM_TYPE setting.

SERVICE <service name>
    Not allowed with TYPE DEDICATED or SU; required with TYPE STATIC. Also required with TYPE DYNAMIC, but DYNAMIC windows are only created internally and should not be entered via STNCOM. For TYPE STATIC, this window is associated with the specified service name. This window can then be selected to satisfy session requests for the specified service.

IPADDR <dotted ip address>
    Only allowed for TYPE DEDICATED. Specifies the IP address of the client workstation. Any session request from the specified IP address will be automatically connected to this window (no menu is displayed). No two windows may have the same IP address. This means that remote nodes that want to run multiple sessions, especially terminal servers like the AWAN 3883/4/5 or 3886 models, cannot effectively use TYPE DEDICATED. IPADDR selects a window by the source address of the connection; it does not authenticate the client.

SUBTYPE <nn>|NONE
    Default is NONE. Otherwise a number in the range 0-63 may be used. See the DEV_SUBTYPE command for details.

SCRIPT <script name>
    Default is no script. A script is a series of setmode commands which are automatically performed at the beginning of a session and also after an application call to setmode 28. A script can be referenced by ADD SERVICE and ADD WINDOW commands. ADD SCRIPT and ADD SERVICE/WINDOW may be performed in any order, although the sc
... area in the database. Please see section Overview of SSH Operation Modes for an explanation of the logical separation of those database entities that are related to outgoing connections (client mode entities) and the database entities that are related to incoming connections.

SSHCOM commands can be continued over multiple lines. When an ampersand (&) appears as the last character on a line, the command is continued with the first column of the next line. There is no limit on the number of lines over which a command may be continued, but commands are limited to 10240 characters. Prior to STN version B24 the limit was 1024 characters (note that SSHCOM and STNCOM have the same code base). If SSHCOM is prompting at a terminal for input, the prompt for continuation lines will be the current prompt prefixed by ampersand, ampersand, space (&& ). Continuations are allowed from terminals, IN files and OBEY files.

SSHCOM is started with a simple TACL command. After switching to the proper mode (see Overview of SSH Operation Modes in the chapter The SSH User Database), the HELP command will give you a brief overview of the supported commands. Note that the HELP command will result in a different output in the two modes. The following example shows the output in client mode:

    $QAHP.SSH.T0801ABK 3> run sshcom ssh01
    SSHCOM T0801H01_22JAN2014_ABK - 2014-01-24 14:18:49.958
    OPEN ssh01
    % mode client
    mode client
    OK, switched to client mode
... connections. The previous behavior can be activated by setting the new parameter INTERFACEOUT to the value 0.0.0.0.
  - The output of the SSHCOM command INFO KEY has changed: the brief information contains the life cycle state header (LIFE-CYCLE) instead of the LAST-MODIFIED field.

Version 3.7

Describes changes in SSH2 release 89. Documentation for the following new features has been added:
  - Descriptions for the SSH2 parameters ALLOWFROZENSYSTEMUSER, CLIENTMODEOWNERPOLICY and SUPPRESSCOMMENTINSSHVERSION have been added.
  - The description for parameter RECORDDELIMITER now lists the newly supported values CR and CRLF.
  - Added descriptions for the new SSH/SFTP client parameters SUPPRESSCLIENTBANNER, SSHERRORPREFIX, SSHINFOPREFIX and SSHQUERYPREFIX.
  - Added descriptions for the new SSH/SFTP client options -Z (corresponding to SUPPRESSCLIENTBANNER), -H (corresponding to SSHERRORPREFIX), -J (corresponding to SSHINFOPREFIX) and -K (corresponding to SSHQUERYPREFIX).
  - The description of the SSH2 database was enhanced.
  - Added description for the new parameter SFTPEXCLUSIONMODEREAD.
  - Added description of the new USER attribute ALLOW-MULTIPLE-REMOTE-HOSTS.
  - Added a section about the modified behavior if an OBJECTTYPE USER record exists in Safeguard.
  - Added a section listing all audit messages.
  - Added a section for the SSHCOM client mode commands RENAME KNOWNHOST and RENAME PASSWORD.

Changes in SSH2 release 89 that are incompatible with previous releases:

Previo
... exchange in accordance with the RFC 4462 standard (gss-gex-sha1-* key exchange algorithms).

Parameter Syntax
    GSSGEXKEX TRUE|FALSE

Arguments
    TRUE    GSSAPI kex with group exchange is enabled.
    FALSE   GSSAPI kex with group exchange is disabled.

Default
By default, GSSAPI key exchange with group exchange is disabled (FALSE).

Considerations
  - GSSGEXKEX is ignored if GSSAUTH is set to disabled or GSSKEX is set to FALSE (disabled).
  - Enabling GSSGEXKEX may cause problems with an SSH client if there is a faulty implementation of GSS key exchange with group exchange.

See also
  - GSSAUTH, GSSKEX, ALLOWEDAUTHENTICATIONS
  - Section Single Sign-on with GSSAPI Authentication

GSSKEX

Use this parameter to enable GSSAPI key exchange in accordance with RFC 4462.

Parameter Syntax
    GSSKEX TRUE|FALSE

Arguments
    TRUE    GSSAPI key exchange is enabled.
    FALSE   GSSAPI key exchange is disabled.

Default
By default, GSSAPI key exchange is enabled (TRUE).

Considerations
  - GSSKEX only takes effect if GSSAPI authentication is enabled; GSSKEX is ignored if GSSAUTH is set to disabled.

See also
  - GSSAUTH, GSSGEXKEX, ALLOWEDAUTHENTICATIONS
  - Section Single Sign-on with GSSAPI Authentication

GUARDIANATTRIBUTESEPARATOR

The value, which should consist of only one character, is used as an additional separator character between Guardian file
... <nn>: always responds with type 6 and subtype <nn>.

DYNAMIC_PRI <nnn>
    Specifies the default priority used for dynamic window applications when the SERVICE does not specify PRI, where <nnn> is the Guardian priority in the range 1-199. Default is 149.

DYN_CPU <cpu>[-<cpu>]
    Sets the default CPU for subsequent ADD SERVICE TYPE DYNAMIC. Default is DYN_CPU 0-15.

DYN_WIN_MAX <nnn>
    The existing DYN_WIN_MAX command is generally superseded by the features of GWN^TEMPLATE, introduced in T0801ABE, but it is still allowed. <nnn> is the maximum number of window names (including zero, 0). <nnn> must be in the range 100 to 100000; default is 100000. DYN_WIN_MAX may be used to reduce the number of windows allowed by GWN^TEMPLATE. For example,

        PARAM GWN^TEMPLATE Z0000
        STNCOM $STN
        DYN_WIN_MAX 250

    cycles from Z0000 to Z0249, then back to Z0000.

EXIT
    EXIT stops STNCOM. This is the normal method of terminating an STNCOM session; STN is not affected. There are several forms of the EXIT command:
      - EXIT
      - E
      - control-Y
      - eof on a disc or process IN file
    In an OBEY file, an eof returns to the previous OBEY file or IN file and does not terminate STNCOM.

FC
    FC provides a typical FC facility; see the Guardian TACL or EDIT documentation for a full description. Like the EDIT product's implementation, STNCOM allows FC to be combined with other com
... running under OSS to connect to a remote SSH daemon. It provides Secure Shell sessions as well as TCP and FTP port forwarding capabilities.

The SSH component implements a Secure Shell client running under Guardian to connect to a remote SSH daemon. It provides Secure Shell sessions as well as TCP and FTP port forwarding capabilities.

The SFTPSERV component is started by SSH2 for each SFTP client that connects to SSH2. The SFTPSERV component then handles the file I/O associated with the file transfers initiated by the SFTP client. Because SFTPSERV is started by the SSH2 component, configuration of SFTPSERV is implicit in the configuration of the SSH2 component.

The SFTPOSS component implements an SFTP client running under the OSS personality.

The SFTP component implements an SFTP client running under the Guardian personality.

The SSHCOM component allows the maintenance of the SSH user database. To do so, it communicates with the SSH2 component.

The PAUTH component is used by SSH2 for authenticating user passwords against the system user base.

The STN component is a pseudo-TTY server providing full-screen shell access to remote SSH clients.

The SCPOSS component is the scp server implementation. It is started on request of a remote scp client via shell command. The scp client on Guardian/OSS has not been added yet.

Architecture Overview

This section shows how the various components wor
... does not support the corresponding socket option TCP_MINRXMT, i.e. the default value must be used for parameter SOCKTCPMINRXMT if CIP is involved. See the document HP NonStop TCP/IPv6 Configuration and Management Manual for details.

Default
The default is 0.

SOCKTCPMAXRXMT

Use this parameter to control the maximum time for the TCP retransmission timeout. When this parameter is set to a non-zero value, the specified value is used on socket level.

Parameter Syntax
    SOCKTCPMAXRXMT <time>

Arguments
    time   A number representing the maximum time for the TCP retransmission timeout. A value of 0 means the maximum time for the TCP retransmission timeout configured in the TCP/IP monitor process is used.

Considerations
  - Normally the value configured on TCP/IP monitor process level (TCP MAX REXMIT TIMEOUT) should be sufficient, i.e. the default value should be used for parameter SOCKTCPMAXRXMT. See the document HP NonStop TCP/IPv6 Configuration and Management Manual for details.
  - The Cluster I/O Protocols (CIP) subsystem does not support the corresponding socket option TCP_MAXRXMT, i.e. the default value must be used for parameter SOCKTCPMAXRXMT if CIP is involved. See the document HP NonStop TCP/IPv6 Configuration and Management Manual for details.

Default
The default is 0.

SOCKTCPRXMTCNT

Use this parameter to control the maximum number of continuous retransmissions prior to dropping a TCP c
... is now generated: "$STN OUT parameter is not used, OUT <out> ignored", and STN startup continues normally.

STN uses the IN parameter to specify an edit (101) file. This file contains PARAM commands; other commands are ignored. Refer to the manual under GFTCOM OBJECT and GFTCOMX IN for further details. The IN parameter may be used with or without PARAM GFTCOM OBJECT.

  - When IN is not specified, it defaults to the home terminal and STN startup continues normally, without any IN processing.
  - If the IN parameter specifies $ZHOME, the following EMS event (zstn-ems-evt-misc-9) is now generated: "IN parameter must specify a edit (101) file or be omitted, IN $ZHOME is ignored", and STN startup continues normally.
  - If the IN parameter specifies something other than a disc file or $ZHOME, the following EMS event (zstn-ems-evt-misc-9) is now generated: "IN file <in> is not a disc file, startup terminated", and STN terminates abnormally.
  - If the IN parameter specifies a disc file that is not an edit (101) file, the following EMS event (zstn-ems-evt-misc-9) is now generated: "IN file <in> is not a edit (101) file, startup terminated", and STN terminates abnormally.

STN does not use any parameters on the RUN command (including the backup cpu number) in the manner used by other products. The STN backup cpu must be specified by either PARAM BACKUPCPU or the STNCOM command BACKUPCPU.

    6> run stncom
    Use stncom
... acknowledgement from the other endpoint, as configured in the TCP/IP monitor process, is used.

Considerations
  - Normally the value configured on TCP/IP monitor process level should be sufficient, i.e. the default value should be used for parameter SOCKTCPTOTRXMTVAL. See the document HP NonStop TCP/IPv6 Configuration and Management Manual for details.
  - The Cluster I/O Protocols (CIP) subsystem does not support the corresponding socket option TCP_TOTRXMTVAL, i.e. the default value must be used for parameter SOCKTCPTOTRXMTVAL if CIP is involved. See the document HP NonStop TCP/IPv6 Configuration and Management Manual for details.

Default
The default is 0.

SSHAUTOKEXBYTES

Use this parameter to control the frequency of automatic key re-exchange in SSH sessions, based on the volume of data transferred.

Parameter Syntax
    SSHAUTOKEXBYTES <bytes>

Arguments
    bytes   The number of bytes after which a key re-exchange should be initiated. A value of 0 disables key re-exchange based on data volume.

Default
The default is 1073741824 (1 GB). This is the value recommended in RFC 4253.

See also
    SSHAUTOKEXTIME

SSHAUTOKEXTIME

Use this parameter to control the frequency of automatic key re-exchange in SSH sessions, based on elapsed time.

Parameter Syntax
    SSHAUTOKEXTIME <seconds>

Arguments
    seconds   Specifies the interval between key re-exchanges in seconds. A value of 0 disables key re-exchange based on time interval.

The two limits are independent: a re-exchange is triggered by whichever is reached first. RFC 4253 recommends rekeying after one hour as well as after 1 GB of data, so a long-lived, low-traffic tunnel still gets fresh keys. If both parameters are set to 0, SSH2 itself never initiates a re-exchange and the session keeps its initial keys unless the peer asks for a re-exchange.
... in response to the menu, but the specified service was stopped by the STNCOM STOP/ABORT SERVICE command.

STN13 No Static Window available for this Service
    User entered a service name in response to the menu, but the specified static service either has no windows configured, or all configured windows are in use or STOPPED.

STN14 Connected to Static Window <window>
    User entered a service name in response to the menu and the session was successfully connected to <window>, which was configured for the requested static service.

STN15 The Dynamic Service selected requires a userid and password
STN15 Enter group.user:
    For services with LOGON REQ: enter the Guardian userid or alias, without the password.

STN16 Enter password:
    This prompt follows the response to STN15.

STN17 Input error, proper syntax is group.user
    Improper response to the STN15 prompt.

STN18 Unknown userid or incorrect password, please wait
    This follows the response to the STN16 prompt. After a delay (to discourage hackers and automated logon attacks) the STN15 prompt is repeated. After three consecutive STN18 logon failures, the session is terminated.

STN19 Add Window failed for Dynamic Service
    User entered a dynamic service name in response to the menu, but a new dynamic window could not be added, usually due to a resource shortage. Notify Support.

STN20 Starting Dynamic Service application
    STN is starting the
451. nsole. AUDITEMS determines whether audit messages are written to EMS. AUDITFILE determines whether audit messages are written to a file. AUDITFORMATCONSOLE controls the format of the audit messages that are written to the console. AUDITFORMATEMS controls the format of the audit messages that are written to EMS. AUDITFORMATFILE controls the format of the audit messages that are written to a file. LOGCACHEDUMPONABORT determines whether the internal log cache is written to the log file if the process aborts. LOGCACHESIZE determines the size of the internal log cache. LOGCONSOLE determines whether log messages are written to a console. LOGEMS determines whether log messages are written to EMS. LOGFILE determines whether log messages are written to a file. LOGFORMATCONSOLE controls the format of the log messages that are written to the console. LOGFORMATFILE controls the format of the log messages that are written to a file. LOGFORMATEMS controls the format of the log messages that are written to EMS. LOGLEVELCACHE determines whether log messages are written to the internal log cache. LOGLEVELCONSOLE determines which messages will be written to the console. LOGLEVELFILE determines which messages will be written to the log file. LOGLEVELEMS determines which messages will be written to EMS. Please see the chapter Monitoring and Auditing, section Destinations for Log Messages, for a description of those parameters. The following screenshot
452. nstances sharing that port, as in the following example: ADD DEFINE =PTCPIP^FILTER^KEY, CLASS MAP, FILE A1234. If the parameter is set via PARAM and a comma-separated list is defined, then the list must be enclosed in double quotes. See also INTERFACE, INTERFACEOUT. SUPPRESSCOMMENTINSSHVERSION: Use this parameter to suppress the comments field in the SSH protocol version string exchanged between SSH server and SSH client. The format of the SSH protocol version string is defined in RFC 4253 (SSH-protoversion-softwareversion SP comments CR LF); the comments field is optional. Parameter Syntax: SUPPRESSCOMMENTINSSHVERSION TRUE | FALSE. Arguments: TRUE | FALSE specifies whether the comment part of the SSH protocol version string is suppressed: TRUE, the comment part will be suppressed; FALSE, the comment part will not be suppressed. Default: If omitted, the SSH2 process includes the comment part as in previous releases, i.e. the default value is FALSE. Considerations: RFC 4253 requires that the client and server protocol version strings are exchanged in clear text. This can give away information about implementation details, which might be seen as a vulnerability. This parameter can suppress only the optional part of the version string; the mandatory software version identifier remains visible to every peer and scanner, so the parameter reduces disclosure but does not hide the implementation. On the other hand, the comments part may indicate specific capabilities of an implementation, i.e. it can be helpful information for the remote system. TCPIPHOSTFILE: Use this parameter as an alternative to setting a DEFINE =TCPIP^HOST
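To make concrete what SUPPRESSCOMMENTINSSHVERSION does and does not hide, the following added example (not product code from the manual) builds and parses RFC 4253 identification strings. It uses a constructed software version string in the style of the client banner shown elsewhere in this manual; the pre-banner handling follows the RFC's rule that a client ignores lines before the first one starting with "SSH-".

```python
"""RFC 4253 section 4.2 identification string: build and parse.

Added example, not comForte/HP product code.  Shows what the mandatory part
of the string reveals to any peer and what SUPPRESSCOMMENTINSSHVERSION can
remove: only the optional comments field after the first space.
"""
import re
from typing import Dict, List, Optional

MAX_IDENT_LEN = 255  # bytes, including the terminating CR LF

# softwareversion: printable US-ASCII without whitespace and without '-'
_SW_RE = r"[\x21-\x2c\x2e-\x7e]+"
_IDENT_RE = re.compile(
    r"^SSH-(?P<proto>[0-9.]+)-(?P<sw>" + _SW_RE + r")(?: (?P<comments>[\x20-\x7e]*))?$"
)


def build_identification(software_version: str, comments: Optional[str] = None,
                         suppress_comments: bool = False) -> bytes:
    """Identification line a server or client sends, terminated by CR LF.

    suppress_comments=True models SUPPRESSCOMMENTINSSHVERSION TRUE: the
    optional comments field is dropped, the mandatory softwareversion is not.
    """
    if not re.fullmatch(_SW_RE, software_version):
        raise ValueError("softwareversion must be printable ASCII, no space, no '-'")
    if comments is not None and not re.fullmatch(r"[\x20-\x7e]*", comments):
        raise ValueError("comments must be printable ASCII without CR/LF")
    line = "SSH-2.0-" + software_version
    if comments and not suppress_comments:
        line += " " + comments
    data = (line + "\r\n").encode("ascii")
    if len(data) > MAX_IDENT_LEN:
        raise ValueError("identification string longer than 255 bytes")
    return data


def parse_identification(stream: bytes) -> Dict[str, object]:
    """Parse what a client receives from a server.

    RFC 4253 lets a server send arbitrary lines before the identification
    string (for example a banner); a client must ignore them and take the
    first line starting with 'SSH-'.  Returns proto, sw, comments (None when
    absent or suppressed) and the ignored pre-banner lines.
    """
    ignored: List[str] = []
    for raw in stream.split(b"\n"):
        line = raw.rstrip(b"\r").decode("ascii", errors="replace")
        if not line.startswith("SSH-"):
            ignored.append(line)
            continue
        m = _IDENT_RE.match(line)
        if m is None:
            raise ValueError("malformed identification string: %r" % line)
        return {"proto": m.group("proto"), "sw": m.group("sw"),
                "comments": m.group("comments"), "pre_banner": ignored}
    raise ValueError("no identification string received")


def visible_fields(stream: bytes) -> List[str]:
    """Field names a passive observer or scanner can read in clear text."""
    ident = parse_identification(stream)
    return [k for k in ("proto", "sw", "comments") if ident[k] is not None]


if __name__ == "__main__":
    # constructed values; the software version mimics the client banner format
    sw = "T9999H06_22Jan2014_comForte_SSH_0097"
    full = build_identification(sw, "HP NonStop")
    trimmed = build_identification(sw, "HP NonStop", suppress_comments=True)
    print(full, visible_fields(full))        # comments visible
    print(trimmed, visible_fields(trimmed))  # proto and sw still visible
```

The point the parser makes is that even with the comment suppressed, `sw` (the product and release identifier) is still readable by anyone on the path, so the parameter limits information leakage but is not a substitute for keeping the SSH2 release current.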
453. nt Command Reference. Note: The SSH protocol is a complex protocol with many features. This Reference Manual only provides an overview of some features; for detailed information beyond this manual please refer to publications such as SSH, the Secure Shell, 2nd Edition, by Daniel J. Barrett, Robert G. Byrnes and Richard E. Silverman (O'Reilly). The SSH OSS Client is used for the following purposes: Start an SSH shell to control a remote system. A shell is an encrypted communication channel between two untrusted hosts over an insecure network which allows the client to control the server, similar to TACL/TELNET in the NonStop environment. Execute a command on the remote system. Start a port forwarding daemon process. Port forwarding is a way to tunnel unencrypted protocols over an SSH session so that they become encrypted. Command Line Reference: The SSH client allows you to specify some parameters on the command line. Starting the client without any parameters prints a syntax summary:
$US.SSH89 4> run ssh
SSH client version T9999H06_22Jan2014_comForte_SSH_0097
Usage: ssh [options] [user@]host [command]
Options: user, log in using this user name; allocate a tty even if a command is given; do not allocate a tty; display version number only; suppress SSH client banner; quiet, do not display any warning messages; string, set prefix used for error messages (default: no prefix); string, set prefix used for info/warning mess
454. nt KNOWNHOST using SSHCOM as follows: ALTER KNOWNHOST <keyname>, PUBLICKEY; or b) using SSHCOM, delete the existing KNOWNHOST entry as follows: DELETE KNOWNHOST <keyname>. After reconnecting the client, a WARNING: REMOTE HOST IDENTIFICATION UNKNOWN will be issued and a new KNOWNHOST entry for the remote host's new public key is automatically added to the SSHCTL. If the SSH2 parameter STRICTHOSTKEYCHECKING is TRUE then you need to thaw the newly added KNOWNHOST entry to establish a connection: THAW KNOWNHOST <hostname>. Before thawing, confirm the new key's fingerprint out of band with the administrator of the remote system; an unexpectedly changed host key is exactly what a man-in-the-middle attack looks like. Couldn't read packet: <error detail> / Couldn't write packet: <error detail>. <error detail> describes the error condition. Cause: The client failed to receive/send a packet from/to the SSH2 SFTP channel. Typical causes are that the remote SSH server has terminated the SSH session or the SFTP channel. Effect: The client process terminates. Any ongoing file transfer will be aborted. Recovery: Any corrective action depends on <error detail>. Appendix: Event Summary. The tables below list log messages with log level, log text and a short description of the variable parts used in the event text. Event Category ERROR: LOG LEVEL | EVENT TEXT | Description of Variable Parts. 10 | failed to import name, major status <uint1> <uint2> <uint3> <
455. nt Reference. sftp> help
Available commands:
ap local-path remote-path: upload local file and append to remote file
append local-path remote-path: upload local file and append to remote file
ascii dos|unix|mac: change transfer mode to ascii and optionally change the remote newline convention
aslinemode cut|wrap|none: cut, wrap or do nothing to long ascii lines
binary: change the transfer mode to binary
cd path: change remote directory to path
chgrp grp path: change group of file path to grp
chmod mode path: change permissions of file path to mode
chown own path: change owner of file path to own
delete path: delete remote file
exit: quit sftp
fc <num>|<string>: fix command number <num> or the command containing <string>
get remote-path local-path: download remote file
help: display this help text
h <cnt>: display historic commands (all or <cnt> commands)
history <cnt>: display historic commands (all or <cnt> commands)
lap remote-path local-path: download remote file and append to local file
lappend remote-path local-path: download remote file and append to local file
lcd path: change local directory to path
lls ls-options path: display local directory listing
lmkdir path: create local directory
ln oldpath newpath: symlink remote file
lpwd: print local working directory
ls path: display remote directory listing
lumask umask: set local umask to umask
mkdir path: cre
456. nt SSO access. Explicit Authorization: Explicit authorization involves defining an access control list containing the specific Kerberos principals authorized to access an account. The access control list is defined using the SSHCOM USER attribute PRINCIPAL. For example, if the NonStop host is configured as NonStop.COMPANY.COM, the user JohnSmith@COMPANY.COM can be explicitly authorized to log on as SUPER.OPERATOR as follows: ALTER USER SUPER.OPERATOR, PRINCIPAL JohnSmith@COMPANY.COM / OK, user SUPER.OPERATOR altered. Note: You can authorize multiple Kerberos principals to log on as a specific NonStop user by specifying multiple PRINCIPAL attributes in one or more ALTER USER commands. HP does not currently offer a Kerberos solution, but such a solution can be purchased from an HP NonStop partner and applied to your system. Restricting Incoming and Outgoing Connections: Port forwarding on a global level is determined by the SSH2 parameter ALLOWTCPFORWARDING. The user attribute ALLOW TCP FORWARDING is used to grant or deny port forwarding on a user level. Sometimes a finer granularity is needed to restrict forwarding to specific hosts. The RESTRICTION PROFILE objects and the user attribute ALLOW GATEWAY PORTS can be used to configure forwarding restrictions with more granularity. Rejecting Gateway Ports: If a user specifies the -g SSH2 option when initiating a port forwarding request, the listening on the local port will not occur on th
457. ntifier, independent of whether the logon name is an alias or a Guardian user. Entries are read using the Guardian user ID only. This means that a Guardian user can add, read and manipulate entries for associated alias users and vice versa. The assumption is that the same person uses the aliases of a Guardian user identifier and the Guardian user identifier itself. This was the default before this enhancement was introduced in release 89, and therefore the value GUARDIANNAME needs to be used if the client mode policy of previous releases should be kept. BOTH: The default owner is the login name, but a Guardian user can add or manipulate entries stored under an alias or a Guardian user identifier. Entries are read for both the login name and the Guardian user in case these are different: entries of the alias are read first, then entries of the Guardian ID. The value BOTH is only recommended if a Guardian user and all aliases configured for this Guardian user are solely used by one person and client mode records are to be stored under the Guardian user identifier as well as under alias names. Example: Assume an alias entry is present but not an entry for the associated Guardian ID, and the user is logged on as the alias. With client mode owner policy set to LOGINNAME, privileges to read or alter the entry would be granted; for GUARDIANNAME they would not be granted, because a matching entry is not found; and for BOTH they would be granted. If the Guardian entry is present but not th
458. nual. PARTIALSSHCOMACCESSGROUP<n>: This parameter set allows granting limited administrative SSHCOM command privileges to users that have the configured group as PRIMARY-GROUP in the Safeguard USER configuration. Admin groups with limited SSHCOM access are defined via the parameter set PARTIALSSHCOMACCESSGROUP<n>, where <n> is a number between 1 and 99. Limited administrative SSHCOM access includes viewing and altering USER records, i.e. execution of the daemon mode commands INFO USER and ALTER USER. All USER attributes can be modified except the most critical ones, ALLOWED AUTHENTICATIONS and SYSTEM USER; these fields can only be modified by users with full SSHCOM access. Additional restrictions apply depending on the setting of parameter LIFECYCLEPOLICYPUBLICUSERKEY: users with partial SSHCOM access can specify the LIVE DATE and EXPIRE DATE when adding or altering a user's public key only if LIFECYCLEPOLICYPUBLICUSERKEY is set to VARIABLE. Parameter Syntax: PARTIALSSHCOMACCESSGROUP<n> <group>. Arguments: <group> is a Guardian group name. All members of the group will have partial SSHCOM access. Default: By default none of the parameters is set, i.e. only users with full SSHCOM access can execute privileged commands. Example: PARTIALSSHCOMACCESSGROUP1 admin / PARTIALSSHCOMACCESSGROUP2 super. Considerations: Some of the privileged commands in SSHCOM are critical to the security of the system. The
459. number between 0 and 100 and is shown immediately after the timestamp. A lower number means a higher importance of the message. The parameters LOGLEVELFILE, LOGLEVELCONSOLE and LOGLEVELEMS control which messages are generated for the various log destinations (also see the next section): only log messages whose level is less than or equal to the level configured for the target will be generated, so raising the configured level makes logging more verbose. The log level configuration should be chosen as follows: 50 (default), log normal operation; 30, only log startup messages and warnings; 70, detailed diagnostic messages, should only be set if the additional verbosity is really required; 100, very detailed diagnostic messages, not recommended for production environments as it creates significant overhead. Destinations for Log Messages: The SSH2 component can log to the following destinations: a file, configured with the LOGFILE parameter; a process-internal memory cache for log messages (parameters LOGLEVELCACHE, LOGCACHESIZE); a device configured with the LOGCONSOLE parameter; an event collector process configured with the LOGEMS parameter. By default the SSH2 component logs messages only to the home terminal. Logging to a file or EMS is not enabled by default. It is possible to log to multiple destinations. Which combination is best will depend on your operational environment. The following shows some exam
460. ny Windows specific code (or a derivative thereof) from the apps directory (application code) you must include an acknowledgement: "This product includes software written by Tim Hudson (tjh@cryptsoft.com)". THIS SOFTWARE IS PROVIDED BY ERIC YOUNG "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. The licence and distribution terms for any publically available version or derivative of this code cannot be changed, i.e. this code cannot simply be copied and put under another distribution licence (including the GNU Public Licence). OpenSSH Copyright Statement: This file is part of the OpenSSH software. The licences which components of this software fall under are as follows. First, we will summarize and say that all components are under a BSD licence, or a licence more free than that. OpenSSH contains no GPL code. 1) Copyrigh
461. o a remote SSH server. Parameter Syntax: SFTPUPSHIFTGUARDIANFILENAMES TRUE | FALSE. Arguments: TRUE | FALSE specifies whether the remote target file names are upshifted when Guardian files are transferred using the mput command: TRUE, target file names will be upshifted; FALSE, target file names will be downshifted. Default: If omitted, SSH2 will use the value FALSE. The resulting behavior is the same as before this parameter was added. Example: SFTPUPSHIFTGUARDIANFILENAMES TRUE. Considerations: If the parameter is used as an SSH2 parameter with value TRUE, then all Guardian file names displayed by the ls command appear in upper case. The SSH2 parameter is relevant for incoming connections. For outgoing connections the parameter must be set as a PARAM for SFTP and as an environment variable for SFTPOSS. If the value is set to TRUE, the file template in the mput command specifying the local files to be transferred must consist of upper case characters; otherwise an error "file not found" will be returned. SHELLENVIRONMENT: Sets the default value for the USER attribute SHELL ENVIRONMENT, used when the USER attribute is not configured. The configured script is executed for non-login shells and is important to prepare the shell environment (e.g. the PATH variable) for non-login shells, which use a different shell initialization than login shells. Parameter Syntax: SHELLENVIRONMENT sh
462. o all code found in this distribution, be it the RC4, RSA, lhash, DES, etc., code; not just the SSL code. The SSL documentation included with this distribution is covered by the same copyright terms except that the holder is Tim Hudson (tjh@cryptsoft.com). Copyright remains Eric Young's, and as such any Copyright notices in the code are not to be removed. If this package is used in a product, Eric Young should be given attribution as the author of the parts of the library used. This can be in the form of a textual message at program startup or in documentation (online or textual) provided with the package. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: Redistributions of source code must retain the copyright notice, this list of conditions and the following disclaimer. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. All advertising materials mentioning features or use of this software must display the following acknowledgement: "This product includes cryptographic software written by Eric Young (eay@cryptsoft.com)". The word 'cryptographic' can be left out if the routines from the library being used are not cryptographic related. If you include a
463. o restrict outgoing access via the RESTRICTION PROFILE attribute CONNECT TO. The CONNECT TO attribute defines a list of host:port combinations that a user is allowed to reach via a specific SSH2 instance. No pattern matching is allowed, but several hosts can be defined and several ports can be specified per host. If the user attribute RESTRICTION PROFILE is defined and the CONNECT TO attribute of the restriction profile is set, the SSH2 process limits access to the configured host:port combinations only when starting an outgoing connection for that user. Restricting Local Ports used for Port Forwarding: In an environment in which some users should not be allowed to listen on arbitrary unused local ports for forwarding purposes, a list of allowed 0.0.0.0:port and 127.0.0.1:port combinations can be defined. The RESTRICTION PROFILE attribute PERMIT LISTEN holds this list. For remote clients, the user specified in the incoming SSH request is checked against SSHCTL. This forwarding listen port restriction is applied if the attribute RESTRICTION PROFILE of the user record is set and the PERMIT LISTEN attribute of the corresponding restriction profile record is configured. Restricting Remote Hosts/Ports for Port Forwarding: If a user should not be permitted to open a tunnel to any host:port for forwarding purposes, administrators can configure specific host:port combinations for specific us
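The layered forwarding controls described here and in the earlier section on restricting incoming and outgoing connections (global ALLOWTCPFORWARDING, user ALLOW TCP FORWARDING and ALLOW GATEWAY PORTS, and the RESTRICTION PROFILE attributes PERMIT LISTEN and CONNECT TO) are easiest to reason about as one decision function. The following is an added example, not the product's own code: it models those checks for a local (-L style) forward request. The order in which the checks are applied, the exact-match-after-lowercasing host comparison, and the user and host values in the test are assumptions made for the illustration, not documented behaviour.

```python
"""Port-forwarding authorization modelled on SSH2 restriction profiles.

Added example, not product code.  Models the documented checks as a
decision function; check order and case-insensitive host matching are
assumptions for this illustration.
"""
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple

HostPort = Tuple[str, int]


def parse_host_port(spec: str) -> HostPort:
    """'host:port' -> (host, port).  No wildcards: exact values only."""
    host, sep, port = spec.rpartition(":")
    if not sep or not host or not port.isdigit() or not 0 < int(port) < 65536:
        raise ValueError("expected host:port, got %r" % spec)
    return host.lower(), int(port)


@dataclass(frozen=True)
class RestrictionProfile:
    # CONNECT TO: host:port pairs an outgoing forward may reach; empty = not configured
    connect_to: FrozenSet[HostPort] = frozenset()
    # PERMIT LISTEN: (0.0.0.0 | 127.0.0.1, port) pairs a forward may listen on; empty = not configured
    permit_listen: FrozenSet[HostPort] = frozenset()


@dataclass(frozen=True)
class UserRecord:
    name: str
    allow_tcp_forwarding: bool = True      # user attribute ALLOW TCP FORWARDING
    allow_gateway_ports: bool = False      # user attribute ALLOW GATEWAY PORTS
    restriction_profile: Optional[RestrictionProfile] = None


def evaluate_local_forward(global_allow_tcp_forwarding: bool, user: UserRecord,
                           listen_port: int, target: str,
                           gateway: bool = False) -> Tuple[bool, str]:
    """Decide a -L style request: listen on listen_port, connect to target.

    gateway=True corresponds to the -g option: the listener binds to
    0.0.0.0 instead of 127.0.0.1 and therefore needs ALLOW GATEWAY PORTS.
    """
    if not global_allow_tcp_forwarding:
        return False, "ALLOWTCPFORWARDING FALSE on this SSH2 instance"
    if not user.allow_tcp_forwarding:
        return False, "ALLOW TCP FORWARDING FALSE for user %s" % user.name
    if gateway and not user.allow_gateway_ports:
        return False, "-g requested but ALLOW GATEWAY PORTS FALSE for user %s" % user.name
    listen = ("0.0.0.0" if gateway else "127.0.0.1", listen_port)
    profile = user.restriction_profile
    if profile is not None:
        if profile.permit_listen and listen not in profile.permit_listen:
            return False, "listen on %s:%d not in PERMIT LISTEN" % listen
        if profile.connect_to and parse_host_port(target) not in profile.connect_to:
            return False, "target %s not in CONNECT TO" % target
    return True, "allowed"


def profile_from_strings(connect_to=(), permit_listen=()) -> RestrictionProfile:
    """Build a profile from 'host:port' strings as an administrator would enter them."""
    return RestrictionProfile(
        connect_to=frozenset(parse_host_port(s) for s in connect_to),
        permit_listen=frozenset(parse_host_port(s) for s in permit_listen),
    )


if __name__ == "__main__":
    # constructed configuration for a user allowed to reach one FTP/SSH host only
    prof = profile_from_strings(connect_to=["10.0.0.198:21", "10.0.0.198:22"],
                                permit_listen=["127.0.0.1:2121"])
    user = UserRecord("comf.tb", restriction_profile=prof)
    print(evaluate_local_forward(True, user, 2121, "10.0.0.198:21"))
    print(evaluate_local_forward(True, user, 2121, "10.0.0.198:23"))
    print(evaluate_local_forward(True, user, 2121, "10.0.0.198:21", gateway=True))
```

Note how a user without a RESTRICTION PROFILE is limited only by the boolean attributes: if you want to restrict where tunnels go, the profile must actually be attached to the user record, since an unset profile means no host or listen-port filtering at all.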
464. o terminal | <str1> Session Name
50 | <str1>: sending subsystem request for subsystem sftp | <str1> Session Name
50 | <str1>: sending shell request | <str1> Session Name
50 | <str1>: sending exec request for command <str2> | <str1> Session Name; <str2> EXEC request command
50 | <str1>: remote process terminated with exit code <int1> | <str1> Session Name; <int1> Exit status
50 | <str1>: channel request ok | <str1> Session Name
50 | <str1>: server version string <str2> | <str1> Session Name; <str2> SSH server software version
50 | <str1>: session disconnected by server: <str2> | <str1> Session Name; <str2> Reason for disconnect
10 | DEFINE =TCPIP^PROCESS^NAME has value <str1> | <str1> TCP/IP process name define
10 | parameter SUBNET will be ignored and the define value will be used | (no variable parts)
50 | <str1>: spawned program <str2> successfully, pid <int1> | <str1> Session Name; <str2> Program name of spawned process; <int1> Process id of spawned process
50 | <str1>: spawned program <str2> terminated with exit code <int1> | <str1> Session Name; <str2> Program name of spawned process; <int1> Completion code of spa
465. ocessing the SSH2 process executes regarding name resolving during startup. Without explicit settings the TCP/IP stack uses DNS for name resolving. This causes long delays if name resolving is incorrectly configured. If a name resolving test at startup takes too long, the SSH2 process assumes that name resolving is not correctly configured and the define =TCPIP^HOST^FILE is set to the default value. A warning is logged in this case. Disabling incorrectly configured DNS resolving: A new define =SSH2^PROCESS^NAME will be created and propagated. It contains the name of the SSH2 process which started the TACL or shell process. The SSH client objects SSH, SSHOSS, SFTP and SFTPOSS make use of this define to look up the SSH2 server process before the CPU-dependent lookup using SSH2PREFIX is tried. Those SSH clients running within a shell started by an SSH2 server process no longer require specifying the SSH2 server process via the -S flag. Defines may have unwanted influence on the processing of started processes, e.g. if a TCP/IP application is started that needs to use different DEFINE settings. If defines should not be forwarded to processes started by the SSH2 process, then parameter PROPAGATEDEFINES can be set to FALSE and the forwarding of defines will be suppressed (the default is TRUE). The define =_DEFAULTS is always propagated to new processes, independent of the setting
466. of stored password <str2> for local system user <str3> failed, password is frozen | <str1> Session Name; <str2> Name of password record stored in SSH2 database; <str3> Owner of password record
20 | <str1>: could not add or update stored password <str2> for local system user <str3>: <str4> | <str1> Session Name; <str2> Name of password record stored in SSH2 database; <str3> Owner of password record; <str4> Exception text
20 | <str1>: Unexpected WRITEREAD from SSH client | <str1> Session Name
20 | <str1>: Unexpected READ from SSH client | <str1> Session Name
20 | <str1>: Unexpected WRITE from SSH client | <str1> Session Name
20 | <str1>: cannot forward data because remote side has closed the channel, ignoring data | <str1> Session Name
20 | <str1>: client access to known host <str2> denied, known host entry known by local system user <str3> is frozen | <str1> Session Name; <str2> Known host; <str3> Owner of known host entry
20 | <str1>: client access to known host <str2> known by local system user <str3> denied, public remote host key received is different to stored one | <str1> Session Name; <str2> Known host; <str3> Owner of known host entry
20 | <str1>: client access to unknown host at <str2>, prompting local system user <str3> to continu
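The level-20 events in this table (a host key that differs from the stored one, a frozen known-host entry, a frozen stored password, a prompt for an unknown host) are the ones a security operations team should alert on, and the log level rules from the Monitoring and Auditing chapter decide whether they reach a given destination at all. The following added example, not product code, applies both: it parses constructed SSH2-style log lines, routes each event to the destinations whose LOGLEVELxxx admits it, and flags the security-relevant texts. The line layout used (date, time, process name, level, text) is an assumption for the sample; the real layout depends on the LOGFORMAT bit masks configured, and the sample lines are constructed, not captured from a system.

```python
"""Log-level routing and detection over SSH2-style log lines.

Added example, not product code.  Line layout (date, time, process, level,
text) is assumed for the sample; the event texts follow the Event Summary
tables, and the lines are constructed rather than captured.
"""
import re
from typing import Dict, List, NamedTuple, Tuple

SAMPLE_LOG = """\
2014-01-22 10:15:32.101 $SSH00 50 SESSION-1: channel request for shell, connecting to PTYSERVER $ZPTY #ZWN0001
2014-01-22 10:15:40.220 $SSH00 20 SESSION-2: client access to known host nonstop2 known by local system user COMF.TB denied, public remote host key received is different to stored one
2014-01-22 10:15:41.005 $SSH00 20 SESSION-3: client access to unknown host at 10.0.0.199, prompting local system user COMF.TB to continue
2014-01-22 10:15:45.330 $SSH00 20 SESSION-4: authentication with stored password PW1 for local system user COMF.TB failed, password is frozen
2014-01-22 10:15:50.000 $SSH00 70 SESSION-1: sending shell request
"""

_LINE_RE = re.compile(r"^\S+ \S+ (?P<proc>\S+) (?P<level>\d+) (?P<text>.*)$")


class Event(NamedTuple):
    level: int
    process: str
    text: str


def parse_log(text: str) -> List[Event]:
    """Parse the assumed layout; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = _LINE_RE.match(line)
        if m:
            events.append(Event(int(m.group("level")), m.group("proc"), m.group("text")))
    return events


def is_emitted(message_level: int, configured_level: int) -> bool:
    """Lower numbers are more important: a destination configured with
    LOGLEVELxxx N receives every message whose level is N or lower."""
    return message_level <= configured_level


def route(event: Event, destination_levels: Dict[str, int]) -> List[str]:
    """Destinations (e.g. console, file, ems) that will see this event."""
    return [dest for dest, lvl in destination_levels.items() if is_emitted(event.level, lvl)]


# Level-20 texts worth an alert: host key changes and frozen credentials.
DETECTORS = {
    "hostkey_mismatch": re.compile(r"public remote host key received is different to stored one"),
    "unknown_host_prompt": re.compile(r"client access to unknown host at \S+"),
    "frozen_known_host": re.compile(r"known host entry .* is frozen"),
    "frozen_password": re.compile(r"password is frozen"),
}


def findings(events: List[Event]) -> List[Tuple[str, str]]:
    """(detector name, session name) for each event matching a detector."""
    out = []
    for ev in events:
        session = ev.text.split(":", 1)[0]
        for name, rx in DETECTORS.items():
            if rx.search(ev.text):
                out.append((name, session))
    return out


if __name__ == "__main__":
    levels = {"console": 50, "file": 70, "ems": 30}   # constructed LOGLEVEL settings
    for ev in parse_log(SAMPLE_LOG):
        print(ev.level, route(ev, levels), ev.text[:60])
    print(findings(parse_log(SAMPLE_LOG)))
```

With LOGLEVELEMS set to 30, the level-20 host key and frozen-credential events reach EMS while routine level-50 session traffic does not, which is the split a practitioner usually wants: alerts in EMS, full detail in the log file.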
467. om over to under, this event is generated. This event also occurs one minute after startup time. EFFECT: If pool usage is UNDER, some sessions may terminate. RECOVERY: Use the POOL command to monitor pool usage. Increase PARAM POOL_SIZE and restart STN when convenient. ZSTN-EVT-TH-OPEN-ERR (value 1034): <1> Open TH <2> error <3>. <2> Terminal Handler process name; <3> Guardian open file error code. CAUSE: I/O error opening the OSS Terminal Helper (ZTTnn) process. EFFECT: The affected terminal session may hang. RECOVERY: None, recovery is automatic. If other symptoms are noted, such as hanging sessions, include this EMS event when reporting the problem. ZSTN-EVT-TH-WRITEREAD-ERR (value 1035): <1> Writeread TH <2> error <3>. <2> Terminal Handler process name; <3> Guardian writeread file error code. CAUSE: I/O error writing to the OSS Terminal Helper (ZTTnn) process. EFFECT: The affected terminal session may hang. RECOVERY: None, recovery is automatic. If other symptoms are noted, such as hanging sessions, include this EMS event when reporting the problem. ZSTN-EVT-GWN-FILE-ERR (value 1058): <1> GWN File <2> error <3> on <4>. <2> GWN file name; <3> Guardian file error code; <4> File operation where the error occurred. CAUSE: An erro
468. on <str1>: channel request for subsystem <str2>, launching <str3> | <str1> Session Name; <str2> Subsystem name; <str3> Program
50 | <str1>: channel request for 6530 shell, connecting to <str2> | <str1> Session Name; <str2> Program
50 | <str1>: channel request for 6530 shell, launching <str2> | <str1> Session Name; <str2> Program
50 | <str1>: channel request for 6530 shell, connecting to PTYSERVER <str2> <str3> | <str1> Session Name; <str2> Pseudo terminal server; <str3> Service name
50 | <str1>: channel request for shell, connecting to <str2> | <str1> Session Name; <str2> Shell program
50 | <str1>: channel exec request, launching <str2> -c <str3> | <str1> Session Name; <str2> Shell program; <str3> Command to execute
50 | <str1>: channel shell request, launching <str2> | <str1> Session Name; <str2> Command to execute
50 | <str1>: channel request for shell, connecting to PTYSERVER <str2> <str3> | <str1> Session Name; <str2> Pseudo terminal server; <str3> Service name
50 | <str1>: Allocated PTY <str2>, authentication dummy pty <str3> | <str1> Session Name; <str2> Pseudo termina
469. on is required, make the backup CPU available or use the STNCOM command BACKUPCPU to select another backup CPU. ZSTN-EVT-MISC (value 9): <1> <2>. <2> Text. There are several variations of this event; currently only one is listed: "STN requires SAFECOM ADD DISKFILE <file name>, PRIV-LOGON ON, but it is <error text>". <file name> is the STN object file name; <error text> can be "Safeguard not running", "Not configured (DISKFILE record not found)" or "DISKFILE PRIV-LOGON OFF". CAUSE: STN object not properly configured under Safeguard. EFFECT: STN cannot start dynamic service applications when SERVICE USER or LOGON is used. RECOVERY: Start Safeguard, then perform the following SAFECOM command for the STN object file: ADD DISKFILE <stn object filename>, PRIV-LOGON ON. This command can be performed while STN is running and takes effect immediately. ZSTN-EVT-CHECKALLOC (value 10): <1> Checkallocatesegment err <2>. <2> error code. CAUSE: STN could not allocate its internal buffer pool in the backup process due to an error condition. EFFECT: STN runs without a backup; STN will automatically restart the backup process. RECOVERY: If backup operation is required, use the STNCOM command BACKUPCPU to select another backup CPU. ZSTN-EVT-BACKUP-LOOP (value 11): <1> Backup creation loop, BACKUPCPU NONE assumed.
470. one of the IP addresses or IP address ranges in the specified IPRANGE. If the address matches, the session is allowed to proceed. If the address does not match, or the IPRANGE is not defined, the session is terminated ten seconds after displaying the following message on the remote workstation: STN51 Workstation IP address not in range for requested service. Note that ADD SERVICE can be done before ADD IPRANGE; however, any attempt to connect to the service will be rejected until the ADD IPRANGE command is completed. Similarly, DELETE IPRANGE will result in rejection of any connection attempts to services specified in the deleted IPRANGE until another ADD IPRANGE command is used to redefine the IPRANGE. If an ADD SERVICE command refers to an undefined IPRANGE, the ADD SERVICE command is accepted and the following warning message is presented: SERVICE added, warning: IPRANGE not presently defined. HOME home-terminal-name: HOME controls the home terminal name for processes started by STN for TYPE DYNAMIC services. The default home terminal is the name of the dynamic window being started ($ZWNxxxx). If HOME is used it should refer to a valid terminal name or to a home terminal process like $ZHOME. HOME is needed in cases where a program continues to run after the STN session terminates. The most common example is when using the following configuration: ADD SERVICE pathdyn, TYPE DYNAMIC, PROGRAM $SYSTEM.SYSTEM.PATHCOM, HOME $ZHOME
471. onfigure the PTCPIPFILTERKEY parameter for every SSH2 instance listening on the same port, as follows:
RUN SSH2 /NAME $SSH00, CPU 0/ ALL; PORT 22; PTCPIPFILTERKEY mykey
RUN SSH2 /NAME $SSH01, CPU 1/ ALL; PORT 22; PTCPIPFILTERKEY mykey
After you have started multiple SSH2 processes in the manner described above, inbound SSH sessions will be distributed across the SSH2 instances in a round-robin manner. The application processes started by SSH2 for incoming connections can be distributed over CPUs on a user level via different settings of the USER attributes CPU SET and SFTP CPU SET. The SSH2 parameters CPUSET and SFTPCPUSET allow defining default values for these USER attributes on a global level. If multiple CPUs are configured, these will be used in a round-robin fashion. Another way of load balancing incoming SSH connections is to configure multiple IP processes for one SSH2 process (see parameter SUBNET) and let users connect to different IP addresses of the NonStop system. In this way the TCP/IP traffic load is distributed over the CPUs if the configured TCP/IP processes run in different CPUs. Fault Tolerance: SSH2 can be configured to ensure constant availability of NonStop-based SSH applications across the network. Running on the Guardian platform, SSH2 takes advantage of the fundamental availability characteristics of NonStop. SSH2 services can be c
472. onfigured as generic processes, enabling automatic recovery from failures such as CPU outages. SSH2 can also be started as a NonStop process pair. Neither mechanism prevents sessions from failing when the primary CPU of the SSH2 process goes down; however, SSH2 will restart operation in a backup CPU, ensuring that clients can reconnect immediately. Configuring SSH2 as a NonStop Process Pair: SSH2 can easily be started as a NonStop process pair by specifying the BACKUPCPU parameter, as follows: RUN SSH2 /NAME $SSH00, CPU 0/ ALL; BACKUPCPU ANY. In case of a failure of the primary CPU, the backup process of SSH2 will take over and restart the operation. Configuring SSH2 as a Generic Process: The following sample SCF commands can be used to configure an SSH2 server as a generic process:
ALLOW ALL ERRORS
ASSUME PROCESS $ZZKRN
ABORT #SSH2
DELETE #SSH2
ADD #SSH2, AUTORESTART 10, HOMETERM $ZHOME, PRIORITY 158, PROGRAM $SYSTEM.COMFSSH2.SSH2, DEFAULTVOL $SYSTEM.COMFSSH2, NAME $SSH2, STARTUPMSG "SERVER; PORT 22; SUBNET $ZTC01; LOGCONSOLE *; LOGFILE SSHLOG", STARTMODE MANUAL, USERID SUPER.SUPER, CPU FIRST
START #SSH2
INFO #SSH2
STATUS #SSH2
Before running SSH2 as a generic process we recommend that you have a working RUN SSH2 command at the TACL level. This command should be easy to convert to the respective SCF ADD command. For example, the SSH2 startup line parameters are specifi
473. onfigured in SYSTEM USER, or could be any other local system user. PRINCIPAL: This attribute is used to explicitly specify which Kerberos principal(s) are authorized to log on to this user account using gssapi-with-mic authentication. To define an access control list with multiple principals within a single command, the PRINCIPAL attribute can be repeated within a single ALTER USER command. Note: Specifying one or more Kerberos principals using this attribute overrides the default Kerberos authorization rule, which implicitly grants access to the Kerberos principal with a matching local account name. The PRINCIPAL attribute may have the following values: <user>@<REALM>: a fully qualified Kerberos principal name authorizes a specific Kerberos principal to access this user account. *@<REALM>: this pattern authorizes any principal in the given REALM to access this user account. *: this pattern authorizes any principal in any REALM, i.e. anybody with a valid service ticket, to access this user account. Note: Specifying a wildcard pattern as principal is useful when delegating authorization to the resource started for this user, i.e. CI PROGRAM or SHELL PROGRAM. CAUTION: When specifying a wildcard PRINCIPAL, user access should be properly locked down to avoid security breaches in which per-user authorization is bypassed, e.g. by setting SYSTEM USER NONE. The Kerberos principal name authenticated an
474. onnection. When setting this parameter to a non-zero value, the specified parameter is used on socket level. Parameter Syntax: SOCKTCPRXMTCNT count. Arguments: count, a number representing the maximum number of continuous retransmissions prior to dropping a TCP connection. A value of 0 means the maximum number of continuous retransmissions prior to dropping a TCP connection configured in the TCP/IP monitor process is used. Considerations: • Normally the value configured on TCP/IP monitor process level should be sufficient, i.e. the default value should be used for parameter SOCKTCPRXMTCNT. See document HP NonStop TCP/IPv6 Configuration and Management Manual for details. • The Cluster I/O Protocols (CIP) subsystem does not support the corresponding socket option TCP_RXMTCNT, i.e. the default value must be used for parameter SOCKTCPRXMTCNT if CIP is involved. See document HP NonStop TCP/IPv6 Configuration and Management Manual for details. Default: The default is 0. SOCKTCPTOTRXMTVAL: Use this parameter to control the maximum continuous time spent retransmitting without receiving an acknowledgement from the other endpoint. When setting this parameter to a non-zero value, the specified parameter is used on socket level. Parameter Syntax: SOCKTCPTOTRXMTVAL time. Arguments: time, a number representing the maximum time for TCP retransmission timeout. A value of 0 means the maximum continuous time spent retransmitting without receiving an ack
475. op SSH Reference Manual, SSH and SFTP Client Reference • 225. Using the SSH client to create an FTP port forwarding daemon: To tunnel FTP connections through an SSH connection, the SSH implementation must apply additional logic to ensure that the data port is also encrypted. The following example shows the encryption of an FTP connection between two NonStop systems by tunneling it over an SSH session. The example is based on the following assumptions: • An SSH2 daemon is installed on the remote NonStop system with port forwarding allowed. That requires the parameter ALLOWTCPFORWARDING to be set to TRUE. • The IP address on the remote NonStop system is 10.0.0.198. FTPSERV is configured through PORTCONF to take connections coming in on port 21 on that IP stack. • A Guardian user named COMF.TB exists on the remote system. Starting FTP port forwarding on the client system: The following command will start an FTP port forwarding daemon on the client system: $TB TBSSH79 16> run ssh S STBS79 -N -L ftp/2121:127.0.0.1:21 comf.tb@10.0.0.198 / SSH client version T9999H06_22Jan2014_comForte_SSH_0097 / You have no private keys in the key store. / Trying password authentication. / Enter comf.tb@10.0.0.198's password: The client will not be active before the password is given at the prompt. The port forwarding client listens for incoming connections on port 2121; 127.0.0.1:21 is the IP address/port of FTPSERV on the remote system from the perspective of th
476. or, if that is not set, the CPU the SSH2 process is running in is used. SFTP-GUARDIAN-FILESET: A list of patterns identifying the GUARDIAN systems, volumes, subvolumes and files the user is allowed to access. The default for this attribute is as follows: CARS Oe oe. This enables access, limited by the SFTP-SECURITY attribute, to any GUARDIAN system, volume, subvolume or file. In each pattern configured with the GUARDIAN file set, the * sign is used as a wildcard for any sequence of characters. The ? sign is used in a pattern as a wildcard for one single character. SFTP-INITIAL-DIRECTORY: This attribute specifies the initial server-side directory the user will access after establishing the SFTP session. The default value for the initial directory is either the value taken from INITIAL-DIRECTORY when defined in Safeguard, or from the Guardian default subvolume of the SYSTEM-USER. If the option LOCKED is used, a user will not be allowed to leave that path by issuing a cd command. For example, if a value of /home/jdoe is used, only access to directories below is allowed. Access to upper-level directories such as /home or /usr or / will not be allowed. Specifying option LOCKED results in a pseudo root visible for the user, i.e. a pwd command will show / as current directory. If a value /G LOCKED is used, then the user can only access Guardian files and no OSS files
477. or other system users. Client Mode Commands Operating on the KNOWNHOST Entity. ADD KNOWNHOST: The ADD KNOWNHOST command adds a new known host to the database and has the following syntax: ADD KNOWNHOST [<system-user-name>.]<knownhost-name>, ADDRESSES <ip-or-dns>[, <ip-or-dns>, <ip-or-dns> ...], PORT <portnr>, PUBLICKEY FINGERPRINT <fingerprint> | FILE <file-name>, ALGORITHM SSH-DSS | SSH-RSA, COMMENT <word> [<word> <word> ...], FROZEN. The individual attributes have the following meaning and syntax: <system-user-name>: A valid GUARDIAN user who owns the known host entry in the user database. If <system-user-name> is omitted, either the user being set with a previously issued ASSUME USER command or the issuer of the ADD KNOWNHOST command will be used as the default. If <system-user-name> is specified, it MUST be followed by a '.' to separate it from the known host name that follows. The user name ALL means that all users can access that known host. Only the SUPER.SUPER user (unless explicitly denied in the OBJECTTYPE USER record) or those configured with full SSHCOM access can add a known host entry for other users. <knownhost-name>: The name of the known host to be added. ADDRESSES: Specifies an IP address, a DNS name, or a comma-separated list of IP ad
478. ority used to start the dynamic application. If omitted, the priority specified by the DYNAMIC_PRI command is used. Priority can be a number from 0 to 199. TERM_TYPE TN6530 | 6530 | ANSI | ANY: TERM_TYPE controls the inclusion of services on STN02 Service menus. The default is ANY. TN6530 and 6530 are equivalent. Workstation terminal emulators are divided into two groups: those that support HP 6530 telnet extensions and which are configured for the HP 6530 protocol are considered type TN6530; all others are considered type ANSI. For TN6530 emulators, the STN02 will include only those services with TERM_TYPE TN6530 or ANY. For ANSI (all other) emulators, the STN02 will include only those services with TERM_TYPE ANSI or ANY. TERM_TYPE only affects the display formatted for the STN02 Service menu. It does not restrict access to services or otherwise affect application or terminal activity. For example, an ANSI emulator could request a service configured for TERM_TYPE TN6530 even though the service name was not displayed on the STN02 service menu. MODE CONV | BLOCK: Default is CONV. At the beginning of a session, the terminal client and the WINDOW are placed into the selected mode. MENU HIDDEN | VISIBLE: Default is VISIBLE. Service menus are built using the names of services with MENU VISIBLE. MENU HIDDEN suppresses the service name on the menu, but the service name can still be entered by the
479. ormational message to emphasize that the session is secure. Encryption details are provided. STN48 <window or service>: This is an informational message to echo the response to the menu prompt. This is especially useful when the service name is automatically entered by the terminal emulator. STN50 Negotiation timeout, check Line Mode setting in terminal emulator. Session terminated: Telnet IAC negotiations did not complete within 20 seconds. STN51 Workstation IP address not in range for requested service: The IP address of the remote workstation is not defined in the IPRANGE, or the IPRANGE is not defined. STN54 session timed out waiting for user logon response: A session connected to a SERVICE with LOGON REQ, but the user did not respond to the logon prompt. STN57 This 6530 emulator does not support required WSINFO: See STNCOM command WSINFO. STN58 WSINFO address does not match network address: See STNCOM command WSINFO. STN59 Input discarded: For an SSH session with no read active (TACL PAUSE'd, etc.), a very large amount of keyboard input was received. Further input is discarded. STN70 No existing window available for resilient service, window <win> added: A resilient service was requested, but no previously created windows were available. STN creates a new window and starts the application. STN70 Reconnecting to resilient window <win>. Last access <date> l
480. orted help items displayed within SFTP and SFTPOSS when the help command is entered. Version 3.8: Describes changes in SSH2 release 90. Documentation for the following new features has been added: Added description for new parameters ENABLESTATISTICSATSTARTUP, INTERFACEOUT, LOGEMSKEEPCOLLECTOROPENED, LIFECYCLEPOLICYPRIVATEUSERKEY, INTERVALPENDINGPRIVATEUSERKEY and INTERVALLIVEPRIVATEUSERKEY. Added description for new host key related SSHCOM commands INFO HOST KEY and EXPORT HOST KEY. Modified description for SSHCOM client mode commands ALTER KEY, GENERATE KEY, IMPORT KEY and INFO KEY. Added description for new statistics related SSHCOM command STATISTICS SESSION. Added description of new audit event SftpServerFatalErrorEvent. Added section FILE I/O parameters for SFTP/SFTPOSS. Enhanced section Installation on the NonStop Server. Added an example for Forwarding Remote Port to Local Port in section To Establish a Port Forwarding Tunnel with the NonStop SSH Client. Changes in SSH2 release 90 that are incompatible with previous releases: In previous releases the value for INTERFACE had not been used for outgoing connections, i.e. if a TCP/IP process defined several subnets, then it was undetermined which of the local IP addresses was used when connecting to remote systems. Now the IP address configured via INTERFACEOUT is used or, if that is not set, the value of parameter INTERFACE determines the local IP address selected for outgoi
481. ot be found in the User Database. Parameter Syntax: DISCONNECTIFUSERUNKNOWN TRUE | FALSE. Arguments: TRUE: The session will be disconnected immediately with indication "Access denied". FALSE: A list of all supported authentication methods is sent back; this avoids returning the information that the user does not exist. Default: The default for this parameter is FALSE. Example: DISCONNECTIFUSERUNKNOWN TRUE. Considerations: • RFC 4252 allows both ways of processing requests of unknown users. • If the parameter is not specified or is set to FALSE, the behavior is the same as before the parameter was introduced. DNSMODE: When host names get resolved, multiple IP addresses may be the result for one host name. In versions before 0097, the first IP address of a possible list of IP addresses was always used. Starting with version 0097, the way DNS name resolving is done regarding the use of multiple IP addresses per host name can be configured using parameter DNSMODE. Parameter Syntax: DNSMODE FIRST | ALL. Arguments: FIRST | ALL: Specifies whether all IP addresses returned from a DNS server or only the first one are considered. Valid values are: o FIRST for using just the first IP address; o ALL for using all returned IP addresses. Default: If omitted, FIRST is the default value, ensuring the DNS name resolving is handled as before introduction of this parameter. Consid
482. other SSH2 process for TACL sessions. • Although shell/exec requests are not subsystem requests, the parameter ALLOWEDSUBSYSTEMS can be used to generally prevent a user from starting a TACL. If parameter ALLOWEDSUBSYSTEMS does not include subsystem tacl, then any request for a TACL is prevented, even when ALLOW-CI is set to TRUE. If in this case CI-PROGRAM is configured as MENU or telnet, i.e. a TACL is not directly started, then the telnet service menu or the telnet forwarding is processed as configured. A user cannot get a TACL prompt, but it is possible to execute single commands in this case; see section TACL Subsystem and Command Interpreter Configuration. Example: ALLOWEDSUBSYSTEMS sftp. ALLOWFROZENSYSTEMUSER: This parameter controls the behavior when SSH2 detects that the configured SYSTEM-USER of the ssh user is in state FROZEN in Safeguard. Parameter Syntax: ALLOWFROZENSYSTEMUSER TRUE | FALSE. Arguments: TRUE | FALSE: Specifies whether Safeguard users in state frozen are allowed to access the NonStop. Valid values are: o TRUE: A frozen user is not rejected, i.e. can authenticate via configured authentication methods. o FALSE: Authentication fails without trying any of the configured authentication methods if a Safeguard user is in state FROZEN. Default: If omitted, ALLOWFROZENSYSTEMUSER will be set to FALSE. This is a change compared to releases prior to 0089, as frozen users were allowed before version 008
483. parameter will control whether the database will be created as an audited file or not. To reuse an existing database, SSH2 needs to be started with SSH2 parameter SSHCTL pointing to an existing file. The content of the database is viewed and maintained with the SSHCOM utility, which is described in the next section. Exporting the Database: The SSHCTL database can be exported into text files in order to allow further processing of the content. The text files are written in standard comma-separated form, which allows importing of the text files into spreadsheet and database programs or any SQL database. For a description of how to export the database, please refer to the section Miscellaneous commands in SSHCOM in chapter SSHCOM Reference. Copying the Database: After copying the SSH database file, you may need to alter table records depending on the requirements of the new SSH environment. The commands to alter attributes of existing records or to delete or add records are discussed in the next section. SSHCOM Command Reference. SSHCOM Overview: SSHCOM is a command interpreter delivered with the SSH2 component. It is used to view and maintain the SSH2 user database. Using SSHCOM is similar to working with the HP PATHCOM utility: you connect to an existing SSH2 process using the OPEN command, then you issue commands against that instance of SSH2, which will access the correspondi
484. pha characters are upshifted. For example, if the terminal reports 10.1.2.3 for the IP address field, then %2 would yield 10123. • %1 Workstation host name. • %2 Workstation IP address, which may be different from the value returned by %I due to NAT, firewalls, etc. • %3 Workstation domain name. • %4 Workstation NetBIOS name. • %5 Workstation user name. • %6 Workstation client name. Any parameter above may be followed by a width specification, which is a number in round parentheses. A positive or unsigned number refers to the leftmost characters of the string and a negative number refers to the rightmost characters. For example, assume the Expand node name is PROD3: x PROD3, x(3) PRO, x(1 3). WIN_PAT defaults to ZWNnnnn, as with previous STN releases. Example: Generate a name based on the last three bytes of the client IP address in hex: WIN_PAT QPPW QI K 6; an IP address of 10.18.127.163 would generate QPPW QI127FA3. If a window name is changed as a result of WIN_PAT, the following message will appear at the terminal: STN92 Window name changed from ZWNnnnn to <new name>. If the window name could not be changed because there was a problem in WIN_PAT or because the new name duplicated existing window names, then the session is terminated after displaying the message STN92 Window name change failed. Example configuration: ADD SERVICE RESTACL, TYPE DYNAMIC, RESILIENT YES, PROGRAM $SYSTEM.SY
485. ples on how to combine the log destinations in different scenarios. • Getting used to SSH2 (experimenting): It may be easiest to start SSH2 with the default settings. In that case SSH2 will issue log messages to the home terminal only, making it easy to view the messages. Note that you cannot start the SSH2 component NOWAIT this way. It may be helpful to raise the LOGLEVEL to 100 in that case: LOGFILE, LOGEMS, LOGLEVELCONSOLE 100, LOGCONSOLE. • Log to EMS and only log startup and severe messages: LOGFILE, LOGCONSOLE, LOGEMS $0, LOGLEVELEMS 30. • Log normal operations to a file and startup and severe messages to EMS: LOGCONSOLE, LOGFILE $vol.subvol.logfile, LOGLEVELFILE 50, LOGEMS $0, LOGLEVELEMS 30. • Log normal operations to a file and startup and severe messages to EMS; log detail information to the log cache and write the content to the log file via SSHCOM command FLUSH LOGCACHE only after specific events: LOGCONSOLE, LOGFILE $vol.subvol.logfile, LOGLEVELFILE 50, LOGEMS $0, LOGLEVELEMS 30, LOGLEVELCACHE 85. Writing to the log cache causes the least overhead. If detailed log messages need to be analyzed, then it is often best to set the value of LOGLEVELCACHE to a higher value, e.g. via SSHCOM command SET LOGLEVELCACHE, and leave the parameter LOGLEVELFILE at the default level. After the event of interest has occurred, the messages in the log cache should then be written to the log file using SSHCOM command FLUSH LOGCACHE; see se
486. r CI-PROGRAM (e.g. $SYSTEM.SYSTEM.FUP) can be executed by specifying ci on the command line, e.g. ssh usr@host ci. The command interpreter will be started and its prompt appears (the FUP prompt in the example), and the user can execute commands processed by the started command interpreter. Alternatively, a command can be specified on the ssh command line, e.g. ssh usr@host ci -c info. After the command interpreter was started, the specified command gets executed and the session is closed. This works only if CI-COMMAND is not set in the USER configuration. Otherwise the CI-COMMAND gets executed and the command on the SSH client command line is ignored. The user can specify a program, e.g. ssh usr@host ci -p scf, but this will be rejected with error "Command interpreter initialization failed" if ALLOW-CI-PROGRAM-OVERRIDE is NO. After changing the value of this attribute to YES, the above command gets executed and the specified command interpreter starts and its prompt is displayed. The user may try to start a TACL via the ci feature, e.g. like ssh usr@host ci -p tacl. This will be rejected because subsystem TACL is not allowed, and granting TACL access via command interpreter access would circumvent the configured subsystem restriction. Having configured TACL as CI-PROGRAM and ALLOW-CI-PROGRAM-OVERRIDE set to NO, a TACL with a specific command can still be executed even if subsystem TACL is not allowed. Unless CI-COMMAND is configur
487. r host tacl -p fup. With a 6530 terminal on the client side, the program $SYSTEM.SYSTEM.FUP is started (actual object FUP found on the SYSnn subvolume), and the user sees a FUP prompt and can enter any number of FUP commands. The session ends after the user entered the FUP command EXIT. It is possible to specify a command for the requested command interpreter via tacl -p <program> <command>. For example, when executing the following command: ssh usr@host tacl -p fup info, a FUP is started, the FUP command INFO is executed and the session ends. Even though USER attribute ALLOW-CI-PROGRAM-OVERRIDE is set to NO in the default configuration, the above commands work. The reason is that subsystem tacl is allowed in the default USER configuration, i.e. a user can request subsystem tacl, gets the TACL prompt and can execute the <program> (FUP in the example) anyway. Therefore the value of attribute ALLOW-CI-PROGRAM-OVERRIDE is ignored in this case. Configuration with Subsystem TACL not Allowed: Since version 0097 it is possible to start a command interpreter even when subsystem tacl is not allowed (USER attribute ALLOWED-AUTHENTICATIONS does not list subsystem tacl). Before version 0097, the execution of CI-PROGRAM or a command interpreter specified as remote command on the SSH client command line was rejected if tacl was not an allowed subsystem. Now, with ALLOW-CI YES and a 6530 terminal on the client side, the program configured unde
488. r name. <str1>: user <str2> automatically added to SSHCTL upon first authentication request: <str1> Session Name, <str2> User name. <str1>: signature ok, authentication of <str2> successful: <str1> Session Name, <str2> User name. <str1>: accepting user <str2> without authentication: <str1> Session Name, <str2> User name. <str1>: Making user <str2> change the password: <str1> Session Name, <str2> User name. <str1>: password <str2> for user <str3>, <str4> authentication successful: <str1> Session Name, <str2> Text "changed" if password was changed, else text "verified", <str3> User name, <str4> Last authentication method tried. <str1>: gssapi authenticated principal is <str2>: <str1> Session Name, <str2> Client principal name. <str1>: principal <str2> mapped to local user <str3>, system user <str4>: <str1> Session Name, <str2> Client principal name, <str3> User name, <str4> System user name. <str1>: gssapi mic ok, authentication of <str2> successful: <str1> Session Name, <str2> User name. <str1>: channel request for subsystem sftp, launching sftp server: <str1> Session Name. <str1>: client version string: <str2>: <str1> Session Name, <str2> SSH client software versi
489. r occurred on the GWN file. • EFFECT: STN will attempt to recover. Additional related EMS event(s) will give further information. • RECOVERY: None, but see additional EMS events. zstn-evt-gwn-file-created (value is 1059): <1> GWN File <2> Created; <2> GWN file name. • CAUSE: STN created a new GWN file based on GWN_FILE because the file did not already exist. • EFFECT: GWN startup continues. • RECOVERY: None, informational. zstn-evt-gwn-file-init (value is 1060): <1> GWN File <2> Initialized to <3>; <2> GWN file name, <3> Window name. • CAUSE: STN created a new GWN file. • EFFECT: The GWN file is initialized to the specified window name. • RECOVERY: None, informational. zstn-evt-gwn-file-bad-data (value is 1061): <1> GWN File <2> contains bad data <3>; <2> GWN file name, <3> Sample of bad data. • CAUSE: STN encountered unexpected data in the GWN file. • EFFECT: GWN is disabled. • RECOVERY: Correct the problem with the file, purge the file, or change PARAM GWN_FILE to the proper filename, then restart STN. zstn-evt-gwn-disabled (value is 1062): <1> GWN File disabled, using <2> session window names; <2> Number of session window names. CAUSE: STN encountered an error with GWN processing, as detailed in a previous event. This event also occurs once at STN startup when no PARAM GWN_FIL
490. r.super, the LAST-LOGON timestamp will be updated whenever any user process is started, i.e. the update occurs also when users other than super.super log on. LAST-UNSUCCESSFUL-ATTEMPT: The timestamp of the last unsuccessful authentication attempt of that user. LAST-AUTH-METHOD: The last authentication method used for the last logon. LAST-PUBLICKEY: The name of the last public key used for publickey authentication of an incoming ssh connection. LAST-IP-ADDRESS: The IP address from which the user last connected. LAST-MODIFIED: The timestamp of the last modification of the user attributes. User attributes in that context are attributes that can be changed with the ALTER command. Note: any attributes not listed above are explained in the ADD USER section. RENAME USER: The RENAME USER command renames a user and has the following syntax: RENAME USER <old-user-name> <new-user-name>. Both <old-user-name> and <new-user-name> are mandatory in the command; no wild cards are allowed in either one. Please see the description of <user-name> under the ADD USER command for unconventional names that must be put in double quotes. THAW USER: The THAW USER command thaws a user and has the following syntax: THAW USER <user-name>. The <user-name> is mandatory in the command; no wild cards are allowed in the user name. A thawed user can log
491. r1> Define name, <str2> File name. parameter SUBNET was evaluated, TCP/IP process is <str1>: <str1> Subnet Name. <str1>: remote <str2> forwarding request failed, server could not listen on <str3>: <str4>: <str1> Session Name, <str2> Protocol, <str3> Normalized remote address and port, <str4> Description. <str1>: Error: <str2>: <str1> Session Name, <str2> Exception text. <str1>: Disconnect from remote: <str2>: <str1> Session Name, <str2> Reason for disconnect. <str1>: User auth method mismatch, available: <str2>, requested: <str3>: <str1> Session Name, <str2> Remaining authentication methods, <str3> Requested authentication method. <str1>: request rejected, authentication requested from host <str2> with unknown SSH user name <str3> and <str4> is set to FALSE. (Table columns: LOG LEVEL, EVENT TEXT, Description, Variable Parts; the LOG LEVEL column for the events on this page reads 20.) <str1> Session Name, <str2> Remote host TCP/IP address, <str3> User name, <str4> AUTOADDSYSTEMUSERS. <str1>: request rejected, USER <str2> is not permitted to connect from host <str3> due to RESTRICTION-PROFILE settings: <str1> Session Name, <str2> User name, <str3>
492. red. Following is more information about the values allowed: • A valid number must be between 0, indicating no messages, and 100. The value of 100 indicates the maximum amount of messages. The maximum number should not be used in production environments. • The recommended level of detail is 30, indicating only startup and problem messages are written, or 50, specifying some usage messages are also written. Considerations: • This parameter is retained for downward compatibility only and has been replaced by the LOGLEVELCONSOLE and LOGLEVELFILE parameters. • If no value is set for the LOGLEVELCONSOLE or LOGLEVELFILE parameters, they will inherit their value from the LOGLEVEL parameter. • If both LOGLEVELCONSOLE and LOGLEVELFILE parameters are assigned a value, the LOGLEVEL parameter becomes meaningless. See also: LOGLEVELCONSOLE, LOGLEVELEMS, LOGLEVELFILE. LOGLEVELCACHE: Use this parameter to control what messages are written to the log cache. Parameter Syntax: LOGLEVELCACHE detail. Arguments: detail, a number specifying the detail level. Default: A default of 50 is used. Considerations: • Using the LOGLEVELCACHE parameter allows users to set a different log level for the log messages written to the log cache than for the output written to LOGFILE. • Writing log messages to the log cache and writing the current content to the log file sporad
493. refore, granting access to other user accounts than super.super must be carefully considered. • The parameters must be set contiguously, i.e. if one parameter PARTIALSSHCOMACCESSGROUP<p> is not defined, the checking of PARTIALSSHCOMACCESSGROUP<n> parameters stops. • This parameter set is valid whether a thawed OBJECTTYPE USER record exists in Safeguard or not. But if a user is configured with C access in the OBJECTTYPE USER record as well as included in the parameter set PARTIALSSHCOMACCESSGROUP<n>, then the user has full SSHCOM access. • If a user is included in parameter sets PARTIALSSHCOMACCESSGROUP<n> as well as sets FULLSSHCOMACCESSUSER<i> or FULLSSHCOMACCESSGROUP<j>, then the user has full SSHCOM access. See also: • PARTIALSSHCOMACCESSUSER<i>, FULLSSHCOMACCESSUSER<i>, FULLSSHCOMACCESSGROUP<j>, LIFECYCLEPOLICYPUBLICUSERKEY. • See table in SSHCOM Access Summary in section SSHCOM Command Reference. PARTIALSSHCOMACCESSUSER<k>: This parameter set allows granting limited administrative SSHCOM command privileges to configured users. Admin users with limited SSHCOM access are defined via the parameter set PARTIALSSHCOMACCESSUSER<k>, where <k> is a number between and 99. Limited administrative SSHCOM access includes viewing and altering USER records, i.e. execution of daemon mode commands
494. remote SSH server. If this optional attribute is omitted, the default of 22 is used. <newusername>: A valid GUARDIAN user who will own the password entry in the SSHCTL database after the rename. Only the SUPER.SUPER user (unless explicitly denied in the OBJECTTYPE USER record) or those configured with full SSHCOM access can issue a RENAME command where <newusername> is different from <oldusername>. If <oldusername> and/or <newusername> is omitted, either the user being set with a previously issued ASSUME USER command or the issuer of the RENAME PASSWORD command will be used as the default user. If <newusername> is specified, it MUST be followed by a '.' to separate it from the password name. <newremoteuser>: A user name of the targeted system. <newtargethost>: The IP address or the DNS name of the targeted system. <newtargetport>: The listening port of the remote SSH server. If this optional attribute is omitted, the default of 22 is used. THAW PASSWORD: The THAW PASSWORD command thaws a password. The command has the following syntax: THAW PASSWORD [<system-user-name>.]<remote-user>@<target-host>:<target-port>. The individual attributes are identical to those in the DELETE PASSWORD command; please see that section for details. Only the SUPER.SUPER user (unless explicitly denied in the OBJECTTYPE USER record) or those configured with full SSHCOM access can thaw a password entry f
495. remote user. See the command BANNER, which can disable menus and other messages. LIB <lib file name>: Default is no LIB file. For dynamic sessions, this parameter specifies the library object file name for PROG program object files that require a library. SWAP <volume name>: Default is no SWAP volume specified. Specifies the swap volume for dynamic sessions. USER <groupnum>,<usernum> | <groupname>.<username>: USER is only allowed for TYPE DYNAMIC services. If USER is specified, it must match the userid authenticated for the session, or the session is terminated with an STN71 message. If the SSH userid has SYSTEM-USER not set to NONE, then that is the userid for the session; otherwise the userid and password are prompted from the terminal with STN15/STN16 messages. Whatever the source for the session userid, it must match the SERVICE USER parameter. USER is appropriate for applications which do not perform their own logon or which need to be restricted. For example, RESILIENT services are often restricted to SUPER.SUPER. As of STN version B17 (H06.25/J06.14), USER can be specified independent of LOGON REQ. Prior to that, when USER was specified, LOGON REQ was automatically set. When USER is present and LOGON is REQ, then the session must be authenticated for the specified userid, either by SSH or by response to the STN15 userid prompt. When USER is present and LOGON is NONE, the dynamic application will be started under the specified userid without au
496. rence Manual. (Audit event table columns: Event Id, Event Name, Conditions, Pattern, Token Values.) Token values: action: terminate; object: SFTP process; errInfo: error detail; processType: SFTPSERV; processName: process name. Log File/Audit File Rollover: When logging to a file, SSH2 uses a round-robin mechanism to switch to a new file. Log file rollover applies both to auditing to the file configured with the AUDITFILE parameter and logging to the file configured with the LOGFILE parameter. A log file rollover occurs when the logfile is greater than the size configured in the parameter LOGMAXFILELENGTH, or when the audit file is greater than the size configured in the parameter AUDITMAXFILELENGTH. It is also possible to force the rollover via SSHCOM command; see ROLLOVER AUDITFILE and ROLLOVER LOGFILE in chapter SSHCOM Command Reference. SSH2 implements a log file round robin with at least 10 files. The number of files can be configured using the LOGFILERETENTION or AUDITFILERETENTION parameter. If the number of retention files is set to 0 (LOGFILERETENTION or AUDITFILERETENTION), then the content of the file configured via LOGFILE or AUDITFILE will be purged as soon as the file size reaches the maximum configured size. But it is recommended to use at least 10 retention files. Archive files generated during rollover will be created by appending a number to the log file name. The number of digits of the number appe
497. ript must be defined before a session attempts to use it.

AUDITCOLL OFF | <ems collector>
AUDITCOLL names an EMS collector to receive EMS events for Audit-type events. OFF is the default: no Audit-type EMS events are generated. Also used to stop generation of events. <ems collector>: Audit-type EMS events are written to the specified collector. AUDITCOLL specifies an EMS collector for audit EMS events only. This is independent of $0, which always receives other EMS events. emscol is the name of an EMS collector, which may specify $0 or an alternate collector. AUDITCOLL OFF stops generating the new EMS events and closes the alternate collector; normal EMS events to $0 will continue in any case. See ZSTNDDL and ZSTNTMPL.

AUDITMSG <text>
Writes an audit event with the specified text.

AUTO_ADD_WIN DYNAMIC | STATIC | OFF
Starting with SPR T0801ABE (STN version B21), the AUTO_ADD_WIN configuration parameter is no longer supported. All openers of STN must refer to an existing window name.

AUTODEL_WAIT <seconds>
Windows that are automatically added (TYPE DYNAMIC and AUTO_ADD_WIN) are automatically deleted when the TCP session is terminated or when all openers (applications) have closed the window. Some applications close the window and then quickly reopen it from a different process (this happens with Pathmon and Pathway TCP); this could prematurely delete the
498. roperty of a USER entity of the SSH user database (please see chapter The SSH User Database for details). To find out the fingerprint of an existing public key on a remote system, please refer to the documentation of the sftp implementation you use. The following example shows how to display the fingerprint with the ssh-keygen utility and the -l option in OpenSSH:

$ ssh-keygen -l
Enter file in which the key is (/home/comf/burgt/.ssh/id_rsa):
1024 5c:16:2f:95:fe:0e:1e:97:15:98:0f:ba:ae:32:03:67 /home/comf/burgt/.ssh/id_rsa.pub
$

The fingerprint to be configured on the NonStop system is highlighted in bold.

Publickey client logon (when operating as client)
The public key of the remote system is configured using the KNOWNHOST entity of the user database, using the CLIENT mode of the SSHCOM command interpreter. The private key used to log on to the partner system is configured using the KEY entity of the user database, using the CLIENT mode of the SSHCOM command interpreter. The public key to be configured on the remote system can be displayed using the INFO KEY command or exported into a file using the EXPORT KEY command.

STN Reference
Introduction
The STN component is a pseudo-TTY server providing full-screen shell access to remote SSH clients.

Running STN as Pseudo-TTY Server for SSH2
Note: For cases in which SSH2 was delivered with HP NonStop SS
499. rovided. DAEMON_ADMIN combines the run modes DAEMON and ADMIN. CLIENT runs a process that allows local SFTP clients to connect to the SSH2 process; no other functionality is provided. CLIENT_ADMIN combines the run modes CLIENT and ADMIN. ADMIN runs a process that allows SSHCOM instances to connect to the SSH2 process and to configure the user database; no other functionality is provided. NOADMIN combines the run modes DAEMON and CLIENT. ALL combines all run modes. SERVER can be used instead of DAEMON.

• <paramname> <paramvalue> is a list of SSH2 configuration parameter settings, as described in the previous section.

Note: When you start SSH2 in NOWAIT mode, make sure you have disabled logging to the home terminal. To do so, set the following PARAM: PARAM LOGCONSOLE

SSH2 Parameter Reference
This section describes all available SSH2 parameters in alphabetical order. Note that parameter names are case-insensitive, regardless of the source in which they appear. Some of the parameters are also valid for clients; please reference section FILE I/O parameters for SFTP/SFTPOSS.

Parameter Overview
The following table lists all available SSH2 parameters and their meanings.
Parameter | Meaning
ALLOWEDAUTHENTICATIONS, ALLOWEDSUBSYSTEMS, ALLOWFROZENSYSTEMUSER, ALLOWINFOSSH2, ALLOWPASSWORDSTORE, ALLOWTCPFORWARDING, AUDIT
500. rovided by the STN PTYSERVER. This resembles the functionality of TELSERV, providing dynamic services as well as services connecting to static windows. The services offered by the STN PTYSERVER process can be configured using STNCOM. If MENU is followed by a service or window name, the corresponding service or window is automatically selected. If the service or window does not exist, the STN menu will be displayed. If the option FORCE is appended, then the user is forced to use the pre-configured STN service or window. In this case the user will not see the STN menu, even when the configured service or window does not exist.

SYSTEM-USER
This attribute defines the Guardian user name to which the <user name> is mapped. If this attribute is omitted, it is assumed that <user name> is a valid user on the system, i.e. the <user name> value is used for attribute SYSTEM-USER in this case. If NONE is specified, the user is not mapped to a system user, causing all channel requests that require a valid system user (e.g. exec, subsystem SFTP) to be rejected. SYSTEM-USER NONE is useful to grant anonymous access to services which perform their own authentication, e.g. Pathway applications. When SYSTEM-USER NONE is used and CI-PROGRAM or SHELL-PROGRAM are MENU and TACL or OSH can be selected from the STN menu, then a logon for TACL or OSS is required. It is possible to specify the logon id (e.g. 11,23) in double quotes. The logon id
501. rrent log file (e.g. via FUP SECURE command) will be used for subsequently created log files. The very first log file will have the default file security of user SUPER.SUPER.
See also: LOGMAXFILELENGTH, LOGFILE

LOGFORMAT
Use this parameter to control the format of the log messages that are written to the console or log file.
Parameter Syntax: LOGFORMAT <format>
Arguments: <format> A number is used to represent a bit mask that controls the format. Following are the values and their corresponding format:
bit 1 (decimal 1): Date
bit 2 (decimal 2): Header (log messages are prefixed with "log")
bit 3 (decimal 4): Time
bit 4 (decimal 8): Milliseconds
bit 5 (decimal 16): Process name
bit 7 (decimal 64): Log level of message
Default: The default log format is 93 (process name, date, time, milliseconds and log level).
Example: Display date, time and milliseconds only: LOGFORMAT 13. Display date and time only: LOGFORMAT 5.
Considerations:
• This parameter is retained for downward compatibility only and has been replaced by the parameters LOGFORMATCONSOLE and LOGFORMATFILE.
• If no value is set for the parameters LOGFORMATCONSOLE or LOGFORMATFILE, they will inherit their value from the parameter LOGFORMAT.
• If both LOGFORMATCONSOLE and LOGFORMATFILE are set with a value, the parameter LOGFORMAT becomes meaningless.
502. rst suppression for log target EMS is enabled if either parameter BURSTSUPPRESSION or parameter EMSBURSTSUPPRESSION is set to TRUE.
Default: If omitted, EMSBURSTSUPPRESSION is set to FALSE.
Example: EMSBURSTSUPPRESSION TRUE
See also: BURSTSUPPRESSION, BURSTSUPPRESSIONEXPIRATIONTIME, BURSTSUPPRESSIONMAXLOGLEVEL

ENABLESTATISTICSATSTARTUP
This Boolean parameter allows enabling gathering statistics at startup of the SSH2 process.
Parameter Syntax: ENABLESTATISTICSATSTARTUP TRUE | FALSE
Arguments: TRUE: Statistics will be gathered immediately after the SSH2 process has started. FALSE: Gathering statistical data will be enabled only after SSHCOM command ENABLE STATISTICS was issued.
Default: The default for this parameter is FALSE.
Example: ENABLESTATISTICSATSTARTUP TRUE
Considerations:
• Maintaining statistics may slow down the SSH2 process.

FILEBURSTSUPPRESSION
Use this parameter to configure burst suppression for log message duplicates of log target file.
Parameter Syntax: FILEBURSTSUPPRESSION TRUE | FALSE
Arguments: TRUE | FALSE specifies whether FILEBURSTSUPPRESSION is enabled or not.
o TRUE: Duplicate log messages will be suppressed.
o FALSE: Duplicate log messages will not be suppressed.
Considerations: The value of parameter FILEBURSTSUPPRESSION is ignored if BURSTSUPPRESSION is set to TRUE. Burst suppression for log target file is enabled i
503. rview. GSSAPI (Generic Security Service Application Programming Interface) is a standardized function interface that provides security services for applications in a mechanism-independent way. In addition, GSSAPI is also a standardized (RFC 4462 compliant) way to establish a security context for user authentication and key exchange between an SSH client and server. The prevalent security mechanism supported for use with GSSAPI is Kerberos. SSH2 supports the RFC 4462 standard for GSSAPI user authentication with Kerberos as the security mechanism, both in DAEMON and CLIENT mode. This approach can be used to implement Kerberos-based single sign-on for users connecting with a GSSAPI/Kerberos-enabled SSH client. Since Microsoft Active Directory supports Kerberos, Windows domain users can be enabled to log onto HP NonStop Servers without being prompted for a password. If credential forwarding (also known as TGT forwarding) was selected for the session, subsequent SSH connections from the NonStop host to other network resources participating in Kerberos single sign-on can also be accessed without additional authentication. SSH2 also supports the RFC 4462 standard for GSSAPI key exchange with Kerberos as the security mechanism. This includes the server authentication of the SSH2 daemon via GSSAPI/Kerberos rather than using its public key, which eliminates the need to manage SSH host public keys on the client side.

Prerequisites
For GSSAPI authen
504. rying to establish a listen for remote port forwarding.
Effect: The remote port forwarding request fails.
Recovery: Any corrective action depends on <error detail>. A typical error is a failure to bind to the given port. The SSH client may need to correct its port forwarding configuration.

Session Related Messages of SSH2 in Client Mode
All SSH2 messages related to an outgoing connection to a remote SSH daemon initiated by a NonStop client process (e.g. SFTP, SFTPOSS) are preceded by a session ID. These messages adhere to the following format: <session id>: <process id>. <process name> is the name of the NonStop client process initiating the SSH connection.

<session id>: client access to known host <known host name> denied: host is frozen
<known host name> is the name of a KNOWNHOST entity contained in the SSHCTL.
Cause: The SSH client (e.g. SFTP) tried to access a known host that was frozen.
Effect: The client access to the host is denied. The client connection fails.
Recovery: If access to the host is desired, use the SSHCOM THAW KNOWNHOST command to thaw the host.

<session id>: client access to known host <known host name> denied: public key changed
<known host name> is the name of a KNOWNHOST entity contained in the SSHCTL.
Cause: The public key of the host the SSH client (e.g. SFTP) tried to access does not ma
505. s. Default: The default is 3600 (1 hour). This is the value recommended in RFC 4253.
See also: SSHAUTOKEXBYTES

SSHCTL
Use this parameter to specify the filename of the user database file.
Parameter Syntax: SSHCTL <filename>
Arguments: <filename> specifies the name of the user database file.
Considerations:
• The user database stores information about remote users accessing the NonStop system. The user database is stored in a single ENSCRIBE file and maintained through the SSHCOM command interpreter. For more details of the user database, please see the chapter The SSH User Database.
• In order to prevent unauthorized access, the user database is stored in a proprietary format and encrypted. The database file is secured as
• The customer name configured via parameter CUSTOMER (or, if that does not exist, the customer name held within the license file for the SSH2 program) is used as an input for host-based key encryption. When you plan to duplicate the host key and user database onto other NonStop systems, such as a disaster recovery system, you need to make sure the parameter CUSTOMER or the license file of that other system has the same customer name in it. Otherwise the host key file and user database cannot be used on the other system. If you purge the HOSTKEY and SSHCTL files and restart the SSH2 process, a new HOSTKEY and SSHCTL file will be created using
506. s -S $SSSH55 -oPort 54022 comf.us@fe80::a00:8eff:fe00:d14e
SSH client version T9999H06_22Jan2014_comForte_SSHOSS_0097
GSSAPI authentication disabled.
You have no private keys in the key store.
Trying password authentication.
Enter comf.us@fe80::a00:8eff:fe00:d14e's password:
Add password for comf.us@fe80::a00:8eff:fe00:d14e:54022 to the password store (yes/no)? no
STN00 Connected to STN version B17 2012-04-23 12:36 \NPNS01 $PTY54 #ZWN0015
STN46 Secure SSH session: xterm, password, aes256-cbc, hmac-sha1
STN81 Client IP address fe80::a00:8eff:fe00:d14e port 4196
STN82 SSH external user comf.us, Guardian system user COMF.US
STN44 Application has connected to this window
$DATA1 USHOME

Example for starting SFTPOSS client using IPv6 address:

sftposs -u sauer fe80::250:56ff:fea7:4bdc
SFTPOSS client version T9999H06_22Jan2014_comForte_SFTPOSS_0097
Connecting to fe80::a00:8eff:fe00:d14e via SSH2 process $SSH01
GSSAPI authentication disabled.
You have no private keys in the key store.
Trying password authentication.
Enter comf.us@fe80::a00:8eff:fe00:d14e's password:
Add password for comf.us@fe80::a00:8eff:fe00:d14e:54022 to the password store (yes/no)? no
sftp>

Configuring the SSH2 Process to Use
As mentioned earlier, the SSH and SFTP clients will interact with a running instance of the SSH2 object file. There are multiple ways to spe
507. s STN will probably not operate properly.
RECOVERY: Correct the error, then stop and restart STN, or use STNCOM commands to directly enter any required configuration commands.

zstn-evt-backup-started (value is 6)
<1> Backup created in cpu <2>
<2>: cpu number
CAUSE: STN created a backup process (a) after startup time when PARAM BACKUP is used, (b) after STNCOM BACKUPCPU command, (c) after a takeover, or (d) after a backup CPU became available.
EFFECT: STN is now operating with a backup process.
RECOVERY: None, informational only.

zstn-evt-backup-stopped (value is 7)
<1> Backup stopped
CAUSE: The STN backup process stopped. Another EMS event may give additional information.
EFFECT: STN runs without a backup. In some cases STN will automatically restart the backup process, immediately or after a backup CPU becomes available.
RECOVERY: If backup operation is required, make the backup CPU available or use the STNCOM command BACKUPCPU to select another backup CPU.

zstn-evt-backup-start-err (value is 8)
<1> Backup create error <2> <3>
<2>: error code
<3>: detail error
CAUSE: STN could not create a backup process due to a PROCESS_CREATE_ error.
EFFECT: STN runs without a backup. In some cases STN will automatically restart the backup process, immediately or after a backup CPU becomes available.
RECOVERY: If backup operati
508. s keepalive messages on the secure shell protocol level, while SOCKETKEEPALIVE controls whether keepalive messages should be enabled on TCP socket level.
• Sending these messages on idle sessions is an additional measure of protection against advanced traffic analysis techniques.

STOREDPASSWORDSONLY
Use this SSH2 parameter to disable the prompt for password during user authentication with method password in outgoing connections, assuming that the password is stored in the database.
Parameter Syntax: STOREDPASSWORDSONLY TRUE | FALSE
Arguments: TRUE | FALSE specifies whether the password prompt is suppressed or not. Following are the possible arguments:
o TRUE: Password prompt is suppressed. If the password cannot be found in the SSHCTL database, then the password authentication will fail.
o FALSE: Users will be prompted for the password if it was not found in the SSHCTL database.
Default: The default is FALSE. The default behavior is therefore the same as before this parameter was introduced.
Considerations:
• This parameter is only relevant for outgoing connections, i.e. with ssh clients SSH[OSS] and SFTP[OSS] running on a NonStop server.
• In a scenario of ssh clients running in batch mode where password authentication is a requirement, the password prompt does not make sense.

STRICTHOSTKEYCHECKING
This option controls whether to restrict client access to re
509. s are reserved for use by this STN process. 3. STN adds <blocksize> to the numeric portion of the window name and rewrites (with unlock) the GWN file. 4. STN then uses the reserved window names for new sessions. When the reserved list is exhausted, another allocation is performed. 5. If any error occurs reading or writing GWN FILE, the file is closed and the default ZWN0001 is used for the duration of the STN process.

GWN BLOCKSIZE is automatically reduced if necessary so that it does not exceed a tenth of the numeric range defined by GWN TEMPLATE. For example, with GWN TEMPLATE T00 there are only 100 names in the range, so the maximum is 10. For PTY0000 the maximum is 1000. With this allocation scheme there may be some gaps in window numbering, but there will generally be no duplication, which can simplify tracking of windows.

GWN Related STNCOM Commands
INFO STN: Displays GWN parameters.
DYN_WIN_MAX: The existing DYN_WIN_MAX command is generally superseded by the features of GWN TEMPLATE, but it is still allowed. DYN_WIN_MAX nnn: nnn is the maximum number of window names, including zero (0). nnn must be in the range 100 to 100000; default 100000. DYN_WIN_MAX may be used to reduce the number of windows allowed by GWN TEMPLATE. For example, PARAM GWN TEMPLATE Z0000 with STNCOM $STN; DYN_WIN_MAX 250 cycles from Z0000 to Z0249, then back to Z0000.
GWN ALLOC: STNCOM displays the GWN filename and details about
510. s can be used to define strings containing a space or special characters. The prefix for infos/warnings can also be specified via PARAM (environment variable) SSHQUERYPREFIX; the -K option takes precedence over the PARAM (environment variable). There is no specific query prefix defined as default.

Using the SSH client to create a shell controlling a remote system
Creating a full shell
The following example shows how to connect to a Linux system and execute some commands on that system using the SSH client from Guardian:

$TB.TBSSH79 7> run ssh -S $TBS79 burgt@10.0.0.12
SSH client version T9999H06_22Jan2014_comForte_SSH_0097
You have no private keys in the key store.
Trying password authentication.
Enter burgt@10.0.0.12's password:
Add password for burgt@10.0.0.12 to the password store (yes/no)? no
Last login: Thu Jun 5 07:45:45 2008 from 10.0.3.98
Have a lot of fun...
burgt@np-dev02:~> pwd
/home/burgt
burgt@np-dev02:~> ls
abc etestftp etestsftp_old glubwrap t4gig_file bin
burgt@np-dev02:~> exit
logout
$TB.TBSSH79 8>

Note that for the first connection a KNOWNHOST will have to be configured for the remote system in order to connect. Also note that the password of the remote system was queried once and not stored in the database. The last command (exit) tells the remote system to end the shell session.

Executing a single command
The following example shows how to connect to a Linux system and execute
511. s chosen to be other than $SYSTEM.ZSSH, the startup files (ZSSHGP, SSHCFG, SSHMCFG) must be changed to point to the correct locations. Therefore it is recommended to keep the production installation always in $SYSTEM.ZSSH. The executables SSH2 (SSH server) and STN (pseudo-TTY) reside in this subvolume as well; they are not placed in $SYSTEM.SYSnn. However, the executables SSHCOM, SSH and SFTP are installed in $SYSTEM.SYSnn.

The startup parameter for processes ZSSP0 and ZSSP1 has been modified in the ZSSHGP file for SPR T0801AAS and now points to configuration file SSHMCFG instead of SSHCFG, in the ADD process section and a new ALTER process section. After a fallback to a pre-J06.11/H06.22 RVU or to an SPR prior to T0801AAS, the ZSSP0 and ZSSP1 processes will not start, because their startup parameter definition points to configuration file SSHMCFG, which does not exist in pre-AAS NonStop SSH releases. The ZSSHGP file in earlier NonStop SSH releases does not contain an ALTER section, and the process add commands in the ADD section fail because the process definitions already exist. To resolve this problem, issue these commands at a TACL prompt:

SCF DELETE PROCESS ZZKRN SSH ZTCP
RUN ZMODGP $SYSTEM.ZSSH.ZSSHGP
SCF START PROCESS ZZKRN SSH ZTCP

Installing the SSH Components on the NonStop System
After you have downloaded the files to your workstation, transfer the SSH2 installation archive (SSH2INS.100 or SSHINSTI.800, depending on
512. s is enabled. If the DETAIL flag is set, detailed information is displayed. The SSHCOM command has the following syntax: STATUS STATISTICS | STATS [DETAIL]

Abort Session Command
In rare cases it may be required for an administrator to stop a session, e.g. because a user process was started in the wrong CPU, or is using too much CPU, or is causing an unexpectedly high data throughput. Stopping a session can be achieved via the ABORT SESSION command. The syntax for the ABORT SESSION command is as follows: ABORT SESSION <session id>
<session id>: The internally assigned identifier (positive integer) of a session. A wild card character cannot be specified instead of a session id.
Only users with full SSHCOM access are allowed to execute the ABORT SESSION command.
Warning: Any unsaved changes made by processes related to the aborted session may be lost.

SSH and SFTP Client Reference
Introduction
The SSH2 package provides an SSH and SFTP client program to interact with SSH daemons on other systems. The client programs will communicate with the SSH2 process, which will create the actual SSH session to the remote daemon. This chapter describes the usage of the SSH and SFTP client and assumes an SSH2 process is already running.

Starting the Guardian Client Programs
The clients for Guardian have
513. s public key is FROZEN.
Effect: The client process terminates.
Recovery: To allow access to the host which has been set FROZEN, you can use the following SSHCOM command: THAW KNOWNHOST <hostname>

ERROR: REMOTE HOST IDENTIFICATION HAS CHANGED! Someone could be eavesdropping on you right now (man-in-the-middle attack)! It is also possible that the host key has just been changed. The fingerprints for the key sent by the remote host are: babble <bubble babble>, MD5 <md5>. Offending key is <keyname>. Please contact your system administrator.
<bubble babble>: the bubble babble fingerprint of the remote host's public key.
<MD5>: the MD5 fingerprint of the remote host's public key.
<keyname>: the name of the KNOWNHOST object holding the remote host's public key.
Cause: The remote host's public key does not match the key stored in the KNOWNHOST object for this IP address and port number. This can happen if the remote SSH daemon has changed its public key. It can also be caused by a man-in-the-middle attack.
Effect: The client process terminates.
Recovery: You should ensure that the error is caused by a legitimate change of the remote host's key. If the error is not caused by eavesdropping, you should update the KNOWNHOST referring to the remote host. This can be done as follows: (a) Obtain the remote host's new public key or public key fingerprint and update the releva
514. s set. For non-interactive shells the default scripts do not get executed and the PATH is not defined. For this purpose SHELL-ENVIRONMENT needs to be set via SSHCOM command: ALTER USER xyz, SHELL-ENVIRONMENT /home/xyz/myPATH

In this example the script /home/xyz/myPATH contains: export PATH=$PATH:/usr/bin

The third step is to create an executable shell script (/usr/bin/test-script, for example):
echo Entering $0
echo Parameters: >$*<
echo SSH_ORIGINAL_COMMAND: $SSH_ORIGINAL_COMMAND
echo Leaving $0

Now the actual test is executed by starting an ssh client:
C:\WINDOWS> ssh -oPort=15022 xyz@10.0.0.194 test-script /home/xyz/repo1
xyz@10.0.0.194's password:
Entering test-script
Parameters: >/home/xyz/repo1<
SSH_ORIGINAL_COMMAND: test-script /home/xyz/repo1
Leaving test-script

SYSTEM-USER
This attribute defines the Guardian user name to which the <user name> is mapped. If this attribute is omitted, it is assumed that <user name> is a valid user on the system. If NONE is specified, the user is not mapped to a system user, causing all channel requests that require a valid system user (e.g. exec, subsystem SFTP) to be rejected. SYSTEM-USER NONE is useful to grant anonymous access to services which perform their own authentication, e.g. Pathway applications. When SYSTEM-USER NONE is used and CI-PROGRAM or SHELL-PROGRAM
515. s spaces, it must be enclosed in double quotes.
<host pattern>: One or more patterns used to match addresses or names of hosts. Wildcard characters * (any number of characters) and ? (one character) are allowed. The ! is supported for expressing negation.
<host ports>: Specifies a pair of host addresses or names and port ranges, separated by a colon. A port range can be either one port, one port range, or a list of port ranges (enclosed in brackets).

COMMENT
Enables users to enter free text to describe the entity or provide a short explanation of the intended use of the entity. All comment text must be enclosed in double quotes if the comment includes spaces. The content will not be used for any processing.

CONNECT-FROM
The attribute CONNECT-FROM restricts which host systems a user can connect from. Whenever an incoming connection for the user is accepted, the CONNECT-FROM restrictions are applied. The value can be one host pattern or a list of patterns used to match the address or name of the client system connecting to SSH2 on the NonStop server. The format of each pattern and the pattern matching done is the same as in OpenSSH for parameter "from". If a list is specified, it must be enclosed in parentheses. One pattern represents a host name or its IP address and can include wildcard characters matching any number of characters
516. sed. If a license file does not exist and an existing HOSTKEY or SSHCTL file is accessed, the parameter CUSTOMER must be set to the original value for the customer name.
• For new installations without license file that include a creation of a new SSHCTL and HOSTKEY, there is no reason to set the CUSTOMER parameter.
See also: HOSTKEY, SSHCTL

DAEMONMODEOWNERPOLICY
Defines security granularity for daemon mode USER records in the SSH2 database based on the OWNER field of the configured SSH user. Access to the daemon mode USER records in the SSH2 database will be granted in the same fashion as for PARTIALSSHCOMACCESSUSER/PARTIALSSHCOMACCESSGROUP, which is defined as partial access. Access granted due to settings of FULLSSHCOMACCESSUSER/FULLSSHCOMACCESSGROUP and PARTIALSSHCOMACCESSUSER/PARTIALSSHCOMACCESSGROUP parameters and Safeguard OBJECTTYPE USER record is independent of the OWNER field, i.e. partial/full access granted via PARTIALSSHCOMACCESSUSER/PARTIALSSHCOMACCESSGROUP and FULLSSHCOMACCESSUSER/FULLSSHCOMACCESSGROUP parameters and Safeguard OBJECTTYPE USER record is not affected by this policy.
Parameter Syntax: DAEMONMODEOWNERPOLICY LOGINNAME | GUARDIANNAME | BOTH | NONE
Arguments: LOGINNAME: The login name value (which can be a Guardian name or alias of the Guardian user that started the SSHCOM session) will be compared to the OWNER field value (Guardian
517. (STNCOM command reference index fragment; leader dots and page numbers dropped, unreadable entries omitted)
RESET SERVICE <service name>
SAVECFG <filename>
SECURELY <letter>
SHUTDOWN
SSH_DEFAULT_SVC <service name> | NONE
START SERVICE <service name>
START WINDOW <window name>
STATUS SERVICE <service name>
STATUS SESSION <session name>
STATUS WINDOW <window name>
STNCOM_PROMPT <text>
STOP SERVICE <service name>
STOP SESSION <session name>
STOP WINDOW <window name>
WELCOME_SEQ BEFORE | AFTER | BOTH
WIN_AVAIL ALWAYS | ...
518. service specified by SSH_DEFAULT_SVC is used.
STN74 Dynamic Service Session Limit Exceeded: The selected service included a LIMIT parameter and there are already <limit> sessions active. The session is terminated.
STN75 Service/window required by SSH user config not available: Service/window required by SSH configuration (FORCE) not available.
STN76 Authenticated <auth mechanism> client <client display name>: At session startup, this confirms the authentication mechanism and the user name.
STN81 Client IP address <n.n.n.n> port <nnn>: The TCP/IP address and port number of the remote client workstation, as reported by NonStop TCP/IP socketlib.
STN82 SSH external user <ext user>, Guardian system user <group.user>: The user names reported by SSH.
STN83 WSINFO User <users> IPaddr <n.n.n.n> Host <PC hostname>: For sessions when WSINFO is set to QUERY or REQUIRED, the information reported by the client workstation (6530 emulator) is displayed.
STN84 Cannot create new session, no dst available: For Type Dynamic and Pathway services, a dynamic window could not be created because the maximum number of dynamic windows (DYN_WIN_MAX) has been exceeded.
STN87 Too many services, <NN> additional services not displayed: STN02 only lists the first 200 service names.
STN94 Userid <group.user> provided by SSH not valid: SSH se
519. sfer is made in binary mode.
Parameter Syntax: RECORDDELIMITER LF | CR | CRLF | ANY
Arguments:
LF: End of Record is indicated by an LF (hexadecimal 0A, escape character \n).
CR: End of Record is indicated by a CR (hexadecimal 0D, escape character \r).
CRLF: End of Record is indicated by a CR followed by an LF (hexadecimal 0D0A, escape characters \r\n).
ANY: End of Record can be CR (0D), LF (0A) or CRLF (0D0A).
Considerations:
• In SSH2 versions before 0085 the default processing was ANY. If files transferred and directly stored in a structured NonStop file use other end-of-record delimiters, i.e. CR (0D) or CRLF (0D 0A), then the parameter RECORDDELIMITER must now be set with a value of ANY.
• The SFTP client on NonStop supports the command ASCII with additional options (see chapter SFTP Client Command Reference) allowing setting the accepted end-of-record delimiter: ASCII MAC corresponds to CR, ASCII DOS to CRLF and ASCII UNIX to LF. That is, for the SFTP client the setting of parameter RECORDDELIMITER is just the default setting, which can be overwritten using the SFTP client command ASCII.
• The characters LF and CR cannot occur inside the record data if the value of RECORDDELIMITER is ANY. The character LF (0A) is not allowed in the record data if the parameter is set to LF. The character CR (0D) is not allowed in the record data if the parameter is set to CR.
520. ...shows how the LOGLEVELFILE is changed to 70 using the SET command:
$SQAHPSSH.T0801ABK 29> run sshcom $ssh01
SSHCOM T0801H01_22JAN2014_ABK
2014-01-24 14:42:45.368
OPEN $ssh01
set loglevelfile 70
set loglevelfile 70
OK, LOGLEVELFILE set to 70
5. INFO SSH2
The INFO SSH2 command will display the startup configuration as well as the current settings of all parameters that can be changed using the SET command. The following screenshot shows the output of the INFO SSH2 command after changing the LOGLEVELFILE with the command shown above (example 2):
info ssh2
info ssh2
Startup configuration: file
<log configuration>
def  ALLOWEDAUTHENTICATIONS  <keyboard-interactive,password,publickey>
file ALLOWEDSUBSYSTEMS  <sftp,tacl>
def  ALLOWFROZENSYSTEMUSER  <FALSE>
def  ALLOWINFOSSH2  <ALL>
[Remainder of the INFO SSH2 screenshot, columns not recoverable: the parameter column continues with ALLOWPASSWORDSTORE, ALLOWTCPFORWARDING, AUDITCONSOLE, AUDITEMS, AUDITFILE, AUDITFILERETENTION, AUDITFORMAT, AUDITFORMATCONSOLE, AUDITFORMATEMS, AUDITFORMATFILE, AUDITMAXFILELENGTH, AUTOADDAUTHPRINCIPAL, AUTOADDSYSTEMUSERS, BACKUPCPU, ..., BURSTSUPPRESSION; the value column reads <TRUE> <TRUE> <> <> <$SQAHPSSH.T0801ABK.ZTC1LAUD> <10> <21> <0> <0> <21> <1000> <FALSE> <TRUE> <NONE> <> <FALSE>.]
521. ...siderations: Burst suppression CONSOLEBURSTSUPPRESSION is ignored if BURSTSUPPRESSION is set to TRUE. Burst suppression for log target file is enabled if either parameter BURSTSUPPRESSION or parameter CONSOLEBURSTSUPPRESSION is set to TRUE.
Default: If omitted, CONSOLEBURSTSUPPRESSION is set to FALSE.
Example: CONSOLEBURSTSUPPRESSION TRUE
See also: BURSTSUPPRESSION, BURSTSUPPRESSIONEXPIRATIONTIME, BURSTSUPPRESSIONMAXLOGLEVEL
CPUSET: This parameter allows configuring the default set of CPUs in which the SSH2 process starts non-SFTPSERV user processes.
Parameter Syntax: CPUSET <cpu set>
Arguments: <cpu set> A comma-separated list of CPU numbers or CPU number ranges defining the allowed CPUs.
Default: If omitted, SSH2 will start all non-SFTPSERV processes in the CPU the SSH2 process is running in, unless the USER record specifies a different CPU set for a specific user via attribute CPU-SET.
Example: CPUSET 2 4 6 9
Considerations:
• A value configured in USER attribute CPU-SET has higher priority than the value defined in the SSH2 parameter CPUSET.
• CPU restrictions for processes dynamically started by STN can be established using option CPU of the ADD SERVICE STNCOM command. Please refer to the STNCOM Commands section for further details.
See also: SFTPCPUSET
CUSTOMER: Use this parameter to set the customer name or overwrite the customer name in the license file. If
522. ...sessionId, user, remoteAddress, action, object, outcome, error
sessionId, user, remoteAddress, action, object, outcome, mode (file open mode: read if file exists or write if file does not exist)
sessionId: SESSION LOG ID; user: SSH username; remoteAddress: remote IP address; action: touch; object: file name; mode: file open mode (read if file exists or write if file does not exist); outcome: denied or failed; error: error detail
sessionId: SESSION LOG ID; user: SSH username; remoteAddress: remote IP address; action: touch; object: file name; outcome: denied or failed; mode: file open mode (read if file exists or write if file does not exist)
sessionId: SESSION LOG ID; user: SSH username; remoteAddress: remote IP address; action: read; object: file name; outcome: granted
sessionId: SESSION LOG ID; user: SSH username; remoteAddress: remote IP address; action: read (remote error) or write (local file, local error); object: file name; outcome: denied or failed; error: error detail
sessionId: SESSION LOG ID; user: SSH username; remoteAddress: remote IP address; action: read (remote error) or write (local file, local error); object: file name; outcome: denied or failed
523. ...specified using the normal Unix file name notation, such as /home/tb for a directory and /home/tb/myfile for a file.
• Files and directories under the Guardian file system can be specified in two ways:
  o Using the normal Guardian notation, such as $data1.tbhome for a subvolume or $data1.tbhome.myfile for a file. Subvolume changes can be specified using the normal syntax, such as cd $data1.tbhome or cd mysubvol. Note that a subvolume needs to be present in a cd command. See the note below regarding Guardian file name notation.
  o Using the Unix-style notation for Guardian files. For instance, to specify the fully qualified file name $data1.testvol.myfile you can use the notation /G/data1/testvol/myfile.
Note: Unlike with HP NonStop FTP, there is no explicit command (quote oss or quote guardian) to switch between the two notations. The Guardian file name notation is only allowed if parameter SFTPALLOWGUARDIANCD is set to true and if a cd /G command has first been issued to switch to the Guardian notation. The default for SFTPALLOWGUARDIANCD is false; for details please refer to the description in chapter SSH2 Parameter Reference.
Extended Syntax for Creation of New Guardian Files: By adding a comma and a list of options to a filename, the attributes for this file can be controlled in
• get commands executed on the NonStop system
• put commands executed on the remote system
The syntax for get and put command
524. ...splaying status data about the SSH2 process, sessions and channels, a set of STATUS commands exists in mode DAEMON.
• Status Commands
  o STATUS SSH2: displays SSH2 process status information
  o STATUS SESSION: displays SSH session information
  o STATUS CHANNEL: displays SSH channel information
  o STATUS OPENER: displays information about processes that have opened the SSH2 process
STATUS SSH2: Status information about the SSH2 process will be displayed. The command has the following syntax:
STATUS SSH2 DETAIL WIDTH <width> RECURSIVE LOG ONLY SELECT <attr> <attr>
The individual command options have the following meaning and syntax:
DETAIL: If the DETAIL flag is set, detailed information is displayed.
WIDTH: The number <width> is the maximum number of characters per output line. If WIDTH is not specified, the default value 80 is assumed. In order to avoid a new line when the terminal is configured with line wrapping on, the line will only be filled with one character less than the specified width.
RECURSIVE: This attribute controls if the sessions, channels and openers are displayed as well. A hierarchy is assumed with SSH2 at the top, sessions below and channels below sessions. Openers are displayed below SSH2 as well when RECURSIVE is specified.
LOG ONLY: Normally the output of the STATUS command will be displaye
525. ...ss than the specified width.
RECURSIVE: This attribute controls if the channels related to a specific session are displayed after each session. A hierarchy is assumed with SSH2 at the top, sessions below and channels below sessions. Openers are below SSH2.
LOG ONLY: Normally the output of the STATUS command will be displayed at the terminal the SSHCOM was started from. With the LOG ONLY flag set, the output will be written to the log file if logging to a file is enabled.
SELECT: The SELECT option allows defining a specific set of attributes that will be displayed instead of the default attribute set (there are two default sets, one for detailed output and one for non-detailed output). An attribute name specified for <attr> must be one of the names displayed in the detailed status output.
WHERE: The WHERE option can be used to filter sessions. Only those sessions that fulfill all listed filter conditions <attr filter> will be displayed. Each attribute filter must have the following format (the space characters surrounding the <operator> field are mandatory):
<attr> <operator> <value>
For information about <attr> please see under option SELECT. The following operators are supported for <operator>: <> for not equal, <, <=, >= and >. The value in <value> can be either a string, quoted string or number.
FILTE
526. ...ssions, TERMTYPE has been established and the STN is waiting for line mode. This state usually lasts for less than a second.
• MENU_NEEDED: TERMTYPE has been established and, for TN6530, line mode has been established. This state is usually immediately replaced by MENU.
• RESIL_RECON: A resilient window has been reconnected to a new session. This state is usually immediately replaced by CONNECTED.
• MENU: STN is waiting for a service name or window name from the remote SSH 6530 client, usually after displaying a menu of service names.
• ABORTED: The session has been aborted but is being left up for a short time to allow the user at the remote SSH 6530 client to notice and read error messages that describe the reason for session termination.
• RSCMGR_BUSY: For dynamic sessions, all resource managers are presently busy with other new dynamic session requests.
• DYN_PROC_LAUNCH: For dynamic sessions, the associated process is being launched.
• DYN_PROC_OPEN_TO: For dynamic sessions, the associated process is being opened to write the startup message.
• DYN_PROC_SUMSG: For dynamic sessions, the startup message is being written to the associated process.
• DYN_PROC_OPEN_FROM: For dynamic sessions, the associated process has been launched and has received the startup message but has not yet opened the STN window.
• CONNECTED: The session is connected to a window. If a service is associated with the session, its name is displayed.
• PTY
527. ...ssions with MENU and an SSH Guardian system user in group.user format that do not match SERVICE USER are now terminated with this message.
STN94 Userid <alias> provided by SSH not valid: SSH sessions with MENU and an SSH Guardian system user in alias format that matches SERVICE USER, but the STN object does not have PRIV-LOGON set via the Safecom command ADD DISKFILE STN, PRIV-LOGON ON.
STN Application I/O Handling
Standard SETMODE Functions:
6 line spacing
7 automatic LF
8 block mode / conversational mode
9 interrupt character definitions
11 break owner
12 break mode
14 interrupt character enable/disable
20 echo
22 set/retrieve baud rate (only used to retrieve values detected by setmode 204)
23 character size (always in 8-bit mode)
28 initialize all setmodes to default values except block mode, then apply any SCRIPT associated with the window
144 set ignored; retrieve always returns hex 8200 0900
258 full duplex
Extended SETMODE Functions (unique to STN):
201 Only used with special terminals. Enable timing mark flow control. P1 = 0 (default) disables the feature; 0 < P1 < 10000 specifies the number of bytes to send before sending IAC DO TM and waiting for a response. P2 is a timeout in seconds (range 1 to 3600, default 3600); if no response is received to IAC DO TM, output proceeds after the timeout.
202 Only used with special terminals. Enabl
528. ... 56
ALLOWTCPFORWARDING 57
AUDITCONSOLE 57
AUDITEMS 58
AUDITFILE 58
AUDITFILERETENTION 59
AUDITFORMAT 59
AUDITFORMATCONSOLE 60
AUDITFORMATEMS 61
AUDITFORMATFILE 61
AUDITMAXFILELENGTH 62
AUTOADDAUTHPRINCIPAL 62
AUTOADDSYSTEMUSERS 63
AUTOADDSYSTEMUSERSLIKE 64
BACKUPCPU 64
BANNERS 65
BURSTSUPPRESSION 65
BURSTSUPPRESSIONEXPIRATIONTIME 66
BURSTSUPPRESSIONMAXLOGLEVEL 66
CACHEBURSTSUPPRESSION 67
CIPCOMPATERROR 68
CIPHERS 68
CLIENTALLOWEDAUTHENTICATIONS 69
CLIENTMODEOWNERPOLI
529. ...sswords 242
Public Key Authentication 242
Introduction to Public Key Authentication Terminology 242
Public Key Authentication and SSH 242
Assuring Host Authenticity 243
Client logon 243
STN Reference 245
Introduction 245
Running STN as Pseudo TTY Server for SSH2 245
Starting STN from TACL 245
Running STN as Persistent Process 248
STNCOM 248
Comment 249
STNCOM Commands 250
ABEND 250
ABORT SERVICE 250
ABORT SESSION 250
ABORT WINDOW 250
ADD IPRANGE
530. ...stallation on the NonStop Server
Notes: For SSH2 as part of HP NonStop SSH, the installation procedures are different and the steps outlined in sections Installing the SSH Components on the NonStop System and Quick-starting the SSH2 System should be skipped. HP NonStop SSH will be pre-installed with your H-series RVU, J-series RVU or G-series RVU G06.32 or later. This enables SSH connectivity on the default TCP/IP stacks. Please refer to the SOFTDOC and support notes for details on enabling SSH on additional TCP/IP stacks. For G-Series prior to G06.32, perform the standard independent product installation procedure and refer to the README file for post-installation instructions. Both for H-Series and G-Series, the installation subvolume of HP NonStop SSH is $SYSTEM.ZSSH and the processes are managed through the SCF Kernel manager $ZZKRN. As of H06.22/J06.11 (SPR T0801AAS), a configuration file named SSHMCFG has been added for exclusive use by the SSH2 processes $ZSSP0 and $ZSSP1 configured for the maintenance LANs. SSHMCFG has entries specifying a dedicated database SSHMDB, a dedicated host key file HOSTKEYM and log file SSHMLOG. The original SSHCFG file can now be used for SSH2 processes configured for non-maintenance LANs, but keep in mind that this file will be overwritten with the installation of a new RVU. A backup should be kept in case changes have been made. Note that if for some reason the installation subvolume i
531. ...starts subsystem tacl if tacl is an allowed subsystem. But now it is possible to specify a new command ci instead of tacl on the SSH client command line, with options -c <cmd> and -p <program> <cmd>, with the same meaning as the tacl -p and -c options. The processing of EXEC ci is as follows if ALLOW-CI is set to YES:
• Command on ssh client command line is ci: The value of USER attribute CI-PROGRAM is started as command interpreter (default $SYSTEM.SYSTEM.TACL). If additionally CI-COMMAND is configured, then this command is executed. If no command is specified and tacl is not an allowed subsystem, the request will be rejected.
• Command on ssh client command line is ci -c <cmd>: The value of USER attribute CI-PROGRAM is started as command interpreter (default $SYSTEM.SYSTEM.TACL) and the command <cmd> is executed by the command interpreter, unless CI-COMMAND is configured. In this case the command <cmd> is ignored (but available via PARAM SSH-ORIGINAL-COMMAND) and the command configured under user attribute CI-COMMAND is executed.
• Command on ssh client command line is ci -p <program> <cmd>: The command interpreter program <program> is started (default subvolume if not specified is $SYSTEM.SYSTEM) and if <cmd> is specified then this command is executed. If no <cmd> is specified, then the user will get the prompt of the command interpreter and can enter
532. ...<str1>, chdir failed with error <int1>: <str1> Initial SFTP directory as configured for an SSH user; <int1> Error number
10 could not lock user into SFTP-INITIAL-DIRECTORY <str1>, chroot failed with error <int1>: <str1> Initial SFTP directory as configured for an SSH user; <int1> Error number
10 Value <str1> for RECORDDELIMITER not acceptable: <str2>: <str1> End-of-record indicator; <str2> Error description
10 Value <int1> for SFTPEDITLINESTARTDECIMALINCR not in allowed range: <int1> Value configured for parameter SFTPEDITLINESTARTDECIMALINCR
10 Value <int1> for SFTPEDITLINENUMBERDECIMALINCR not in allowed range: <int1> Value configured for parameter SFTPEDITLINENUMBERDECIMALINCR
10 Functionality is restricted to HP internal usage
10 Please contact License Manager (hp.com) for a full license
10 No valid license found, functionality is restricted to HP internal usage
10 Could not listen on interface <str1>, port <int1>: <str2>: <str1> Interface the SSH2 process listens on; <int1> Port; <str2> Exception text
10 Retrying to listen in <int1> second<str1>: <int1> Retry listen time in seconds; <str1> Plural "s"
10 Exception occurred: <str1>: <str1> Exception text
10 Retrying to listen
10 <str1> Failure during decoding of Kerberos5 OID received in <str2> authent
533. ...succeeded or failed; if no message is displayed, it should be assumed that the command could not be parsed successfully. It is possible to add comments in IN files, OBEY files and at the interactive prompt. Any text following an exclamation mark is considered as comment text. A comment line is continued on the next line if the last character is an ampersand.
Note: A single exclamation mark alone entered at the SSHCOM terminal prompt means "repeat last command unchanged", while a single exclamation mark in an IN or OBEY file is treated as a comment line.
Startup Values for the MODE and ASSUME USER Commands: When being started from TACL, SSHCOM applies some heuristics to set the startup values for the MODE and ASSUME USER commands. The ASSUME USER command is described later in subsection Client Mode Commands Introduction. It will determine the startup values as follows:
• If SSHCOM is started by the Guardian user SUPER.SUPER, it will set DAEMON mode and assume the user SUPER.SUPER.
• For any other user, CLIENT mode will be set and that user will be assumed.
Security within SSHCOM: SSHCOM implements security by checking the user who has started SSHCOM from TACL. The following commands are considered sensitive and can only be executed by users or groups who are explicitly given full SSHCOM access:
• Exporting any private key with the EXPORT KEY PRIVATE command. This means that the private key of the user (for instance COMF.MH) can onl
534. ...support has been replaced with ARC4 support from OpenSSL. Blowfish is now external, in the OpenSSL library.
The licence continues:
"Note that any information and cryptographic algorithms used in this software are publicly available on the Internet and at any major bookstore, scientific library, and patent office worldwide. More information can be found e.g. at http://www.cs.hut.fi/crypto. The legal status of this program is some combination of all these permissions and restrictions. Use only at your own responsibility. You will be responsible for any legal consequences yourself; I am not making any claims whether possessing or using this is legal or not in your country, and I am not taking any responsibility on your behalf.
NO WARRANTY
BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED
535. ...system id, system type and the date when the order for the software was placed.
SSH2 License and Version Information: The SSH2 release provides a TACL macro that retrieves license and version information. After changing the current subvolume to a subvolume containing an SSH2 installation, the macro is started using the RUN command, e.g.:
VOLUME $SYSTEM.ZSSH
RUN SSH2INFO
The SSH2INFO macro will display the content of the license file if found. First the default subvolume will be checked when looking for the license file, then the standard installation subvolume $SYSTEM.ZSSH. Then the macro lists the vproc information of the files SSH2, SFTPSERV, SFTP, SFTPOSS, SSH, SSHOSS, SSHCOM, SCPOSS, STN and SHOWLOG. For the objects SFTP, SSH, SSHCOM and SHOWLOG the macro checks the default subvolume first, then subvolume $SYSTEM.SYSnn and finally $SYSTEM.ZSSH. The vproc information of all objects found is retrieved, but only the vproc of the first object found is displayed. These objects are expected to reside in subvolume $SYSTEM.SYSnn after the standard HP installation process. For the other objects, namely SSH2, SFTPSERV, SFTPOSS, SSHOSS, SCPOSS and STN, the SSH2INFO macro checks the default subvolume first, then subvolume $SYSTEM.ZSSH and finally $SYSTEM.SYSnn. The vproc information of all objects found is retrieved, but only the vproc of the first object found is displayed. These objects ar
536. ...t <str1>: Session Name; <str2>: Protocol; <str3>: Normalized originator host address and port; <str4>: Normalized target host address and port; <str5>: Reason
<str1> remote <str2> forwarding request o.k., server listens on <str3>, forwarding to <str4>: <str1> Session Name; <str2> Protocol; <str3> Remote address and port; <str4> Normalized target host address and port
<str1> remote <str2> forwarding canceled, server listen on <str3> terminated: <str1> Session Name; <str2> Protocol; <str3> Remote address and port
<str1> forwarding request o.k., listening on <str2>: <str1> Session Name; <str2> Normalized address and port to bind
<str1> cancel forwarding request, listening on <str2> terminated, <str3>:
LOG LEVEL | EVENT TEXT | Description | Variable Parts
<str1> Session Name; <str2> Normalized address and port to bind; <str3> Reason
50 <str1> forwarding <str2> connection from <str3> to <str4>: <str1> Session Name; <str2> Protocol; <str3> Normalized originator host address and port; <str4> Normalized target host address and port
50 <str1> forwarding <str2> connection from <str3> accepted on <str4> to remote: <str1> Session
537. ...t (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland. All rights reserved. As far as I am concerned, the code I have written for this software can be used freely for any purpose. Any derived versions of this software must be clearly marked as such, and if the derived work is incompatible with the protocol description in the RFC file, it must be called by a name other than "ssh" or "Secure Shell".
Tatu continues: "However, I am not implying to give any licenses to any patents or copyrights held by third parties, and the software includes parts that are not under my direct control. As far as I know, all included source code is used in accordance with the relevant license agreements and can be used freely for any purpose (the GNU license being the most restrictive); see below for details."
However, none of that term is relevant at this point in time. All of these restrictively licenced software components which he talks about have been removed from OpenSSH, i.e.:
RSA is no longer included, found in the OpenSSL library
IDEA is no longer included, its use is deprecated
DES is now external, in the OpenSSL library
GMP is no longer used, and instead we call BN code from OpenSSL
Zlib is now external, in a library
The make-ssh-known-hosts script is no longer included
TSS has been removed
MD5 is now external, in the OpenSSL library
RC4
538. ...t Using a Remote SSH Client: You can also directly establish a connection to a TACL process without involving any OSS functionality. Direct TACL access is provided by SSH2 as an SSH2 subsystem. You may connect to the TACL subsystem by starting the remote SSH client with the -s option and tacl as subsystem name. Like with an ordinary shell session, you have to specify the Guardian userid and the IP address or host name where SSH2 is listening as parameters for the ssh command:
horst@dev02> ssh -s comf.mh@10.0.0.199 tacl
comf.mh@10.0.0.199's password:
TACL (T9205D46 - 19OCT2004), Operating System G06, Release G06.25.00
(C) 1985 Tandem (C) 2004 Hewlett Packard Development Company, L.P.
CPU 1, process has no backup
February 10, 2006 13:09:41
Invoking $SYSTEM.SYSTEM.TACLLOCL
Invoking $DATA1.MHHOME.TACLCSTM
Current volume is $DATA1.MHHOME
1>
Note: Standard SSH clients will only support line mode interaction. You will not be able to invoke any block mode applications or applications that use advanced 6530 terminal features unless using an SSH client supporting 6530 terminal sessions over SSH, such as comForte's MR-Win6530.
Secure Shell Access from NonStop to Remote Systems
Note: This functionality will not be available with the SecurFTP/SSH and SecurTN products. SSH2 includes two SSH clients which allow the creation of secure shell sessions with a remote SSH daemon:
• SSHOSS is the OSS version of the S
539. ...t command is executed by an sftp client on the NonStop server, then the parameter must be set in the environment of the sftp client: as PARAM for SFTP running in the Guardian environment, or as environment variable for SFTPOSS running in the OSS environment.
Default: If omitted, value SHARED will be used, which was the value used prior to adding parameter SFTPEXCLUSIONMODEREAD.
Example: SFTPEXCLUSIONMODEREAD EXCLUSIVE
SFTPIDLETIMEOUT: Use this parameter to control how long SFTPSERV keeps running without any SFTP protocol traffic before terminating itself.
Parameter Syntax: SFTPIDLETIMEOUT <seconds>
Arguments: <seconds> The time in seconds the SFTPSERV waits after the last SFTP command before it stops serving the client.
Considerations:
• The SFTP client will not be able to issue further SFTP commands.
Default: If omitted, there is no SFTP idle timeout. The SFTPSERV will be running until the SFTP client ends the session.
Example: SFTPIDLETIMEOUT 180
SFTPMAXEXTENTS: Use this parameter to specify the MAXEXTENTS value for files that are created on the NonStop system.
Parameter Syntax: SFTPMAXEXTENTS <maxextents>
Arguments: <maxextents> Specifies the value to be used.
Considerations:
• The value can be overridden in put and get commands using the extended syntax described in the SFTP Client Reference chapter, in the section entitled Extend
540. ...t could be misinterpreted as part of the address. 2001:0db8:1319:0:0:7344:4567 is a valid IPv6 address. The representation for the unspecified address in IPv4 is 0.0.0.0. The unspecified address in IPv6 (a sequence of zero groups) can be represented as :: or 0::0; other forms are valid as well. The SSH2 process usually uses 0::0 as representation of the unspecified IPv6 address but accepts any other representation as well. All the listed variants of IPv6 address representation are supported by SSH2.
Usage of IPv6 Addresses: Representations of IPv6 addresses are used for restricting the listening (see SSH2 parameter INTERFACE) and for defining the local IP address when outgoing connections are established (SSH2 parameter INTERFACEOUT, ssh/sftp client option -oBindAddress). Also, IPv6 address representations can be used instead of host names mapping to IPv6 addresses when specifying the target host for the ssh and sftp clients. In addition, IPv6 addresses are used in all places where only IPv4 addresses could occur in pre-0092 releases (square brackets may be needed for IPv6 addresses if required). This not only includes database entries, SSHCOM commands and output of SSHCOM commands, but log messages and audit messages as well.
Database entities that can hold IPv6 addresses:
Entity USER, fields:
• LAST-IP-ADDRESS
• CI-PROGRAM (e.g. when configured with TELNET <ip address> <port>)
541. ...t <status>, Cumulative sessions <a>, WINDOWs: Configured <b>, In session <c>, Available <d>
<status>: STARTED or STOPPED
<a>: Total number of sessions ever connected to this service
<b>: Number of windows presently configured for this service
<c>: Number of currently open sessions for this service
<d>: For static services, the number of windows with application opens ready for new sessions
STATUS SESSION <session name>: STATUS SESSION shows all active sessions, even those that have not yet been attached to a window. The output format for sessions created via SSH is as follows:
<window> <state> <terminal info> <age>
<window>: The window name associated with this session. During session startup this can refer to a dynamic window that has not yet been created. For static windows this name will be changed to the static window name.
<terminal info>: TT: Terminal Type, for instance TN6530-8; M: Mode, for instance 6530 Line
<age>: The age of the session in seconds
<state>: Tracks the progress of a new session:
• NEGOT: Telnet IAC negotiations are in process with an SSH 6530 client.
• NEGOT_LM: For TN6530 sessions, line mode has been established and the STN is waiting for TERMTYPE. This state usually lasts for less than a second.
• NEGOT_TT: For TN6530 se
542. ...<str1> <str2> request rejected, shell access not licensed: <str1> Session Name; <str2> Request type
20 <str1> <str2> request rejected, shell access denied: <str1> Session Name; <str2> Request type
20 <str1> <str2> request rejected, configured system user unknown: <str1> Session Name; <str2> Request type
20 <str1> <str2> process initialisation failed, could not chdir or chroot to user's SFTP-INITIAL-DIRECTORY, error <int1>: <str1> Session Name; <str2> Program; <int1> Error detail
20 <str1> <str2> process initialisation failed, error <int1> during startup procedure: <str1> Session Name; <str2> Program; <int1> Error detail
20 <str1> could not launch program <str2>, error <int1>, detail <int2>: <str1> Session Name; <str2> Program; <int1> Error; <int2> Error detail
20 <str1> could not spawn program <str2>, error <int1>: <str1> Session Name; <str2> Program name of spawned process; <int1> Error
20 <str1> pty request denied, pseudo terminal access not licensed (authentication dummy pty <str2>): <str1> Session Name; <str2> Pseudo terminal name used for authentication
20 <str1> pty request denied, pseudo terminal access not licensed: <str1> Session Name
20 <str1> pt
543. ...t time>: Connection to a resilient service where an existing window from a previous session has been reconnected to the current session.
STN70 application <pname|pid|cpu,pin> <program filename>: When reconnecting to a resilient window, one line is displayed (up to 12 lines) for each process which had the window open. For Guardian processes the program object file name and pname or cpu,pin is edited; for Posix processes the pid is displayed in hex.
STN70 Additional openers not listed: When reconnecting to a resilient window, one line is displayed (up to 12 lines) for each process which had the window open. For Guardian processes the program object file name and pname or cpu,pin is listed; for Posix processes the pid is displayed in hex. This message is displayed if there were more than 12 processes and the remainder had been discarded.
STN70 no application active on this window: When reconnecting to a resilient window, no application programs were open. The window is effectively unusable.
STN71 Userid not allowed for this service: The selected service included a USER parameter and the userid entered at the keyboard (or automatically supplied) does not match. The session is terminated.
STN72 Using userid from SSH: SYSTEM USER is being used instead of the STN15/STN16 prompt.
STN73 Using SSH_Default_Svc: CI-PROGRAM MENU without anything following MENU, and the
544. t to user's SFTP-INITIAL-DIRECTORY, error <error number>. <error number>: Is the error number that was raised by the chdir or chroot operation. Cause: Chdir or chroot failed when setting the user's SFTP-INITIAL-DIRECTORY. A possible reason is that the directory does not exist. Effect: The channel request for the SFTP subsystem is rejected. Recovery: Check the setting of SFTP-INITIAL-DIRECTORY for the relevant user. <session id>: could not launch program <program name>, error <error number>, detail <detail error number>. <program name>: Is the name of the program file that SSH2 tried to start. <error number>: Is the error number that was raised by the PROCESSCREATE function. <error number detail>: Is the detail error number that was raised by the PROCESSCREATE function. Cause: PROCESSCREATE failed with an error. Effect: The channel request (e.g. subsystem SFTP) fails which the process (e.g. SFTPSERV) should be created for. Recovery: Check the NonStop server documentation for PROCESSCREATE error descriptions. If SFTPSERV could not be started, make sure the program is located in the same directory as SSH2. <session id>: SFTPSERV process initialisation failed, error <error number> during startup procedure. <error number>: Is the error number that was raised during the initialization of the SFTPSERV process
545. t to IPv6 or DUAL. The default for this parameter is value IPV4, i.e. the SSH2 process does not automatically switch to IPv6. This is done because errors would occur when an SSH2 process starts in IPMODE IPv6 or DUAL against a TCP/IP process not supporting IPv6: the object the TCP/IP process is running may not support IPv6 at all ($SYSTEM.SYSnn.TCPIP), or the object may principally support IPv6 but is not configured for IPv6. As listed in section Usage of IPv6 Addresses, various SSH database records can contain IPv6 addresses. These fields are updated either when sessions are established (USER field LAST IP ADDRESS, name field of KNOWNHOST and PASSWORD entity, ADDRESSES field of KNOWNHOST record) or when the entities are modified via SSHCOM commands (USER field CI-PROGRAM when configured with TELNET <ip address> <port>, and RESTRICTION-PROFILE attributes). It is recommended to make a copy of each RESTRICTION-PROFILE record before adding any IPv6 address patterns to any of the RESTRICTION-PROFILE records. This can easily be done using the SSHCOM command ADD RESTRICTION-PROFILE with the LIKE option, e.g. ADD RESTRICTION-PROFILE ABC_copy LIKE ABC. This step allows a simple way of backing out the IPv6 related changes in case that is needed. When multiple SSH2 processes access the same SSH database, then all SSH2 processes should run the same SSH2 object, i.e. either one that supports IPv6 or one that doesn't. Reverting Back to Pre
546. t to home terminal. <filename>: If a disc file that does not exist, it is created as file code 101 (unstructured) and is written as an edit (101) file. If an existing unstructured disc file with code 101, it is erased and written as an edit (101) file. If an existing disc file that is not unstructured or not code 101, or a non-disc file, then the file is opened and sent lines of output. PROMPT <text>: This command redefines the prompt sent to the terminal for new command input. <text> may contain any displayable character except quote and may be 1 to 64 characters long. Certain embedded commands (case independent) in <text> are replaced as follows: • P: the target process name • X: the target expand node name • T: target system LCT time in format HH:MM • D: target system LCT date in format yyyy-mm-dd. Example:
PROMPT X P D T STN>
\DEV $STN2 2010-08-06 23:59 STN> PROMPT ST P>
23:59 $STN2>
The default setting is PROMPT. The PROMPT command remains in effect until SSHCOM terminates. RESOLVE HOST NAME: This command can be used to test the TCP/IP host name resolving. It has the following syntax: RESOLVE HOST NAME <host name>. The value for <host name> must be a name known to a DNS server or configured in a HOSTS file. Output will look like: OK host name hostv4 resolved to 10.20.0.210, or for
547. tasks or implement additional security measures. SSH2 will retain commands given in the user's exec request in the SSH_ORIGINAL_COMMAND environment variable to allow a shell script to analyze and/or execute the original command. SHELL-ENVIRONMENT: The full OSS file name of a shell script preparing the shell environment for non-login shells, which are started without executing /etc/profile or .profile. The value will be used to set environment variable ENV (see the man pages of ksh for information on how the shell processes ENV). The attribute value (shell script) can contain absolute paths but also pre-defined values like $HOME or. Default for this parameter: empty string, i.e. no shell script will be executed that prepares the user environment for non-login shells, which do not execute the standard login scripts. This is relevant for an SCP configuration, where the SCP program must be in a directory that is listed in environment variable PATH for file transfers using SCP to work. SHELL-PROGRAM: This attribute specifies the path to the shell program to be used to start a shell or execute a command. Specify DEFAULT or SHELL-PROGRAM without argument to make SSH2 use the default initial program configured for the assigned SYSTEM-USER (e.g. by the INITIAL-PROGRAM attribute of a SAFEGUARD user). If MENU is specified, the non-6530 session will be connected to a service menu p
548. tch the public key stored for the KNOWNHOST in SSHCTL. Important note: THIS COULD BE CAUSED BY a man-in-the-middle attack. Effect: The client access to the host is denied. The client connection fails. Recovery: Check if the identity of the target host has really been changed. If access to the host is desired, use the SSHCOM ALTER KNOWNHOST command to alter the public key of the host. <session id>: client access to unknown host at <host>:<port> denied. Cause: The public key of the host the SSH client (e.g. SFTP) tried to access does not match the public key stored for the KNOWNHOST in SSHCTL. Important note: THIS COULD BE CAUSED BY a man-in-the-middle attack. Effect: The client access to the host is denied. The client connection fails. Recovery: Check if the identity of the target host has really been changed. If access to the host is desired, use the SSHCOM ALTER KNOWNHOST command to alter the public key of the host. <session id>: exception during host verification: <error detail>. <error detail>: Is a description of the error condition. Cause: An unexpected error occurred during the verification of the host the SSH client (e.g. SFTP) connected to. For example, this could be caused by a problem with accessing the SSHCTL database. Effect: The client access to the host is denied. The client connection fails. Recovery: Any corrective action depends on <error detail>. <session id>
549. te the standard login scripts. This is relevant for an SCP configuration, where the SCP program must be in a directory that is listed in environment variable PATH for file transfers using SCP to work. SHELL-PROGRAM: This attribute specifies the path to the shell program that is to be used to start a shell or execute a command. Specify DEFAULT or SHELL-PROGRAM without argument to make SSH2 use the default initial program configured for the assigned SYSTEM-USER (e.g. by the INITIAL-PROGRAM attribute of a SAFEGUARD user). If MENU is specified, the non-6530 session will be connected to a service menu provided by the STN PTYSERVER. This resembles the functionality of TELSERV, providing dynamic services as well as services connecting to static windows. The services offered by the STN PTYSERVER process can be configured using STNCOM. If MENU is followed by a service or window name, the corresponding service or window is automatically selected. If the service or window does not exist, the STN menu will be displayed. If the option FORCE is appended, then the user is forced to use the pre-configured STN service or window. In this case the user will not see the STN menu even when the configured service or window does not exist. Example for setting up and invoking a non-login shell script (non-interactive) to execute in a ksh shell: A ksh shell will be started when the SSH client is invoked. The second step is to ensure that the PATH variable i
550. termination of the process. LISTOPENS: Displays one line for each OPEN of the application by another process. Example output lines:
1 G0O83I process term cpu,pin fnum userid programfile home backup
2 1 $TCP1 W742 1,47 fn 6 id 20,33 $SYSTEM.SYSTEM.PATHTCP TERM4 bak 2,52 fn 6
3 2 \CENTDIV 01,050 COMMAND COMMAND fn 3 id 255,255 $SYSTEM.SYSTEM.STNCOM $OSP
These three example output lines represent the following: 1: Title line. 2: Indicates OTX (open table index) 1; each opener has an entry in the open table. The named process $TCP1, cpu,pin 1,47, has opened the application with a terminal name of W742 as file number 6. $TCP1's process access ID is group,user 20,33. $TCP1's object program file name is $SYSTEM.SYSTEM.PATHTCP. $TCP1's home terminal is TERM4. $TCP1's backup process, cpu,pin 2,52, has checkopened the application with file number 6. 3: Indicates OTX (open table index) 2; each opener has an entry in the open table. The unnamed process running on node \CENTDIV with cpu,pin 1,50 has opened the application with terminal name COMMAND COMMAND as file number 3. The COMMAND COMMAND terminal name indicates a STNCOM requester. The program is running under group,user 255,255 (SUPER.SUPER) from object program file name $SYSTEM.SYSTEM.STNCOM with home terminal $OSP. Note: the LISTOPENS command can generate a very long response. MAX_OPENERS <n>
551. ters to indicate the end of a record (relevant for edit files and structured files), then the result of a file transfer will not be as expected. For details on these parameters please see the description in section SSH2 Parameter Reference in chapter Configuring and Running SSH2. The following table shows which parameter can be used in the client environment when sending or receiving files.
Parameter | Used when Sending | Used when Receiving | Dependency on SFTP Server
RECORDDELIMITER | Yes | Yes | Yes. The SFTP client prompt command ASCII can be used to achieve the same configuration.
SFTPEDITLINEMODE | Yes | No | Only relevant when files are written locally.
SFTPEDITLINENUMBERDECIMALINCR | Yes | No | Only relevant when files are written locally.
SFTPEDITLINESTARTDECIMALINCR | Yes | No | Only relevant when files are written locally.
SFTPENHANCEDERRORREPORTING | Yes | Yes | Details about the remote NonStop SFTP server depend on the SFTPENHANCEDERRORREPORTING setting for SSH2 on the remote NonStop system.
SFTPEXCLUSIONMODEREAD | Yes | No | Only relevant when files are read locally.
SFTPMAXEXTENTS | Yes | No | Only relevant when files are written locally.
SFTPPRIMARYEXTENTSIZE | Yes | No | Only relevant when files are written locally.
SFTPSECONDARYEXTENTSIZE | Yes | No | Only relevant when files are written locally.
SFTPUPSHIFTGUARDIANFILENAMES | No | Yes | No. Only relevant when files are written locally.
SSH Clie
552. the Guardian file system (see chapter SFTP Client Reference, section Specifying Filenames on the NonStop System). • The attributes of files created on the NonStop system can be specified using an extended syntax in the get or put commands (see chapter SFTP Client Reference, section Extended Syntax for Creation of New Guardian Files). Version 1.3: Describes changes in SSH2 release 0038. This release has the following new features: • An SFTP client to run under Guardian is supplied (see chapter SFTP Client Reference). • The new property SFTP-GUARDIAN-FILESET has been added to the USER property of the daemon mode database (see chapter SSHCOM Reference). • New commands FREEZE KEY, THAW KEY and EXPORT SSHCTL have been added to SSHCOM (see chapter SSHCOM Reference). Version 1.2a: • Some general improvements in layout have been implemented. • The heading structure has been slightly revised in various places. • Two parameters, ALLOWIP and DENYIP, have been deleted. Version 1.2: Describes changes in SSH2 release 0036. Starting with this release, SecurFTP also supports running as an SFTP client under OSS. Documenting this new capability resulted in changes throughout the manual. Version 1.1: Describes changes in SSH2 release 0025. • One user now can have multiple public keys (see SSHCOM). • New SSH2 configuration parameter COMPRESSION. • USERBASE and USERBASEAUDIT parameters have been renamed
553. the Guardian name. • A Guardian user can display, add and manipulate entries for the Guardian user. • Depending on the rules explained in the section about OBJECTTYPE USER records, a group manager can add, change or delete client mode records stored under a Guardian name. • A user with full access can add and manipulate all entries unless an OBJECTTYPE USER record says otherwise. Miscellaneous commands in SSHCOM: The following commands are independent of the mode set with the MODE command. MODE: As described earlier, the MODE command will work in both run modes of SSHCOM. If entered without specifying a mode, the command will show the current mode under which SSHCOM is operating:
$QAHPSSH T0801ABK 29> run sshcom $ssh01
SSHCOM T0801H01_22JAN2014_ABK (2014-01-24 14:42:45.368)
OPEN $ssh01
mode
Mode: current mode is CLIENT
x
The command has the following syntax: MODE CLIENT | DAEMON | SERVER. The individual attributes have the following meaning and syntax: CLIENT switches to CLIENT mode. DAEMON switches to DAEMON mode. SERVER is a synonym for DAEMON and therefore switches to DAEMON mode as well. SET: The SET command allows you to change some configuration parameters during runtime. Currently the following parameters are supported: Parameter | Meaning. AUDITCONSOLE | Determines whether audit messages are written to the co
554. the NonStop Server type to your NonStop system, alter the file code and run the installation program. 1. Using your favorite file transfer program, transfer the SSH installation archive (SSHINST 100 or SSHINST 800) in binary mode to your NonStop system. Copy the file to the subvolume on which you want to install the components. 2. Alter the installation archive file code. On G-series: FUP ALTER SSHINST, CODE 100. On H- and J-series: FUP ALTER SSHINST, CODE 800. 3. Extract the archive by issuing the following command: RUN SSHINST. The SSH program files will now be copied to the assigned subvolume. 4. For the Safeguard versions T9750G07^AFO, T9750H04^AFJ and later, set the PRIV-LOGON bit for objects SSH2, SFTPSERV and STN if not already executed by DSM/SCM, e.g. SAFECOM ADD DISKFILE $SYSTEM.ZSSH.SSH2, PRIV-LOGON ON; SAFECOM ADD DISKFILE $SYSTEM.ZSSH.SFTPSERV, PRIV-LOGON ON; SAFECOM ADD DISKFILE $SYSTEM.ZSSH.STN, PRIV-LOGON ON. Note: Macro SSH2INFO prints warning messages if the objects SSH2, SFTPSERV and STN do not have a Safeguard DISKFILE entry with PRIV-LOGON set to ON. The SSH2 process now also checks at startup if those objects have a Safeguard DISKFILE entry with PRIV-LOGON set to ON. If this is not the case, then a warning will be logged. Without PRIV-LOGON ON, the mentioned processes may not be able to impersonate other users correctly (needed after aut
555. the configuration file. Installation of SFTPAPI: SFTPAPI is a separately licensed module offering a programmatic interface to SFTP, similar to FTPAPI for FTP. In June 2011 HP started to offer the SFTPAPI product, which requires a special license. It enables users to easily convert existing FTP scripts and programs to switch over to SFTP. The minimum SPR supporting this feature is T0801^AAQ for H/J-series and T0801^AAT for G-series. The HP NonStop SFTP API Reference Manual (part number 659755-nnn) describes the API in detail. Support for it is built into the SFTP client, which must be placed together with the license into a dedicated subvolume. Currently it is not possible to use the SSH home subvolume $SYSTEM.ZSSH because of conflicts in the license naming and license checking. To simplify the installation process, starting with TCF T0801^AAY (H/J-series) and T0801^AAZ (G-series), the SFTP client will be distributed in $SYSTEM.SYSnn as before and in $SYSTEM.ZSFTPAPI. The user needs to place the SFTPAPI license (named LICENSE) into the $SYSTEM.ZSFTPAPI subvolume where the additional copy of the SFTP object is located. In the program that makes the FTP API calls, the variable FTPPGM pointing to the FTP client must be modified to point to the SFTP client $SYSTEM.ZSFTPAPI.SFTP. Quick Start and Guided Tour: This section offers a brief example illustrating how to start SSH2. In addition we will provide a guided tour that illustrates how to perform v
556. the default, disables the timeout. Sessions will not be terminated due to inactivity. INPUT_TIMEOUT <minutes> can specify a time in the range 3-14400 (3 minutes to 10 days). When the terminal is inactive for the specified length of time, the session is terminated. The timer is always reset by terminal input (keyboard activity). Note that for 6530 terminals, which usually operate in line mode or in full-screen block mode, simply typing a single character may not result in any transmission. To reset the timer it may be necessary to use ENTER or a 6530 function key. The timer can also be set by output activity from the application. If OUTPUT_RESET is set to Y, then application output will reset the timer the same as keyboard input. For example, an application that displays periodic output, like an EMS console, would never time out as long as it performed output at least once every INPUT_TIMEOUT minutes. If OUTPUT_RESET is set to N, then application output does not reset the timer and keyboard input is required before INPUT_TIMEOUT expires. If IDLE_WARNING is set to a non-zero value, then a warning message will be displayed once a minute when the terminal is idle and fewer than IDLE_WARNING minutes remain until INPUT_TIMEOUT expires. The following message appears: STN35 WARNING: Terminal will be disconnected if it stays idle. If terminal activity occurs after this warning, the timer
557. the following filenames: • SSH • SFTP. The programs are simply started from TACL using the RUN command. A typical command to establish an SSH session with a remote SSH daemon will look as follows:
$MH SSH 23> RUN ssh comf.mh@10.0.0.198 ls -l
SSH client version T9999H06_22Jan2014_comForte_SSH_0097
Server did not accept any of your private keys in the key store.
Trying password authentication.
Enter comf.mh@10.0.0.198's password:
Add password for comf.mh@10.0.0.198 to the password store (yes/no)? no
total 955646
-rw-r--r-- 1 COMF.MH COMF 1000 Jan 18 11:28 a1000
-rw-r--r-- 1 COMF.MH COMF 10000 Sep 22 2004 a10000
-rw-r--r-- 1 COMF.MH COMF 1000000 Sep 22 2004 a1000000
$MH SSH 24>
Example with IPv6 address:
$DATA1 TEST 23> run ssh comf.us@fe80::a00:8eff:fe00:d14e ls -l /G/us/temp
SSH client version T9999H06_22Jan2014_comForte_SSH_0097
GSSAPI authentication disabled.
You have no private keys in the key store.
Trying password authentication.
Enter comf.us@fe80::a00:8eff:fe00:d14e's password:
Add password for comf.us@fe80::a00:8eff:fe00:d14e 54022 to the password store (yes/no)? no
total 21933
-rwxr-xr-x L zi SUPER 38662 Apr 16 14:22 abc
-rwxr-xr-x L z SUPER 2222 Nov 23 2010 c
-rwxr-xr-x L E SUPER 11183778 Jan 20 09:24 crypto
-rwxr-xr-x L A SUPER 2286 Sep 30 2011 test
-rwxr-xr-x L SUPER 2284 Sep 30 2011 test1
$DATA1 TEST 24>
558. the name cannot be modified or removed using an SSH2 version without IPv6 support, but an SSH2 process that supports IPv6 started in ADMIN mode can be used to do that if required. A pre-IPv6 SSH2 process builds the key name of a PASSWORD entry using an IPv4 address and will therefore not find any entries containing IPv6 addresses; that is, no change is required when reverting to a pre-IPv6 SSH2 release. Such PASSWORD entries cannot be modified or deleted using an SSH2 release without IPv6 support. But again, an SSH2 process that supports IPv6 started in ADMIN mode can be used to do that if needed. Multiple IP Process / Multiple IP Address Considerations. Multiple IP Process Configuration: If the define =TCPIP^PROCESS^NAME is used to specify the TCP/IP process SSH2 should use, then it is not possible to configure multiple IP processes. Instead of this define it is required to use parameter SUBNET, and the define must be deleted from the TACL environment before starting the SSH2 process, as the define has precedence over parameter SUBNET. Parameter SUBNET can be a list of IP process names, e.g. $ZTC0, $ZTC1, $ZSAM1, $ZSAM2. Assuming that parameters INTERFACE and INTERFACEOUT are not set (defaulting to the ANY address), SSH2 will start a listener for each of the configured IP processes on the ANY address on the configured port. Such a configuration can be helpful to simplify the SS
559. the window name and option, and optionally a new block of names. This command always displays current information: • GWN File name (or blank) • Blocksize • Next window name • Last window name allocated (same as next if no GWN File) • Maximum window number. If ALLOC is specified, a new block of session names is allocated from GWN FILE. Since allocation is normally done automatically, ALLOC is intended for development use only. Any window names reserved by a previous GWN FILE allocation but not yet used are discarded. The next session will begin with the number just allocated. GWN Related EMS Events: EMS events are generated at GWN initialization, whenever allocations are made from GWN FILE, and whenever any errors occur. Refer to the section on EMS events. SCF and SPI: STN provides limited support for SCF and SPI. SCF may not be used to configure STN; all configuration and control is done using STNCOM. The subset of SPI commands used by NonStop ASAP is supported: INFO, STATUS, STATS PROC; INFO, STATUS, STATS, LISTOPENS WINDOW <window> (only a single window may be specified; all windows is not supported). Starting with B08, SPI INFO WIN returns an additional token ZSTN-TKN-SSH-PROC (1005, see ZSTNDDL) which contains the SSH process name for PTY sessions. STATS SERVICE <service> (only a single service may be specified; all services is
560. thentication. Only use LOGON NONE when the application performs its own logon authentication. PARAM <param text>: Default is no parameter string. Allows the specification of a parameter string corresponding to the TACL command RUN <program file name> /NAME $pname/ <param text>. <param text> is enclosed in double quotes; it may be up to 100 characters long and it may contain the following special characters: • Two consecutive double quotes represent a single double quote • W or w is replaced by the window name, e.g. $STN.#ZWN0001 • B or b is replaced with the backup CPU number, which is the buddy of the CPU finally used for the dynamic application (the buddy of an even-numbered CPU is the next higher odd-numbered CPU, and the buddy of an odd-numbered CPU is the next lower even-numbered CPU) • I or i is replaced with the IP address of the client workstation • S or s is replaced by the security string returned by SSH, or PLAIN if the session is not secure • G is replaced with a single @. IPRANGE <iprange name>: <iprange name> refers to the name of an IPRANGE (see ADD IPRANGE). Default: None. If no IPRANGE parameter is specified, then the service does not perform any checking on the IP address of the remote workstation attempting to connect to the service. If IPRANGE is defined for the service, then the IP address of the remote workstation must match
561. tication to work, SSH2 requires a Kerberos package to be installed and properly configured on the same NonStop server. The GSSAUTH server process, which is part of the Kerberos installation, must be running to allow SSH to interface with GSSAPI Kerberos functionality. On the remote side, an SSH client or daemon that supports Kerberos authentication via GSSAPI is required. Available options include comForte's MR-Win6530 or J6530 terminal emulator packages, CrystalPoint's OutsideView, Cail's CTT, SSH Tectia, OpenSSH, or a Kerberos-compliant version of PuTTY. Configuration of the GSSAPI Interface Process: To enable GSSAPI authentication, SSH2 must be configured to locate the GSS-API authentication interface process (GSSAUTH) of the Kerberos installation. This can be done by specifying the GSSAUTH parameter in the SSH2 startup configuration, for example: RUN SSH2 /NAME $SSH01/ ALL; GSSAUTH $GSS. Make sure that the GSSAUTH parameter specifies the same process name as that configured for the GSSAUTH process in your Kerberos installation. Enabling GSSAPI Authentication for a User Account: As with any other authentication method, GSSAPI authentication can be enabled or disabled on a per-user basis. The following SSHCOM command illustrates how GSSAPI authentication can be added to the list of allowed authentication methods for a user: > RUN SSHCOM $SSH01 SSHCOM T0801H01_2
562. ting <target port>: Is the port number the SSH client requested to forward the connection to. <error detail>: Describes the error that occurred. Cause: An error occurred when trying to forward a connection. Effect: The forwarding request fails. Recovery: Any corrective action depends on <error detail>. A typical error is a failure to connect to the target host and port. The SSH client may need to correct its port forwarding configuration. <session id>: listen request on <interface>:<port> denied. <interface>: Is the IP address of the local interface the SSH client tries to establish a listen for. <port>: Is the port number the SSH client tries to listen on. Cause: The SSH client tried to establish a remote port forwarding with the SSH2 server. However, this has been administratively prohibited, e.g. by setting the ALLOWTCPFORWARDING parameter to FALSE. Effect: The forwarding request is rejected. Recovery: If forwarding is desired, check the setting of ALLOWTCPFORWARDING. <session id>: remote forwarding request failed, server could not listen on <interface>:<port>: <error detail>. <interface>: Is the IP address of the local interface the SSH client tries to establish a listen for. <port>: Is the port number the SSH client tries to listen on. <error detail>: Describes the error that occurred. Cause: An error occurred when t
563. ting as SSH client, the public key of the remote host is configured by the KNOWNHOST entity of the user database. Client logon: The client can also use a key pair to authenticate against the server; in this case the server will use that information instead of a password supplied by the client. The SSH protocol supports authentication of the client through various means: • By providing a username and a password • By providing a username and a public key • By other means, such as Kerberos or X.509 certificates. When operating as a daemon, SSH2 currently supports the following authentication methods: • password (RFC 4252): The password sent by the client is verified against the SYSTEM-USER's password contained in the NonStop system user base. • publickey (RFC 4252) • keyboard-interactive (RFC 4256): The client is prompted for a password, which is verified against the SYSTEM-USER's password contained in the NonStop system user base. • gssapi-with-mic, gssapi-keyex (RFC 4462): These methods are used for Kerberos authentication. The same authentication methods are also supported when SSH2 is operating as a client. The following sections provide an overview of the publickey user authentication method. Publickey client logon when operating as daemon (KEYPAIR2): The public key of the client is configured in the user database with the PUBLICKEY FILE or PUBLICKEY FINGERPRINT p
564. tion 144; Enhanced EXEC Processing 144; Default configuration 144; Configuration with Subsystem TACL not Allowed 145; The SSH User Database 147; Overview of SSH Operation Modes 147; Database for Daemon Mode 148; Database for Client Mode 150; Creating and Accessing the Database 152; Exporting the Database 152; Copying the Database 152; SSHCOM Command Reference 153; SSHCOM Overview 153; Standard NonStop Commands and Features 154; Startup Values for the MODE and ASSUME USER Commands 155; Security within SSHCOM 155; Ownership and Management of Client Mode Entities 157; Miscellaneous commands in SSHCOM
565. tion zstn-evt-application-loop (value is 1018): <1> STN Application <2> is looping on window <3>. <2>: name of application; <3>: STN window name. • CAUSE: An application has repeatedly attempted to perform output to a terminated session (see STNCOM command REPLY_MAX_DELAY). The application process name and STN window name are displayed. This message is displayed once per session. • EFFECT: None. • RECOVERY: Review the application for proper error handling. zstn-evt-auditcoll-start (value is 1020): <1> AUDITCOLL started to collector <2>, version <3>. <2>: name of AUDITCOLL collector; <3>: STN version and release date. • CAUSE: STNCOM command AUDITCOLL was used to open an EMS collector. This event is written to the specified collector, not to the standard $0 EMS event collector. • EFFECT: Audit-type events will be written to the specified collector. • RECOVERY: None, informational only. zstn-evt-auditcoll-stop (value is 1021): <1> AUDITCOLL stopped. CAUSE: STNCOM command AUDITCOLL OFF was used. This event is written to the specified AUDITCOLL collector, not to the standard $0 EMS event collector. EFFECT: Events are no longer written to the audit collector. Normal EMS event processing to $0 continues. RECOVERY: None, informational only. zstn-evt-auditcoll-sslmiscerr (value is 1022): <1> AUDITCOLL sslmiscerr <2> <
566. tion for details. • If multiple SSH2 processes are started from the same subvolume but used for different purposes, then not only separate SSH database files (configured via SSHCTL) but also separate host key files (configured via HOSTKEY) should be configured. Example: SSH for maintenance and public network. Default: If omitted, SSH2 will use a file name of SSHCTL. Example: SSHCTL $SYSTEM.SSH2.USERDB1. See also: • CUSTOMER. SSHCTLAUDIT: Use this parameter to specify whether a newly created user database will be set up as an audited file. Parameter Syntax: SSHCTLAUDIT TRUE | FALSE. Arguments: TRUE | FALSE specifies whether a new user database file will be set up as an audited file. Following are the possible arguments: o TRUE: file will be created as audited file. o FALSE: file will not be created as audited file. Considerations: • See parameter SSHCTL for details about the user database. Default: If omitted, SSH2 will use a value of TRUE. Example: SSHCTLAUDIT FALSE. SSHKEEPALIVETIME: Use this parameter to control the frequency of SSH keepalive messages. Parameter Syntax: SSHKEEPALIVETIME seconds. Arguments: seconds defines the idle time in seconds after which an SSH_MSG_IGNORE message is sent to the remote client. A value of 0 disables sending SSH_MSG_IGNORE messages. Default: The default is 60 (1 minute). Considerations: • SSHKEEPALIVETIME control
567. tion of SSH USER records. If AUTOADDSYSTEMUSERS is FALSE, then the other two parameters will not be looked at, i.e. no SSH USER record is added automatically. If AUTOADDSYSTEMUSERS is TRUE and AUTOADDSYSTEMUSERSLIKE is not set, then parameter USETEMPLATESYSTEMUSER is not looked at. Assuming a client command like "ssh <ssh user>@host", the value of <ssh user> is taken as SYSTEM USER, and a system user <ssh user> must exist in order to successfully add the SSH USER entry automatically. All SSH USER attributes but the user name and SYSTEM USER are set to default values; the ALLOWED AUTHENTICATIONS attribute is taken from parameter ALLOWEDAUTHENTICATIONS if that is defined. If AUTOADDSYSTEMUSERS is TRUE and AUTOADDSYSTEMUSERSLIKE is set, then parameter USETEMPLATESYSTEMUSER is checked. If parameter USETEMPLATESYSTEMUSER is FALSE, then the value of <ssh user> is taken as SYSTEM USER, and a system user <ssh user> must exist in order to successfully add the SSH USER entry automatically; all USER attributes but the SSH USER name and the SYSTEM USER attribute are taken from the template user entry in this case. If parameter USETEMPLATESYSTEMUSER is TRUE, then all USER attributes but the SSH USER name are taken from the template user entry, i.e. including the SYSTEM USER attribute. Default: If omitted, AUTOADDSYSTEMUSERS is set to FALSE. Example:
568. to SSHCTL and SSHCTLAUDIT. The INFO USER command in SSHCOM now supports a brief and a DETAILED version of the command. Version 1.0: This is the first version of this documentation. Introduction. The SSH2 Solution: SSH2 is a set of programs delivered when the customer purchases one of the following products. HP NonStop SSH: HP NonStop SSH is a comprehensive enterprise Secure Shell solution for HP NonStop servers. In the fall of 2010 it became available from HP with the purchase of the NonStop Operating System Kernel for H-Series and J-Series NonStop platforms. For G-Series releases, HP NonStop SSH continues to be available from HP as an RVU for which a license is required to obtain full functionality. For details on licensing and availability, please contact your HP Sales representative. comForte SecurSH: SecurSH is identical with HP NonStop SSH. It includes a remote shell and SFTP client and a Shell server with full pseudo-terminal support. It also offers SFTP, TCP and FTP port forwarding capabilities. The complete functionality is delivered by SSH2 programs. comForte SecurFTP: SecurFTP provides secure file transfer for HP NonStop systems. To protect data confidentiality across the network, it supports FTP session encryption either via the SSL/TLS protocol (SecurFTP/SSL) or via the SSH/SFTP protocol (SecurFTP/SSH). For SecurFTP/SSH, SSH2 delivers the SFTP functionality, which is a subset of th
569. to enter additional configuration parameters and check settings. Running STN as Persistent Process: STN can be started as a kernel persistent process from SCF. The IN field of the RUN STN command is used to convey PARAM and STNCOM configuration information, as shown in the following example: ADD PROCESS STN1, NAME $STN1, PROGRAM $SYSTEM.STN.STN, INFILE $SYSTEM.STN.STN1IKIN, STARTMODE SYSTEM (or APPLICATION), USERID SUPER.SUPER. The INFILE (STNIKIN in this example) contains STNCOM commands to configure WINDOWs and SERVICEs, and also may contain PARAM commands as described above, but should always include the following: PARAM GFTCOM OBJECT $SYSTEM.STN.STNCOM; PARAM GFTCOM IN $SYSTEM.STN.STNIKIN; PARAM GFICOM OUT $ZHOME; BANNER $SYSTEM.SIN.BANNER1. STNCOM: STNCOM is the system operator interface to STN. STNCOM provides for configuration, status and maintenance requests. You can store your STNCOM commands in an EDIT-format disk file or enter them conversationally. You can direct your output to a terminal, printer, disk file or spooler. Standard OBEY and FC commands are provided. A built-in HELP command is used; you can easily change the HELP dictionary or extend it to conform to local requirements by modifying the supplied STNCHELP EDIT file. When STNCOM is run, an implied OPEN STN command is issued prior to prompting for input. STNCOM commands can be continued over multiple lines. Wh
570. to show the overall functioning of such processes as startup, normal operation and error conditions. Log messages can be written to a file, to a console device or to an event collector process. Audit messages are intended to provide a view of operations executed from an auditor's perspective. Therefore, audit messages only deal with specific events on specific objects with specific outcomes. Audit messages can be written to a file or to a console device. This chapter will describe the configuration and interpretation of both kinds of messages. Additionally, the status of the SSH2 process, of sessions, channels and openers can be helpful for monitoring the operation of the SSH2 process (see STATUS commands in chapter SSHCOM Command Reference). Log Messages. Content of Log Messages: SSH2 writes log messages either to a terminal or to a file. The following example shows the log messages it creates during startup: "$US.SSH87A 20> RUN SSH2 /name $SSH42/ ALL SUBNET $ZTC1 PORT 42022 PTYSERVER $SSH42". The startup log lines (timestamps Dec09 20:00:17.54, 20:00:17.54, 20:00:17.55, 20:00:17.56, 20:00:17.56; log levels 20, 10, 10, 20, 20; process-name column garbled in extraction) carry the texts: "comForte SSH2 version _01Dec2009_comForte_SSH2_0087", "config file: none", "object filename is \NPNS01.$US.SSH87A.SSH2", "object subvolume is \NPNS01.$US.SSH87A", "priority is", "dumping configuration", "SSH config database SSHCTL opened", "parameter SUBN
571. to the NonStop system when the partner system is acting as daemon (KNOWNHOST entity of user database in client mode). KEYPAIR4: A key pair used to log on a NonStop user on the partner system when the NonStop system acts as client (KEY entity of user database in client mode). In the NonStop SSH2 implementation, the local host key (KEYPAIR1 above) is of format DSA, 1024 bit; the remote host keys (KEYPAIR3 above) can be DSA or RSA keys; and the local or remote user keys (KEYPAIR4 and KEYPAIR2 above, respectively) can be DSA or RSA keys. Assuring Host Authenticity: For every encryption protocol it is important for the client to check the server's authenticity. Not doing so enables the so-called man-in-the-middle attack, which allows deciphering of the network traffic even though it is encrypted. In the SSH protocol, authentication of the server is done by using public key authentication. The server generates a key pair, the private key of which he keeps to himself, while sending the public key over to the client during connection setup. The client then verifies the public key, and in order to be able to do so, the proper public key has to be configured at the client once. Within the comForte implementation: KEYPAIR1: When acting as SSH daemon, the host key pair for the SSH2 daemon process is created during startup of the SSH2 process. It can be controlled with the HOSTKEY parameter described in chapter Configuring And Running SSH2. KEYPAIR3: When ac
572. toric commands are displayed when the HISTORY command is entered, e.g. "history" lists (command numbers garbled in extraction): get file678; put report89; cd $disk.subvol; cd $data1.reports; pwd. A maximum of 50 commands are saved. If only a smaller number of commands in the history list is of interest, a numeric parameter can be used to specify the number of commands, e.g. "history 4" lists: get file678; put report89; cd $disk.subvol. A string can be specified after the history command that controls the selection of historic lines. Only those lines of the history list are displayed that contain the supplied string, for example: "sftp> history t8" displays "3> put report89" and returns to the "sftp>" prompt. History Mode: There are two different modes that can be set to manage the history list. The mode must be set via PARAM/environment variable HISTORYMODE before starting the SFTP OSS client, i.e. in the process environment of the SFTP OSS client. Possible values for HISTORYMODE are SFTP (the default value) and TACL. If HISTORYMODE is set to TACL, the history list behaves like the one in TACL. The following table explains the differences between HISTORYMODE SFTP and TACL (FC/HISTORY differences depending on HISTORYMODE setting; columns: HISTORYMODE SFTP, HISTORYMODE TACL; rows: Commands added to the history list; Default count for history command display; Handling of duplicate commands; Command number chang
573. tter>: SECURITY displays and modifies the application's security setting. This setting is initially established by the PARAM SECURITY command, with a default of O. If the parameter is omitted, the current setting is displayed. The value O is the default. The letter entered sets the associated level of security. Users can choose from the N, A, C, G, U, O selections, which are based on standard Guardian file security interpretation. These letters assign access as follows: N: Any local or remote user. A: Any local user. G: A group member or owner. C: A member of the owner's community (local or remote user with the same group ID as the owner). O: The owner only. U: A member of the owner's user class (local or remote user with the same user ID as the owner). The SECURITY letter controls access to sensitive commands by STNCOM users. Sensitive commands are defined as commands that alter the STN configuration or operation. Sensitive commands can only be performed by STNCOM users with a user ID matching the SECURITY setting. Non-sensitive commands such as STATUS, INFO and LISTOPENS can be performed by any user ID. SHUTDOWN: SHUTDOWN initiates an STN process termination, which takes about three seconds. All active sessions are terminated. There are no parameters. You can also use the TACL "STOP <STN process name>" command, but this can result in some warning messages. SPI Y|N: This command can be used to disable SPI support. Default Y is
574. tus and EMS for any error messages. Note: For productive use of the STN component, we recommend that you install the EMS template file named ZSTNTMPL using standard installation procedures. This will ensure that STN EMS messages will be displayed correctly. Enabling 6530 Terminal Access: The STN PTY server also supports 6530 pseudo-terminals. This enables products such as comForte's MR-Win6530 to create fully functional 6530 terminal sessions with clients over the SSH protocol. 6530 block-mode applications such as ViewPT and Tedit are also supported. 6530 client access can be controlled by setting the following attributes of the USER entity of the SSHCTL database: ALLOW CI; CI PROGRAM; CI COMMAND. By default, SSH2 will start a TACL process on the 6530 PTY device. The TACL will be logged in under the SYSTEM USER configured for the USER entity. The following sections explain how to configure an alternate command interpreter and how to enable a service menu similar to TELSERV. Note: Basic 6530 PTY access requires STN A66 or later. Configuring an Alternate Command Interpreter: TACL is the default command interpreter that SSH2 starts on a 6530 pseudo-terminal. You can use the CI PROGRAM and CI COMMAND attributes to assign a different program as the 6530 command interpreter. For example, you can use PATHCOM to run a PATHWAY PROGRAM directly on the pseudo 6530 terminal
575. uardian releases. UAIPADDR Y includes the IP address on all USER_AUTHENTICATE_ calls without regard for the Guardian version; Safeguard records will include the IP address. If UAIPADDR Y is used on Guardian releases earlier than H06.26 or J06.15, STN will abend. Notes: On Guardian Gxx releases (S-Series hardware), STN never includes the IP address on USER_AUTHENTICATE_ calls, regardless of the UAIPADDR setting. STN only calls USER_AUTHENTICATE_ for (a) SSH sessions configured with MENU and (b) Telnet sessions using a SERVICE with LOGON REQ. VERSION: VERSION displays the process name and cpu,pin, revision number and revision date of STN. There are no parameters. Starting with SPR T0801ABE, the following items are displayed: Version; Vproc; Link gmt (build timestamp); Program object file name and type; Node name; Process name and cpu,pin; process start time; Time running; Backup cpu,pin; Time of last backup takeover and number of takeovers. WELCOME <filename> | OFF | LIST: Displays the contents of an edit file to be displayed at session startup, before the STN02 Services menu. <filename>: Loads the specified edit (101) file as welcome text. Text is limited to displayable ascii characters (hex 20-7e), 79 columns per line and 50 lines. The text is saved in STN memory and the file is closed. OFF: Turns off welcome. LIST: Displays current welcome text. INFO STN will show the status of WELCOME but not the text. WELCOME_SEQ BE
576. uction. SSH2 Running as SSH Client: The following figure shows how the components of SSH2 work together to implement an SSH client running on the NonStop platform. [Figure 2: SSH2 running as SSH client. Components shown on the NonStop side: SSH client, SFTP client, SFTPAPI & SSHAPI, FTP/FTPSERV, any socket client or server, SSHCOM (admin), SSH2; on the partner system: standard SSH application, SSH2 daemon.] SSH2 can interface with a range of client components, including SSH, SFTP or the equivalent OSS programs such as SSHOSS or SFTPOSS. With SSH2, a client component opens the SSH2 component and forwards the user commands and the startup configuration. Applications can establish outgoing SSH or SFTP sessions using SFTPAPI or SSHAPI (see section Controlling SSH and SFTP Clients on NonStop via an API). The SSH2 component connects to the remote system via TCP/IP and does the setup of the SSH session. The client component and the SSH2 component keep exchanging messages via $RECEIVE until the client is terminated by the user. Additionally, a client can establish port forwarding to forward TCP/IP or FTP connections from local socket programs to the remote SSH server, or vice versa. The SSHCOM component is used to maintain the key store containing the local system user's key pairs, remote passwords a
577. ues from 1-300 (1 second to 5 minutes) and defaults to 30 seconds. Note that AUTODEL_WAIT formerly performed this function but has been changed as described. If no application opens the window after OPENER_WAIT seconds, the screen will be erased (for 6530 terminals) and the following message appears: "STN38 No application program active on this terminal for nnn seconds. Session terminated". This message will be displayed for several seconds, then the session will be terminated. OPENER_WAIT now also applies to dynamic window sessions, which before release A83 had a fixed wait time of 60 seconds. For this case the existing error message STN41 is used. OUT <filename> | STOP: STOP: Output to home terminal. <filename>: If a disc file that does not exist, it is created as file code 101 (unstructured) and is written as an edit (101) file. If an existing unstructured disc file with code 101, it is erased and written as an edit (101) file. If an existing disc file that is not unstructured or not code 101, or a non-disc file, then the file is opened and sent lines of output. OUTPUT_RESET Y|N: Determines if INPUT_TIMEOUT applies to sessions that have ongoing output even if there is no keyboard input. When OUTPUT_RESET Y, any application output to a terminal resets the timer just as if input was received from the terminal. This means that a terminal that regularly updates the display, such as an EMS or console log, may never time out. When OUTPUT_
578. uint4>, minor status <uint5> <uint6> <uint7> <uint8>: <uint1> = GSSAPI major status; <uint2> = value of highest byte of GSSAPI major status; <uint3> = value of second highest byte of GSSAPI major status; <uint4> = GSSAPI major status; <uint5> = GSSAPI minor status; <uint6> = value of highest byte of GSSAPI minor status; <uint7> = value of second highest byte of GSSAPI minor status; <uint8> = value of lowest 16 bit of GSSAPI minor status. 10: "failed to acquire service credentials, major status <uint1> <uint2> <uint3> <uint4>, minor status <uint5> <uint6> <uint7> <uint8>": <uint1> = GSSAPI major status; <uint2> = value of highest byte of GSSAPI major status; <uint3> = value of second highest byte of GSSAPI major status; <uint4> = GSSAPI major status; <uint5> = GSSAPI minor status; <uint6> = value of highest byte of GSSAPI minor status; <uint7> = value of second highest byte of GSSAPI minor status; <uint8> = value of lowest 16 bit of GSSAPI minor status. 10: "<str1> GSS calls completed with errors, major status <uint1> <uint2> <uint3> <uint4>, minor status <uint5> <uint6> <uint7> <uint8>": <str1> = Session Name; <uint1> = GSSAPI major status; <uint2> = value of highest byte of GSSAPI major status
579. ured to automatically transmit the service name, or may interfere with emulator scripts. CHOICE_TEXT <text>: Command CHOICE_TEXT can be used to redefine the "Enter Choice>" prompt which follows the STN02 Services menu. <text> may contain any displayable ascii characters, including space but excluding double quote, and may be from zero to 64 bytes long. <text> may contain \N or \n, which will function as carriage return/line feed. Backslash followed by any other character will ignore the backslash and generate only the following character. The default is (notice the space at the end): CHOICE_TEXT "\nEnter Choice> ". The setting is displayed by INFO PROCESS. CONN_CLR_SSH Y|N: CONN_CLR_SSH controls clearing of the screen at connect time for SSH 6530 sessions. The clear occurs immediately before the STN00 message, which is after SSH BANNER and before STN WELCOME displays. Default is N, which is recommended with SSH BANNER Y and is different from STN A91 and earlier. The current setting is displayed by INFO STN. DELETE IPRANGE <iprange name>: Deletes a specific IPRANGE or all IPRANGEs. The IPRANGE is immediately deleted. If any SERVICEs refer to this IPRANGE, then those services will reject any new connection attempts until a subsequent ADD IPRANGE is done. In this case a warning is displayed in response to the DELETE IPRANGE command. IPRANGE <
580. ured with underlying Guardian user identifier grp1.usr1. If alias a1 stored a password for remote host h1 and remote user u1 in the client mode database under grp1.usr1, then alias a2 can connect to host h1 specifying remote user u1 using the stored password entry, i.e. alias a2 gets access to remote host h1 without knowing the password of remote user u1. In order to resolve this problem, a new parameter CLIENTMODEOWNERPOLICY was introduced in release 89, defining the policy how to set the owner of an entry. Defined values are LOGINNAME, GUARDIANNAME and BOTH. The differences are explained in the following sections. Guardian Users in the Context of SSH Access Policy Explained: In the SSH access policy context we used a variety of terms for users and access. The following text will explain the definitions of these terms and their origin. An example of a TACL STATUS DETAIL command shows for a process: Userid 255,255 (SUPER.SUPER), Login name root ssh. Every process consists of a Userid and a Login name. The value of Userid refers to the Guardian user identifier, or just guardian user id. The Userid is used to do SSH policy access checks when the parameter option GUARDIANNAME is used; in the example above this is 255,255. The value of Login name can be a Guardian user id or an alias. The Login name is used to do SSH policy access checks when the parameter option LOGINNAME is used; in the example above an alias of root ssh was used. In Safegu
581. uring startup, connection phase and other data. The following new parameters must be set in the client environment (PARAM under TACL or environment variable under OSS). Parameter / Meaning: SSHERRORPREFIX: String that is printed as prefix for an error message. SSHINFOPREFIX: String that is printed as prefix for informational messages. SSHQUERYPREFIX: String that is printed as prefix for queries/prompts. For each of these parameters a corresponding option is supported by the clients, as shown below. Option / Meaning: -H <errorprefix>: String that is printed as prefix for an error message. -J <infoprefix>: String that is printed as prefix for informational messages. -K <queryprefix>: String that is printed as prefix for queries/prompts. FILE I/O Parameters for SFTP/SFTPOSS: File operations executed on local disks can be influenced by setting specific parameters in the environment of SFTP and SFTPOSS clients. Currently the parameters set for the SSH2 process are not propagated to the SFTP/SFTPOSS clients, i.e. without setting the parameters in the client environment, the default values for these parameters are used. Guardian file attributes can be exchanged between sftp client and sftp server. But other settings must be configured independently on both the client and the server side. This must happen in a non-conflicting way. For example: If client and server are using different delimi
582. us client mode owner policy was to use the Guardian user id to store client mode records. This corresponds to value GUARDIANNAME for new parameter CLIENTMODEOWNERPOLICY. The default value for this parameter is BOTH, i.e. in order to get the previous behavior, the parameter CLIENTMODEOWNERPOLICY must be explicitly set to GUARDIANNAME. With the introduction of parameter CLIENTMODEOWNERPOLICY, it is no longer possible to execute SSHCOM GENERATE KEY for an alias if CLIENTMODEOWNERPOLICY is set to GUARDIANNAME. In previous releases this was possible, although such a key had never been used (only those keys which were stored under the Guardian id underlying an alias). Users that are frozen in Safeguard are no longer accepted by default: new parameter ALLOWFROZENSYSTEMUSER has default value FALSE. Previous releases allowed authentication, and if that was successful (methods none, publickey and gssapi-with-mic), the user was granted access. The previous behavior can be re-established by setting parameter ALLOWFROZENSYSTEMUSER to TRUE. Auditing of executed SFTP commands for outgoing connections has been added. Previously there was such support for incoming connections. If an SFTP OSS client of release 89 or later connects via an SSH2 process of previous releases, an exception occurs (error 48 during audit initialization), i.e. an SFTP OSS client of release 89 or later must be used with an SSH2 process of version 89 or later. The AUDIT messages have been modif
583. uthentication methods currently supported by SSH2: password: Password authentication facilitating the NonStop system's password authentication mechanism. The password is validated against the SYSTEM USER's password. Local authentication with password now provides the remote client IP address to system procedure USER_AUTHENTICATE_ if the OS release supports this (H06.26 or later and J06.15 or later). publickey: Public key authentication using the PUBLIC KEYs configured for a user. keyboard-interactive: Authentication according to RFC 4256, mapped to the standard GUARDIAN user authentication dialog, verifying the SYSTEM USER's password as well as taking care of exceptions such as password expiry. Local authentication with password now provides the remote client IP address to system procedure USER_AUTHENTICATE_ if the OS release supports this (H06.26 or later and J06.15 or later). none: Grants access without authentication. This is useful for users connecting to an application requiring its own authentication, e.g. if you configure a PATHWAY PROGRAM as a CI PROGRAM. CAUTION: When specifying ALLOWED AUTHENTICATIONS none, user access should be properly locked down to avoid security breaches that bypass any authentication, e.g. by setting SYSTEM USER NONE. ALLOWED SUBSYSTEMS: This attribute is used to control access to specific subsystems. <subsystem> is one of the follow
584. verify that the file is really an STN process; Telserv will never respond with this string. 208: P1=1 (default): When a Posix read is active, signal characters like control-C generate Guardian Break when break is enabled. P1=0 generates the Posix signal. 212: To control setting of the Pending 140 flag on session termination. Default is 1, which sets Pending 140 on session termination. 212 0 means the Pending 140 flag is never set. Pending 140 controls the response to application I/O requests when no session is active. Pending 140 set: Control 11 clears pending 140 and waits for a new session. Control 12 is ignored. All other requests are rejected with FESESSDOWN. Pending 140 clear: Setmodes are handled normally, but any changes may be re-initialized when a new session starts. All other requests are handled the same as above for Pending 140 set. 214: Used to override results of deviceinfo and related calls against a window. Open a window and use setmode 214 with both P1 and P2 specified. If P1 is nonzero, then it overrides the device type and device subtype returned by deviceinfo: the device type is taken from P1<4:9> and the subtype from P1<10:15>. If P2 is nonzero, then it overrides the record length returned by deviceinfo. No range checking is done on either parameter. Setmode 214 P1 and P2 both default to zero when a window is added, and the value is not changed or reset by session termination or startup unless part of a
585. version is suppressed in the comment part of the ssh protocol version string exchanged between ssh client and ssh server. Same effect as DEFINE =TCPIP^HOST^FILE. Same effect as DEFINE =TCPIP^NODE^FILE. Same effect as DEFINE =TCPIP^RESOLVER^NAME. Allows using the same dummy Guardian user (or NONE) for automatically added users. ALLOWEDAUTHENTICATIONS: Use this parameter to specify the authentication mechanisms that are allowed for system users that are automatically added to the SSHCTL database upon first login. Parameter Syntax: ALLOWEDAUTHENTICATIONS method[,method...]. Arguments: method specifies an SSH authentication method to be allowed. Valid values are: password: Password for the NonStop system's authentication mechanism. The password is validated against the SYSTEM USER's password. publickey: Public key authentication using the PUBLIC KEYs configured for this user. keyboard-interactive: Authentication according to RFC 4256, mapped to the standard GUARDIAN user authentication dialog, verifying the SYSTEM USER's password. gssapi-with-mic: GSSAPI user authentication in accordance with the RFC 4462 standard. Including this method will also enable gssapi-keyex authentication if the initial key exchange was performed over GSSAPI. See section Single Sign-on with GSSAPI Authentication for further details. Default: If
586. w profile name> are mandatory in the command; no wild cards are allowed in either one. If the restriction profile <old profile name> is in use, that is, if user entries have the RESTRICTION PROFILE attribute set to the specified <old profile name>, the renaming of the restriction profile will be rejected. Client Mode Commands. Overview: The SSH2 user base is maintained using the following commands. Commands operating on the KEY, PASSWORD and KNOWNHOST entity: ASSUME USER sets a default user for the following commands; INFO SYSTEM USER displays KEY, PASSWORD, KNOWNHOST information for a specified system user. Commands operating on the KEY entity: ALTER KEY changes properties of a key; DELETE KEY deletes a key; EXPORT KEY exports a key into a file (the command supports exporting the public part only as well as exporting the full private key); FREEZE KEY freezes a key, rendering it inactive; GENERATE KEY generates a new key and places it into the database; IMPORT KEY imports a key from a file and places it into the database; INFO KEY shows information about a key or a set of keys; RENAME KEY renames a key; THAW KEY thaws a key, making it active again. Commands operating on the PASSWORD entity: ADD PASSWORD adds a new password to the database; ALTER PASSWORD changes
587. will be converted to <group>.<user> before the value for SYSTEM USER is set. DELETE USER: The DELETE USER command deletes a user from the database and has the following syntax: DELETE USER <user name>. The <user name> is mandatory in the command, and no wild cards are allowed in the user name. Please see the description of <user name> under the ADD USER command for unconventional names that must be put in double quotes. FREEZE USER: The FREEZE USER command freezes a user and has the following syntax: FREEZE USER <user name>. The <user name> is mandatory in the command, and no wild cards are allowed in the user name. A frozen user cannot log on from a remote system. Please see the description of <user name> under the ADD USER command for unconventional names that must be put in double quotes. INFO USER: The INFO USER command displays information about a single user or a set of users and has the following syntax: INFO USER <user name> | <user name prefix>* | * [DETAIL]. At least one of <user name>, <user name prefix>* or * is mandatory in the command. If <user name prefix> followed by an asterisk is specified, the user records are displayed when the first part of the user name matches the specified prefix. If a * is used, information for all users will be displayed. Otherwise, information for
588. window is automatically selected. If the service or window does not exist, the STN menu will be displayed. If the option FORCE is appended, then the user is forced to use the pre-configured STN service or window. In this case the user will not see the STN menu, even when the configured service or window does not exist. COMMENT: Enables administrators to input free text that describes an entity or provides a short explanation of the intended use of the USER entity or, when COMMENT is used for a PUBLICKEY, for the user public key. The entire comment must be enclosed in double quotes if the comment includes spaces. The content will not be used for any processing. CPU SET: Defines a set of CPUs used when processes (except SFTPSERV processes) are invoked directly by SSH2; for SFTPSERV processes the attribute SFTP CPU SET is used instead. CPUs are assigned via a round-robin algorithm among all the configured CPUs that are available. The value can be a CPU number (e.g. 2), a range of CPUs (e.g. 3-4), or a comma-separated list of CPU numbers and CPU ranges enclosed in parentheses (e.g. (2,5,7-9)). The default is to start user processes in the same CPU in which the SSH2 process is running. In this case the processing load is spread by using multiple SSH2 processes and starting these SSH2 processes in different CPUs. If no value is specified, the value will be reset to the default. The default is to use the value of SSH2 parameter CPUSET to determine
589. wing log messages will show up in the SSH2 log file, indicating that the session was indeed forwarded over the SSH session (client address and port digits partly garbled in extraction): "$TBS79 08Jul08 08:07:29.37 50 \NPNS01 $Z0DC: forwarding FTP connection from 127.0.0.1:1139 to 127.0.0.1:21"; "$TBS79 08Jul08 08:07:38.85 50 \NPNS01 $Z0DC: forwarding direct-tcpip connection from 127.0.0.1:1140 accepted on 127.0.0.1:4518 to remote"; "$TBS79 08Jul08 08:07:44.32 50 \NPNS01 $Z0DC: closed forwarded FTP connection from 127.0.0.1:1139 to 127.0.0.1:21". SFTP Client Command Reference: The SFTP OSS Client is used to start interactive or batch file transfers from and to a remote system, which are initiated from the NonStop system. Command Line Reference: The SFTP client allows you to specify some parameters on the command line. Starting the client without any parameters provides a syntax summary: "> sftposs" prints "SFTPOSS client version T9999H06_22Jan2014_comForte_SFTPOSS_0097", "missing parameter (error 1 1)", "usage: SFTPOSS [-vCZ] [-b batchfile] [-o ssh2_option] [-H error_prefix] [-J info_prefix] [-K query_prefix] [-B buffer_size] [-R num_requests] [-S ssh2_process] [user@]host[:file [file]]". Note: The syntax for specifying local file names (files to be read or written on the NonStop system) supports both Unix style and Guardian style. Please see the section file name syntax for details. Runtime options: The following runtime options are supported. -b <batchfile>: Starts the SFTP client in
590. wned process

50 | <str1> launched program <str2> successfully <str3> | <str1> Session Name; <str2> Program name of launched process; <str3> Name of launched process
50 | <str1> launched program <str2> terminated with completion code <int1> | <str1> Session Name; <str2> Program name of launched process; <int1> Completion code of launched process
40 | <str1> SSH session established | <str1> Session Name
50 | <str1> Sending banner message | <str1> Session Name
50 | <str1> Received Disconnect By Application from remote <str2> | <str1> Session Name; <str2> Reason for disconnect
40 | <str1> SSH session terminated | <str1> Session Name
10 | SSH2 Server listening on interface <str1> port <int1> | <str1> Interface the SSH2 process listens on; <int1> Port
50 | <str1> accepted connection from client | <str1> Session Name

(page 362, Appendix, HP NonStop SSH Reference Manual)

LOG LEVEL | EVENT TEXT | Description of Variable Parts
(log level column of the following rows, separated from the row text in the source: 50 50 50 40 40 40 40 40 40 40 50 50 50)
| <str1> auditing initiated | <str1> Process name
| <str1> user <str2> automatically added to SSHCTL upon first authentication request using default user <str3> | <str1> Session Name; <str2> User name; <str3> Use
591. wnhost name>

The individual attributes have the following meaning and syntax:

<system user name>
A valid GUARDIAN user who owns the known host entry in the user database. If <system user name> is omitted, either the user being set with a previously issued ASSUME USER command or the issuer of the FREEZE KNOWNHOST command will be used as the default. If <system user name> is specified, it MUST be followed by a separator to separate it from the known host name that follows. Only the SUPER.SUPER user (unless explicitly denied in the OBJECTTYPE USER record) or those configured with full SSHCOM access can freeze a known host entry for other users.

<knownhost name>
The name of the known host to be frozen.

(page 205, SSHCOM Command Reference, HP NonStop SSH Reference Manual)

INFO KNOWNHOST
This command provides information about a single known host or a set of known hosts in the SSH2 key store. It has the following syntax:

INFO KNOWNHOST <system user name> <knownhost name> DETAIL

The individual attributes have the following meaning and syntax:

<system user name>
A valid GUARDIAN user who owns the known host in the SSH key store. If <system user name> is omitted, either the user being set in a previously issued ASSUME USER command or the issuer of the ALTER KEY command will be used as the default. If <system user name> is specified, it MUST be followed by a separator to separate it from the know
592. word> <word> F

The individual attributes have the following meaning and syntax:

<system user name>
A valid local GUARDIAN user who owns the password entry in the user database. If <system user name> is omitted, either the user being set with a previously issued ASSUME USER command or the issuer of the ADD PASSWORD command will be used as the default. If <system user name> is specified, it MUST be followed by a separator to separate it from the known host name that follows. Only the SUPER.SUPER user (unless explicitly denied in the OBJECTTYPE USER record) or those configured with full SSHCOM access can add a password entry for other users.

<remote user>
The user name to be used on the remote system.

<target host>
The DNS name or IP address of the target system.

<target port>
The listening port of the remote SSH server. If this optional attribute is omitted, the default of 22 is used.

<word> <word>
<word> is the password used to authenticate against the remote system. If the password contains spaces, it has to be enclosed in double quotes.

ALTER PASSWORD
The ALTER PASSWORD command changes the comment attribute of an existing password and has the following syntax:

ALTER PASSWORD <system user name> <remote user> <target host> <target port> <word> <word> <word>

The individual attributes are identical as in the ADD PASSWOR
593. x PTCPIPFILTERKEY password

Arguments
password
A password that serves as a key to enable round-robin filtering of multiple instances of SSH2 servers listening on the same port. The password will override the value of the DEFINE PTCPIP^FILTER^KEY which may have been passed to SSH2 at startup.

Default
The default for this parameter is [value missing from source]: no filter key will be set. However, any DEFINE PTCPIP^FILTER^KEY passed to SSH2 at startup will remain in effect.

Considerations
- Use this parameter to enable round-robin filtering for multiple SSH2 servers configured to run as generic processes. This can also be achieved by adding the define PTCPIP^FILTER^KEY for the generic process (possible since G06.28/H06.06).
- In case the define PTCPIP^FILTER^KEY causes unwanted behaviour, it is possible to disable the propagation of defines completely; see parameter PROPAGATEDEFINES.

See also: PROPAGATEDEFINES

PTCPIPFILTERTCPPORTS
Use this parameter to limit port sharing in case round-robin filtering is enabled.

Parameter Syntax
PTCPIPFILTERTCPPORTS (startport, endport)

Arguments
(startport, endport)

(page 104, Configuring and Running SSH2, HP NonStop SSH Reference Manual)

A port range from startport to endport that restricts shared ports to the configured port range. The configuration is only effective if round-robin is enabled, i.e. if either the DEFINE PTCPIP^FILTER^KEY or the SSH2 parameter PTCPIPFILTERKEY is
594. y all Guardian edit files were written starting with line number 1 and increment 1.000, which allowed a maximum of 99999 lines. This behavior is still the default.
- The default increment 1.000 is used for all lines less than the value of parameter SFTPEDITLINESTARTDECIMALINCR. In order to get the same result as the NonStop FTP server, the parameter SFTPEDITLINENUMBERDECIMALINCR must be set to 100 and the value of SFTPEDITLINESTARTDECIMALINCR to 40000000.
- Setting SFTPEDITLINESTARTDECIMALINCR to 0 and SFTPEDITLINENUMBERDECIMALINCR to 1 allows for the maximum possible number of lines in Guardian edit files.
- This parameter is only considered when a Guardian edit file is written, i.e. either if a remote sftp client issues a put command to the SSH2 server on NonStop specifying a Guardian destination file with code 101, or if an sftp client on a NonStop server issues a get command specifying a local Guardian destination file with file code 101.
- If a get command is executed by an sftp client on the NonStop server, then the parameter must be set in the environment of the sftp client: as PARAM for SFTP running in the Guardian environment, or as environment variable for SFTPOSS running in the OSS environment.

See also: SFTPEDITLINEMODE, SFTPEDITLINENUMBERDECIMALINCR

SFTPENHANCEDERRORREPORTING
Use this parameter to control the amount of information displayed if an error occurs in an SFTP session.

Parameter Syntax
SFTPENHANCEDERRORREPORTIN
595. y be exported by users with full SSHCOM access, not even by the user COMF.MH (unless user COMF.MH was given full SSHCOM access).
- Commands operating on client mode entities that are associated with a user other than the user starting SSHCOM
- Commands operating on daemon mode entities

Configuration of Users with Full SSHCOM Access
There are two ways for allowing full SSHCOM access:
- Create a Safeguard OBJECTTYPE USER record, or
- Set parameter sets FULLSSHCOMACCESSUSER<i> and FULLSSHCOMACCESSGROUP<j>

The existence of an OBJECTTYPE USER record overwrites any FULLSSHCOMACCESSUSER<i> and FULLSSHCOMACCESSGROUP<j> configuration. Only the SUPER.SUPER user has full access to all SSHCOM commands if there is no thawed OBJECTTYPE USER record defined and none of the above mentioned parameter sets are defined. User SUPER.SUPER does not have full SSHCOM access only if explicitly denied Create authority in a thawed OBJECTTYPE USER record. The following sections explain the SSHCOM access rights in more detail.

(page 155, SSHCOM Command Reference, HP NonStop SSH Reference Manual)

Dependency on Safeguard OBJECTTYPE USER Record
Every administrator that configures an OBJECTTYPE USER record is highly aware of the importance and relevance of USER configuration on NonStop systems. But some may not be fully aware that the SSH configuration is a highly critical, security-relevant task as well. A user that is allowed to configure SSH
596. y denied in the OBJECTTYPE USER record) or those configured with full SSHCOM access, or by the user who owns the key. The command has the following syntax:

RENAME KEY <old system user name> <old key name> <new system user name> <new key name>

The individual attributes have the following meaning and syntax:

<old system user name>
A valid GUARDIAN user who owns the key entry in the user database before renaming it. If <user name> is omitted, either the user being set with a previously issued ASSUME USER command or the issuer of the RENAME KEY command will be used as the default. If <user name> is specified, it MUST be followed by a separator to separate it from the key name.

<old key name>
Specifies the name of a key entry which must already exist in the user database before it is renamed.

(page 198, SSHCOM Command Reference, HP NonStop SSH Reference Manual)

<new system user name>
A valid GUARDIAN user who will own the key entry in the SSHCTL database after the rename. Only SUPER.SUPER users (unless explicitly denied in the OBJECTTYPE USER record) or those configured with full SSHCOM access can issue a RENAME command where <new system user name> is different from <old system user name>. If <old system user name> and/or <new system user name> is omitted, either the user being set with a previously issued ASSUME USER command or the issuer of the RENAME KEY command will be used
597. y request denied, pseudo terminal access not allowed for user <str2> (authentication dummy pty <str3>) | <str1> Session Name; <str2> User name

(page 354, Appendix, HP NonStop SSH Reference Manual)

LOG LEVEL | EVENT TEXT | Description of Variable Parts
| (continued from previous row) | <str3> Pseudo terminal name used for authentication
20 | <str1> pty request denied, pseudo terminal access not allowed for user <str2> | <str1> Session Name; <str2> User name
20 | <str1> Could not allocate PTY <str2> (authentication dummy pty <str3>) | <str1> Session Name; <str2> Exception text; <str3> Pseudo terminal name used for authentication
20 | <str1> Could not allocate PTY <str2> | <str1> Session Name; <str2> Exception text
20 | <str1> forwarding from <str2> to <str3> denied, port forwarding not licensed | <str1> Session Name; <str2> Normalized originator host address and port; <str3> Normalized target host address and port
20 | <str1> forwarding from <str2> to <str3> denied, ALLOWTCPFORWARDING or ALLOW-TCP-FORWARDING for USER <str4> is FALSE | <str1> Session Name; <str2> Normalized originator host address and port; <str3> Normalized target host address and port; <str4> User name
20 | <str1> forwarding from <str2> to <str3> denied, only port 21 target or
598. (table of contents fragment, parameter names with manual page numbers; the first entry title is unrecoverable)
(title unrecoverable) 116
SOCKTCPMINRXMT 117
SOCKTCPMAXRXMT 117
SOCKTCPRXMTCNT 118
SOCKTCPTOTRXMTVAL 118
SSHAUTOKEXBYTES 119
SSHAUTOKEXTIME 119
SSHCTL 119
SSHCTLAUDIT 120
SSHKEEPALIVETIME 121
STOREDPASSWORDSONLY 121
STRICTHOSTKEYCHECKING 122
SUBNET 122
SUPPRESSCOMMENTINSSHVERSION 123
TCPIPHOSTNAME 123
TCPIPNODEFILE 124
TCPIPRESOLVERNAME 125
USETEMPLATESYSTEMUSER 125
Enabling Full TTY Access 126
Enabling 6530 Terminal Access 126
Configuring an Alternate Command Interpreter 12
599. ze depends on the host key type. For type RSA, key sizes 1024 and 2048 are supported; for type DSA only 1024 is supported.
- Key types RSA and DSA have always been supported as remote host key types. The parameter HOSTKEYTYPE is only relevant for local host keys.

Example
HOSTKEYTYPE RSA

See also: HOSTKEY, HOSTKEYBITS

(page 83, Configuring and Running SSH2, HP NonStop SSH Reference Manual)

INTERFACE
Use this parameter to specify the local IP address(es) SSH2 should listen on for incoming SSH connections.

Parameter Syntax
INTERFACE ip-address [ip-address ...]

Arguments
ip-address
IP address or host name SSH2 should listen on.

Default
If omitted, SSH2 will listen on all local IP addresses of the configured TCP/IP process(es) (SUBNET), which corresponds to INTERFACE value 0.0.0.0 or, in case of IPv6, ::.

Examples
INTERFACE 10.0.0.196
INTERFACE fe80::a00:8eff:fe00:d14e
INTERFACE ::FFFF:222.1.41.90
INTERFACE nonstopl

Considerations
- The value must be set consistent with the value of parameter IPMODE.
- If a host name is resolved to multiple IP addresses, then only those IP addresses are used that occur in the subnet configuration of the configured TCP/IP processes (parameter SUBNET).
- If the ANY address (0.0.0.0 or ::) is listed in INTERFACE, then the ANY address is used only for those IP processes that aren't configured with any of the other listed non-ANY addresses. See section "Multiple IP Process, Multiple IP Address Consi
