manualshive.com logo in svg

HP NonStop SSH 544701-014, Reference Manual

Share
Download
HP NonStop SSH 544701-014 Reference Manual Download Page 118

118  

  Configuring and Running SSH2 

HP NonStop SSH Reference Manual  

Explicit Authorization 

Explicit authorization involves defining an access control list containing specific Kerberos principals authorized to 
access an account. The access control list can be defined using the SSHCOM USER PRINCIPAL attribute. 

For example, if the NonStop host is configured as [email protected], a user [email protected] 
can be explicitly authorized to logon as SUPER.OPERATOR as follows: 

% ALTER USER SUPER.OPERATOR, PRINCIPAL [email protected]  
OK, user SUPER.OPERATOR altered. 

 

Note

: You can authorize multiple Kerberos principals to logon as a specific NonStop user by specifying multiple 

PRINCIPAL attributes in one or more ALTER USER commands. HP does not currently offer a Kerberos solution, but 
such a solution can be purchased from an HP NonStop partner and applied to your system. 

 

Restricting Incoming and Outgoing Connections 

Port forwarding on a global level is determined by the SSH2 parameter ALLOWTCPFORWARDING. The user attribute 
ALLOW-TCP-FORWARDING is used to grant or deny port forwarding on a user level. 

Sometimes a finer granularity is needed to restrict forwarding to specific hosts. The RESTRICTION-PROFILE objects 
and the user attribute ALLOW-GATEWAY-PORTS can be used to configure forwarding restrictions with more 
granularity. 

Rejecting Gateway Ports 

If a user specifies the "–g" SSH2 option when initiating a port forwarding request, the listening on the local port will not 
occur on the loopback IP address 127.0.0.1 (localhost) but on all subnets defined for the TCP/IP process. Such a port is 
called a gateway port as the host can be used as a gateway to a third host. A port forwarding request will be denied if the 
value of the user attribute ALLOW-GATEWAY-PORTS is set to FALSE. The user can still open non-gateway ports 
listening on 127.0.0.1. 

Restricting External Access to SSH2 Process 

The restriction profile attribute CONNECT-FROM can be used in environments in which some remote hosts should not 
be allowed to connect to a specific SSH2 instance running on a NonStop server. The value is a list of host names and IP 
addresses or patterns that are allowed to connect to the port SSH2 is listening to for SSH requests (default: 22). 

The SSH user specified in the incoming SSH request is checked against the corresponding user record in SSHCTL. The 
user attribute RESTRICTION-PROFILE is used to access the RESTRICTION-PROFILE object, which contains the 
setting for CONNECT-FROM. If a RESTRICTION-PROFILE object and a CONNECT-FROM value is configured, the 
host/IP address of the incoming SSH connection request will be checked against the list of hosts/IP addresses defined in 
CONNECT-FROM. The incoming SSH2 request is accepted only if a match is found, otherwise it is rejected. 

Restricting Internal Access to Remote SSH2 Hosts 

If a user should not be allowed to connect to all available remote SSH instances, the SSH2 user configuration can be 
used to restrict outgoing access via the RESTRICTION-PROFILE attribute CONNECT-TO. The CONNECT-TO 
attribute defines a list of host/port combinations that a user is allowed to reach via a specific SSH2 instance. No pattern 
matching is allowed but several hosts can be defined and several ports can be specified per host. 

Summary of Contents for NonStop SSH 544701-014

Page 1: ...14 Published February 2013 Edition HP NonStop SSH 4 1 G06 21 and subsequent G series RVUs H06 07 and subsequent H series RVUs J06 03 and subsequent J series RVUs Hewlett Packard Company 3000 Hanover Street Palo Alto CA 94304 1185 2013 HP All rights reserved ...

Page 2: ...trademarks of the Open Software Foundation Inc OSF MAKES NO WARRANTY OF ANY KIND WITH REGARD TO THE OSF MATERIAL PROVIDED HEREIN INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE OSF shall not be liable for errors contained herein or for incidental consequential damages in connection with the furnishing performance or use of this material 1...

Page 3: ... 29 Installation Quick Start 31 System Requirements 31 Acquiring the Product Archives 31 Installation on the NonStop Server 32 Installing the SSH Components on the NonStop System 32 Unlocking the Product with a License File 33 SSH2 License and Version Information 34 Updating to a new version of the SSH2 file set 34 Download of the object file set 34 Installation of the new version 34 Where configu...

Page 4: ...AUDITMAXFILELENGTH 61 AUTOADDSYSTEMUSERS 61 AUTOADDSYSTEMUSERSLIKE 62 BACKUPCPU 63 BANNER 63 CIPHERS 64 CLIENTALLOWEDAUTHENTICATIONS 65 COMPRESSION 65 CONFIG 66 CONFIG2 66 CPUSET 66 CUSTOMER 67 DISCONNECTIFUSERUNKNOWN 68 ENABLESTATISTICSATSTARTUP 68 FULLSSHCOMACCESSGROUP j 69 FULLSSHCOMACCESSUSER i 69 GSSAUTH 70 GSSGEXKEX 71 GSSKEX 71 GUARDIANATTRIBUTESEPARATOR 72 HOSTKEY 72 INTERFACE 73 INTERFACE...

Page 5: ...5 SFTPALLOWGUARDIANCD 95 SFTPCPUSET 96 SFTPDISPLAYGUARDIAN 96 SFTPEDITLINEMODE 97 SFTPEDITLINENUMBERDECIMALINCR 97 SFTPEDITLINESTARTDECIMALINCR 98 SFTPEXCLUSIONMODEREAD 99 SFTPIDLETIMEOUT 100 SFTPMAXEXTENTS 100 SFTPPRIMARYEXTENTSIZE 100 SFTPSECONDARYEXTENTSIZE 101 SFTPUPSHIFTGUARDIANFILENAMES 101 SOCKETKEEPALIVE 102 SOCKETRCVBUF 102 SOCKETSNDBUF 103 SOCKTCPMINRXMT 103 SOCKTCPMAXRXMT 103 SOCKTCPRXM...

Page 6: ...s Ports for Port Forwarding 119 Restricting access to forwarding tunnels 119 Load Balancing 119 Load Balancing Outbound SSH Sessions 119 Load Balancing Inbound SSH Sessions 120 Fault Tolerance 120 Configuring SSH2 as a NonStop Process Pair 120 Configuring SSH2 as a Generic Process 121 Choosing a Persistence Mechanism 121 Processing of DEFINEs 122 Setting of Environment Variables 122 TCP IPv6 Confi...

Page 7: ...ILE 164 DELETE RESTRICTION PROFILE 166 INFO RESTRICTION PROFILE 166 RENAME RESTRICTION PROFILE 166 Client Mode Commands Overview 167 ASSUME USER 168 INFO SYSTEM USER 168 Client Mode Commands Operating on the KEY Entity 169 ALTER KEY 169 DELETE KEY 170 EXPORT KEY 170 FREEZE KEY 171 GENERATE KEY 171 IMPORT KEY 172 INFO KEY 173 RENAME KEY 175 THAW KEY 176 Client Mode Commands Operating on the PASSWOR...

Page 8: ...lient to create a port forwarding daemon 201 Using the SSH client to create an FTP port forwarding daemon 202 SFTP Client Command Reference 203 Command Line Reference 203 SFTP Commands 206 Transfer Progress Meter 208 Controlling Transfer Summary 208 Specifying File Names on the NonStop System 209 Extended Syntax for Creation of New Guardian Files 209 Transfer Modes for Structured Guardian Files 21...

Page 9: ...UFFER_SIZE 235 CHOICE_PROMPT Y N 235 CHOICE_TEXT text 235 CONN_CLR_SSH Y N 235 DELETE IPRANGE iprange name 235 DELETE SCRIPT script name 235 DELETE SERVICE service name 236 DELETE WIN DOW window name 236 DEV_SUBTYPE B05COMP WINDOW nn 236 DYNAMIC_PRI nnn 236 DYN_CPU cpu cpu 236 DYN_WIN_MAX nnn 236 EXIT 237 FC 237 FESESSDOWN error code 237 FRAGSIZE n 237 GWN ALLOC 237 HELP 238 IDLE_WARNING n 238 INF...

Page 10: ... text 250 STOP SERVICE service name 250 STOP SESSION session name 250 STOP WINDOW window name 250 TIME 250 TRACE 250 VERSION 251 WELCOME_SEQ BEFORE AFTER BOTH 251 WELCOME filename OFF LIST 251 WIN_AVAIL_ALWAYS Y N 252 WIN_AVAIL_C11 Y N 252 WSINFO NONE QUERY REQUIRED MATCH 252 WINSCRIPT_FIRST Y N 252 Session and Window Naming 253 GWN Related STNCOM Commands 254 GWN Related EMS Events 255 EMS Events...

Page 11: ...300 SFTPSERV Performance of ls Command with Wildcards 300 Performance When Running as SSH Client 301 Summary 301 Troubleshooting 303 Introduction 303 Information Needed By Support 303 General SSH2 Error Messages 304 Session Related SSH2 Errors 305 Session Related Error Messages of SSH2 Daemon 305 Session Related Messages of SSH2 in Client Mode 309 Client Error Messages 312 Appendix 315 Event Summa...

Page 12: ...xii Contents HP NonStop SSH Reference Manual ...

Page 13: ... for the other products that come with the SSH2 package For HP NonStop SSH T0801 SOFTDOC README or Support Notes as appropriate For SecurFTP SecurFTP Quick Start Guide The following reading is seen as prerequisite documentation for administrators installing HP NonStop SSH or comForte SecurSH and SecurFTP SSH HP NonStop documentation Guardian User s Guide HP NonStop documentation Open System Servic...

Page 14: ...also serve as a starting point for SSH related information http tools ietf org html rfc4251 http tools ietf org html draft ietf secsh filexfer 02 http en wikipedia org wiki Secure_Shell http wiki filezilla project org SFTP_specifications http www openssh org The Kerberos GSSAPI related links shown below are of interest if Single Sign on will be configured see section Single Sign on with GSSAPI Aut...

Page 15: ...ents for session window naming have been added Setmode 212 and 214 have been added in the setmode table Changes in SSH2 release 93 that are incompatible with previous releases The STN AUTO_ADD_WIN configuration parameter is no longer supported All openers of STN must refer to an existing window name The SSHCOM STATUS SESSION brief output no longer contains the SESSION LOG ID field It also now uses...

Page 16: ...escription for parameters AUDITEMS AUDITFORMATCONSOLE AUDITFORMATEMS AUDITFORMATFILE Enhanced description of SET command in section Miscellaneous commands in SSHCOM Added description for new SFTP SFTPOSS commands FC and HISTORY Added new sections Checking SSH2 Installation SSH2 License and Version Information and Installation of SFTPAPI Added description of SSHCOM command ABORT SESSION in new sect...

Page 17: ...ddress configured via INTERFACEOUT is used or if that is not set the value of parameter INTERFACE determines the local IP address selected for outgoing connections The previous behavior can be activated by setting the new parameter INTERFACEOUT to value 0 0 0 0 The output of SSHCOM command INFO KEY has changed The brief information contains the life cycle state header LIFE CYCLE instead of the LAS...

Page 18: ...an SFTP OSS client of release 89 or later must be used with an SSH2 process of version 89 or later The AUDIT messages have been modified to include the SESSION LOG ID to be able to relate AUDIT messages to LOG messages and STATUS SESSION output A different behavior has been implemented if an OBJECTTYPE USER record exists in Safeguard parameter sets FULLSSHCOMACCESSGROUP j and FULLSSHCOMACCESSUSER ...

Page 19: ...FTPEDITLINENUMBERDECIMALINCR and SFTPEDITLINEMODE enhancing the control over Guardian edit lines written to NonStop line numbers handling of edit lines that are too long Added description for parameter SFTPUPSHIFTGUARDIANFILENAMES SSH2 parameter STOREDPASSWORDSONLY has been described Version 3 3 Describes changes in SSH2 release 0086 Documentation for the following new features has been added Supp...

Page 20: ...EMPLATESYSTEMUSER Version 2 9 Describes changes in SSH2 release 0082 Documentation for the following new features has been added Newly supported scp server functionality Propagation of defines from SSH2 to shell TACL processes started by SSH2 New define SSH2 PROCESS NAME added to shell TACL processes started by SSH2 New parameter service after MENU property of USER attribute SHELL PROGRAM New USER...

Page 21: ...ersion 2 4 The documentation now reflects that SSH2 is also delivered with the HP NonStop H series release version updates RVU for HP Integrity NonStop servers beginning with H06 11 under the product name HP NonStop SSH Version 2 3 Describes changes in SSH2 release 0070 Added section Enabling 6530 Terminal Access in chapter Configuring and Running SSH2 Updated Guardian SSH description in section S...

Page 22: ...IPHOSTFILE sets TCPIP HOST FILE TCPIPNODEFILE sets TCPIP NODE FILE TCPIPRESOLVERNAME sets TCPIP RESOLVER NAME Version 1 5 Added documentation for the PTCPIPFILTERKEY parameter Version 1 4 Describes changes in SSH2 release 0040 This release has the following new features OSS is no longer required to run the SSH2 process New SSH2 configuration parameters SFTPPRIMARYEXTENTSIZE SFTPSECONDARYEXTENTSIZE...

Page 23: ...e SecurFTP also supports running as an SFTP client under OSS Documenting this new capability resulted in changes throughout the manual Version 1 1 Describes changes in SSH2 release 0025 One user now can have multiple public keys see SSHCOM New SSH2 configuration parameter COMPRESSION USERBASE and USERBASEAUDIT parameters have been renamed to SSHTCL and SSHCTLAUDIT INFO USER command in SSHCOM now s...

Page 24: ...24 Preface HP NonStop SSH Reference Manual ...

Page 25: ...upports FTP session encryption either via the SSL TLS protocol SecurFTP SSL or via the SSH SFTP protocol SecurFTP SSH For SecurFTP SSH SSH2 delivers the SFTP functionality which is a subset of the comForte SecurSH functionality Fully Compliant with the SSH Protocol Specification SSH2 is fully compliant with version 2 of the SSH Secure Shell protocol standard as described in various Internet draft ...

Page 26: ...ecure tunneling of Telnet sessions as well as other connections SSH2 also tunnels FTP sessions securing existing FTP procedures with minimal changes Both local and remote forwarding are supported Single Sign on SecurSH now supports user authentication and key exchange based on the GSSAPI Kerberos 5 standards RFC 4462 When used with a Kerberos software package on the NonStop server this enables int...

Page 27: ...ing under OSS to connect to a remote SSH daemon It provides Secure Shell sessions as well as TCP and FTP port forwarding capabilities The SSH component implements a Secure Shell client running under Guardian to connect to a remote SSH daemon It provides Secure Shell sessions as well as TCP and FTP port forwarding capabilities The SFTPSERV component is started by SSH2 for each SFTP client that conn...

Page 28: ...on UNIX Figure 1 SSH2 running as SSH daemon The SSH2 component accepts the incoming TCP IP session and authenticates the remote user against the user database optionally verifying user passwords with the PAUTH process Upon request it spawns an OSS shell TACL or SFTPSERV process allocates a PTY a pseudo terminal by communicating to an STN process acting as a PTY server forwards TCP IP or FTP connec...

Page 29: ...e SSH2 component and forwards the user commands and the startup configuration The SSH2 component connects to the remote system via TCP IP and does the setup of the SSH session The client component and the SSH2 component keep exchanging messages via RECEIVE until the client is terminated by the user Additionally a client can establish port forwarding to forward TCP IP or FTP connections from local ...

Page 30: ...30 Introduction HP NonStop SSH Reference Manual ...

Page 31: ... RVU H06 11 and later or the J series RVU J06 03 and later A license file is no longer required for H06 21 and later or J06 10 and later These releases correspond to SPR T0801AAQ and later For G06 32 and G06 32 based Time Critical Fix releases TCFs NonStop SSH is only licensed for use with MR Win6530 on the NonStop System Console NSC for secure communications with the default IP maintenance stacks...

Page 32: ...SSHCFG SSHMCFG must be changed to point to the correct locations Therefore it is recommended to keep the production installation always in SYSTEM ZSSH The executables SSH2 SSH server and STN pseudo TTY reside in this subvolume as well they are not placed in SYSTEM SYSnn however the executables SSHCOM SSH and SFTP are installed in SYSTEM SYSnn The startup parameter for processes ZSSP0 and ZSSP1 has...

Page 33: ...op SSH with the NonStop Operating System Kernel for H Series and J Series NonStop platforms you will need a license file to use SSH components The license file is tied to your system number The license file should be called LICENSE which is the default name if not otherwise specified using the license parameter and should reside on the same subvolume as the SSH2 component If you need to put the li...

Page 34: ...o reside in subvolume SYSTEM ZSSH after the standard HP installation process The retrieved vprocs are then used to execute a consistency check A warning will be issued if an object exists in both locations SYSTEM ZSSH and SYSTEM SYSnn and the vproc information differs Updating to a new version of the SSH2 file set The following describes how to upgrade to a new version of SSH2 and its related obje...

Page 35: ...he SFTPAPI product which requires a special license It enables users to easily convert existing FTP scripts programs to switch over to SFTP The minimum SPR supporting this feature is T0801 AAQ for H J series and T0801 AAT for G series The HP NonStop SFTP API Reference Manual part number 659755 nnn describes the API in detail Support for it is built into the SFTP client which must be placed togethe...

Page 36: ...EAR ALL PARAM RUN SSH2 NAME SSH01 CPU 1 ALL PORT 22 AUTOADDSYSTEMUSERS true ALLOWTCPFORWARDING true STRICTHOSTKEYCHECKING false Following are details on these instructions SSH01 is the process name of the SSH2 process Setting the process name to SSHnn with nn being the number of the CPU in which SSH2 is started will allow the NonStop SSH and SFTP clients to automatically find the SSH2 process hand...

Page 37: ... 56 10 config file none SSH55 26Mar12 21 01 54 56 20 object filename is NPNS01 US SSH92DI SSH2 SSH55 26Mar12 21 01 54 56 20 object subvolume is NPNS01 US SSH92DI priority is 11 SSH55 26Mar12 21 01 54 70 20 dumping configuration def ALLOWEDAUTHENTICATIONS keyboard interactive password publickey def ALLOWEDSUBSYSTEMS sftp tacl def ALLOWFROZENSYSTEMUSER FALSE def ALLOWINFOSSH2 ALL def ALLOWPASSWORDST...

Page 38: ...CESS NAME was set to NPNS01 ZTC1 SSH55 26Mar12 21 01 54 85 20 TCP IP process is ZTC1 SSH55 26Mar12 21 01 55 04 20 DEFINE SSH2 PROCESS NAME was set to NPNS01 SSH55 SSH55 26Mar12 21 01 55 04 10 Initializing SSH2 ADMIN run mode SSH55 26Mar12 21 01 55 05 10 Initializing SSH2 CLIENT run mode SSH55 26Mar12 21 01 55 05 10 Initializing SSH2 DAEMON run mode SSH55 26Mar12 21 01 55 22 10 Loading private key ...

Page 39: ... mh 10 0 0 199 tacl comf mh 10 0 0 199 s password TACL T9205D46 19OCT2004 Operating System G06 Release G06 25 00 C 1985 Tandem C 2004 Hewlett Packard Development Company L P CPU 1 process has no backup February 10 2006 13 09 41 Invoking SYSTEM SYSTEM TACLLOCL Invoking DATA1 MHHOME TACLCSTM Current volume is DATA1 MHHOME 1 Note Standard SSH clients will only support line mode interaction You will n...

Page 40: ...have no private keys in the key store Trying password authentication Enter m horst 10 0 0 201 s password Add password for m horst 10 0 0 201 to the password store yes no no m horst SYSTEM ZSSH 287 To Establish a Port Forwarding Tunnel with the NonStop SSH Client Forwarding Local Port to Remote Port You can create port forwarding channels for both the OSS SSH client SSHOSS and the Guardian SSH clie...

Page 41: ...ish a telnet session over the SSH tunnel as follows testusr linux dev telnet 127 0 0 1 5021 TELNET Client T9558G06 11JUL03 IPMAAE Copyright Tandem Computers Incorporated 1992 1997 Trying Connected to 127 0 0 1 Escape character is WELCOME TO npns01 PORT ZTC1 23 WINDOW ZTN0 PTYSYNS TELSERV T9553H01 25SEP2009 IPMAEP Available Services OSS TACL EXIT Enter Choice In this example the remote telnet clien...

Page 42: ...example illustrates this using the Guardian SSH client Run SSH as follows DATA1 MHSSH 5 run ssh N L ftp 5021 localhost 21 m horst 10 0 0 201 comForte SSH client version T9999G06_27Jan2006_comForte_SSH_A01_0060 You have no private keys in the key store Trying password authentication Enter m horst 10 0 0 201 s password Add password for m horst 10 0 0 201 to the password store yes no no The N option ...

Page 43: ...priately This can be achieved e g by altering the user as follows etc profile is just an example and often not a good choice ALTER USER test us SHELL ENVIRONMENT etc profile Ensure that shell scripts executed via ENV do not produce any output on stdout After the preparation is done you can connect with an SCP client on a remote system to SSH2 listening on the NonStop server as follows test np dev0...

Page 44: ...now retry the step To connect to a remote SSH daemon with the NonStop SSH client You will not be prompted for the NonStop user s password Instead SSH2 will authenticate the user with the public key configured for the remote user Using Public Keys to Logon to Remote Systems This section explains the steps required to use public keys to authenticate to the remote system with a NonStop SSH or SFTP cl...

Page 45: ... each user A file named authorized keys is located in the ssh directory that contains the public key of each trusted key of a remote system In order to add the public key contained in the file created in the prior step the UNIX command cat can be used to add the content to the existing content in the file The following commands are again executed on the remote system this time using normal user lo...

Page 46: ...46 Installation Quick Start HP NonStop SSH Reference Manual ...

Page 47: ...the startup command line In this case SSH2 will process parameters with the following precedence highest to lowest 1 PARAM parameter 2 Parameter from configuration file 2 CONFIG2 3 Parameter from configuration file 1 CONFIG 4 Startup line parameter This means that a parameter given in the configuration file will override the value given for the same parameter on the startup line Likewise a paramet...

Page 48: ...me of host key file HOSTKEY hostkey file name of user database file SSHCTL SSHCTL log configuration set the level LOGLEVEL 50 enable console logging to 0 LOGCONSOLE 0 additionally log to file LOGFILE data1 ssh2 ssh2log PARAM Commands The following PARAM command can be used to set SSH2 configuration parameters PARAM parameter name parameter value If the parameter value contains one or more commas i...

Page 49: ...lowing syntax RUN SSH2 runoptions mode paramname paramvalue Following is a description of each aspect runoptions are the standard Guardian RUN options such as IN CPU or TERM mode defines the run mode of the SSH2 process The so called run mode defines which functionality that instance will allow The following run modes are defined DAEMON runs a daemon process that provides the SFTP service to remot...

Page 50: ...T Controls the format of the audit messages that are written AUDITFORMATCONSOLE Controls the format of the audit messages that are written to the console AUDITFORMATEMS Controls the format of the audit messages that are written to EMS AUDITFORMATFILE Controls the format of the audit messages that are written to a file AUDITMAXFILELENGTH Controls the maximum size of the audit file AUTOADDSYSTEMUSER...

Page 51: ...l log cache is written to the log file in case of process aborting LOGCACHESIZE Determines the size of the internal log cache LOGCONSOLE Determines whether log messages are written to a console LOGEMS Determines whether log messages are written to EMS LOGEMSKEEPCOLLECTOROPENED Controls opening closing of the EMS collector LOGFILE Determines whether log messages are written to a file LOGFILERETENTI...

Page 52: ...at all Guardian file names are to be treated all upper or all lower case SOCKETKEEPALIVE Specifies whether keep alive messages are enabled for TCP IP sockets SOCKETRCVBUF For setting the receive buffer size socket option SOCKETSNDBUF Allows setting the send buffer size socket option SOCKTCPMAXRXMT Allows setting maximum time for TCP retransmission timeout socket option SOCKTCPMINRXMT Allows settin...

Page 53: ... 4256 mapped to the standard GUARDIAN user authentication dialog verifying the SYSTEM USER s password o gssapi with mic GSSAPI user authentication in accordance with the RFC 4462 standard Including this method will also enable gssapi keyex authentication if the initial key exchange was performed over GSSAPI See section Single Sign on with GSSAPI Authentication for further details Default If omitte...

Page 54: ...nt a user from starting a TACL If parameter ALLOWEDSUBSYSTEM does not include subsystem tacl then any request for a TACL is prevented even when ALLOW CI is set to TRUE If in this case CI PROGRAM is configured as MENU or telnet i e a TACL is not directly started then the telnet service menu or the telnet forwarding is processed as configured Example ALLOWEDSUBSYSTEMS sftp ALLOWFROZENSYSTEMUSER This...

Page 55: ...O SSH2 o FULLSSHCOMACCESS Only users having full SSHCOM access are allowed to execute SSHCOM command INFO SSH2 Default If omitted ALLOWINFOSSH2 will be set to ALL This is compatible with the behavior before introduction of the parameter i e prior to version 0092 Considerations Example FULLSSHCOMACCESSUSER i FULLSSHCOMACCESSGROUP j PARTIALSSHCOMACCESSUSER k PARTIALSSHCOMACCESSGROUP n ALLOWPASSWORDS...

Page 56: ...rwarding or not Valid values are o TRUE port forwarding will be allowed unless user attribute ALLOW TCP FORWARDING is set to NO for a specific user o FALSE port forwarding will be generally denied independent of the value of user attribute ALLOW TCP FORWARDING Default If omitted SSH2 will reject port forwarding Considerations This SSH2 parameter specifies on a global scope whether TCP port forward...

Page 57: ...TEMS Use this parameter to define whether SSH2 audit messages are written to EMS Parameter Syntax AUDITEMS collector Arguments Means that no audit messages are written to EMS collector Specifies the name of the collector to which audit messages are written Default By default no audit messages are written to EMS Considerations The AUDITFORMATEMS parameter controls the log message format The paramet...

Page 58: ...ENGTH Audit Messages in chapter Monitoring and Auditing AUDITFILERETENTION Use this parameter to control how many audit files SSH2 keeps when logfile rollover occurs Parameter Syntax AUDITFILERETENTION n Arguments n Specifies the number of audit files to keep Default By default 10 files are kept Considerations Setting the parameter to a value 0 disables log file retention If log file retention is ...

Page 59: ...decimal 8 Milliseconds bit 5 decimal 16 Process name bit 7 decimal 64 Log level of message Default The default audit log format is 21 date time process name Example Display date time and milliseconds only AUDITFORMAT 13 Display date and time only AUDITFORMAT 5 See also AUDITCONSOLE AUDITEMS AUDITFILE AUDITFORMATCONSOLE AUDITFORMATEMS AUDITFORMATFILE Audit Messages in the chapter entitled Monitorin...

Page 60: ...ormat Arguments format A number is used to represent a bit mask that controls the format Following are the values and their corresponding format Bit 1 decimal 1 Date Bit 2 decimal 2 Header log messages a pre fixed with log Bit 3 decimal 4 Time Bit 4 decimal 8 Milliseconds Bit 5 decimal 16 Process ID name or PIN Bit 7 decimal 64 Log level of message Default The default audit format for EMS is 0 non...

Page 61: ...ITMAXFILELENGTH length Arguments length A number representing the maximum log file length in kilobytes Values must fall within the following constraints Maximum 40 000 or 40 MB Minimum 100 KB Default The default length is 20000 KB Considerations Once a current audit file reaches the maximum size a log rollover will occur The current file will be closed and a new file will be opened The new file wi...

Page 62: ...ues ALLOWED AUTHENTICATIONS attribute is taken from parameter ALLOWEDAUTHENTICATIONS if that is defined o If AUTOADDSYSTEMUSERS is TRUE and AUTOADDSYSTEMUSERSLIKE is set then parameter USETEMPLATESYSTEMUSER is checked If parameter USETEMPLATESYSTEMUSER is FALSE then the value of ssh user is taken as SYSTEM USER and a system user ssh user must exist in order to successfully add the SSH USER entry a...

Page 63: ... run as a NonStop process pair Parameter Syntax BACKUPCPU NONE ANY cpu Arguments NONE SSH2 will not run as a process pair ANY SSH2 will run as a nonstop process pair and will automatically select an available CPU for the backup process cpu A number value that represents a CPU on your system SSH2 will run as a nonstop process pair and will start the backup process in the specified CPU Consideration...

Page 64: ...cipher suites are supported by SSH2 o aes256 cbc AES Rijndael in CBC mode with 256 bit key o aes128 cbc AES with 128 bit key o twofish256 cbc Twofish in CBC mode with 256 bit key o twofish128 cbc Twofish with 128 bit key o twofish cbc alias for twofish256 cbc Note this is being retained for historical reasons o blowfish cbc Blowfish in CBC mode o 3des cbc three key 3DES in CBC mode o arcfour the A...

Page 65: ...he client side option AllowedAuthentications as well as in the value of SSH2 parameter CLIENTALLOWEDAUTHENTICATIONS Default The default value is to allow all methods that are supported Examples CLIENTALLOWEDAUTHENTICATIONS password keyboard interactive CLIENTALLOWEDAUTHENTICATIONS publickey See also Ssh clients option AllowedAuthentications see section SSH and SFTP Client Reference General Runtime...

Page 66: ...ne settings CONFIG2 Use this parameter to specify a second configuration file for an SSH2 process Parameter Syntax CONFIG2 file2 Arguments file2 Specifies the name of the second configuration file Default If omitted SSH2 will not use a second configuration file Example CONFIG2 DATA1 SSH2 SSHCONF2 Considerations The second configuration file has precedence over the first one This parameter can only...

Page 67: ...f the parameter value contains one or more commas or spaces it must be included in double quotes Example CUSTOMER comForte 21 GmbH Considerations The parameter CUSTOMER has precedence over the customer name in the license file When you plan to duplicate the host key and user database onto other NonStop systems such as a disaster recovery system you need to make sure the parameter CUSTOMER or the l...

Page 68: ...ent back this avoids returning the information that the user does not exist Default The default for this parameter is FALSE Example DISCONNECTIFUSERUNKNOWN TRUE Considerations RFC 4252 allows both ways of processing requests of unknown users If the parameter is not specified or is set to FALSE the behavior is the same as before the parameter was introduced ENABLESTATISTICSATSTARTUP This Boolean pa...

Page 69: ...of the privileged commands in SSHCOM are critical to the security of the system Therefore granting access to other user accounts than super super must be carefully considered The parameters must be set contiguously i e if one parameter FULLSSHCOMACCESSGROUP k is not defined the checking of FULLSSHCOMACCESSGROUP i parameters stops This parameter set is disabled if a thawed OBJECTTYPE USER record ex...

Page 70: ...rameters must be set contiguously i e if one parameter FULLSSHCOMACCESSUSER k is not defined the checking of FULLSSHCOMACCESSUSER i parameters stops This parameter set is disabled if a thawed OBJECTTYPE USER record exists in Safeguard i e any FULLSSHCOMACCESSUSER i parameter configuration is ignored in this case See also FULLSSHCOMACCESSGROUP j See table in SSHCOM Access Summary in section SSHCOM ...

Page 71: ...sabled or GSSKEX is set to FALSE disabled Enabling GSSGEXKEX may cause problems with an SSH client if there is a faulty implementation of GSS key exchange with group exchange See also GSSAUTH GSSKEX ALLOWEDAUTHENTICATIONS Section Single Sign on with GSSAPI Authentication GSSKEX Use this parameter to enable GSSAPI key exchange in accordance with RFC 4462 Parameter Syntax GSSKEX TRUE FALSE Arguments...

Page 72: ...xamples GUARDIANATTRIBUTESEPARATOR GUARDIANATTRIBUTESEPARATOR HOSTKEY Use this parameter to specify the filename of the host key file Parameter Syntax HOSTKEY filename Arguments filename Specifies the name of the host key file Considerations The host key is the private key that is used to authenticate the host against the clients The fingerprint of the host key will need to be configured on the re...

Page 73: ...host key is displayed on startup The public key part of the host key can be exported using the SSHCOM daemon mode command EXPORT HOST KEY If multiple SSH2 processes started from the same subvolume but used for different purposes then not only separate SSH database files configured via SSHCTL but separate host key files configured via HOSTKEY should be configured Example SSH for maintenance and pub...

Page 74: ...cess SUBNET will be used selected by the TCPIP process Considerations The value must be set consistent with the value of parameter IPMODE If IPMODE parameter is set to DUAL then an IPv6 address must be used IPv4 mapped IPv6 address for IPv4 addresses Both values for INTERFACE and INTERFACEOUT must exist in the same TCP IP process configured via parameter SUBNET or define TCPIP PROCESS NAME Example...

Page 75: ...abase entity USER It determines the length of the interval a user public key stays in state LIVE Parameter Syntax INTERVALLIVEPPUBLICUSERKEY number of days Arguments number of days The number of days a user public key will be in state LIVE after leaving state PENDING and before reaching state EXPIRED Default The default value for this parameter is 730 i e 2 years Example INTERVALLIVEPUBLICUSERKEY ...

Page 76: ...e configured via ALTER KEY command specifying the LIVE DATE and EXPIRE DATE command options Parameter value is ignored if life cycle for user private keys is disabled i e if LIFECYCLEPOLICYPRIVATEUSERKEY is set to DISABLED Parameter value is ignored if KEY attributes LIVE DATE and EXPIRE DATE are specified in GENERATE KEY and IMPORT KEY commands if a user is allowed to specify these attributes acc...

Page 77: ...KEY IPMODE This parameter is used to set the IP mode the SSH2 process is running in Depending on this parameter the SSH2 process supports IPv4 only IPv6 only or both Parameter Syntax IPMODE ip mode Arguments ip mode The IP mode the SSH2 process will be running in The following IP modes are supported o IPV4 TCP IP version 4 is supported only o IPV6 TCP IP version 6 is supported only o DUAL Both TCP...

Page 78: ...he life cycle of user generated private keys If enabled a not valid before date and a not valid after date can be defined for each individual key This can be achieved by setting the dates explicitly via entity KEY attributes LIVE DATE and EXPIRE DATE or implicitly via globally defined length of the key pending time period after key generation and length of the period a key is in LIVE state Only a ...

Page 79: ...hentication of the user configured with the key Parameter Syntax LIFECYCLEPOLICYPUBLICUSERKEY DISABLED FIXED VARIABLE Arguments DISABLED Life cycle control for user public keys will not be enabled When a public key is added it is immediately in state LIVE and it will never expire FIXED Users without full SSHCOM access cannot set or alter KEY attributes LIVE DATE and EXPIRE DATE Both dates will be ...

Page 80: ...scarded on process abort Default The default for this parameter is FALSE Considerations The log cache content can be written to the log file at any time via SSHCOM command FLUSH LOGCACHE See also LOGCACHESIZE LOGLEVELCACHE LOGFILE Log Messages in the Monitoring and Auditing chapter Commands FLUSH LOGCACHE and CLEAR LOGCACHE in the SSHCOM Command Reference chapter LOGCACHESIZE Use this parameter to...

Page 81: ... Specifies that log messages are written to a given device e g DEV SUBDEV Considerations The LOGLEVELCONSOLE parameter controls what messages are produced by SSH2 Log messages are automatically cut by the collector when using value 0 for LOGCONSOLE Please use LOGEMS to enable logging to an EMS collector Default By default log messages are written to the home terminal See also LOGEMS LOGFILE LOGLEV...

Page 82: ...he configured EMS collector see LOGEMS will be opened and closed for every log message Parameter Syntax LOGEMSKEEPCOLLECTOROPENED TRUE FALSE Arguments TRUE The EMS collector will be opened once and re opened after errors only FALSE The EMS collector will be opened and closed for each log message written to the EMS collector configured via parameter LOGEMS Default The default for this parameter is ...

Page 83: ...ERETENTION Use this parameter to control how many log files SSH2 keeps when log file rollover occurs Parameter Syntax LOGFILERETENTION n Arguments n Specifies the number of log files to keep Default By default 10 files are kept Considerations Setting the parameter to a value 0 disables log file retention If log file retention is enabled a minimum of 10 is enforced by this parameter See section Log...

Page 84: ...ined for downward compatibility only and has been replaced by the parameters LOGFORMATCONSOLE and LOGFORMATFILE If no value is set for the parameters LOGFORMATCONSOLE or LOGFORMATFILE they will inherit their value from the parameter LOGFORMAT If both LOGFORMATCONSOLE and LOGFORMATFILE are set with a value the parameter of LOGFORMAT becomes meaningless See also LOGFORMATCONSOLE LOGFORMATEMS LOGFORM...

Page 85: ...essages that are written to EMS Parameter Syntax LOGFORMATEMS format Arguments format A number is used to represent a bit mask that controls the format Following are the values and their corresponding format bit 1 decimal 1 Date bit 2 decimal 2 Header log messages a pre fixed with log bit 3 decimal 4 Time bit 4 decimal 8 Milliseconds bit 5 decimal 16 Process ID name or PIN bit 7 decimal 64 Log lev...

Page 86: ...econds process ID and log level Example Display date time and milliseconds only LOGFORMATFILE 13 Display date and time only LOGFORMATFILE 5 See also LOGFORMATCONSOLE LOGFORMATEMS LOGLEVEL Use this parameter to control the level of detail of messages that are written to the console or log file Parameter Syntax LOGLEVEL detail Arguments detail A number is used to represent the level of detail desire...

Page 87: ...pecifying the detail level Default A default of 50 is used Considerations Using the LOGLEVELCACHE parameter allows users to set a different log level for the log messages written to the log cache than for the output written to LOGFILE Writing log messages to the log cache and writing the current content to the log file sporadically as required can reduce the number of disk operations needed for lo...

Page 88: ...lt log level is taken from the LOGLEVEL parameter if present Otherwise a default of 50 is used Considerations Different log levels can be used for the outputs to LOGCONSOLE LOGEMS and LOGFILE Using the SSHCOM command interpreter you can change parameters without having to restart SSH2 See also LOGEMS LOGLEVELCONSOLE LOGLEVELFILE LOGFORMATEMS LOGLEVELFILE Use this parameter to control which message...

Page 89: ...renamed by appending a number to its name A new file with the LOGFILE name will be created for subsequent log output See also LOGFILE LOGLEVELFILE LOGFILERETENTION Log Messages in the Monitoring and Auditing chapter LOGMEMORY Use this parameter to include SSH2 memory usage statistics in the log output at regular intervals Parameter Syntax LOGMEMORY number_of_ios Arguments number_of_ios A number th...

Page 90: ...his parameter set allows granting limited administrative SSHCOM command privileges to groups rather than just super super Admin groups with limited SSHCOM access are defined via the parameter set PARTIALSSHCOMACCESSGROUP n where n is a number between 1 and 99 Limited administrative SSHCOM access includes viewing and altering USER records i e execution of daemon mode commands INFO USER and ALTER US...

Page 91: ...TIALSSHCOMACCESSUSER k This parameter set allows granting limited administrative SSHCOM command privileges to users other than super super Admin users with limited SSHCOM access are defined via the parameter set PARTIALSSHCOMACCESSUSER k where k is a number between 1 and 99 Limited administrative SSHCOM access includes viewing and altering USER records i e execution of daemon mode commands INFO US...

Page 92: ...POLICYPUBLICUSERKEY See table in SSHCOM Access Summary in section SSHCOM Command Reference PORT Use this parameter to specify the port number a SSH2 server should listen on for incoming connections Parameter Syntax PORT number Arguments number Refers to the decimal number of a TCP IP port Default The default for this parameter is 22 Considerations The ICANN manages a list of well known port number...

Page 93: ...s shared ports to the configured port range The configuration is only effective if round robin is enabled i e if either the DEFINE PTCPIP FILTER KEY or the SSH2 parameter PTCPIPFILTERKEY is set Shared ports will not be limited However any DEFINE PTCPIP FILTER TCP PORTS passed to SSH2 at startup will remain in effect Default The default for this parameter is Considerations Use this parameter to lim...

Page 94: ...apter SFTP Client Command Reference allowing setting the accepted end of record delimiter ASCII MAC corresponds to CR ASCII DOS to CRLF and ASCII UNIX to LF That is for the SFTP client the setting of parameter RECORDDELIMITER is just the default setting which can be overwritten using the SFTP client command ASCII The characters LF and CR cannot occur inside the record data if the value of RECORDDE...

Page 95: ...Series and H Series RVU prior to H06 11 do not support PRIV logon of a Safeguard ALIAS Hence SSH2 can only impersonate an ALIAS if a password is provided If this parameter is set to TRUE SSH2 will always request that users mapped to an ALIAS perform password authentication even after a successful public key authentication Do not set this parameter for H06 11 RVU or later Default If omitted the def...

Page 96: ...CPUs the SSH2 process starts SFTPSERV user processes in Parameter Syntax SFTPCPUSET cpu set Arguments cpu set A comma separated list of CPU numbers or CPU number ranges defining allowed CPUs Default If omitted SSH2 will start all SFTPSERV processes in the CPU the SSH2 process is running in unless the USER record specifies a different CPU set for a specific user via attribute SFTP CPU SET Example S...

Page 97: ...ARTDECIMALINCR is set to a number between 0 and 9999999 This parameter is only considered when a Guardian edit file is written i e either if a remote sftp client issues a put command to the SSH2 server on Nonstop specifying a Guardian destination file with code 101 or if a sftp client on a NonStop server issues a get command specifying a local Guardian destination file with file code 101 If a get ...

Page 98: ...er the parameter SFTPEDITLINENUMBERDECIMALINCR must be set to 100 and the value of SFTPEDITLINESTARTDECIMALINCR to 40000000 This parameter is only considered when a Guardian edit file is written i e either if a remote sftp client issues a put command to the SSH2 server on Nonstop specifying a Guardian destination file with code 101 or if a sftp client on a NonStop server issues a get command speci...

Page 99: ...ith code 101 or if a sftp client on a NonStop server issues a get command specifying a local Guardian destination file with file code 101 If a get command is executed by a sftp client on the NonStop server then the parameter must be set in the environment of the sftp client as PARAM for SFTP running in the Guardian environment or as environment variable for SFTPOSS running in the OSS environment S...

Page 100: ... SFTP commands Default If omitted there is no SFTP idle timeout The SFTPSERV will be running until the STP client ends the session Example SFTPIDLETIMEOUT 180 SFTPMAXEXTENTS Use this parameter to specify the MAXEXTENTS value for files that are created on the NonStop system Parameter Syntax SFTPMAXEXTENTS maxextents Arguments maxextents Specifies the value to be used Considerations The value can be...

Page 101: ...onStop system Parameter Syntax SFTPSECONDARYEXTENTSIZE extsize Arguments extsize Specifies the value to be used Considerations The value can be overridden in put and get commands using the extended syntax described in Extended Syntax for Creation of New Guardian Files section of the SFTP Client Reference chapter Default If omitted SSH2 will use a value of 100 Example SFTPSECONDARYEXTENTSIZE 200 SF...

Page 102: ...nsist of upper case characters Otherwise an error file not found will be returned SOCKETKEEPALIVE Use this parameter to specify whether keep alive messages should be sent to the TCP IP sockets of established links Parameter Syntax SOCKETKEEPALIVE mode Arguments mode 1 on for sending keep alive messages 0 off no messages are sent Default By default keep alive messages are sent 1 SOCKETRCVBUF Use th...

Page 103: ...arameter is used on socket level Parameter Syntax SOCKTCPMINRXMT time Arguments time A number representing the minimum time for TCP retransmission timeout A value of 0 means the minimum time for TCP retransmission timeout configured in the TCP IP monitor process is used Considerations Normally the value configured on TCP IP monitor process level TCP MIN REXMIT TIMEOUT should be sufficient i e the ...

Page 104: ...meter to a non zero value the specified parameter is used on socket level Parameter Syntax SOCKTCPRXMTCNT count Arguments count A number representing the maximum number of continuous retransmissions prior to dropping a TCP connection A value of 0 means the maximum number of continuous retransmissions prior to dropping a TCP connection configured in the TCP IP monitor process is used Considerations...

Page 105: ...KTCPTOTRXMTVAL if CIP is involved See document HP NonStop TCP IPv6 Configuration and Management Manual for details Default The default is 0 SSHAUTOKEXBYTES Use this parameter to control the frequency of automatic key re exchange in SSH sessions Parameter Syntax SSHAUTOKEXBYTES bytes Arguments bytes Provides a number representing the amount of bytes after which a key re exchange should be initiated...

Page 106: ... a new HOSTKEY and SSHCTL file will be created using either the value of parameter CUSTOMER or if that does not exist the customer name from the license file Although a license file is no longer required for NonStop SSH on H and J operating systems any existing HOSTKEY and SSHCTL file requires the customer name that was used to create the file If a license file exists the customer name will be ext...

Page 107: ...o control the frequency of SSH keepalive messages Parameter Syntax SSHKEEPALIVETIME seconds Arguments seconds Defines the idle time in seconds after which an SSH_MSG_IGNORE message is sent to the remote client A value of 0 disables sending SSH_MSG_IGNORE messages Default The default is 60 1 minute Considerations SSHKEEPALIVETIME controls keepalive messages on the secure shell protocol level while ...

Page 108: ...ion is a requirement the password prompt does not make sense STRICTHOSTKEYCHECKING This option controls whether to restrict client access to remote systems to only those cases in which the host s public key is explicitly configured as a KNOWNHOST entity in the SSHCTL Parameter Syntax STRICTHOSTKEYCHECKING TRUE FALSE Arguments TRUE FALSE Specifies whether host key of remote hosts must be preconfigu...

Page 109: ...n is defined in RFC 4253 The comments field is defined as optional Parameter Syntax SUPPRESSCOMMENTINSSHVERSION TRUE FALSE Arguments TRUE FALSE Specifies whether comment part in the ssh protocol version is suppressed or not o TRUE Comment part will be suppressed o FALSE Comment part will not be suppressed Default If omitted the SSH2 process will include the comment part as done in the previous rel...

Page 110: ...using CLIMCMD due to unresolved DNS lookups Although this is a problem with the DNS configuration the above workaround has been put into place to prevent these delays Name resolution delays are now detected during SSH2 startup and a warning message will be issued TCPIPNODEFILE Use this parameter as an alternative to setting a DEFINE TCPIP NODE FILE Parameter Syntax TCPIPNODEFILE filename Arguments...

Page 111: ... propagated to generic processes USETEMPLATESYSTEMUSER The SYSTEM USER of the template user is used for an automatically added user if the Boolean parameter USETEMPLATESYSTEMUSER is TRUE The value of USETEMPLATESYSTEMUSER is only relevant in case AUTOADDSYSTEMUSERS is set to TRUE and AUTOADDSYSTEMUSERSLIKE is configured defining the template USER record This allows the addition of users with the s...

Page 112: ...ue the following commands CLEAR ALL PARAM PARAM BACKUPCPU ANY RUN STN NAME PTY NOWAIT 2 Verify if the process started successfully by checking its status and EMS for any error messages Note For productive use of the STN component we recommend that you install the EMS template file named ZSTNTMPL using standard installation procedures This will ensure that STN EMS messages will be displayed correct...

Page 113: ...R USER SERVICE USER SHELL PROGRAM MENU OK user SERVICE USER altered Unless configured otherwise STN will present TACL as the only available service Additional services can be added with STNCOM using the ADD SERVICE and ADD WINDOW commands Please refer to the STNCOM Commands section for further details Configuring an STN Service or Window A user can be enforced to use a pre configured STN service o...

Page 114: ...sr host gtacl c fileinfo or the command tacl with options c like ssh usr host tacl c fileinfo A program can be started in the TACL environment using option p e g ssh usr host tacl p fup A way to force a user to connect to a TACL is to define an STN service and configure the SSH USER record to use this service Assuming a service TACL1 is defined via STNCOM like ADD SERVICE TACL1 TYPE DYNAMIC PROG s...

Page 115: ...ted protecting any passwords and data transmitted during the service s execution CAUTION When granting unauthenticated SSH access to a resource that performs its own authentication the user s privileges should be properly locked to prevent unauthorized access to any other resources For access without authentication the SSH2 SERVER can be configured so the authentication method none is an ALLOWED A...

Page 116: ...articipating in Kerberos single sign on can also be accessed without additional authentication SSH2 also supports the RFC 4462 standard for GSSAPI key exchange with Kerberos as the security mechanism This includes the server authentication of the SSH2 daemon via GSSAPI Kerberos rather than using its public key which eliminates the need to manage SSH host public keys on the client side Prerequisite...

Page 117: ...or explicitly as described in the following sections Implicit Authorization Implicit authorization takes advantage of the Kerberos default authorization rule If host H is in the realm R the Kerberos principal u R is allowed access to the account u H This rule means that a Kerberos principal can access an SSH user account if the user name exactly matches the user portion of the Kerberos principal n...

Page 118: ...but on all subnets defined for the TCP IP process Such a port is called a gateway port as the host can be used as a gateway to a third host A port forwarding request will be denied if the value of the user attribute ALLOW GATEWAY PORTS is set to FALSE The user can still open non gateway ports listening on 127 0 0 1 Restricting External Access to SSH2 Process The restriction profile attribute CONNE...

Page 119: ...ng tunnels In scenarios in which a user is allowed to create a forwarding tunnel administrators can require the definition of which hosts have access to the tunnel Using the RESTRICTION PROFILE attribute FORWARD FROM a list of hosts IP addresses patterns can be defined that identify those hosts that are allowed to use a tunnel created by a specific user In this case the list of allowed hosts is de...

Page 120: ...his distribution of client processes can either be achieved manually or by using any standard load distributor tool available on your system Load Balancing Inbound SSH Sessions For incoming sessions SSH2 can facilitate the round robin filtering feature of TCPIPv6 In addition parallel round robin filtering allows you to start multiple SSH2 listening processes in different processors that share the ...

Page 121: ...ameters to configure TCPIP settings which are usually passed as DEFINEs Please refer to the SCF Reference Manual for the Kernel Subsystem in the HP NonStop documentation set for further details Choosing a Persistence Mechanism Determining whether it is more effective to configure SSH2 as a NonStop process pair or as a generic process depends on your system environment and the expected SSH transfer...

Page 122: ...opagated to newly started TACL and shell processes A new define SSH2 PROCESS NAME will be created and propagated It contains the name of the SSH2 process which started the TACL or shell process The SSH clients objects SSH SSHOSS SFTP and SFTPOSS make use of this define to look up the SSH2 server process before the CPU dependent lookup using SSH2PREFIX is tried Those SSH clients running within a sh...

Page 123: ...v4 standard in many ways The TCP IP configuration for IPv4 and IPv6 on NonStop servers is different in several aspects as well see documents and links listed in section Related Reading But from NonStop SSH and comForte SecurSH SecurFTP product s standpoint the differences are mainly related to the new address formats of IPv6 new defines and different modes the NonStop TCP IP processes with IPv6 su...

Page 124: ... the port could be misinterpreted as part of the address 2001 0db8 1319 0 0 7344 4567 is a valid IPv6 address The representation for the unspecified address in IPv4 is 0 0 0 0 The unspecified address in IPv6 sequence of zero groups can be represented as or 0 0 other forms are valid as well The SSH2 process usually uses 0 0 as representation of the unspecified IPv6 address but accepts any other rep...

Page 125: ...fault for this parameter is value IPv4 i e the SSH2 process does not automatically switch to IPv6 This is done because errors would occur when an SSH2 process starts in IPMODE IPv6 or DUAL against a TCP IP process not supporting IPv6 The object the TCP IP process is running may not support IPv6 at all SYSTEM SYSnn TCPIP or the object may principally support IPv6 but is not configured for IPv6 As l...

Page 126: ...addresses patterns then these do not represent a problem these IPv6 addresses patterns would just not match when checked against IPv4 addresses being processed by an SSH2 process without IPv6 support IPv6 addresses stored in the ADDRESSES field of KNOWNHOST entities will be ignored by SSH2 processes without IPv6 support A KNOWNHOST entry with an IPv6 address as part of the name cannot be modified ...

Page 127: ...he SSH2 process allows remote SFTP clients to connect to the NonStop system The database therefore contains remote user credentials as well as public keys of remote systems See the next section for a detailed description of the database content in daemon mode In client mode the SSH2 process will connect to remote systems and authenticate NonStop users on the remote system To do so the SSH2 process...

Page 128: ...sh user is allowed to request a shell SHELL PROGRAM OSS path of the shell executed when the ssh user requests a shell or configuration of a telnet service connected to when the ssh user requests a shell SHELL COMMAND Enforced shell command executed when the ssh user requests a shell SHELL ENVIRONMENT Pathname of a script that will be executed when a shell is invoked ALLOW CI Indicating if the ssh ...

Page 129: ...ou to enter a descriptive comment COMMENT a free text field allowing you to enter a descriptive comment MD5 The MD5 fingerprint of the public key BABBLE The bubble babble fingerprint of the public key CREATION DATE the time the key was added to the USER record A key is in state PENDING if LIVE DATE has not been reached yet LIVE DATE the time the key changes or has changed to state LIVE If the attr...

Page 130: ...me of the local Guardian user the public key was generated for The KEY entity has the following additional properties COMMENT a free text field allowing you to enter a descriptive comment TYPE The type of the key supported key types are RSA and DSA BITS The number of bits of the key PUBLICKEY FINGERPRINT The fingerprints of the public key associated with that private key STATUS whether the key is ...

Page 131: ...e comment ADDRESSES the IP addresses or DNS names of the hosts using this public key PORT the port number of the SSH daemons running on the remote host ALGORITHM the algorithm used for host authentication Valid algorithms are SSH RSA and SSH DSS PUBLICKEY FINGERPRINT The MD5 and bubble babble fingerprints of the public key STATUS whether the knownhost is frozen or thawed The database also contains...

Page 132: ...132 The SSH User Database HP NonStop SSH Reference Manual ...

Page 133: ...d to incoming connections SSHCOM is started with a simple TACL command After switching to the proper mode see Overview of SSH Operation Modes in the chapter The SSH User Database the HELP command will give you a brief overview of the supported commands Note that the HELP command will result in a different output in the two modes The following example shows the output in client mode US SSH92 31 run...

Page 134: ...E ROLLOVER SET STATISTICS STATUS Miscellaneous Commands EXIT EXPORT MODE OBEY PAUSE PROMPT TIME SSH2 Modes CLIENT DAEMON Use HELP MODE to find out about modes Standard NonStop Commands and Features The following NonStop Guardian standard commands and features are supported in SSHCOM FC command to modify the last command used OBEY command to obey a set of commands contained in an EDIT file Processi...

Page 135: ... for instance COMF MH can only be exported by users with full SSHCOM access not even by the user COMF MH unless user COMF MH was given full SSHCOM access Commands operating on client mode entities that are associated with a user other than the user starting SSHCOM Commands operating on daemon mode entities Configuration of Users with Full SSHCOM Access There are two ways for allowing full SSHCOM a...

Page 136: ...super can execute any client mode command for any user The parameter sets FULLSSHCOMACCESSUSER i and FULLSSHCOMACCESSGROUP j are evaluated and configured users and groups are granted full access to all client mode commands for any user If a person that is not logged on as super super and not configured in parameter sets FULLSSHCOMACCESSUSER i and FULLSSHCOMACCESSGROUP j wants to execute an SSHCOM ...

Page 137: ...lease 89 a finer granularity for access and administration of mode client records was introduced In previous releases client mode records were owned by a Guardian user identifier Even when logged on as alias the underlying Guardian identifier was used to add and retrieve KEY PASSWORD and KNOWNHOST records The philosophy behind this assumed that one person used a specific Guardian user identifier a...

Page 138: ... for this guardian user are solely used by one person and client mode records are to be stored under Guardian user identifier as well as alias names Note The default value for CLIENTMODEOWNERPOLICY is BOTH Please be aware that the default client mode policy changed from GUARDIANNAME to BOTH with release 89 This change of the policy should not cause problems with existing records as records had bee...

Page 139: ...es have the following meaning and syntax CLIENT Switches to CLIENT mode DAEMON Switches to DAEMON mode SERVER SERVER is a synonym for DAEMON and therefore switches to DAEMON mode as well SET The SET command allows you to change some configuration parameters during runtime Currently the following parameters are supported Parameter Meaning AUDITCONSOLE Determines whether audit messages are written t...

Page 140: ...elfile 70 set loglevelfile 70 OK LOGLEVELFILE set to 70 INFO SSH2 The INFO SSH2 command will display the startup configuration as well as the current settings of all parameters that can be changed using the SET command The following screenshot shows the output of the INFO SSH2 command after changing the LOGLEVELFILE with the command shown above example info ssh2 info ssh2 SSH2 version T9999H06_13M...

Page 141: ... LOGFORMATEMS 16 def LOGFORMATFILE 93 def LOGLEVELCACHE 50 def LOGLEVELCONSOLE 50 def LOGLEVELEMS 20 def LOGLEVELFILE 50 def LOGMAXFILELENGTH 20000 def LOGMEMORYDETAILED 0 def MACS hmac sha1 hmac md5 hmac sha1 96 hmac md5 96 def PARTIALSSHCOMACCESSGROUP1 def PARTIALSSHCOMACCESSUSER1 def PORT 22 def PTCPIPFILTERKEY def PTCPIPFILTERTCPPORTS def PTYSERVER PTY def RECORDDELIMITER LF def RESTRICTIONCHE...

Page 142: ...00 AUDITFILERETENTION 10 CLEAR LOGCACHE If a log cache is written see parameters LOGLEVELCACHE LOGCACHESIZE the command CLEAR LOGCACHE can be used to clear the cache It has the following syntax CLEAR LOGCACHE The original content of the log cache is lost when executing this command FLUSH LOGCACHE If a log cache is written see parameters LOGLEVELCACHE LOGCACHESIZE the command FLUSH LOGCACHE can be ...

Page 143: ...ct until SSHCOM terminates RESOLVE HOST NAME This command can be used to test the TCP IP host name resolving It has the following syntax RESOLVE HOST NAME host name The value for host name must be a name known to a DNS server or configured in a HOSTS file Output will look like OK host name hostv4 resolved to 10 20 0 210 or for IPv6 address OK host name hostv6 resolved to fe80 250 56ff fea7 4bdc fo...

Page 144: ...ubvolume specified by the SUBVOL attribute Starting with SPR T0801 ABE an OSS directory may be specified If a Guardian subvolume is specified then Guardian edit files are created and long lines will be wrapped Files exported to a directory will not be wrapped unless option WIDTH is specified Specifying OSS paths referring to a Guardian namespace like G system ssh2exp leads to code 180 files and no...

Page 145: ... a remote system EXPORT HOST KEY The EXPORT HOST KEY command will export the public key part of the host key that is stored in the HOSTKEY file The command has the following syntax EXPORT HOST KEY FILE GUARDIAN file name OSS file name OSS file name The individual attributes have the following meaning and syntax FILE GUARDIAN file name OSS file name OSS file name The name of the Guardian or OSS fil...

Page 146: ... database o ALTER RESTRICTION PROFILE changes parameters for an existing restriction profile o DELETE RESTRICTION PROFILE deletes an existing restriction profile o INFO RESTRICTION PROFILE shows information about a restriction profile or a set of restriction profiles o RENAME RESTRICTION PROFILE renames a restriction profile Daemon Mode Commands Operating on the USER Entity ADD USER The ADD USER c...

Page 147: ...ferent from the system user name for instance ADD USER super super test system user super super when double quotes are used ALLOW CI This attribute controls whether a TACL or a specific command interpreter given by CI PROGRAM should be started upon a shell request of a client that allocated a 6530 pseudo TTY such as 6530 SSH clients MR Win6530 and J6530 ALLOW GATEWAY PORTS This attribute is used t...

Page 148: ...ame time CI COMMAND This attribute specifies the startup string to be passed to CI PROGRAM Specify CI COMMAND without command to reset the attribute to its default an empty startup string CI COMMAND is ignored if CI PROGRAM is set to MENU CI PROGRAM Sets the command interpreter to be started on a 6530 pseudo TTY after this user is authenticated The filename is the name of the command interpreter s...

Page 149: ...E then every user with partial SSHCOM access can change field EXPIRE DATE FROZEN If the FROZEN attribute is set the user is added in the frozen state If omitted the user will be added in the thawed state LIKE When specified the new user record is first initialized with the values taken from the existing user name user record Then the new user name and any other attributes specified in the ADD USER...

Page 150: ...ty as specified via the SFTP PRIORITY attribute PUBLICKEY This attribute is used to assign one or more public key s to a user Each public key must be given a key name which is unique among all public keys assigned to the current user The key name will also be displayed in the audit log and thus can be used to determine which public key has been used for logon at a given time To add multiple public...

Page 151: ...a wildcard for one single character SFTP INITIAL DIRECTORY This attribute specifies the initial server side directory the user will access after establishing the SFTP session The default value for the initial directory is either the value taken from INITIAL DIRECTORY when defined in Safeguard or from the Guardian default subvolume of the SYSTEM USER If the option LOCKED is used a user will not be ...

Page 152: ...e shell program that is to be used to start a shell or execute a command Specify DEFAULT or SHELL PROGRAM without argument to make SSH2 use the default initial program configured for the assigned SYSTEM USER e g by the INITIAL PROGRAM attribute of a SAFEGUARD user If MENU is specified the non 6530 session will be connected to a service menu provided by the STN PTYSERVER This resembles the function...

Page 153: ...R NONE is used and CI PROGRAM or SHELL PROGRAM are MENU and TACL or OSH can be selected from the STN menu then a logon for TACL or OSS is required It is possible to specify the logon id e g 11 23 in double quotes The logon id will be converted to group user before the value for SYSTEM USER is set ALTER USER The ALTER USER command changes one or more attributes of an existing user and has the follo...

Page 154: ... PTY This attribute is used to grant or deny the ability to allocate a pseudo TTY for a session The pseudo TTY enables the user to execute full screen interactive applications such as Emacs or vi ALLOW SHELL This attribute is used to grant or deny shell access to the user ALLOW TCP FORWARDING This attribute is used to grant or deny port forwarding for a user The value of this user attribute is ign...

Page 155: ...SERV as Service Provider Please note Specifying startup parameters in addition to the program file name requires double quotes around the CI PROGRAM attribute value for example ALTER USER CI PROGRAM TELNET ip addr port If MENU is specified 6530 shell will be connected to the service menu provided by the STN PTYSERVER This resembles the functionality of TELSERV which provides dynamic services as we...

Page 156: ...er only unless explicitly denied in OBJECTTYPE USER record or those configured with full SSHCOM access In case the SSH2 parameter LIFECYCLEPOLICYPUBLICUSERKEY is set to VARIABLE then every user with partial SSHCOM access can change field EXPIRE DATE LIVE DATE This optional attribute of an ssh user s PUBLICKEY entry is used to set the LIVE DATE not valid before date for the public key This attribut...

Page 157: ...EY This attribute is used to add or alter a public key with the provided key name For details on the syntax of that attribute please see the ADD USER command To delete a specific public key for a user use the DELETE PUBLICKEY key name attribute syntax To delete all public keys for a user use the DELETE PUBLICKEY attribute syntax Both the PUBLICKEY and the DELETE PUBLICKEY attributes can be repeate...

Page 158: ...ue taken from INITIAL DIRECTORY when defined in Safeguard or from the Guardian default subvolume of the SYSTEM USER If the option LOCKED is used a user will not be allowed to leave that path by issuing a cd command For example if a value of home jdoe is used only access to directories below is allowed Access to upper level directories such as home or usr or will not be allowed Specifying option LO...

Page 159: ...fied the non 6530 session will be connected to a service menu provided by the STN PTYSERVER This resembles the functionality of TELSERV providing dynamic services as well as services connecting to static windows The services offered by the STN PTYSERVER process can be configured using STNCOM If MENU is followed by a service or window name the corresponding service or window is automatically select...

Page 160: ...for a single user will be displayed For unconventional user names which must be put in in double quotes please see the user name description under ADD USER If used without the DETAIL modifier INFO USER will provide a brief summary for each user displayed The following is an example of the output of INFO USER info user us1 info user us1 USER KEYS SYSTEM USER LAST MODIFIED LAST LOGON STATUS us1 2 ul...

Page 161: ...SFUL ATTEMPT NONE LAST AUTH METHOD publickey LAST PUBLICKEY testkey3 LAST IP ADDRESS fe80 a00 8eff fe00 d14e LAST MODIFIED 20Apr12 16 07 STATUS THAWED Following are the specific fields output by INFO USER and their meaning STATUS Displays whether the user is in a FROZEN or THAWED state PUBLICKEY This field displays fingerprints of the public keys associated with a specific user For each public key...

Page 162: ...ands Operating on the RESTRICTION PROFILE Entity ADD RESTRICTION PROFILE The ADD RESTRICTION PROFILE command adds a new restriction profile to the database and has the following syntax ADD RESTRICTON PROFILE profile name LIKE existing restriction profile name COMMENT comment comment containing spaces CONNECT FROM host pattern host pattern host pattern CONNECT TO host ports host ports host ports PE...

Page 163: ...tandem1 120 10 20 120 10 20 7 CONNECT TO The CONNECT TO attribute restricts user access allowing user initiated outgoing connections only to the configured host port combinations The CONNECT TO restrictions are applied whenever the user tries to connect via SSH2 using the SSH SSHOSS SFTP and SFTPOSS clients The value for this attribute can be one host port range or a list of host port ranges A com...

Page 164: ...NNECT TO attribute section The format of values for PERMIT OPEN and CONNECT TO is the same The values are just interpreted differently ALTER RESTRICTON PROFILE The ALTER RESTRICTON PROFILE command changes one or more attributes of an existing restriction profile and has the following syntax ALTER RESTRICTON PROFILE profile name COMMENT comment comment containing spaces CONNECT FROM host pattern ho...

Page 165: ...restrictions are applied whenever the user tries to connect via SSH2 using SSH SSHOSS SFTP and SFTPOSS clients The value for this attribute can be one host port range or a list of host port ranges A comma separated list must be enclosed in parentheses Each host port range is a pair of host and port ranges separated by a colon as follows host port range A port range can be a single port a single po...

Page 166: ...ON PROFILE profile name The profile name is mandatory in the command and no wild cards are allowed in the profile name INFO RESTRICTION PROFILE The INFO RESTRICTION PROFILE command displays information about a single restriction profile or a set of restriction profiles and has the following syntax INFO RESTRICTION PROFILE profile name profile name prefix DETAIL At least one of profile name profile...

Page 167: ...eys o RENAME KEY renames a key o THAW KEY thaws a key making it active again Commands operating on the PASSWORD entity o ADD PASSWORD adds a new password to the database o ALTER PASSWORD changes a password o DELETE PASSWORD deletes a password o FREEZE PASSWORD freezes a password rendering it inactive o INFO PASSWORD shows information about a key or a set of keys o THAW PASSWORD thaws a password ma...

Page 168: ...KEY ALTER KNOWNHOST and FREEZE PASSWORD The INFO SYSTEM USER lists all KEY KNOWNHOST and PASSWORD records assigned owned by a specific local Guardian system user Both the KEY and the KNOWNHOST entity are associated with a single Guardian system user Besides providing an overview of the system user related client mode records the INFO SYSTEM USER lists additionally the remote ssh user names that ar...

Page 169: ...used to associate additional textual information with the key LIVE DATE This optional attribute is used to set the LIVE DATE not valid before date for the key This attribute can only be set if the life cycle policy for User Private Keys is enabled determined by SSH2 parameter LIFECYCLEPOLICYPRIVATEUSERKEY If SSH2 parameter LIFECYCLEPOLICYPRIVATEUSERKEY is set to FIXED then field LIVE DATE can be m...

Page 170: ...system user name key name FILE GUARDIAN file name OSS file name OSS file name PASSPHRASE passphrase FORMAT OPENSSH SSH2 PRIVATE The individual attributes have the following meaning and syntax system user name This refers to a valid GUARDIAN user who owns the key in the SSH key store If system user name is omitted either the user being set in a previously issued ASSUME USER command or the issuer of...

Page 171: ...mmand will be used as the default If system user name is specified it MUST be followed by a to separate it from the known host name that follows Only the SUPER SUPER user unless explicitly denied in OBJECTTYPE USER record or those configured with full SSHCOM access can freeze a key entry for other users key name The name of the key to be frozen GENERATE KEY This command is used to generate a priva...

Page 172: ...IRE DATE This optional attribute is used to set the EXPIRE DATE not valid after date for the key This attribute can only be set if the life cycle policy for User Private Keys is enabled determined by SSH2 parameter LIFECYCLEPOLICYPRIVATEUSERKEY If SSH2 parameter LIFECYCLEPOLICYPRIVATEUSERKEY is set to FIXED then field EXPIRE DATE can be modified by the SUPER SUPER user only unless explicitly denie...

Page 173: ...ccess In case the SSH2 parameter LIFECYCLEPOLICYPRIVATEUSERKEY is set to VARIABLE then every user can change field LIVE DATE for those keys the user owns EXPIRE DATE This optional attribute is used to set the EXPIRE DATE not valid after date for the key This attribute can only be set if the life cycle policy for User Private Keys is enabled determined by SSH2 parameter LIFECYCLEPOLICYPRIVATEUSERKE...

Page 174: ...modifier INFO KEY will provide some detailed information about each key displayed The following is an example of the output of INFO KEY DETAIL info key new1 detail info key new1 detail KEY TYPE USER LIFE CYCLE LAST USE STATUS new1 RSA super super LIVE 08Jul11 18 22 THAWED KEY new1 COMMENT USER super super TYPE RSA BITS 1024 PUBLICKEY FINGERPRINT MD5 e1 96 56 e2 d3 f1 96 3a c6 00 78 6e 8f 4a 76 37 ...

Page 175: ... ALTER KEY command depending on the value set of SSH2 parameter LIFECYCLEPOLICYPRIVATEUSERKEY LIFE CYCLE STATE The value of field LIFE CYCLE STATE the shortcut LIFE CYCLE is used in the brief output of the INFO KEY command is not actually held in the KEY database record but is determined from CREATION DATE LIVE DATE and EXPIRE DATE The state LIFE is assumed for keys generated or imported before th...

Page 176: ...em user name is omitted either the user being set with a previously issued ASSUME USER command or the issuer of the THAW KEY command will be used as the default If system user name is specified it MUST be followed by a to separate it from the key name that follows Only the SUPER SUPER user unless explicitly denied in OBJECTTYPE USER record or those configured with full SSHCOM access can thaw a key...

Page 177: ... access can alter a password entry for other users DELETE PASSWORD The DELETE PASSWORD command deletes a password from the database and has the following syntax DELETE PASSWORD system user name remote user target host target port The individual attributes have the following meaning and syntax system user name A valid local GUARDIAN user who owns the password entry in the user database If system us...

Page 178: ...ill be interpreted as a wildcard character and information about all password names matching the wildcard character will be displayed OUTPUT Format of INFO PASSWORD Command If used without the DETAIL modifier INFO PASSWORD will provide a brief summary for each password displayed The following is an example of the output of INFO PASSWORD info password PASSWORD USER STATUS comf us 10 0 0 194 55022 s...

Page 179: ...ldtargetport newusername newremoteuser newtargethost newtargetport A password entry with the old password name identified by the sequence oldusername oldremoteuser oldtargethost oldtargetport must exist The entry with the new password name identified by newusername newremoteuser newtargethost newtargetport must not exist The individual attributes have the following meaning and syntax oldusername A...

Page 180: ... as in the DELETE PASSWORD command please see that section for details Only the SUPER SUPER user unless explicitly denied in OBJECTTYPE USER record or those configured with full SSHCOM access can thaw a password entry for other system users Client Mode Commands Operating on the KNOWNHOST Entity ADD KNOWNHOST The ADD KNOWNHOST command adds a new known host to the database and has the following synt...

Page 181: ...entry is thawed using the THAW KNOWNHOST command ALTER KNOWNHOST The ALTER KNOWNHOST command changes one or more attributes of an existing known host and has the following syntax ALTER KNOWNHOST system user name knownhost name ADDRESSES ip_or_dns ip_or_dns PORT portnr PUBLICKEY FINGERPRINT fingerprint FILE file name ALGORITHM SSH DSS SSH RSA COMMENT word word word The individual attributes are ide...

Page 182: ...igured with full SSHCOM access can freeze a known host entry for other users knownhost name The name of the known host to be frozen INFO KNOWNHOST This command provides information about a single known host or a set of known hosts in the SSH2 key store It has the following syntax INFO KNOWNHOST system user name knownhost name DETAIL The individual attributes have the following meaning and syntax s...

Page 183: ...nyt ripoc fygyr pobet kaxox LAST USE NONE LAST MODIFIED 23Apr12 10 32 STATUS FROZEN The fields of the output of INFO KNOWNHOST have the following meaning COMMENT A comment as entered when adding or altering the known host KNOWNBY The system user who is allowed to connect to the known host ADDRESSES Specifies a comma separated list of IP addresses or DNS names that identify the target host from whi...

Page 184: ...xplicitly denied in OBJECTTYPE USER record or those configured with full SSHCOM access can issue a RENAME command where new system user name is different from old system user name If old system user name and or new system user name is omitted either the user being set with a previously issued ASSUME USER command or the issuer of the RENAME KNOWNHOST command will be used as the default user If new ...

Page 185: ...DETAIL If the DETAIL flag is set detailed information is displayed WIDTH The number width is the maximum number of characters per output line If WIDTH is not specified the default value 80 is assumed In order to avoid a new line when the terminal is configured with line wrapping on the line will only be filled with one character less than the specified width RECURSIVE This attribute controls if th...

Page 186: ...nd will be displayed at the terminal the SSHCOM was started With LOG ONLY flag set the output will be written to the log file if logging to a file is enabled SELECT The SELECT option allows defining a specific set of attributes that will be displayed instead of the default attribute set there are two default sets one for detailed output and one for non detailed output An attribute name specified f...

Page 187: ...f logging to a file is enabled SELECT The SELECT option allows defining a specific set of attributes that will be displayed instead of the default attribute set there are two default sets one for detailed output and one for non detailed output An attribute name specified for attr must be one of the names displayed in the detailed status output WHERE The WHERE option can be used to filter channels ...

Page 188: ...e log file if logging to a file is enabled SELECT The SELECT option allows defining a specific set of attributes that will be displayed instead of the default attribute set there are two default sets one for detailed output and one for non detailed output An attribute name specified for attr must be one of the names displayed in the detailed status output WHERE The WHERE option can be used to filt...

Page 189: ...entifier positive integer of a session Alternatively the wild card character can be specified instead of a session id The individual options have the following meaning and syntax DETAIL If the DETAIL flag is set detailed information is displayed WIDTH The number width is the maximum number of characters per output line If WIDTH is not specified the default value 80 is assumed In order to avoid a n...

Page 190: ...p a session e g because a user process was started in the wrong CPU or is using too much CPU or causing an unexpected high data throughput Stopping a session can be achieved via the ABORT SESSION command The Syntax for the ABORT SESSION command is as follows ABORT SESSION session id session id The internally assigned identifier positive integer of a session Wild card character cannot be specified ...

Page 191: ...rte_SSH_0080 Server did not accept any of your private keys in the key store Trying password authentication Enter comf mh 10 0 0 198 s password Add password for comf mh 10 0 0 198 to the password store yes no no total 955646 rw r r 1 COMF MH COMF 1000 Jan 18 11 28 a1000 rw r r 1 COMF MH COMF 10000 Sep 22 2004 a10000 rw r r 1 COMF MH COMF 1000000 Sep 22 2004 a1000000 MH SSH 24 Example with IPv6 add...

Page 192: ...are required if INFORMAT is set to TACL otherwise the square brackets must be used without tilde Starting the OSS Client Programs The OSS object files of the SSH and SFTP client programs are delivered together with the other SSH implementation files Therefore the object files will initially be placed on the SSH2 installation subvolume The clients for OSS have the following filenames SSHOSS SFTPOSS...

Page 193: ...s usage sftposs vCZ b batchfile o ssh2_option H error_prefix J info_prefix K query_prefix B buffer_size R num_requests S ssh2 process user host file file Typical start of an SSH session from OSS to a remote system tmp sshoss u sauer linuxdevipv6 SSH client version T9999H06_17Apr2012_comForte_SSHOSS_0092 GSSAPI authentication disabled You have no private keys in the key store Trying password authen...

Page 194: ...sftposs S ssh1 burgt 10 0 0 201 Connecting to 10 0 0 201 sftp By setting an environment variable named SSH2PREFIX in the client environment you can activate a heuristic to pick an SSH2 process depending on the CPU number it is running in Please refer to Load Balancing Outbound SSH Sessions in the chapter Configuring and Running SSH2 for details By setting an environment variable SSH2_PROCESS_NAME ...

Page 195: ...ing that is printed as prefix for an error message SSHINFOPREFIX String that is printed as prefix for informational messages SSHQUERYPREFIX String that is printed as prefix for queries prompts For each of these parameters a corresponding option is supported by the clients as shown below Option Meaning H errorprefix String that is printed as prefix for an error message J infoprefix String that is p...

Page 196: ...is Reference Manual only provides an overview about some features for detailed information beyond this manual please refer to publications such as SSH the Secure Shell 2nd Edition by Daniel J Barrett Robert G Byrnes Richard E Silverman O Reilly The SSH OSS Client is used for the following purposes Start a SSH shell to control a remote system A shell is an encrypted communication channel between tw...

Page 197: ...Info 1 US SSH89 5 General Runtime options l user Specify the user to log in as on the remote machine V Display version number only then terminate Z The banner normally printed by the ssh client is suppressed line SSH client version T9999H06_23Dec2010_comForte_SSH_0089 in the above example The suppression of the client banner can also be achieved by specifying a PARAM environment variable SUPPRESSC...

Page 198: ...2 process is configured with the unspecified address 0 0 0 0 or 0 0 for parameter INTERFACEOUT the TCP IP process is configured with more than one subnet and a specific local address needs to be used e g due to firewall configuration restrictions IDENTITY keyname Use this option to select a specific KEY for authentication to the remote system By default all KEYs that you have generated using the S...

Page 199: ...host and port on the remote side This works by allocating a socket to listen to listen port on the local side Whenever a connection is made to this port the connection is forwarded over the secure channel and a connection is made to host and port from the remote machine Specifying the ftp prefix will enable dynamic port forwarding of FTP sessions forwarding both FTP control and data connections ov...

Page 200: ...the PARAM environment variable There is no specific query prefix defined as default Using the SSH client to create a shell controlling a remote system Creating a full shell The following example shows how to connect to a Linux system and execute some commands on that system using the SSH client from Guardian TB TBSSH79 7 run ssh S TBS79 burgt 10 0 0 12 comForte SSH client version T9999H06_16Apr200...

Page 201: ... following command will start a port forwarding daemon on the client system TB TBSSH79 13 run ssh S TBS79 N L 2323 127 0 0 1 23 comf tb 10 0 0 198 comForte SSH client version T9999H06_16Apr2008_comForte_SSH_0079 You have no private keys in the key store Trying password authentication Enter comf tb 10 0 0 198 s password The client will not be active before the password is given at the prompt The po...

Page 202: ... to use additional FTP forwarding logic Connecting to the port forwarding client with a FTP client The following command sequence will direct local FTP traffic to the port forwarding daemon and in effect create an encrypted FTP session between the two systems TB TBSSH79 2 ftp 127 0 0 1 2121 FTP Client T9552H02 16APR2008 COPYRIGHT TANDEM COMPUTERS INCORPORATED 2007 Connecting to 127 0 0 1 Establish...

Page 203: ...07 29 37 50 NPNS01 Z0DC forwarding FTP connection from 127 0 0 1 1139 to 127 0 0 1 21 TBS79 08Jul08 08 07 38 85 50 NPNS01 Z0DC forwarding direct tcpip connection from 127 0 0 1 1140 accepted on 127 0 0 1 4518 to remote TBS79 08Jul08 08 07 44 32 50 NPNS01 Z0DC closed forwarded FTP connection from 127 0 0 1 1139 to 127 0 0 1 21 SFTP Client Command Reference The SFTP OSS Client is used to start inter...

Page 204: ...SSHCOM GENERATE KEY command will be presented to the remote host for publickey authentication However some servers will deny authentication after a maximum number of inacceptable keys are presented which can create a problem if you have many keys To overcome this problem use the IDENTITY option to present only the key that has been advertised as authorized key to the target server PORT port The po...

Page 205: ...ARAM environment variable There is no specific error prefix defined as default J string Set specific string used as prefix for informational or warning messages displayed by the SFTP client during the connection phase Double quotes can be used to define strings containing a space or special characters The prefix for infos warnings can also be specified via PARAM environment variable SSHINFOPREFIX ...

Page 206: ...file lpwd Print local working directory ls path Display remote directory listing lumask umask Set local umask to umask mkdir path Create remote directory progress on off min Toggle display of progress meter on off or set to minimum value min or display current setting put local path remote path Upload local file pwd Display remote working directory quit Quit sftp rename oldpath newpath Rename remo...

Page 207: ...d to local file lcd path Change local directory to path ln oldpath newpath Symlink remote file lpwd Print local working directory ls path Display remote directory listing mkdir path Create remote directory progress on off min Toggle display of progress meter on off or set to minimum value min or display current setting put local path remote path Upload local file pwd Display remote working directo...

Page 208: ...l drwxr xr x 0 513 100 72 Feb 14 07 31 drwxr xr x 0 513 100 1200 Feb 11 15 10 rw r r 0 513 100 9900 Feb 14 07 31 a10000 sftp Leave the SFTP client sftp bye home tb Transfer Progress Meter SFTP SFTPOSS client displays a progress indicator during file transfers if enabled The progress meter can be enabled via command progress on and disabled via command progress off Entering the command progress wit...

Page 209: ...ied using the normal syntax such as cd data1 tbhome or cd mysubvol Note that a subvolume needs to be present in a cd command See the note below regarding Guardian file name notation o Using the Unix style notation for Guardian files For instance to specify the fully qualified file name data1 testvol myfile you can use the notation G data1 testvol myfile Note Unlike with HP NonStop FTP there is no ...

Page 210: ...se problems when being transferred in delimited record transfer mode as this character is used as end of record delimiter This problem does not occur in transparent transfer mode but this mode can effectively be used for transfers from one NonStop server to another only other SFTP implementations are not aware of the transparent mode implementation The unstructured transfer mode uses the Guardian ...

Page 211: ...by a CR r binary changes to binary transfer mode The following sample illustrates how ASCII files can exchanged with an SSH daemon on a Windows server sftp ascii dos Newline convention is now dos File transfermode is now ascii sftp put textfile textfile txt Uploading textfile to test textfile txt sftp get textfile txt editfile Fetching test textfile txt to editfile sftp In the above sample editfil...

Page 212: ...and TACL FC HISTORY differences depending on HISTORYMODE setting HISTORYMODE SFTP HISTORYMODE TACL Commands added to the history list All commands but help history fc and All commands but fc and Default count for history command display 20 10 Handling of duplicate commands Only the last of duplicate commands stays in list Duplicate commands are added Command number change Command numbers change wh...

Page 213: ...ubvol 5 cd data1 reports 6 get fil56789 7 get fl456789 8 cd data1 report1 9 pwd sftp fc 4 get fl456789 sftp The FC command without parameter causes the last command being retrieved for fix command processing A modified command is not executed i e ignored if the character sequence on the fix command line is as shown above The command n to execute a command in the history list is not implemented The...

Page 214: ...214 SSH and SFTP Client Reference HP NonStop SSH Reference Manual ...

Page 215: ...H key pairs can be found at http apps sourceforge net trac sourceforge wiki SSH 20keys A comprehensive book on SSH is SSH The Secure Shell Daniel J Barrett published by O Reilly Implementation Overview Supported Versions The SSH2 software package only supports version 2 of the SSH implementation Cipher Suites For a list of supported cipher suites and MACing algorithms please see the parameters CIP...

Page 216: ...to Public Key Authentication Terminology Public Key Authentication makes use of asymmetric cryptography Without going too much into details we explain and define some terms here A key pair consists of a public and a private key While it is possible to derive the public key from the private key the opposite is not possible The private key is normally kept secret and can only be accessed by the enti...

Page 217: ...KNOWNHOST entity of user database in client mode o KEYPAIR4 A key pair used to log on a NonStop user on the partner system when the NonStop system acts as client KEY entity of user database in client mode In the NonStop SSH2 implemention the local host key KEYPAIR1 above is of format DSA 1024 bit the remote host keys KEYPAIR3 above can be DSA or RSA keys and the local or remote user keys KEYPAIR4 ...

Page 218: ...BLICKEY FILE or PUBLICKEY FINGERPRINT property of a USER entity of the SSH user database please see chapter The SSH User Database for details To find out the fingerprint of an existing public key on a remote system please refer to the documentation of the sftp implementation you use The following example shows how to display the fingerprint with the ssh keygen and the l option utility in OpenSSH T...

Page 219: ...Y ZPTY Starting STN from TACL STN can be started using standard TACL commands It can also be configured as a generic process The example below shows how to start STN from scratch without a TACL routine 1 logon super super 2 volume system stn 3 clear all 4 param 5 run stn name PTY pri 180 nowait 6 run stncom ZPTY Following is a detailed explanation of each step 1 logon super super Like SSH2 the STN...

Page 220: ...buffers The default is 4194304 4meg A decimal number can be used to specify the parameter Users may also append the letter K kilowords to the number which multiplies by 1 024 or they can add the letter M megawords which multiplies by 1 048 576 POOL SIZE may need to be increased for larger configurations contact support for details PARAM SECURITY letter Defines the level of security access required...

Page 221: ...is not a disc file startup terminated and STN terminates abnormally If the IN parameter specifies a disc file that is not an edit 101 file the following EMS event zstn ems evt misc 9 is now generated IN file in is not a edit 101 file startup terminated and STN terminates abnormally STN does not use any parameters on the RUN command including the backup cpu number in the manner used by other produc...

Page 222: ...commands are limited to 1024 characters If STNCOM is prompting at a terminal for input the prompt for continuation lines will be the current prompt prefixed by ampersand ampersand space Continuations are allowed from terminals IN files and OBEY files To start STNCOM use the standard TACL RUN command as shown in the following examples 1 RUN stncom stn 2 stncom stn1 info stn e 3 stncom IN stnin4 OUT...

Page 223: ...ile a single exclamation mark in an IN or OBEY file is treated as comment line STNCOM Commands Note STN is also delivered as component of comForte s SecurTN product a fully functional secure Telnet server STN supports several commands and features related to the Telnet server functionality For clarity these commands and features are not part of this manual STNCOM supports the following abbreviated...

Page 224: ...h 192 255 255 255 192 7 matches only 192 7 0 0 through 192 7 255 255 161 114 87 matches only 161 114 87 0 through 161 114 87 255 a b c d e f g h This form defines two specific IP addresses the first must be numerically less than or equal to the second 192 1 2 3 192 1 2 6 192 1 0 0 192 21 255 255 ADD IPRANGE command may be done before or after ADD SERVICE commands referring to the IPRANGE ADD SCRIP...

Page 225: ...file name SWAP volume name USER groupnum usernum groupname username PARAM param text IPRANGE iprange name HOME home terminal name LIMIT max sessions RESILIENT YES NO DEBUGOPT OFF number LOGAUDIT YES NO LOGON REQ NONE SCRIPT script name The service name and the TYPE field are required all others are optional TYPE DYNAMIC STATIC CPU optional not allowed DEBUGOPT optional not allowed HOME optional no...

Page 226: ...n required No application pre configuration required Workstations can have identical configurations Unique window names are difficult to track and manage Application process creation slows window startup Can be awkward for Pathway and other applications that allocate CPU and other resources using their own algorithms TYPE STATIC The PROG CPU PRI LIB SWAP PARAM USER HOME LIMIT RESILIENT DEBUGOPT an...

Page 227: ...ervice name can still be entered by the remote user This parameter works in conjunction with the ADD LISTENER MENU parameter See the command BANNER which can disable menus and other messages LIB lib file name Default is no LIB file For dynamic sessions this parameter specifies the library object file name for PROG program object files that require a library SWAP volume name Default is no SWAP volu...

Page 228: ... session is terminated ten seconds after displaying the following message on the remote workstation STN51 Workstation IP address not in range for requested service Note that ADD SERVICE can be done before ADD IPRANGE however any attempt to connect to the service will be rejected until the ADD IPRANGE command is completed Similarly DELETE IPRANGE will result in rejection of any connection attempts ...

Page 229: ...ementation of RESILIENT is similar in general functionality to that of HP Telserv but with some key differences RESILIENT NO the default setting defines a traditional dynamic service Upon session disconnect file system errors are returned to the application and most applications like TACL will detect this and stop If KILL_DYNAMIC is set STN will stop the application on session disconnect When RESI...

Page 230: ...ly The window is not automatically deleted STN s implementation of RESILIENT differs from Telserv in the following ways SERVICE TYPE DYNAMIC No ADD WINDOW command Windows are dynamically created as needed STN does not restrict a RESILIENT service to a single window simplifying configuration 6530 Block mode applications EDIT XVS TEDIT Pathway are handled cleanly OSH Posix applications are handled c...

Page 231: ...e to use to exchange data with the remote terminal sessions Prior to SPR T0801 ABE ADD WINDOW was performed automatically for dynamic sessions when AUTO_ADD_WIN was enabled and an application open request was received for an undefined window The AUTO_ADD_WIN configuration parameter is no longer supported All openers of STN must refer to an existing window name ADD WINDOW window name TYPE DYNAMIC S...

Page 232: ...dow workstation mapping Unlike SU windows the workstation configurations are identical simplifying logistics TERM_TYPE TN6530 ANSI ANY STN does not presently use the window TERM_TYPE setting SERVICE service name Not allowed with TYPE DEDICATED or SU required with TYPE STATIC Also required with TYPE DYNAMIC but DYNAMIC windows are only internally created they should not be entered via STNCOM For TY...

Page 233: ...and ADD WIN WWW TYPE wintype SERVICE DDD In this case wintype is from AUTO_ADD_WIN and DDD is from DEFAULT SERVICE if DEFAULT SERVICE is NONE the open is rejected In either case the service should have been defined previously as follows ADD SERVICE DDD TYPE STATIC Note that the SERVICE is always TYPE STATIC regardless of the window type DYNAMIC windows are deleted after the opener closes STN STATI...

Page 234: ... BANNER command controls the display of menus on remote session initiation The default is BANNER Y When BANNER N is used to disable banners no welcome messages or menus are displayed when a remote workstation connects to STN BANNER_TIMEOUT minutes BANNER_TIMEOUT allows for automatic termination of sessions waiting at the STN02 Service menu for an extended time This releases resources used by idle ...

Page 235: ...parameter CHOICE_PROMPT Y N This command controls display of Enter Choice prompt after service name list This is independent of BANNER Y N CHOICE_TEXT text Allows changing the Enter Choice message CONN_CLR_SSH Y N CONN_CLR_SSH controls clearing of the screen at connect time for SSH 6530 sessions The clear occurs immediately before the STN00 message which is after SSH BANNER and before STN WELCOME ...

Page 236: ...ion active 6 0 6530 session active 6 4 non 6530 session 6 0 WINDOW response determined by ADD WINDOW configuration SUBTYPE nn 6 nn overrides TERM_TYPE SUBTYPE NONE and no session active response determined by TERM_TYPE TERM_TYPE 6530 6 4 TERM_TYPE other 6 0 When SUBTYPE is NONE and a session is active then B05COMP rules above are used nn always responds with type 6 and subtype nn DYNAMIC_PRI nnn S...

Page 237: ...ommand controls the file error code returned to application I O requests while a session is down Default is 140 femodemerr for compatibility with previous releases values 10 9999 are allowed Some applications expect error 66 fedevdown when a session is down FRAGSIZE n Adjusts the minimum memory pool fragment size allowed when splitting a large buffer to satisfy a new request Use only under directi...

Page 238: ...n is terminated with an STN36 message The default is 2 2 minutes INFO ALL INFO ALL is a combination of INFO STN INFO SCRIPT INFO LISTENER INFO SERVICE and INFO WIN Only configured Windows are included not Dynamic or PTY SSH windows This command is useful when documenting STN configuration for support calls See also SAVE_CFG INFO IPRANGE iprange name Displays configuration information for a specifi...

Page 239: ...3270_IN_SIZE These commands are not documented in this manual and should not be used by HP T0801 users Comments Config BWNS02 ZPTYE 075536 T0801H01_24JAN2013_ABE LG 04JAN2013_230358 Expand node name STN process name system serial number STN vproc and LINKGMT SSH vproc T9999H06_22Nov2010_comForte_SSH2_0089 This displays none until the first SSH session connects to STN thereafter the VPROC of the SS...

Page 240: ...00 00 client IP address 192 168 1 106 client IP port 3839 client channel 256 external user name SUPER SUPER system user SUPER SUPER auth method keyboard interactive cipher aes256 cbc mac hmac sha1 compression none executed program bin sh kerberos principal nam local IP address 192 168 1 145 local IP port 22 TCP IP process ZTCP5 The attributes have the following meaning TYPE The window type PTY is ...

Page 241: ...the timer it may be necessary to use ENTER or a 6530 function key The timer can also be set by output activity from the application If OUTPUT_RESET is set to Y then application output will reset the timer the same as keyboard input For example an application that displays periodic output like an EMS console would never timeout as long as it performed output at least once every INPUT_TIMEOUT minute...

Page 242: ...V 01 050 COMMAND COMMAND fn 3 id 255 255 SYSTEM SYSTEM STNCOM OSP These three example output lines represent the following 1 Title line 2 Indicates that The named process TCP1 cpu pin 1 47 has opened the STN window with a terminal name of W742 as file number 6 TCP1 s process access ID is group user 20 33 TCP1 s object program file name is SYSTEM SYSTEM PATHTCP TCP1 s home terminal is TERM4 TCP1 s ...

Page 243: ...ng for terminal emulator to send terminal type before terminating session seconds can be in the range from 1 to 120 Default is 20 OBEY edit file name OBEY processes STNCOM commands from an EDIT format file edit file name specifies the EDIT file in which the commands are listed Commands can be nested up to six levels deep OPEN STN process name OPEN opens the specified STN process for subsequent com...

Page 244: ...umber of requests that failed due to pool exhaustion or fragmentation TRIMS Shows the number of trims where a large buffer is allocated and the unneeded trailing portion is released while the front part is still used BUFS IN USE Shows number of buffers allocated not yet released HIGH specifies the highest value of BUFS IN USE RECEIVE msgs Shows total user data and system messages on RECEIVE BYTES ...

Page 245: ...oping on window ZWN0001 REPLY_DELAY_MAX defaults to 2 seconds and values from 1 to 60 are allowed REPLY_DELAY_MAX 0 disables the feature which means a looping application and STN can consume 100 of a cpu RESET SERVICE service name This command will reset the cumulative sessions counter to zero Note that this is the only counter affected by RESET Also note that RESET does not default to like INFO a...

Page 246: ...sers with a user ID matching the SECURITY setting Non sensitive commands such as STATUS INFO and LISTOPENS can be performed by any user ID SHUTDOWN SHUTDOWN initiates an STN process termination which takes about three seconds All active sessions are terminated There are no parameters You can also use the TACL STOP STN command but this can result in some warning messages SSH_DEFAULT_SVC service nam...

Page 247: ...a dynamic window that has not yet been created For static windows this name will be changed to the static window name ipaddr port IP address and port number of the remote client state Tracks the progress of a new session NEGOT Telnet IAC negotiations are in process with an SSH 6530 client NEGOT_LM For TN6530 sessions line mode has been established and the STN is waiting for TERMTYPE This state usu...

Page 248: ... but has not yet opened the STN window CONNECTED The session is connected to a window If a service is associated with the session its name is displayed PTY_INIT An SSH2 process has created the pseudo terminal PTY under its control Any application processes on the terminal are started by SSH2 STATUS WINDOW window name Displays current status information for the specified windows or for all windows ...

Page 249: ... STN process specified in RUN STNCOM process name If the STN process has STNCOM_PROMPT configured it will be used for the prompt This will stay in effect until another OPEN command or until a PROMPT command PROMPT Redefines the prompt for the current STNCOM process execution Takes effect immediately unless an STNCOM_PROMPT is in effect Does not affect other STNCOM users Must be entered every time ...

Page 250: ...e service name will not be displayed on menus and will be rejected if entered in response to the service prompt Use START SERVICE to resume the service Existing sessions will not be affected This command is not normally used STOP SESSION session name The specified session or all active sessions will be terminated STOP WINDOW window name The specified window or all configured windows will be stoppe...

Page 251: ...by the letter K kilobytes which multiplies by 1 024 or the letter M megabytes which multiplies by 1 048 576 The default is 100K The minimum is 12K and the maximum is 25M Warning Tracing can noticeably affect response time and CPU usage VERSION VERSION displays the process name and cpu pin revision number and revision date of STN There are no parameters Starting with SPR T0801 ABE the following ite...

Page 252: ...or at the equivalent time for TYPE DEDICATED windows STN will wait five seconds for a response The response is included in a new AUDIT event and is shown by STATUS SESS The session always continues regardless of the response of even if no response is received REQUIRED Like above but a response is required If none is received the session is terminated with the following message displayed on the Wor...

Page 253: ...fault of ZWN0001 is used which is compatible with STN B19 and earlier GWN TEMPLATE defines both the format of the name and the starting window name As sessions are started the numeric suffix is incremented until it reaches all nines then the next window name wraps back to all zeroes Using a short numeric suffix makes typing window names easier Using a longer numeric suffix allows for more sessions...

Page 254: ...o the numeric portion of the window name and rewrites with unlock GWN file 4 STN then uses the reserved window names for new sessions When the reserved list is exhausted another allocation is performed 5 If any error occurs reading or writing GWN FILE the file is closed and the default ZWN0001 is used for the duration of the STN process GWN BLOCKSIZE is automatically reduced if necessary so that i...

Page 255: ...ndard EMS files which provide additional details ZSTNTMPL template input source ZSTNDDL DDL for event names ZSTNTMPL template output file for EMSDIST It is recommended that ZSTNTMPL be installed using standard procedures zstn evt socket err value is 1000 STN process name Subnet 2 3 socket error 4 CAUSE An error occurred on TCP IP process 2 for operation 3 with error code 4 EFFECT For listener rela...

Page 256: ... is a description of the effect EFFECT The license applies only to telnet listeners which are generally not used with SecurSH SSH PTY sessions are unaffected ACTION Verify that the correct license file is available as a 101 EDIT file in the STN subvol If the problem persists contact support zstn evt max users value is 1005 STN process name User limit exceeded 2 time s CAUSE The number of simultane...

Page 257: ...the value of the auditing parameter in the LICENSE file STN may operate in limited mode ACTION STN will periodically retry audit initialization If the error persists contact support zstn evt audit write err value is 1010 STN process name Audit interface write error 2 3 CAUSE An audit event could not be recorded 2 is the Guardian file error code and 3 is a textual description EFFECT No audit events...

Page 258: ...informational only zstn evt license check stop value is 1015 STN process name STN LICENSE CHECK complete stopping now CAUSE STN was run with the LICENSE CHECK option and is terminating after checking the license Another message will indicate the result of the check EFFECT None informational only ACTION Restart STN without LICENSE CHECK for normal operation zstn evt license refreshed value is 1016 ...

Page 259: ...d to collector coll version stn version CAUSE STNCOM command AUDITCOLL was used to open an EMS collector This event is written to the specified collector not to the standard 0 EMS event collector EFFECT Audit type events will be written to the specified collector ACTION None informational only zstn evt auditcoll stop value is 1021 STN process name AUDITCOLL stopped CAUSE STNCOM command AUDITCOLL O...

Page 260: ...ll disconnect value is 1025 STN process name AUDITCOLL disconnect window IP address IP port CAUSE A session has terminated This event is written to the specified collector not to the standard 0 EMS event collector EFFECT None informational only ACTION None informational only zstn evt auditcoll wsinfo value is 1026 STN process name AUDITCOLL window IP address IP port wsinfo wsinfo Outcome 6 CAUSE W...

Page 261: ...al only to emphasize that PTY SSH sessions are still allowed regardless of the license exception zstn evt pool used value is 1033 pname STN Buffer pool used 2 3 used 4 kw size 5 kw Indicates STN memory pool usage goes above 80 or back down below 80 2 is OVER or UNDER 3 is the threshold percentage as sent by the POOL_WARNING command default 80 4 is the current amount of memory used unit 1024 words ...

Page 262: ...If other symptoms are noted such as hanging sessions include this EMS event when reporting the problem Recovery is automatic zstn evt gwn file err value is 1058 1 GWN File 2 error 3 on 4 1 STN process name 2 GWN file name 3 Guardian file error code 4 File operation where error occured Cause An error occured on the GWN file Effect STN will attempt to recover Additional related EMS event s will give...

Page 263: ...N process name 2 Number of session window names Cause STN encountered an error with GWN processing as detailed in a previous event This event also occurs once at STN startup when no PARAM GWN FILE is present Effect Future window names for this STN process use the traditional ZWNnnnn scheme If this error occurs for multiple STN processes then duplicate ZWN names can occur Action Correct the underly...

Page 264: ...or fragmented try freeing up some disk space or carefully reduce the PARAM POOL SIZE then restart STN If the problem persists contact support zstn evt starting value is 3 STN process name 2 program starting 3 CAUSE The STN process has started 2 is the program name and version information 3 is additional copyright information EFFECT None informational only ACTION None informational only zstn evt pa...

Page 265: ...N If backup operation is required make the backup CPU available or use the STNCOM command BACKUPCPU to select another backup CPU zstn evt backup start err value is 8 STN process name Backup create error 2 3 CAUSE STN could not create a backup process due to process_create_ error codes 2 3 EFFECT STN runs without a backup In some cases STN will automatically restart the backup process immediately o...

Page 266: ...ill give additional information EFFECT STN runs without a backup until a STNCOM command BACKUPCPU is entered ACTION Correct the problem causing the backup failures then use the STNCOM BACKUPCPU command zstn evt ckpt fe value is 12 STN process name Backup checkpoint16file err 2 CAUSE Unable to communicate with backup process due to error 2 EFFECT The backup is stopped STN will automatically restart...

Page 267: ...o longer used zstn evt takeover value is 18 STN process name Backup process takeover due to 2 CAUSE STN backup process takeover 2 specifies the reason such as primary CPU failure etc EFFECT Backup process resumes STN operation Any sessions active in the previous primary process are lost New sessions will be accepted immediately Depending on backup CPU availability a new backup process is automatic...

Page 268: ...erminated ACTION Restart STN zstn evt cpuswitch value is 23 STN process name Primary process stopping CPUSWITCH command CAUSE The STNCOM command CPUSWITCH was entered EFFECT A backup takeover occurs and the old primary becomes the new backup ACTION None informational only zstn evt enter debug value is 24 STN process name Process entering debug CAUSE The STNCOM command DEBUG was entered EFFECT The ...

Page 269: ...STN window in the form node process window This information can be useful for support purposes STN02 Services This message precedes the list of services displayed STN03 Terminal type ttype is not supported The TN6530 client terminal emulator sent a terminal type identifier unknown to STN Verify that the terminal emulator is properly set for TN6530 emulation STN04 Connected to Dedicated Window wind...

Page 270: ...ice was stopped by STNCOM STOP ABORT SERVICE command STN13 No Static Window available for this Service User entered a service name in response to the menu but the specified static service either has no windows configured or all configured windows are in use or STOPPED STN14 Connected to Static Window window User entered a service name in response to the menu and the session was successfully connec...

Page 271: ...fe on PROGRAM file PROCESS_CREATE_ error 1 File system status fe on PROGRAM file STN23 file error fe on LIB file PROCESS_CREATE_ error 3 File system status fe on LIB file STN24 file error fe on SWAP file PROCESS_CREATE_ error 5 or 6 File system status fe on SWAP file STN25 file error fe on HOME TERM file PROCESS_CREATE_ error 8 or 9 File system status fe on HOME file STN26 CPU s configured for thi...

Page 272: ...em operator used STNCOM command BLAST to send text to all terminals STN38 No application program active on this terminal for nnn seconds Session terminated At the beginning of a session OPENER_WAIT seconds have elapsed and no application has opened the window STN39 Session terminated application request control 12 time The application has disconnected the session via control 12 This is normal term...

Page 273: ...created application process p to pass the startup message but the write was rejected with file system error fe Contact the system administrator STN44 Application has connected to this window STN has detected an open from the application program The next message will be from the application e g TACL prompt STN45 Maximum number of users exceeded session will be terminated The number of simultaneous ...

Page 274: ...session timed out waiting for user logon response A session connected to a SERVICE with LOGON REQ but the user did not respond to the logon prompt STN57 This 6530 emulator does not support required WSINFO See STNCOM command WSINFO STN58 WSINFO address does not match network address See STNCOM command WSINFO STN59 Input discarded For an SSH session with no read active TACL PAUSE d etc a very large ...

Page 275: ...83 WSINFO User user IPaddr n n n n Host PC hostname For telnet sessions when WSINFO is set to QUERY or REQUIRED the information reported by the client workstation 6530 emulator STN84 Cannot create new session no dst available A session cannot be created for a new session because DYN_WIN_MAX windows are already active STN85 Starting Pathway Application TYPE PATHWAY service starting configured appli...

Page 276: ... is received to IAC DO TM output proceeds after the timeout 202 Only used with special terminals Enable baud rate detection from remote client using rfc 1079 Default P1 0 disables P1 0 enables P2 presently unused The baud rate detected can be retrieved by setmode 204 as a 32 bit integer or by setmode 22 which maps selected baud rates 75 19200 to values 1 15 using the traditional ATP coding for set...

Page 277: ...eviceinfo The device type is taken from P1 4 9 and the subtype from P1 10 15 If P2 is nonzero then it overrides the record length returned by deviceinfo No range checking is done on either parameter Setmode 214 P1 and P2 both default to zero when a window is added and the value is not changed or reset by session termination or startup unless part of a SCRIPT Setmode 214 may be used with ADD SCRIPT...

Page 278: ...278 STN Reference HP NonStop SSH Reference Manual ...

Page 279: ...log messages either to a terminal or to a file The following example shows the log messages it creates during startup US SSH87A 20 RUN SSH2 name SSH42 ALL SUBNET ZTC1 PORT 42022 PTYSERVER SSH42 SSH42 09Dec09 20 00 17 54 20 SSH42 09Dec09 20 00 17 54 10 comForte SSH2 version T9999H06_01Dec2009_comForte_SSH2_0087 SSH42 09Dec09 20 00 17 55 10 config file none SSH42 09Dec09 20 00 17 56 20 object filena...

Page 280: ...09 20 15 1 comf us Using the WHERE option with the STATUS SESSION command the session status can be filtered to display just the status for a given session log id while the session is still established status session where session log id 10 0 0 78 3133 status session where session log id 10 0 0 78 3133 SID SESSION LOG ID R USER NAME STRT TIM CHCNT AUTH USR 1 10 0 0 78 3133 S COMF US 09Dec09 20 15 ...

Page 281: ...l to raise the LOGLEVEL to 100 in that case LOGFILE LOGEMS LOGLEVELCONSOLE 100 LOGCONSOLE Log to EMS and only log startup and severe messages LOGFILE LOGCONSOLE LOGEMS 0 LOGLEVELEMS 30 Log normal operations to a file and startup and severe messages to EMS LOGCONSOLE LOGFILE vol subvol logfile LOGLEVELFILE 50 LOGEMS 0 LOGLEVELEMS 30 Log normal operations to a file and startup and severe messages to...

Page 282: ...rd password ok System user COMF US with the individual components as follows from left to right process name SSH49 timestamp 22Dec10 15 20 47 session identifier in SESSION LOG ID format 10 0 0 78 1218 if available local user id present only in some audit messages user and remote IP address comf us 10 0 0 78 a string describing the operation and the outcome authentication granted method password pa...

Page 283: ...parameter a collector configured with the AUDITEMS parameter By default the SSH2 component does not write audit messages at all It is possible to audit to one or more destinations at the same time Note that audit messages do not have a level as log messages have auditing is either turned on to a destination or it is not See the section Log File Audit File Rollover for information on how to assess ...

Page 284: ... reason 2 Authenticat ionEvent Authentication failed Method not publickey and not gssapi with mic sessionId user remoteAddress action outcome method method reason sessionId SESSION LOG ID user SSH username remoteAddress remote IP address action authentication outcome granted method authentication method reason reason Authentication failed Method publickey or gssi with mic sessionId user remoteAddr...

Page 285: ...SSION LOG ID user SSH username remoteAddress remote IP address action open object file name outcome granted mode file open mode read or write Failed error detail available sessionId user remoteAddress action object mode mode outcome error error sessionId SESSION LOG ID user SSH username remoteAddress remote IP address action open object file name mode file open mode read or write outcome denied or...

Page 286: ...ss action touch object file name outcome denied or failed mode file open mode read if file exists or write if file does not exist 7 SftpReadFi leEvent Successful sessionId user remoteAddress action object outcome sessionId SESSION LOG ID user SSH username remoteAddress remote IP address action read object file name outcome granted Failed error detail available sessionId user remoteAddress action o...

Page 287: ...n write remote error or read local file local error object file name outcome denied or failed 9 ftpCloseFil eEvent Successful sessionId user remoteAddress action object size size bytes_read bytes read bytes_written bytes written sessionId SESSION LOG ID user SSH username remoteAddress remote IP address action close object file name size file size bytes_read number of bytes read bytes_written numbe...

Page 288: ...error detail not available sessionId user remoteAddress action object outcome sessionId SESSION LOG ID user SSH username remoteAddress remote IP address action purge object file name outcome denied or failed 11 SftpRenam eEvent Successful sessionId user remoteAddress action object to newname outcome sessionId SESSION LOG ID user SSH username remoteAddress remote IP address action rename object old...

Page 289: ...il not available sessionId user remoteAddress action object outcome sessionId SESSION LOG ID user SSH username remoteAddress remote IP address action list object directory name outcome denied or failed 13 SftpMkDir Event Successful sessionId user remoteAddress action object outcome sessionId SESSION LOG ID user SSH username remoteAddress remote IP address action mkdir object directory name outcome...

Page 290: ...ON LOG ID user SSH username remoteAddress remote IP address action rmdir object directory name outcome denied or failed 15 SftpSymlin kEvent Successful sessionId user remoteAddress action object target link outcome sessionId SESSION LOG ID user SSH username remoteAddress remote IP address action symlink object file name link link name outcome granted Failed error detail available sessionId user re...

Page 291: ...s remote IP address action shell object shell program outcome granted denied or failed Forced command sessionId user remoteAddress action object outcome forced command forcedcommand sessionId SESSION LOG ID user SSH username remoteAddress remote IP address action shell object shell program outcome granted denied or failed forcedCommand forced command 18 ExecEvent No forced command sessionId user r...

Page 292: ... action forward object forward tcpip outcome granted or denied or failed fromAdd from address fromPort from port toAdd to address toPort to port 19 ListenEvent sessionId user remoteAddress action object outcome listen on interface port sessionId SESSION LOG ID user SSH username remoteAddress remote IP address action forward object tcpip forward outcome granted or denied or failed interface local b...

Page 293: ...see ROLLOVER AUDITFILE and ROLLOVER LOGFILE in chapter SSHCOM Command Reference SSH2 implements a log file round robin with at least 10 files The number of files can be configured using the LOGFILERETENTION or AUDITFILERETENTION parameter If the number of retention files is set to 0 LOGFILERETENTION or AUDITFILERETENTION then the content of file configured via LOGFILE or AUDITFILE will be purged a...

Page 294: ...terminal SHOWLOG logfile Display 1000 bytes starting at offset 10000 written to EDIT file logedit SHOWLOG logfile logedit 10000 1000 Starting at offset 200000 and display all bytes up to the end of the file SHOWLOG logfile 200000 Display messages in timeframe to home terminal SHOWLOG logfile 03Jan11 03 15 05Jan07 21 30 10 89 Write messages in timeframe to EDIT file logedit starting from specified ...

Page 295: ...ERKEY 730 def INTERVALPENDINGPRIVATEUSERKEY 0 def INTERVALPENDINGPUBLICUSERKEY 0 par IPMODE DUAL def LICENSE NPNS01 US SSH92 LICENSE par LIFECYCLEPOLICYPRIVATEUSERKEY FIXED par LIFECYCLEPOLICYPUBLICUSERKEY FIXED def LOGCACHEDUMPONABORT TRUE par LOGCACHESIZE 500000 def LOGCONSOLE run LOGEMS USLOG def LOGEMSKEEPCOLLECTOROPENED TRUE run LOGFILE SH54LOG def LOGFILERETENTION 10 def LOGFORMATCONSOLE 93 ...

Page 296: ... FILTER KEY was set to NPNS01 US SSH92 SSH48 SSH54 18Apr12 17 07 3 The second runtime argument can be used to create a new EDIT file containing the log file contents The following example shows how to convert the whole log file into an edit file note that this can take some time for large files 42 run showlog SSH2log logedit SHOWLOG log file converter Version T9999A05_16Apr2009_HP_SHOWLOG_0022 wri...

Page 297: ...default If there is no date part for the end timestamp then the day of the start timestamp is used as default for the end date It is now also possible to use a comma as delimiter between date and time part which allows dropping the double quotes that are necessary if space is used as delimiter SHOWLOG now accepts one digit hours and days as in 1Nov12 3 10 which is treated as 01Nov12 03 10 Viewing ...

Page 298: ...298 Monitoring and Auditing HP NonStop SSH Reference Manual ...

Page 299: ...RCFOUR based cipher suite For SFTP traffic o The throughput of the transmitted data How many files of which size are transmitted in which time o Type of data read structured or non structured files o The SFTP client used and the system it is run on o Speed of file listings depends on the way an SFTP client makes use of the file attributes received from the SFTP server So there is no general answer...

Page 300: ...hows the result of the measurement Partner system Direction of transfer Cipher Suite MAC algorithm Time elapsed s CPU time used s Through put KB s CPU ms MB transfer CPU usage Linux OpenSSH NonStop to Partner system AES 128 MD5 66 5 27 1 734 568 41 Linux OpenSSH Partner system to NonStop AES 128 MD5 242 26 6 202 557 11 Please bear in mind that the measured transfer rate does not only depend on the...

Page 301: ...NonStop system The following table shows the result of the measurement Partner system Direction of transfer Cipher Suite MAC algorithm Time elapsed s CPU time used s Through put KB s CPU ms MB transfer CPU usage Linux OpenSSH NonStop to Partner system AES 128 MD5 54 26 2 904 549 48 Linux OpenSSH Partner system to NonStop AES 128 MD5 238 28 0 205 586 12 Summary There is no answer to the seemingly s...

Page 302: ...302 Performance Considerations HP NonStop SSH Reference Manual ...

Page 303: ...SHCOM against a running instance of the SSH2 process execute the INFO SSH2 command and send the output o Clients Servers Which SSH SFTP clients and daemons are communicating with the NonStop platform via SecurFTP SSH Please provide platform information product names and version numbers Problem Description o Detailed description Please describe the problem expected versus observed behavior o Contex...

Page 304: ...write key file name Is the name of the private host key file as given by the HOSTKEY parameter Cause SSH2 could not create or write the private host key file Effect The SSH2 process continues processing with the generated private key As the key could not be stored the host key will change after restart of SSH2 SSH2 will generate a new key Recovery Check the HOSTKEY parameter if it refers to a vali...

Page 305: ...ion depends on error description session id Disconnect from remote disconnect reason disconnect reason Is a description received from the remote client to describe the reason for disconnecting Cause The SSH client gracefully terminated the SSH session Effect The SSH session is closed Recovery Any corrective action depends on disconnect reason It may be required on the remote SSH client side Contac...

Page 306: ...Effect The remote SSH user cannot be authenticated The session will be terminated Recovery Use correct credentials for the user with the SSH client session id password change for user user name failed error detail user name Name of the remote user error detail is a description of the error that made the password change fail Cause An error occurred when trying to change the user s password upon req...

Page 307: ...tings for this user in the SSH2 user base session id channel request for subsystem sftp denied Cause SFTP is administratively disallowed for this user Effect The channel request for the SFTP subsystem is rejected Recovery Have the SSH client not use SFTP or grant SFTP access by setting the SFTP SECURITY attribute for the user to a value other than NONE session id SFTPSERV process initialisation fa...

Page 308: ... if this problem persists session id forwarding from host port to target host target port denied host Is the IP address of the socket client the SSH client tries to forward a connection from port Is the IP address of the socket client the SSH client tries to forward a connection from target host Is the IP address the SSH client requested to forward the connection to target port Is the port number ...

Page 309: ...covery If forwarding is desired check the setting of ALLOWTCPFORWARDING session id remote forwarding request failed server could not listen on interface port error detail interface Is the IP address of the local interface SSH client tries to establish a listen for port Is the port number SSH client tries to listen on error detail Describes the error that occurred Cause An error occurred when tryin...

Page 310: ...ey of the host the SSH client e g SFTP tried to access does not match the public key stored for the KNOWNHOST in SSHCTL Important note THIS COULD BE CAUSED BY a man in the middle attack Effect The client access to the host is denied The client connection fails Recovery Check if the identity of the target host has really been changed If access to the host is desired use the SSHCOM ALTER KNOWNHOST c...

Page 311: ...reviously issued for the local SSH client For example the subsystem sftp channel request may have failed Effect The channel is not opened Recovery Check the remote SSH server installation session id error on channel error description error description Describes the error Cause An error occurred on the SSH channel Effect The SSH channel is closed Recovery Any corrective action depends on error desc...

Page 312: ...rocess terminates Recovery Any corrective action depends on error detail WARNING REMOTE HOST IDENTIFICATION UNKNOWN The host public key fingerprint is babble bubble babble MD5 md5 bubble babble Is the bubble babble fingerprint of the remote host s public key MD5 Is the bubble babble fingerprint of the remote host s public key Cause The client failed to open a suitable SSH2 server process Effect De...

Page 313: ... that the host key has just been changed The fingerprints for the key sent by the remote host are babble bubble babble MD5 md5 Offending key is keyname Please contact your system administrator bubble babble Is the bubble babble fingerprint of the remote host s public key MD5 Is the bubble babble fingerprint of the remote host s public key keyname Is the name of the KNOWNHOST object holding the rem...

Page 314: ... to thaw the newly added KNOWNHOST entry to establish a connection THAW KNOWNHOST hostname Couldn t read packet error detail Couldn t write packet error detail error detail Describes the error condition Cause The client failed to receive send a packet from to the SSH2 SFTP channel Typical causes are that the remote SSH server has terminated the SSH session of SFTP channel Effect The client process...

Page 315: ...r status uint7 Value of second highest byte of GSSAPI minor status uint8 Value of lowest 16Bit of GSSAPI minor status 10 failed to acquire service creadentials major status uint1 uint2 uint3 uint4 minor status uint5 uint6 uint7 uint8 uint1 GSSAPI major status uint2 Value of highest byte of GSSAPI major status uint3 Value of second highest byte of GSSAPI major status uint4 GSSAPI major status uint5...

Page 316: ...erberos installation 10 GSS Error major status uint1 uint2 uint3 uint4 str1 uint1 GSSAPI major status uint2 Value of highest byte of GSSAPI major status uint3 Value of second highest byte of GSSAPI major status uint4 GSSAPI major status str1 GSSAPI error description for major status 10 Kerberos Error minor status uint1 uint2 uint3 uint4 str1 uint1 GSSAPI minor status uint2 Highest byte of minor st...

Page 317: ...ecord indicator str2 Error description 10 Value int1 for SFTPEDITLINESTARTDECIMALINCR not in allowed range int1 Value configured for parameter SFTPEDITLINESTARTDECIMALINCR 10 Value int1 for SFTPEDITLINENUMBERDECIMALINCR not in allowed range int1 Value configured for parameter SFTPEDITLINENUMBERDECIMALINCR 10 Functionality is restricted to HP internal usage 10 Please contact License Manager hp com ...

Page 318: ...n and file access str1 Exception text 10 Connection timed out 10 Unexpected exception during initialization str1 str1 Exception text 10 Unexpected exception in main wait loop str1 str1 Exception text 10 str1 could not impersonate user str2 error int1 str1 Session name str2 System user name int1 Error 10 str1 user is mapped to a SAFEGUARD ALIAS str1 Session name 10 str1 If SAFEGUARD is configured w...

Page 319: ...listen on str2 terminated with error str3 str1 Session Name str2 Address and port to listen on str3 Error text 20 str1 forwarding str2 connection from str3 to str4 failed str5 str1 Session Name str2 Protocol str3 Normalized originator host address and port str4 Normalized target host address and port str5 Description 20 str1 forwarding str2 connection from str3 accepted on str4 to remote failed st...

Page 320: ...ssion Name 20 str1 Unexpected READ from SSH client str1 Session Name 20 str1 Unexpected WRITE from SSH client str1 Session Name 20 str1 cannot forward data because remote side has closed the channel ignoring data str1 Session Name 20 str1 client access to known host str2 denied known host entry known by local system user str3 is frozen str1 Session Name str2 Known host str3 Owner of known host ent...

Page 321: ...ation host address 20 str1 request rejected Forwarding error USER str2 is not permitted to listen on port int1 on host str3 str1 Session Name str2 Name of USER record int1 Source port str3 Normalized local host address 20 str1 failed to open channel reason str2 str1 Session Name str2 Description 20 str1 channel request failed str1 Session Name 20 str1 error on channel str2 str1 Session Name str2 E...

Page 322: ...and port str3 Normalized target host address and port str4 Guardian user name 20 str1 forwarding from str2 to str3 denied RESTRICTION PROFILE FORWARD FROM for USER str4 does not include originator host str1 Session Name str2 Normalized originator host address and port str3 Normalized target host address and port str4 User name 20 str1 listen request on str2 denied SSH2 parameter str3 set to false ...

Page 323: ... int1 Counter value 20 Insane Thread was killed 20 DEFINE str1 was set to str2 str1 Define name str2 File name 20 parameter SUBNET was evaluated 20 TCP IP process is str1 str1 Subnet Name 20 str1 remote str2 forwarding request failed server could not listen on str3 str4 str1 Session Name str2 Protocol str3 Normalized remote address and port str4 Description 20 str1 Error str2 str1 Session Name str...

Page 324: ...ssion Name str2 User name str3 System user name str4 ALLOWFROZENSYSTEMUSER 20 str1 Authentication denied SSH2 not licensed for general usage str1 Session Name 20 str1 str2 authentication for user str3 not allowed str1 Session Name str2 Last authentication method tried str3 User name 20 str1 Authentication of user str2 with method str3 failed str4 str1 Session Name str2 User name str3 Authenticatio...

Page 325: ...20 str1 channel request for subsystem sftp denied due to the SSH user s allowed subsystems settings str1 Session Name 20 str1 channel request for subsystem sftp denied due to the SSH2 process allowed subsystem settings str1 Session Name 20 str1 request for subsystem tacl rejected not licensed str1 Session Name 20 str1 channel request for subsystem tacl denied due to the SSH user s allowed subsyste...

Page 326: ...or detail 20 str1 could not launch program str2 error int1 detail int2 str1 Session Name str2 Program int1 Error int2 Error detail 20 str1 could not spawn program str2 error int1 str1 Session Name str2 Program name of spawned process int1 Error 20 str1 pty request denied pseudo terminal access not licensed authentication dummy pty str2 str1 Session Name str2 Pseudo terminal name used for authentic...

Page 327: ...ddress and port 20 str1 listen request on str2 denied port forwarding not licensed str1 Session Name str2 Normalized address and port to bind 20 str1 forwarding from str2 denied only port 20 originator allowed for FTP data connections str1 Session Name str2 Normalized originator host address and port 20 str1 request rejected user str2 is not mapped to a SYSTEM USER str1 Session Name str2 User name...

Page 328: ...lue str2 is not a valid CPU list str3 Using default value str4 instead str1 Parameter name str2 Configured value str3 Reason for CPU set being invalid str4 Default value 20 Setting file security on str1 from oct1 to oct2 failed error int1 str1 SSH database file name oct1 Current file security oct2 Expected file security int1 Error 20 Disabling incorrectly configured DNS resolving Please correct DN...

Page 329: ...port 20 str1 SSH user authentication failed disconnecting str1 Session Name 20 str1 SSH user authentication o k str1 Session Name 20 str1 failed to create SSH tunnel to FTP server at str2 str3 disconnecting SSH session str1 Session Name str2 Normalized target host address and port str3 Description 20 Cannot forward data because remote side has closed the channel ignoring data 20 Configuration erro...

Page 330: ... system user name supplied user credential cache will not be created str1 Session Name 50 No system user name supplied user credential cache will not be created 50 str1 processing GSSAUTH_INIT_SECURITY_CONTEXT_REQUEST for user str2 str1 Session Name str2 User initiating GSSAPI authentication 50 str1 processing GSSAUTH_ACCEPT_SECURITY_CONTEXT_REQUEST str1 Session Name 50 str1 security context was f...

Page 331: ...ized target host address and port str5 Reason 50 str1 remote str2 forwarding request o k server listens on str3 forwarding to str4 str1 Session Name str2 Protocol str3 Remote address and port str4 Normalized target host address and port 50 str1 remote str2 forwarding canceled server listen on str3 terminated str1 Session Name str2 Protocol str3 Remote address and port 50 str1 forwarding request o ...

Page 332: ...ct License Manager hp com for a full license 50 str1 added host as KNOWNHOST str2 to database upon user request str1 Session Name str2 Known host 50 str1 local system user str2 aborted connection to unknown host disconnecting because remote host key not verified str1 Session Name str2 Login name 50 str1 connection failed error str2 str1 Session Name str2 Exception text 50 str1 client session close...

Page 333: ...t forwarding error str2 str1 Session Name str2 Exception text 50 str1 requesting a pseudo terminal str1 Session Name 50 str1 sending subsystem request for subsytstem sftp str1 Session Name 50 str1 sending shell request str1 Session Name 50 str1 sending exec request for command str2 str1 Session Name str2 EXEC request command 50 str1 remote process terminated with exit code int1 str1 Session Name i...

Page 334: ...s int1 Completion code of launched process 40 str1 SSH session established str1 Session Name 50 str1 Sending banner message str1 Session Name 50 str1 Received Disconnect By Application from remote str2 str1 Session Name str2 Reason for disconnect 40 str1 SSH session terminated str1 Session Name 10 SSH2 Server listening on interface str1 port int1 str1 Interface the SSH2 process listens on int1 Por...

Page 335: ...o local user str3 system user str4 str1 Session Name str2 Client principal name str3 User name str4 System user name 40 str1 gssapi mic ok authentication of str2 successful str1 Session Name str2 User name 50 str1 channel request for subsystem sftp launching sftp server str1 Session Name 50 str1 client version string str2 str1 Session Name str2 SSH client software version 50 str1 channel request f...

Page 336: ...hentication 50 str1 Allocated PTY str2 str1 Session Name str2 Pseudo terminal name 50 str1 routing connection to target ftp port int1 str1 Session Name int1 Target port 10 No valid license found restricting functionality to HP internal usage 10 CRYPTOPP version str1 str1 Crypto library version 10 Invalid value specified for parameter str1 str2 Using default value str3 str1 ALLOWINFOSSH2 str2 Param...

Page 337: ...Session Name 50 str1 user str2 connects via SSH host at str3 to FTP server on port str4 str1 Session Name str2 User name str3 Normalized target host address and port str4 Normalized FTP target host and address 40 str1 received password from FTP client sending SSH authentication request method none str1 Session Name 40 str1 received quit command from FTP client str1 Session Name 40 str1 received FT...

Page 338: ...yright notes All patent rights of the various contributors to the open source components of SSH2 are acknowledged OpenSSL Copyright Statement The OpenSSL toolkit is licensed under a dual license the OpenSSL license and the original SSLeay license See the license text below OpenSSL License Copyright c 1998 2000 The OpenSSL Project All rights reserved Redistribution and use in source and binary form...

Page 339: ...wing conditions are aheared to The following conditions apply to all code found in this distribution be it the RC4 RSA lhash DES etc code not just the SSL code The SSL documentation included with this distribution is covered by the same copyright terms except that the holder is Tim Hudson tjh cryptsoft com Copyright remains Eric Young s and as such any Copyright notices in the code are not to be r...

Page 340: ...inland All rights reserved As far as I am concerned the code I have written for this software can be used freely for any purpose Any derived versions of this software must be clearly marked as such and if the derived work is incompatible with the protocol description in the RFC file it must be called by a name other than ssh or Secure Shell Tatu continues However I am not implying to give any lice...

Page 341: ...HE PROGRAM TO THE EXTENT PERMITTED BY APPLICABLE LAW EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND OR OTHER PARTIES PROVIDE THE PROGRAM AS IS WITHOUT WARRANTY OF ANY KIND EITHER EXPRESSED OR IMPLIED INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH ...

Page 342: ...E Ariel Futoransky futo core sdi com http www core sdi com 3 ssh keyscan was contributed by David Mazieres under a BSD style license Copyright 1995 1996 by David Mazieres dm lcs mit edu Modification and redistribution in source and binary forms is permitted provided that due credit is given to the author and the OpenBSD project by leaving this copyright notice intact 4 The Rijndael implementation ...

Page 343: ... are permitted provided that the following conditions are met 1 Redistributions of source code must retain the above copyright notice this list of conditions and the following disclaimer 2 Redistributions in binary form must reproduce the above copyright notice this list of conditions and the following disclaimer in the documentation and or other materials provided with the distribution 3 Neither ...

Page 344: ...yright notice this list of conditions and the following disclaimer in the documentation and or other materials provided with the distribution THIS SOFTWARE IS PROVIDED BY THE AUTHOR AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRE...

Reviews:

No comments

Brands by name

Popular brands

Load more brands