How it Works
HP
Loading...
N
Loading...
Loading...
NonStop SSH 544701-014
Reference Manual
344 pgs2.38 Mb0

HP NonStop SSH 544701-014 Reference Manual

HP NonStop SSH Reference Manual
HP Part Number: 544701-014
Published: February 2013 Edition: HP NonStop SSH 4.1
G06.21 and subsequent G-series RVUs H06.07 and subsequent H-series RVUs J06.03 and subsequent J-series RVUs
Hewlett-Packard Company
3000 Hanover Street
Palo Alto, CA 94304-1185
© 2013 HP
All rights reserved
© Copyright 2013 Hewlett-Packard Development Company, L.P. Confidential computer software. Valid license from HP required for possession, use or copying.
Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor’s standard commercial license.
The information contained herein is subject to change without notice. The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein.
Export of the information contained in this publication may require authorization from the U.S. Department of Commerce.
Microsoft, Windows, and Windows NT are U.S. registered trademarks of Microsoft Corporation. Intel, Pentium, and Celeron are trademarks or registered trademarks of Intel Corporation or its
subsidiaries in the United States and other countries. Java is a U.S. trademark of Sun Microsystems, Inc. Motif, OSF/1, UNIX, X/Open, and the "X" device are registered trademarks, and IT DialTone and The
Open Group are trademarks of The Open Group in the U.S. and other countries. Open Software Foundation, OSF, the OSF logo, OSF/1, OSF/Motif, and Motif are trademarks of the
Open Software Foundation, Inc. OSF MAKES NO WARRANTY OF ANY KIND WITH REGARD TO THE OSF MATERIAL PROVIDED HEREIN, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. OSF shall not be liable for errors contained herein or for incidental consequential damages in connection with the furnishing, performance, or use of this material.
© 1990, 1991, 1992, 1993 Open Software Foundation, Inc. The OSF documentation and the OSF software to which it relates are derived in part from materials supplied by the following:© 1987, 1988, 1989 Carnegie-Mellon University. © 1989, 1990, 1991 Digital Equipment Corporation. ©
1985, 1988, 1989, 1990 Encore Computer Corporation. © 1988 Free Software Foundation, Inc. © 1987, 1988, 1989, 1990, 1991 Hewlett-Packard Company. © 1985, 1987, 1988, 1989, 1990, 1991, 1992 International Business Machines Corporation. © 1988, 1989 Massachusetts Institute of Technology. © 1988, 1989, 1990 Mentat Inc. © 1988 Microsoft Corporation. © 1987, 1988, 1989, 1990, 1991, 1992 SecureWare, Inc. © 1990, 1991 Siemens Nixdorf Informationssysteme AG. © 1986, 1989, 1996, 1997 Sun Microsystems, Inc. © 1989, 1990, 1991 Transarc Corporation.OSF software and documentation are based in part on the Fourth Berkeley Software Distribution under license from The Regents of the University of California.
OSF acknowledges the following individuals and institutions for their role in its development: Kenneth C.R.C. Arnold, Gregory S. Couch, Conrad C. Huang, Ed James, Symmetric Computer Systems, Robert Elz. © 1980, 1981, 1982, 1983, 1985, 1986, 1987, 1988, 1989 Regents of the University of California.
Contents
Preface 13
Who Should Read This Gui de ................................................................................................. 13
Related Reading ....................................................................................................................... 13
Document History .................................................................................................................... 15
Introduction 25
The SSH2 Solution .................................................................................................................. 25
The SSH Protocol .................................................................................................................... 26
Components of the SSH2 Software Package ........................................................................... 27
Architecture Overview ............................................................................................................. 28
Fully Compliant with the SSH Protocol Specification .............................................. 25
Strong Authentication and Multiple Cipher Suites .................................................... 25
Support of Full Screen Terminal Access ................................................................... 25
Built-in User Base ..................................................................................................... 25
Central Key Store ...................................................................................................... 26
Secure SFTP Transfer ................................................................................................ 26
TCP and FTP Port Forwarding .................................................................................. 26
Single Sign-on ........................................................................................................... 26
TCP/IPv6 ................................................................................................................... 26
SSH2 Running as SSH Daemon (Server) .................................................................. 28
SSH2 Running as SSH Client .................................................................................... 29
Installation & Quick Start 31
System Requirements .............................................................................................................. 31
Acquiring the Product Archives .............................................................................................. 31
Installation on the NonStop Server .......................................................................................... 32
Installing the SSH Components on the NonStop System .......................................... 32
Unlocking the Product wi th a License File ................................................................ 33
SSH2 License and Versio n Information .................................................................................. 34
Updating to a new version of the SSH2 file set ....................................................................... 34
Download of the object file set .................................................................................. 34
Installation of the new version ................................................................................... 34
Where configuration data is stored ............................................................................ 35
Migration Considerations ........................................................................................................ 35
Installation of SFTPAPI........................................................................................................... 35
Quick Start and Guided Tour ................................................................................................... 35
Quick-Starting the SSH2 System .............................................................................. 36
Secure Shell Access to the NonStop Server .............................................................. 38
Secure Shell Access from NonStop to Remote Systems ........................................... 39
Encrypted File Transfer ............................................................................................. 41
Using Public Keys to Authenticate Remote Users .................................................... 43
Using Public Keys to Logon to Remote Systems ...................................................... 44
Configuring and Running SSH2 47
HP NonStop SSH Reference Manual Contents iii
Configuration Overview .......................................................................................................... 47
The Configuration Fil e .............................................................................................. 48
PARAM Commands .................................................................................................. 48
Startup Line Parameters ............................................................................................ 49
Starting SSH2 .......................................................................................................................... 49
SSH2 Parameter Reference ...................................................................................................... 50
Parameter Overview .................................................................................................. 50
ALLOWEDAUTHENTICATIONS .......................................................................... 53
ALLOWEDSUBSYSTEMS ...................................................................................... 53
ALLOWFROZENSYSTEMUSER ........................................................................... 54
ALLOWINFOSSH2 .................................................................................................. 55
ALLOWPASSWORDSTORE .................................................................................. 55
ALLOWTCPFORWARDING .................................................................................. 56
AUDITCONSOLE .................................................................................................... 56
AUDITEMS .............................................................................................................. 57
AUDITFILE .............................................................................................................. 58
AUDITFILERETENTION ........................................................................................ 58
AUDITFORMAT ...................................................................................................... 59
AUDITFORMATCONSOLE .................................................................................... 59
AUDITFORMATEMS .............................................................................................. 60
AUDITFORMATFILE .............................................................................................. 60
AUDITMAXFILELENGTH ..................................................................................... 61
AUTOADDSYSTEMUSERS ................................................................................... 61
AUTOADDSYSTEMUSERSLIKE .......................................................................... 62
BACKUPCPU ........................................................................................................... 63
BANNER .................................................................................................................. 63
CIPHERS .................................................................................................................. 64
CLIENTALLOWEDAUTHENTICATIONS ............................................................ 65
COMPRESSION ....................................................................................................... 65
CONFIG .................................................................................................................... 66
CONFIG2 .................................................................................................................. 66
CPUSET .................................................................................................................... 66
CUSTOMER ............................................................................................................. 67
DISCONNECTIFUSERUNKNOWN ....................................................................... 68
ENABLESTATISTICSATSTARTUP ...................................................................... 68
FULLSSHCOMACCESSGROUP<j>....................................................................... 69
FULLSSHCOMACCESSUSER<i> .......................................................................... 69
GSSAUTH ................................................................................................................ 70
GSSGEXKEX ........................................................................................................... 71
GSSKEX ................................................................................................................... 71
GUARDIANATTRIBUTESEPARATOR ................................................................ 72
HOSTKEY ................................................................................................................ 72
INTERFACE ............................................................................................................. 73
INTERFACEOUT ..................................................................................................... 74
INTERVALLIVEPRIVATEUSERKEY ................................................................... 74
INTERVALLIVEPPUBLICUSERKEY ................................................................... 75
INTERVALPENDINGPRIVATEUSERKEY........................................................... 76
INTERVALPENDINGPUBLICUSERKEY ............................................................. 76
IPMODE .................................................................................................................... 77
LICENSE .................................................................................................................. 78
LIFECYCLEPOLICYPRIVATEUSERKEY ............................................................ 78
LIFECYCLEPOLICYPUBLICUSERKEY ............................................................... 79
LOGCACHEDUMPONABORT ............................................................................... 80
LOGCACHESIZE ..................................................................................................... 80
LOGCONSOLE ........................................................................................................ 81
LOGEMS .................................................................................................................. 81
iv Contents HP NonStop SSH Reference Manual
LOGEMSKEEPCOLLECTOROPENED .................................................................. 82
LOGFILE .................................................................................................................. 82
LOGFILERETENTION ............................................................................................ 83
LOGFORMAT .......................................................................................................... 83
LOGFORMATCONSOLE ........................................................................................ 84
LOGFORMATEMS .................................................................................................. 85
LOGFORMATFILE .................................................................................................. 86
LOGLEVEL .............................................................................................................. 86
LOGLEVELCACHE ................................................................................................. 87
LOGLEVELCONSOLE ............................................................................................ 87
LOGLEVELEMS ...................................................................................................... 88
LOGLEVELFILE ...................................................................................................... 88
LOGMAXFILELENGTH ......................................................................................... 89
LOGMEMORY ......................................................................................................... 89
MACS ........................................................................................................................ 90
PARTIALSSHCOMACCESSGROUP<n> ............................................................... 90
PARTIALSSHCOMACCESSUSER<k> .................................................................. 91
PORT ......................................................................................................................... 92
PTCPIPFILTERKEY ................................................................................................ 92
PTCPIPFILTERTCPPORTS ..................................................................................... 93
PTYSERVER ............................................................................................................ 93
RECORDDELIMITER ............................................................................................. 94
RESTRICTIONCHECKFAILEDDEFAULT ........................................................... 94
SAFEGUARD-PASSWORD-REQUIRED ............................................................... 95
SFTPALLOWGUARDIANCD ................................................................................. 95
SFTPCPUSET ........................................................................................................... 96
SFTPDISPLAYGUARDIAN .................................................................................... 96
SFTPEDITLINEMODE ............................................................................................ 97
SFTPEDITLINENUMBERDECIMALINCR ........................................................... 97
SFTPEDITLINESTARTDECIMALINCR ................................................................ 98
SFTPEXCLUSIONMODEREAD ............................................................................. 99
SFTPIDLETIMEOUT ............................................................................................. 100
SFTPMAXEXTENTS ............................................................................................. 100
SFTPPRIMARYEXTENTSIZE .............................................................................. 100
SFTPSECONDARYEXTENTSIZE ........................................................................ 101
SFTPUPSHIFTGUARDIANFILENAMES ............................................................ 101
SOCKETKEEPALIVE ............................................................................................ 102
SOCKETRCVBUF ................................................................................................. 102
SOCKETSNDBUF .................................................................................................. 103
SOCKTCPMINRXMT ............................................................................................ 103
SOCKTCPMAXRXMT .......................................................................................... 103
SOCKTCPRXMTCNT ............................................................................................ 104
SOCKTCPTOTRXMTVAL .................................................................................... 104
SSHAUTOKEXBYTES .......................................................................................... 105
SSHAUTOKEXTIME ............................................................................................. 105
SSHCTL .................................................................................................................. 106
SSHCTLAUDIT ...................................................................................................... 107
SSHKEEPALIVETIME .......................................................................................... 107
STOREDPASSWORDSONLY ............................................................................... 107
STRICTHOSTKEYCHECKING ............................................................................ 108
SUBNET ................................................................................................................. 108
SUPPRESSCOMMENTINSSHVERSION ............................................................. 109
TCPIPHOSTFILE ................................................................................................... 109
TCPIPNODEFILE ................................................................................................... 110
TCPIPRESOLVERNAME ...................................................................................... 110
USETEMPLATESYSTEMUSER ........................................................................... 111
HP NonStop SSH Reference Manual Contents v
Enabling Full TTY Access .................................................................................................... 112
Enabling 6530 Terminal Access ............................................................................................ 112
Configuring an Alternate Command Interpreter ...................................................... 112
Configuring a Service Menu.................................................................................... 113
Configuring an STN Service or Window ................................................................ 113
Forcing TACL Access via Server-side Configuration ............................................. 114
Using TELSERV as Service Provider ..................................................................... 114
Granting Access without SSH Authentication ....................................................................... 115
Single Sign-on with GSSAPI Authentication ........................................................................ 116
Overview ................................................................................................................. 116
Prerequisites ............................................................................................................ 116
Configuration of the GSSAPI Interface Process...................................................... 116
Enabling GSSAPI Authentication for a User Account ............................................ 116
Authorizing Kerberos Principals for Logon ............................................................ 117
Restricting Incom i ng and Outgoing Connecti ons .................................................................. 118
Rejecting Gateway Ports ......................................................................................... 118
Restricting External Access to SSH2 Process ......................................................... 118
Restricting Internal Access to Remote SSH2 Hosts ................................................ 118
Restricting Local Ports used for Port Forwarding ................................................... 119
Restricting Remote Hosts/Ports for Port Forwarding .............................................. 119
Restricting access to forwarding tunnels ................................................................. 119
Load Balancing ...................................................................................................................... 119
Load-Balancing Outbound SSH Sessions ............................................................... 119
Load-Balancing Inbound SSH Sessions .................................................................. 120
Fault Tolerance ...................................................................................................................... 120
Configuring SSH2 as a NonStop Process Pair......................................................... 120
Configuring SSH2 as a Generic Process ................................................................. 121
Choosing a Persistence Mechanism ........................................................................ 121
Processing of DEFINEs ......................................................................................................... 122
Setting of Environment Variables .......................................................................................... 122
TCP/IPv6 Configuration ........................................................................................................ 123
IPv6 Address Formats ............................................................................................. 123
Usage of IPv6 Addresses ......................................................................................... 124
IP Mode ................................................................................................................... 125
TCP/IPv6 Migration and Backout ......................................................................................... 125
Start Using TCP/IPv6 .............................................................................................. 125
Reverting Back to Pre-IPv6 SSH2 Release ............................................................. 125
The SSH User Database 127
Overview of SSH Operati on Modes ...................................................................................... 127
Database for Daemon Mode .................................................................................................. 128
Database for Client Mode ...................................................................................................... 130
Creating and Accessing the Database .................................................................................... 131
Exporting the Database .......................................................................................................... 131
SSHCOM Command Reference 133
SSHCOM Overview .............................................................................................................. 133
Miscellaneous commands in SSHCOM ................................................................................. 139
vi Contents HP NonStop SSH Reference Manual
Standard NonStop Commands and Features ........................................................... 134
Startup Values for the MODE and ASSUME USER Commands ........................... 135
Security within SSHCOM ....................................................................................... 135
Ownership and Management of Client Mode Entities ............................................. 137
MODE ..................................................................................................................... 139
SET .......................................................................................................................... 139
INFO SSH2 ............................................................................................................. 140
CLEAR LOGCACHE ............................................................................................. 142
FLUSH LOGCACHE .............................................................................................. 142
INFO DEFINE ........................................................................................................ 142
PROMPT "<text>" .................................................................................................. 143
RESOLVE HOST-NAME ....................................................................................... 143
ROLLOVER AUDITFILE ...................................................................................... 143
ROLLOVER LOGFILE .......................................................................................... 144
EXPORT SSHCTL .................................................................................................. 144
INFO HOST-KEY ................................................................................................... 145
EXPORT HOST-KEY ............................................................................................. 145
Daemon Mode Commands - Overview ................................................................................. 146
Daemon Mode Commands Operating on the USER Entity ................................................... 146
ADD USER ............................................................................................................. 146
ALTER USER ......................................................................................................... 153
DELETE USER ....................................................................................................... 159
FREEZE USER ....................................................................................................... 160
INFO USER ............................................................................................................ 160
RENAME USER ..................................................................................................... 162
THAW USER .......................................................................................................... 162
Daemon Mode Commands Operating on the RESTRICTION-PROFILE Entity .................. 162
ADD RESTRICTION-PROFILE ............................................................................ 162
ALTER RESTRICTON-PROFILE ......................................................................... 164
DELETE RESTRICTION-PROFILE ...................................................................... 166
INFO RESTRICTION-PROFILE ........................................................................... 166
RENAME RESTRICTION-PROFILE .................................................................... 166
Client Mode Commands - Overview ..................................................................................... 167
ASSUME USER ...................................................................................................... 168
INFO SYSTEM-USER ........................................................................................... 168
Client Mode Commands Operating on the KEY Entity ......................................................... 169
ALTER KEY ........................................................................................................... 169
DELETE KEY ......................................................................................................... 170
EXPORT KEY ........................................................................................................ 170
FREEZE KEY ......................................................................................................... 171
GENERATE KEY ................................................................................................... 171
IMPORT KEY ......................................................................................................... 172
INFO KEY .............................................................................................................. 173
RENAME KEY ....................................................................................................... 175
THAW KEY ............................................................................................................ 176
Client Mode Commands Operating on the PASSWORD Entity ........................................... 176
ADD PASSWORD .................................................................................................. 176
ALTER PASSWORD ............................................................................................. 177
DELETE PASSWORD ........................................................................................... 177
FREEZE PASSWORD ............................................................................................ 178
INFO PASSWORD ................................................................................................. 178
RENAME PASSWORD ......................................................................................... 179
THAW PASSWORD .............................................................................................. 180
Client Mode Commands Operating on the KNOWNHOST Entity ....................................... 180
ADD KNOWNHOST .............................................................................................. 180
ALTER KNOWNHOST ......................................................................................... 181
DELETE KNOWNHOST ....................................................................................... 181
FREEZE KNOWNHOST ........................................................................................ 182
INFO KNOWNHOST ............................................................................................. 182
RENAME KNOWNHOST ..................................................................................... 184
THAW KNOWNHOST .......................................................................................... 184
Status Commands .................................................................................................................. 185
HP NonStop SSH Reference Manual Contents vii
STATUS SSH2 ........................................................................................................ 185
STATUS SESSION ................................................................................................. 185
STATUS CHANNEL .............................................................................................. 187
STATUS OPENER ................................................................................................. 187
Statistics Related Commands ................................................................................................. 189
STATISTICS SESSION .......................................................................................... 189
DISABLE STATISTICS ......................................................................................... 189
ENABLE STATISTICS .......................................................................................... 189
RESET STATISTICS .............................................................................................. 189
STATUS STATISTICS ........................................................................................... 190
Abort Session Comm a nd ....................................................................................................... 190
SSH and SFTP Client Reference 191
Introduction ........................................................................................................................... 191
Starting the Guardian Client Programs .................................................................................. 191
Starting the OSS Client Programs.......................................................................................... 192
Configuring the SSH2 Process to Use ................................................................................... 194
Inquiring User Name If Not Supplied .................................................................................... 194
Suppressing the Banner printed by Clients ............................................................................ 195
Automating the SFTP/SSH clients ......................................................................................... 195
FILE I/O parameters for SFTP/SFTPOSS ............................................................................. 195
SSH Client Command Reference........................................................................................... 196
Command-Line Reference ....................................................................................... 196
Using the SSH client to create a shell controlling a remote system ........................ 200
Using the SSH client to create a port forwarding daemon ....................................... 201
Using the SSH client to create an FTP port forwarding daemon ............................. 202
SFTP Client Command Reference ......................................................................................... 203
Command-Line Reference ....................................................................................... 203
SFTP Commands ..................................................................................................... 206
Transfer Progress Meter .......................................................................................... 208
Controlling Transfer Summary ................................................................................ 208
Specifying File Names on the NonStop System ...................................................... 209
Extended Syntax for Creation of New Guardian Files ............................................ 209
Transfer Modes for Str uc t ured Guardian Files ........................................................ 210
Transferring ASCII files .......................................................................................... 211
Fix Command and Command History ..................................................................... 211
Creation of Format 2 Guardian Files ....................................................................... 213
SSH Protocol Reference 215
The SSH Protocol .................................................................................................................. 215
Implementation Overview ..................................................................................................... 215
Authentication using User Names and Passwords ................................................................. 216
Public Key Authentication ..................................................................................................... 216
STN Reference 219
Introduction ........................................................................................................................... 219
Running STN as Pseudo TTY Server for SSH2 .................................................................... 219
viii Contents HP NonStop SSH Reference Manual
Supported Versions ................................................................................................. 215
Cipher Suites ........................................................................................................... 215
Implementation of the S SH protocol ....................................................................... 215
Introduction to Public Key Authentication, Terminology ....................................... 216
Public Key Authentication and SSH ....................................................................... 216
Assuring Host Authenticity ..................................................................................... 217
Client logon ............................................................................................................. 217
Starting STN from TACL ........................................................................................ 219
Running STN as Persistent Process ....................................................................................... 221
STNCOM ............................................................................................................................... 222
Comments ................................................................................................................ 223
STNCOM Commands ........................................................................................................... 223
ABEND ................................................................................................................... 223
ABORT SERVICE .................................................................................................. 223
ABORT SESSION .................................................................................................. 223
ABORT WINDOW ................................................................................................. 224
ADD IPRANGE ...................................................................................................... 224
ADD SCRIPT .......................................................................................................... 224
ADD SERVICE ....................................................................................................... 225
ADD WINDOW ...................................................................................................... 231
AUDITCOLL OFF | <ems-collector> ..................................................................... 232
AUDITMSG <text> ................................................................................................ 233
AUTO_ADD_WIN DYNAMIC | STATIC | OFF ................................................... 233
AUTODEL_WAIT <seconds> ................................................................................ 233
BACKUP[CPU] <cpu> | NONE | BUDDY | ANY ................................................ 234
BANNER Y | N ....................................................................................................... 234
BANNER_TIMEOUT <minutes> ........................................................................... 234
BLAST <message> ................................................................................................. 235
BREAK_ON_DISCON Y|N ................................................................................... 235
BUFFER_SIZE ....................................................................................................... 235
CHOICE_PROMPT Y | N ....................................................................................... 235
CHOICE_TEXT <text> .......................................................................................... 235
CONN_CLR_SSH Y | N ......................................................................................... 235
DELETE IPRANGE <iprange-name> | * ................................................................ 235
DELETE SCRIPT <script-name> | * ...................................................................... 235
DELETE SERVICE <service-name> | * ................................................................. 236
DELETE WIN[DOW] <window-name> | * ............................................................ 236
DEV_SUBTYPE B05COMP | WINDOW | <nn> ................................................. 236
DYNAMIC_PRI <nnn> .......................................................................................... 236
DYN_CPU (cpu,cpu) .............................................................................................. 236
DYN_WIN_MAX <nnn> ........................................................................................ 236
EXIT ........................................................................................................................ 237
FC ............................................................................................................................ 237
FESESSDOWN <error-code> ................................................................................. 237
FRAGSIZE <n> ...................................................................................................... 237
GWN [ALLOC] ...................................................................................................... 237
HELP ....................................................................................................................... 238
IDLE_WARNING <n> ........................................................................................... 238
INFO ALL ............................................................................................................... 238
INFO IPRANGE <iprange-name> | * ..................................................................... 238
INFO PROCESS ..................................................................................................... 238
INFO SCRIPT <script-name> | * ............................................................................ 239
INFO SER[VICE] <service-name> | * .................................................................... 239
INFO STN ............................................................................................................... 240
INFO WIN[DOW] <window-name> | * .................................................................. 240
INPUT_TIMEOUT <minutes> ............................................................................... 241
KILL_DYNAMIC Y|N ........................................................................................... 242
LICENSE <location> .............................................................................................. 242
LISTOPENS ............................................................................................................ 242
MAX_OPENERS <n> ............................................................................................ 242
MAX_OUTQ <n> ................................................................................................... 243
NBOT Y|N .............................................................................................................. 243
NBOT_TIMEOUT <seconds> ................................................................................ 243
HP NonStop SSH Reference Manual Contents ix
NEGOT_TIMEOUT <seconds>.............................................................................. 243
OBEY <edit-file-name> .......................................................................................... 243
OPEN <STN-process-name> .................................................................................. 243
OPENER_WAIT <seconds> ................................................................................... 243
OUTPUT_RESET Y | N .......................................................................................... 244
PAUSE .................................................................................................................... 244
POOL ...................................................................................................................... 244
PROMPT "<text>" .................................................................................................. 244
PTY_REPLY_LEN <n> .......................................................................................... 245
REPLY_DELAY_MAX <seconds> ........................................................................ 245
RESET SERVICE <service-name> | * .................................................................... 245
RSCMGR_DEPTH <n> .......................................................................................... 245
SAVECFG <filename> ........................................................................................... 245
SECURITY [<letter>] ............................................................................................. 246
SHUTDOWN .......................................................................................................... 246
SSH_DEFAULT_SVC <service-name> | *NONE* ............................................... 246
START SERVICE <service-name> | * ................................................................... 246
START WINDOW <#window-name> | * ............................................................... 246
STATUS SERVICE [ <service-name> | * ] ............................................................ 246
STATUS SESSION [ <session-name> | * ] ............................................................ 247
STATUS WINDOW [ <#window-name> | * ] ........................................................ 248
STIX [RESET] ........................................................................................................ 248
STNCOM_PROMPT "<text>" ................................................................................ 248
STNLOG <text> ...................................................................................................... 250
STOP SERVICE <service-name> | * ...................................................................... 250
STOP SESSION <session-name> | * ...................................................................... 250
STOP WINDOW <#window-name> | * .................................................................. 250
TIME ....................................................................................................................... 250
TRACE .................................................................................................................... 250
VERSION ................................................................................................................ 251
WELCOME_SEQ BEFORE | AFTER | BOTH ...................................................... 251
WELCOME <filename> | OFF | LIST .................................................................... 251
WIN_AVAIL_ALWAYS Y | N .............................................................................. 252
WIN_AVAIL_C11 Y | N ...................................................................................... 252
WSINFO NONE | QUERY | REQUIRED | MATCH ............................................. 252
WINSCRIPT_FIRST Y | N ..................................................................................... 252
Session and Window Naming ................................................................................................ 253
GWN Related STNCOM Commands ...................................................................... 254
GWN Related EMS Events ..................................................................................... 255
EMS Events ........................................................................................................................... 255
Client Messages at the Remote Workstation ......................................................................... 269
STN Application I/O Handling .............................................................................................. 276
Monitoring and Auditing 279
Introduction ........................................................................................................................... 279
Log Messages ........................................................................................................................ 279
Audit Messages ...................................................................................................................... 282
x Contents HP NonStop SSH Reference Manual
Content of Log Messages ........................................................................................ 279
Log Level ................................................................................................................ 280
Destinations for Log Messages ................................................................................ 281
Customizing the Log Format ................................................................................... 282
Content of Audit Messages ..................................................................................... 282
Destinations for Audit Messages ............................................................................. 283
Customizing the Audit Format ................................................................................ 283
Audit Reports .......................................................................................................... 283
List of Audit Messages ............................................................................................ 283
Log File/Audit File Rollover ................................................................................................. 293
Viewing File Contents from Guardian with SHOWLOG ...................................................... 294
Viewing File Contents from OSS .......................................................................................... 297
Performance Considerations 299
Introduction ........................................................................................................................... 299
Performance Analysis of SSH Session Establishment ........................................................... 300
Performance Running as SSH Daemon ................................................................... 300
Performance Analysis of SFTP Traffic .................................................................................. 300
SFTPSERV Performance of ls Command with Wildcards ...................................... 300
Performance When Running as SSH Client ............................................................ 301
Summary ................................................................................................................................ 301
Troubleshooting 303
Introduction ........................................................................................................................... 303
Information Needed By Support ............................................................................................ 303
General SSH2 Error Messages .............................................................................................. 304
Session Related SSH2 Errors ................................................................................................. 305
Session Related Error Messages of SSH2 Daemon ................................................. 305
Session Related Messages of SSH2 in Client Mode ................................................ 309
Client Error Messages ............................................................................................................ 312
Appendix 315
Event Summary ..................................................................................................................... 315
Event Category ERROR .......................................................................................... 315
Event Category WARNING .................................................................................... 319
Event Category INFO .............................................................................................. 330
Copyright Statements ............................................................................................................. 338
OpenSSL Copyright Sta t ement ............................................................................... 338
OpenSSH Copyright Statement ............................................................................... 340
HP NonStop SSH Reference Manual Contents xi
xii Contents HP NonStop SSH Reference Manual
Preface
Who Should Read This Guide
This document is for system administrators who are responsible for installing, configuring and maintaining SSH2 components, including those delivered with the HP NonStop SSH product (T0801), and those that come with comForte's SecurSH or SecurFTP/SSH product.
This document also contains sections useful for users of ssh/sftp clients on NonStop systems, namely
section “Quick Start and Guided Tour“ without sub-section “Quick-Starting the SSH2 System”
section “SSHCOM Command Reference” (mainly regarding client mode commands)
section “SSH and SFTP Client Reference”
Related Reading
This documentation is intended as a reference for the configuration and use of SSH components. Please also refer to additional documentation for the other products that come with the SSH2 package:
For HP NonStop SSH: T0801 SOFTDOC, README or Suppo rt Notes as appropriate
For SecurFTP: SecurFTP Quick Start Guide
The following reading is seen as prerequisite documentation for administrators installing HP NonStop SSH or comForte SecurSH and SecurFTP/SSH:
HP NonStop documenta tion “Guardian User’ s G uide”
HP NonStop documentation “Open System Services Shell and Utilities Reference Manual”, if using OSS
HP NonStop documenta tion “Guardian Proce du r e E rrors and Messages Manua l ”
HP NonStop documentation “Safeguard User’s Manual”
HP NonStop documenta tion “Safeguard Administrator’s Manual”
HP NonStop documentation “SCF Reference Manual for the Kernel Subsystem”
HP NonStop documentation “TCP/IP Configuration and Management Manual”
HP NonStop documentation "HP NonStop TCP/IPv6 Configuration and Management Manual"
HP NonStop documenta tion “HP NonStop Cluster I/O Protocols (CIP) Configuration and Management
Manual”
HP NonStop documenta tion “EMS Manual”
HP NonStop SSH Reference Manual Preface 13
The following reading is recommended documentation for NonStop users of SSH/SFTP clients and users connecting to NonStop using remote ssh/sftp/scp clients:
HP NonStop documenta tion “Guardian User’ s G uide”
HP NonStop documentation “Open System Services Shell and Utilities Reference Manual”, if using OSS
HP NonStop documentation “HP NonStop TACL Reference Manual”
HP NonStop documenta tion “File Utility Program (FUP) Reference Manual”
Generally, users should get familiar with Guardian name space, Guardian file attributes and Guardian structured files when connecting from remote sftp/scp clients planning to transfer Guardian specific files to and from a NonStop system. This is not required if only files from and to the OSS environment will be transferred.
It is expected that administrators and users gain knowledge about the SSH standard before using SSH implementations. There are many good books about SSH. Here we only mention one:
"SSH The Secure Shell The Definitive Guide", Daniel J. Barret et. al., O'Reilly
The following links may also serve as a starting point for SSH related information:
http://tools.ietf.org/html/rfc4251
http://tools.ietf.org/html/draft-ietf-secsh-filexfer-02
http://en.wikipedia.org/wiki/Secure_Shell
http://wiki.filezilla-project.org/SFTP_specifications
http://www.openssh.org/
The Kerberos/GSSAPI relate d li n ks s h ow n be l o w a re of i n terest if Single Sign-on will be configured (see section “Single Sign-on with GSSAPI Authentication”):
http://web.mit.edu/Kerberos/
http://www.ietf.org/rfc/rfc4462.txt
The following reading prerequisite documentation for administrators configuring SSH2 for IPv6 support:
HP NonStop documentation "TCP/IPv6 Migration Guide"
HP NonStop documentation "TCP/IPv6 Configuration and Management Manual"
The following TCP/IPv6 related links may be helpful when preparing SSH2 IPv6 configuration:
http://en.wikipedia.org/wiki/IPv6
http://tools.ietf.org/html/rfc1639 - FTP Operation Over Big Address Records (FOOBAR)
http://tools.ietf.org/html/rfc2428 - FTP Extensions for IPv6 and NATs
http://tools.ietf.org/html/rfc2460 - Internet Protocol, Version 6 (IPv6) S p ecification
http://tools.ietf.org/html/rfc4291 - IP Version 6 Addressing Architecture
http://www.tcpipguide.com/free/t_IPv6Addressing.htm
http://tools.ietf.org/html/draft-ietf-6man-text-addr-representation-04
http://tools.ietf.org/html/rfc4038
14 Preface HP NonStop SSH Reference Manual
Document History
Version 4.1
Describes changes in the SSH2 release 93. Documentation for the following new features has been added:
Added Migration Considerations section
Added description of new parameter SFTPDISPLAYGUARDIAN controlling the format of filenames in SFTP
informational messages.
Added additional information displayed by the STNCOM VERSION command, and an example showing the
new startup banner and version info.
Added SSHCOM command EXPORT SSHCTL now supporting export to an OSS directory.
Added description of additional timestamp options in utility SHOWLOG.
Noted that macro SSH2INFO now prints warning messages if the objects SSH2, SFTPSERV and STN do not
have a Safeguard DISKFILE entry with PRIV-LOGON set to ON. The warnings will also be logged at SSH2 startup.
Added description of new STNCOM commands to provide for unique session and window name generation.
Added description of the PROGRESS meter command option "?".
The section "STNCOM Commands" has been updated to be in synch with STN help. New
commands/parameters and EMS events for session/window naming have been added. Setmode 212 and 214 have been added in the setmode table.
Changes in SSH2 release 93 that are incompatible with previous releases:
The STN AUTO_ADD_WIN configuration parameter is no longer supported. All openers of STN must refer to
an existing window name.
The SSHCOM STATUS SESSION brief output no longer contains the SESSION-LOG-ID field. It also now
uses abbreviated column headings.
Version 4.0
Describes changes in SSH2 release 92. Documentation for the following new features has been added:
Added section IPv6 and des cription of relate d pa ra meter IPMODE.
Description for new SSH2 TCP/IP related parameters PTCPIPFILTERTCPPORTS, SOCKTCPMINRXMT,
SOCKTCPMAXRXMT, SOCKTCPRXMTCNT, and SOCKTCPTOTRXMTVAL has been added.
Added description of new SSHCOM client mode command INFO SYSTEM-USER to section "Client Mode
Commands - Overview".
Added description for new parameters LIFECYCLEPOLICYP UB LICUSERKEY,
INTERVALPENDINGPUBLICUSERKEY and INTERVALLIVEPUBLICUSERKEY.
Added description for new parameter ALLOWI N FOSSH2.
Added description for new parameters PARTIALSSHCOMACCESSGROUP<n> and
PARTIALSSHCOMACCESSUSER<k>.
Added description for new SFTP[OSS] comma nds a ppend and lappend.
Added description for new support for creation of format 2 files in an SFTP session.
HP NonStop SSH Reference Manual Preface 15
Added description for support of option -oBindAddress for SFTP[OSS] and SSH[OSS] clients.
Added description of option LIKE for SSHCOM command ADD RESTRICTION-PROFILE.
Updated section "Starting SSH2" with new run modes.
Added documentation of additional commands in section "Statistics Related Commands".
Added sections "Transfer Progress Meter" and "Controlling Transfer Summary".
Updated section "Viewing File Contents from Guardian with SHOWLOG".
Added description of new commands FESESSDOWN and REPLY_DELAY_MAX in section "STNCOM
Commands".
Added appendix "Event Summary".
Changes in SSH2 release 92 that are incompatible with previous releases:
Output of SSHCOM commands that contains IP addresses in some form has been modified to allow for the
greater length of IPv6 addresses
Version 3.9
Describes changes in SSH2 release 91. Documentation for the following new features has been added:
Added description for new parameters CPUSET and SFTPCPUSET.
Added description for param et ers AU DITEMS, AUDITFORMATCONS OLE, AUDITFORMATEMS,
AUDITFORMATFILE.
Enhanced description of SET command in section “Miscellaneous commands in SSHCOM”
Added description for new SFTP/SFTPOSS com mands FC and HISTORY.
Added new sections “Checking SSH2 Installation”, "SSH2 License and Version Information", and "Installation
of SFTPAPI".
Added description of SSHCOM command ABORT SESSION in ne w se ction “Other Session Related
Commands”.
Added description of SSHCOM command PROMPT in section “Miscellaneous commands in SSHCOM”.
Documentation for the following already existing STN pseudo-TTY features has been added:
Uses of STN runtime options IN/OUT.
STNCOM: multiple line command continuation.
Example display of INFO STN (update).
STNCOM commands CONN_CLR_SSH, DEV_SUBTYPE, FRAGSIZE, INFO ALL, NBOT,
OPENER_WAIT, PROMPT, SAVE_CFG, STNCOM_PROMPT.
Documentation for the following new STNCOM commands has bee n a dded:
DYN_CPU (global cpu/cpu-range specification for dynamic service processes).
NBOT_TIMEOUT
Version 3.8a
Describes changes in SSH2 release 90a. Documentation modified for the following enhancement:
Alphabetically sorted help items displayed within SFTP and SFTPOSS when 'help' command entered.
16 Preface HP NonStop SSH Reference Manual
Version 3.8
Describes changes in SSH2 release 90. Documentation for the following new features has been added:
Added description for new parameters ENABLESTATISTICSATSTARTUP, INTERFACEOUT,
LOGEMSKEEPCOLLECTOROPENED, LIFECYCLEPOLICYPRIVATEUSERKEY, INTERVALPENDINGPRIVATEUSERKEY and INTERVALLIVEPRIVATEUSERKEY.
Added description for new host key related SSHCOM commands INFO HOS T-KEY, EXPORT HOST-KEY
Modified description for SSHCOM client mode commands ALTER KEY, GENERATE KEY, IMPOR T KEY
and INFO KEY
Added description for new statistics related SSHCOM command STATISTICS SESSION
Added description of new audit event SftpServerFatalErrorEve nt
Added section “FILE I/O parameters for SFTP/SFTPOSS”
Enhanced section " Installation on the NonStop Server"
Added an example for “Forwarding Remote Port to Local Port” in section "To Establish a Port Forwarding
Tunnel with the NonStop SSH Client"
Changes in SSH2 release 90 that are incompatible with previous releases:
In previous releases the value for INTERFACE had not been used for outgoing connections, i.e. if a TCP/IP
process defined several subnets, then it was undetermined, which of the local IP addresses was used when connecting to remote systems. Now the IP address configured via INTERFACEOUT is used or, if that is not set, the value of parameter INTERFACE determines the local IP address selected for outgoing connections. The previous behavior can be activated by setting the ne w parameter INTERFACEOUT to value 0.0.0.0.
The output of SSHCOM command INFO KEY has changed: The brief information contains the life-cycle state
(header LIFE-CYCLE) instead of the LAST-MODIFIED field.
Version 3.7
Describes changes in SSH2 release 89. Documentation for the following new features has been added:
Description for SSH2 parameters ALLOWFROZENSYSTEMUSER, CLIENTMODEOWNERPOLICY and
SUPPRESSCOMMENTINSSHVERSION have been added.
Description for parameter RECORDDELIMITER now lists newly supported values CR and CRLF.
Added description for new SSH/SFTP Client parameters SUPPRESSCLIENTBANNER, SSHERRORPREFIX,
SSHINFOPREFIX and SSHQUERYPREFIX.
Added description for new SSH/SFTP Client opt ions -Z (corresponding to SUPPRESSCLIENTBANNER), -H
(corresponding to SSHERRORPREFIX), -J (corresponding to SSHINFOPREFIX) and -K (correspo nding to SSHQUERYPREFIX).
Description of the SSH2 database was enhanced.
Added description for new parameter SFTPEXCLUSIONMODEREA D.
Added description of new USER attribute ALLOW-MULTIPLE-REMOTE-HOSTS
Added section about modified behavior if an OBJECTTYPE USER record exists in Safeguard.
Added section listing all audit messages.
Added section for SSHCOM client mode commands RENAME KNOWNHOST and RENAME PASSWORD
HP NonStop SSH Reference Manual Preface 17
Changes in SSH2 release 89 that are incompatible with previous releases:
Previous client mode owner policy was to use the Guardian user id to store client mode records. This
corresponds to value GUARDIA NN AM E for new parameter CLIENTMODEO WNERPOLICY. The default value for this parameter is BOTH, i.e. in order to get the previous behavior the parameter CLIENTMODEOWNERPOLICY must be explicitly set to GUARDIANNAME.
With the introduction of parameter CLIENTMODEOWNERPOLICY it is no longer possible to execute
SSHCOM GENERATE KEY for an alias if CLIENTMODEOWNERPOLICY is set to GUARDIANNAME. In previous releases thi s wa s possible although such a key had never been use d ( o nly those keys, which we re stored under the Guardian id underlying an alias.
Users that are frozen in Safeguard are no longer accepted per default (new parameter
ALLOWFROZENSYSTEMUSER has default value FALSE). Previous releases allowed authentication and if that was successful (methods none, publickey and gssapi-with-mic) the user was granted access. The previous behavior can be re-established by setting parameter ALLOWFROZENSYSTEMUSER to TRUE.
Auditing of executed SF TP commands for outgoi ng connections has bee n a dded. Previously there wa s s uc h
support for incoming connections. If an SFTP[OSS] client of release 89 or later connects via an SSH2 process of previous releases, an exception occurs (error 48) during audit initialization, i.e. an SFTP[OSS] client of release 89 or later must be used with an SSH2 process of version 89 or later.
The AUDIT messages have been modified to include the SESSION-LOG-ID to be able to relate AUDIT
messages to LOG messages and STATUS SESSION output.
A different behavior ha s be e n implemented if an OBJE C T TYPE USER record exists in S a fe guard: parameter
sets FULLSSHCOMACCESSGROUP<j> and FULLSSHCOMACCESSUSER<i> will be ignored.
SUPER.SUPER no longer has full access to SSHCOM if an OBJECTTYPE USER record exists which
explicitly denies SUPER.SUPER the Create authority. In previous releases SUPER.SUPER always had full access, independent of the OBJECTTYPE USER record.
The format of audit messages has changed. Main change is the addition of the SESSION-LOG-ID at the
beginning of each audit message (allowing to relate log messages and STATUS SESSION information to audit messages).
SFTP informational messages like "Uploading ..." and "Fetching ..." now display Guardian file names in
standard ssh format (Unix style with OSS prefix /G or /E) to better conform to the SFTP standard; before that, the Guardian style was the default.
Version 3.6
Describes changes in SSH2 release 88. Documentation for the following new features has been added:
Description for SSH2 TCP/IP related parameters SOCKETSNDBUF and SOCKETRCVBUF have been added.
Parameter KEEPALIVE has been renamed to SOCKETKEEPALIVE.
The "ASLINEMODE" command has been added to SFTP client commands.
Description of newly supported SFTP transfer modes.
Added description for new parameter SFTPEXCLUSIONMODEREA D.
Version 3.5
Describes changes in SSH2 release 87. Documentation for the following new features has been added:
18 Preface HP NonStop SSH Reference Manual
Description for SSH2 log message memory cache related parameters LOGCACHESIZE, LOGLEVELCACHE
and LOGCACHEDUMPONABORT have been added,
Log cache related SSHCOM commands SET LOGCACHESIZE, SET LOGLEVELCACHE, SET
LOGCACHEDUMPONABORT, FLUSH LOGCACHE and CLEAR LOGCACHE were described,
Added description for SSHCOM commands STATUS SSH2, STATUS SESSION, STATUS CHANNEL and
STATUS OPENER,
The document now contains a description for file retention related SSHCOM commands ROLLOVER
LOGFILE and ROLLOVER AUDITFILE.
Version 3.4
Describes changes in SSH2 release 86j. Documentation for the following new features has been added:
A description for SSH2 parameter ALLOWEDSUBSYSTEMS has been added,
Parameter CLIENTALLOWEDAUTHENTICATIONS and ssh client option AllowedAuthentications has been
added,
Finer control of full SSHCOM access via SSH2 parameters FULLSSHCOMACCESSUSER<i> and
FULLSSHCOMACCESSGROUP<j> are now described,
The document now contains text about parameters SFTPEDITLINESTARTDECIMALINCR ,
SFTPEDITLINENUMBERDECIMALINCR and SFTPEDITLINEMODE, enhancing the control over Guardian edit lines written to NonStop (line numbers, handling of edit lines that are too long),
Added description for param et er SFTPUPSHIFTGUARDIANFILE N AM ES
SSH2 parameter STOREDPASS WORDSONLY has been described.
Version 3.3
Describes changes in SSH2 release 0086. Documentation for the following new features has been added:
Support of GSSAPI/Kerberos-based user authentication and key exchange in accordance with the RFC 4462
standard, including capabilities such as gssapi-with-mic, gssapi-keyex user authentication, gss-group1-sha1, and gss-gex-sha1 key exchange employing Kerberos. The new feature is addressed in new and updated documentation of the following parameters:
o new SSH2 parameter GSSAUTH o new SSH2 parameter GSSKEX o new SSH2 parameter GSSGEXKEX o extended SSH2 parameter ALLOWEDAUTHENTICATIONS o extended USER attribute ALLOWEDAUTHENTICATIONS o new USER attribute PRINCIPAL
The section "Single Sign-on with GSSAPI Authentication" has been added to the chapter "Configuring and
Running SSH2"
Version 3.2
Describes changes in SSH2 release 0085. Documentation for the following new features has been added:
New SSH2 parameter RECORDDELIMITER
HP NonStop SSH Reference Manual Preface 19
Version 3.1
Describes changes in SSH2 release 0084. Documentation for the following new features has been added:
New environment variable INQUIREUSERNAMEIFNOTSUPPLIED checked by ssh/sftp clients.
New ADD USER option LIKE.
New SSH2 parameter DISCONNECTIFUSERUNKNOWN.
Version 3.0
Describes changes in SSH2 release 0083. Documentation for the following new features has been added:
New database object RESTRICTION-PROFILE.
New SSHCOM commands for manipulating of RESTRICTION-PROFILE records.
Support for EXPORT of RESTRICTION-PROFILE records.
New SSH2 parameter RESTRICTIONCHECKFAILEDDEFAULT.
New USER attributes RESTRICTION-PROFILE, ALLOW-GATEWAY-PORTS, PRIORITY, COMMENT,
CPU-SET and SFTP-CPU-SET.
New attribute WIDTH for SSHCOM command EXPORT SSHCTL.
New option FORCE for USER attributes CI-PROGRAM and SHELL-PROGRAM.
New SSH2 parameter USETEMPLATESYSTEMUSER.
Version 2.9
Describes changes in SSH2 release 0082. Documentation for the following new features has been added:
Newly supported scp server functionality.
Propagation of defines from SSH2 to shell/TACL processes started by SSH2.
New define =SSH2^PROCESS^NAME added to shell/TACL processes started by SSH2.
New parameter <service> after *MENU* property of USER attribute SHELL-PROGRAM.
New USER attribute SHELL-ENVIRONMENT controlling environment for non-login shells.
New SSH2 parameter GUARDIANATTRIBUTESEPARATOR.
A topic has been added listing the environment variables set by SSH2 when a shell is started.
Version 2.8
Describes changes in SSH2 release 0081. Documentation for the following new features has been added:
Documentation for new STN features: PARAM LICENSE, commands ABEND, BANNER_TIMEOUT,
INPUT_TIMEOUT, IDLE_WARNING, OUTPUT_RESET, BLAST , B UFF ER_SIZE, and ADD SCRIPT, and ADD SERVICE parameters RESILIENT, LIMIT, HOME, USER, LOGON, DEBUGOPT, LOGAUDIT, and SCRIPT.
New SSHCOM commands SET AUDITFILE
New parameter <service> after *MENU* property of USER attribute CI-PROGRAM
20 Preface HP NonStop SSH Reference Manual
Version 2.7
Manual has been revised to correctly reflect the way HP NonStop SSH is delivered.
Version 2.6
Describes changes in SSH2 release 0080. Documentation for the following new features has been added:
Configuration of an alternate command interpreter or a service menu for USERs working with a 6530 SSH
sessions
Granting access without SSH user authentication
The chapter "STN Reference" has been added, documenting the STN pseudo TTY server. The chapter "SFTP Client Reference" has been renamed to "SSH and SFTP Client Reference", reflecting that the chapter
does now also document the SSH client program.
Version 2.5
Describes changes in SSH2 release 0074.
Added documentation for several new SSH2 parameters: BANNER, SAFEGUARD-PASSWORD-
REQUIRED, SSHAUTOKEXBYTES, SSHAUTOKEXTIME and SSHKEEPALIVETIME.
Changes reflecting support of keyboard-interactive authentication in SSH2 DAEMON run mode.
The documentation now re flects that HP NonStop SSH is also delivered as an independent product for G-Series.
Version 2.4
The documentation now reflects that SSH2 is also delivered with the HP NonStop H-series release version updates (RVU) for HP Integrity N on Stop servers (beginning with H06.11), under t he product name HP NonStop SSH.
Version 2.3
Describes changes in SSH2 release 0070.
Added section "Enabling 6530 Terminal Access" in chapter “Configuring and Running SSH2”.
Updated Guardian SSH description in section "Secure Shell access from NonStop to Remote Systems" to reflect
new capabilities.
Version 2.1
Describes changes in SSH2 releases 0062 and later. The manual now reflects the additional functionality implemented for the SecurSH product, a complete SSH suite
including shell client and server capabilities with full pseudo TTY support, as well as port forwarding. The manual contains the following major changes and additions:
The "Installation & Quickstart" chapter has been rewritten.
The "Configuring and Running SSH2" chapter describes additional SSH2 parameters.
Sections for "Enabling PTY Access" and "Load Balancing" have been added.
The "SSHCOM reference" now describes some additional USER attributes.
The following additio na l new features are also de s cribed:
Running SSH2 as a nonstop process pair.
The new mechanism for rolling over log and audit files.
HP NonStop SSH Reference Manual Preface 21
Version 1.8
The new SFTP-PRIORITY attribute of user entity allows administrators to specify the priority of the SFTPSERV process started by SSH2. This feature enables SSH2 to run at a high priority, while SFTPSERV runs at a priority below other critical application or system processes. This will minimize the impact SFTP transfers have on overall system performance, while ensuring fast response times of SSH2 during SSH session establishment.
The same effect can be achieved with SFTP clients by setting the SFTP [OSS] process priority to an appropriate value.
Version 1.7
Describes changes in SSH2, releases 0044 and later: The SFTP client now supports passwords as means as authentication. This is reflected in the following changes:
The new entity "PASSWORD" has been added to the SSH2 user database in client mode. This is documented in
the sections "SSH User Database" and "SSHCOM Command Reference".
The Quickstart section has been updated to reflect an easier way to configure the SFTP client for a new remote
host.
Version 1.6
Added description of new parameters, which allow setting of DEFINES per config file to enable configuration as a generic process:
TCPIPHOSTFILE (sets =TCPIP^HOST^FILE)
TCPIPNODEFILE (sets =TCPIP^NODE^FILE)
TCPIPRESOLVERNAME (sets =TC PIP^ RESOLVER^NAME)
Version 1.5
Added documentation f or t he PT C P IPFILTERKEY param et e r.
Version 1.4
Describes changes in SSH2, release 0040. This release has the following new features:
OSS is no longer required to run the SSH2 process.
New SSH2 configuration parameters: SFTPPRIMARYEXTENTSIZE, SFTPSECONDARYEXTENTSIZE,
SFTPMAXEXTENTS (see section "SSH2 Parameter Reference" in chapter "Configuring and Running SSH2").
The "touch" command has been added to SFTP client commands.
Guardian filename syntax is supported in commands working on NonStop files or subvolumes residing in the
Guardian file system (see chapter "SFTP Client Reference", section "Specifying Filenames on the NonStop System").
The attributes of files created on the NonStop system can be specified using an extended syntax in the get or put
commands (see chapter "SFTP client reference", section "Extended syntax for creation of new Guardian files").
Version 1.3
Describes changes in SSH2 release 0038. This release has the following new features:
An SFTP client to run under Guardian is supplied (see chapter "SFTP Client Reference").
The new property SFTP-GUARDIAN-FILESET has been added to the USER property of the daemon mode
database (see chapter "SSHCOM Reference").
New commands FREEZE KEY, THAW KEY and EXPORT SSHCTL have been added to SSHCOM (see
chapter "SSHCOM Reference").
22 Preface HP NonStop SSH Reference Manual
Version 1.2a
Some general improvements in layout have been implemented.
The heading structure has been slightly revised in various places.
Two parameters, ALLOWIP and DENYIP, have been deleted.
Version 1.2
Describes changes in SSH2 release 0036. Starting with this release, SecurFTP also supports running as an SFTP client under OSS. Documenting this new capability resulted in changes throughout the manual.
Version 1.1
Describes changes in SSH2 release 0025.
One user now can have multiple public keys (see SSHCOM)
New SSH2 configuration parameter: COMPRESSION
USERBASE and USERBASEAUDIT parameters have been renamed to SSHTCL and SSHCTLAUDIT
INFO USER command in SSHCOM now supports brief and DETAILED version of the command
Version 1.0
This is the first version of this documentation.
HP NonStop SSH Reference Manual Preface 23
24 Preface HP NonStop SSH Reference Manual
Introduction
The SSH2 Solution
SSH2 is a set of programs delivered when the customer purchases one of the following products:
HP NonStop SSH. HP NonStop SSH is a comprehensive, enterprise Secure Shell solution for HP NonStop
servers. In the fall of 2010, it became available from HP with the purchase of the NonStop Operating System Kernel for H Series and J Series NonStop platforms. For G Series releases, HP NonStop SSH continues to be available from HP as an RVU for which a license is required to obtain full functionality. For details on licensing and availability, please contact your HP Sales representative.
comForte SecurSH. SecurSH is identical with HP NonStop SSH. It includes a remote shell and SFTP client and
a shell server with full pseudo terminal support. It also offers SFTP, TCP and FTP port forwarding capabilities. The complete functionality is delivered by SSH2 programs.
comForte SecurFTP. SecurFTP provides secure file transfer for HP NonStop systems. To protect data
confidentiality across the network, it supports FTP session encryption, either via the SSL/TLS protocol (SecurFTP/SSL) or via the SSH/SFTP protocol (Secur FTP/SSH). For SecurFTP/SSH, SSH2 delivers t he SFTP functionality, which is a subset of the comForte SecurSH functionality.
Fully Compliant with the SSH Protocol Specification
SSH2 is fully compliant with version 2 of the SSH (Secure Shell) protocol standard as described in various Internet draft documents (see www.ietf.org). It can be integrated with any SSH solution on UNIX, Windows or other platforms.
Strong Authentication and Multiple Cipher Suites
SSH2 supports public key authentication with key sizes of up to 2048 bits. Various ciphers, including AES and 3DES, and MACing algorithms can be selected.
Support of Full Screen Terminal Access
SSH2 supports pseudo terminals on the NonStop platform, allowing SSH clients to execute full screen applications, such as Emacs or vi within Secure Shell.
Built-in User Base
A built-in user base allows administrators to flexibly control who can access a system. Remote users can logon with virtual user names ins t e a d of a Gua rdian userid, eliminating the potential exposure of system credentials to file transfer clients. Access can be limited to a part of the file system and to a specific set of operations (e.g. only download).
HP NonStop SSH Reference Manual Introduction 25
Central Key Store
Instead of storing keys in the file system, SSH2 includes a key and password store with central access control, providing maximum security for user credentials. This enables the easy and secure implementation of batch processes without requiring the use of passwords in batch files.
Secure SFTP Transfer
SSH2 includes an OSS and a Guardian SFTP client, as well as an SFTP server that provides remote SFTP client access to both Guardian and OSS files. All components allow users to navigate the Guardian file system and specify files using the OSS or Guardian file name syntax, regardless of whether OSS is running. Additionally, just as with standard NonStop FTP, attributes for ta rget files can be specified, allowing direct transfers of structured Guardian files.
TCP and FTP Port Forwarding
TCP port forwarding allows secure tunneling of Telnet sessions, as well as other connections. SSH2 also tunnels FTP sessions, securing existing FTP procedures with minimal changes. Both local and remote forwarding are supported.
Single Sign-on
SecurSH now supports user authentication and key exchange based on the GSSAPI/Kerberos 5 standards (RFC 4462). When used with a Kerbero s s of tware package on the NonStop server, this enables integration with Microsoft Active Directory and other Kerberos-based single sign-on solutions.
Note: HP does not offer a Kerberos product today, it must be purchased separately from a NonStop partner.
TCP/IPv6
Starting with version 0092 SSH2 supports IPv6 specified in RFC 246 0 (Internet Protocol, Ve rs ion 6).
The SSH Protocol
SSH (Secure Shell), consisting of a suite of network connectivity protocols, is especially popular in UNIX environments. SSH2 supports version 2 of the Secure Shell protocol. This version also includes specifications for a file transfer
protocol. Although t he na me implies otherwise , thi s s t a ndard bears no relationship to the popular fil e transfer protocol known as FTP.
26 Introduction HP NonStop SSH Reference Manual
Components of the SSH2 Software Package
The SSH2 software package consists of the following components:
The SSH2 component is the central component of the implementation. Depending on the mode it is started in, it
can serve different purposes: o It implements a server process for the SSH2 protocol. It listens for incoming connections on a specific
TCP/IP port (typical l y port 22), authenticat e s the us er and the service and the n spawns other processes it communicates with.
o It is opened by the SSHCOM component to maintain the SSH configuration database. o It is opened by the SFTP or SSH client components to initiate Shell or SFTP-based file transfers to other
platforms running an SSH daemon.
The SSH2 component accesses a user database that contains the following entries for incoming SFTP connections:
o remote user names o the mapping of remote user names to Guardian system users o user’s public keys o user’s credentials on the system o selected status information, such as the last time a user accessed the system
The SSHOSS component implements a Secure Shell client running under OSS to connect to a remote SSH
daemon. It provides Secure Shell sessions as well as TCP and FTP port forwarding capabilities.
The SSH component implements a Secure Shell client running under Guardian to connect to a remote SSH
daemon. It provides Secure Shell sessions as well as TCP and FTP port forwarding capabilities.
The SFTPSERV component is started by SSH2 for each SFTP client that connects to SSH2 components. The
SFTPSERV component then handles the file I/O associated with the file transfers initiated by the SFTP client. Because SFTPSERV is started by the SSH2 component, configuration of SFTPSERV is implicit by the configuration of the SSH2 component.
The SFTPOSS component implements an SFTP client running under the OSS personality.
The SFTP component implements an SFTP client running under the Guardian personality.
The SSHCOM component allows the maintenance of the SSH user database. To do so, it communicates with
the SSH2 component.
The PAUTH component is used by SSH2 for authenticating user passwords against the system user base.
The STN component is a pseudo TTY server providing full screen shell access to remote SSH clients.
The SCPOSS component is the scp server implementation. It is started on request of a remote scp client via
shell command. The scp client on Guardian/OSS has not been added yet.
HP NonStop SSH Reference Manual Introduction 27
Architecture Overview
This section shows how the various components work together in different usage scenarios.
SSH2 Running as SSH Daemon (Server)
The following figure shows how the components of SSH2 work together to implement SSH server processes (often referred to as a “daemon” in UNIX environments) on the NonStop system. These SSH processes provide shell, file transfer and port forwarding access to remote SSH clients, such as OpenSSH on UNIX:
Figure 1: SSH2 running as SSH daemon
The SSH2 component accepts the incoming TCP/IP session and authenticates the remote user against the user database, optionally verifying user passwords with the PAUTH process. Upon request it …
spawns an OSS shell, TACL or SFTPS ERV process.
allocates a PTY (a pseudo terminal) by communicating to an STN process acting as a PTY server.
forwards TCP/IP or FTP connections from the remote SSH client to a local server process or vice versa.
The SSHCOM component is used to maintain the user database, allowing administrators to configure remote user's public keys and control access rights to server functionality and the file system for file transfer.
28 Introduction HP NonStop SSH Reference Manual
SSH2 Running as SSH Client
The following figure shows how the components of SSH2 work together to implement an SSH client running on the NonStop platform:
Figure 2: SSH2 running as SSH client
SSH2 can interface with a range of client components, including SSH, SFTP or the equivalent OSS programs, such as SSHOSS or SFTPOSS. With SSH2, a client component opens the SSH2 component and forwards the user commands and the startup configuration.
The SSH2 component connects to the remote system via TCP/IP and does the setup of the SSH session. The client component and the SSH2 component keep exchanging messages via $RECEIVE until the client is terminated by the user.
Additionally, a client can establish port forwarding to forward TCP/IP or FTP connections from local socket programs to the remote SSH server or vice versa.
The SSHCOM component is used to maintain the key store containing the local system user's key pairs, remote passwords and remot e SSH host's public keys.
HP NonStop SSH Reference Manual Introduction 29
30 Introduction HP NonStop SSH Reference Manual
Loading...
+ 314 hidden pages
Buy Points How it Works FAQ Contact Us Questions and Suggestions Privacy Policy Cookie Policy Terms of Use