PARTIALSSHCOMACCESSUSER<k> - HP NonStop SSH 544701-014 Reference Manual

PARTIALSSHCOMACCESSGROUP1 admin
PARTIALSSHCOMACCESSGROUP2 super
Considerations
Some of the privileged commands in SSHCOM are critical to the security of the system. Therefore, granting
access to user accounts other than super.super must be carefully considered.
The parameters must be set contiguously, i.e. if one parameter PARTIALSSHCOMACCESSGROUP<p> is not
defined, the checking of PARTIALSSHCOMACCESSGROUP<n> parameters stops.
This parameter set is valid whether a thawed OBJECTTYPE USER record exists in Safeguard or not. But if a
user is configured with C access in the OBJECTTYPE USER record as well as included in the parameter set
PARTIALSSHCOMACCESSGROUP<n>, then the user has full SSHCOM access.
If a user is included in parameter sets PARTIALSSHCOMACCESSGROUP<n> as well as sets
FULLSSHCOMACCESSUSER<i> or FULLSSHCOMACCESSGROUP<j>, then the user has full SSHCOM
access.
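The following added example (not HP's code and not part of the manual) audits a configuration for the two rules above: parameters numbered after a gap are never checked, and full access overrides partial access. The function names and the sample configuration are constructed for illustration. It assumes one "PARAMETER value" pair per line as in the manual's examples, that numbering starts at 1, that the contiguity rule applies to all four parameter sets, and that names compare case-insensitively; the Safeguard OBJECTTYPE USER record is not modelled.

```python
import re

# Constructed sample: USER3 is missing, so USER4 is never checked.
SAMPLE_CONFIG = """\
PARTIALSSHCOMACCESSUSER1 admin.joe
PARTIALSSHCOMACCESSUSER2 admin.jim
PARTIALSSHCOMACCESSUSER4 super.jane
PARTIALSSHCOMACCESSGROUP1 ops
FULLSSHCOMACCESSUSER1 admin.jim
"""

PARAM = re.compile(r"^(FULL|PARTIAL)SSHCOMACCESS(USER|GROUP)(\d+)\s+(\S+)$", re.I)

def load_sets(config_text):
    """Return (active, ignored). active maps (level, kind) -> set of names."""
    raw = {}
    for line in config_text.splitlines():
        m = PARAM.match(line.strip())
        if m:
            level, kind, n, name = m.groups()
            raw.setdefault((level.upper(), kind.upper()), {})[int(n)] = name.lower()
    active, ignored = {}, []
    for (level, kind), numbered in raw.items():
        names, n = set(), 1
        while n in numbered:  # checking stops at the first undefined number
            names.add(numbered[n])
            n += 1
        active[(level, kind)] = names
        # Anything numbered past the gap is configured but has no effect.
        ignored += [f"{level}SSHCOMACCESS{kind}{i}" for i in sorted(numbered) if i >= n]
    return active, ignored

def access_level(logon, active):
    """Effective SSHCOM access for a Guardian logon name <group>.<user>."""
    logon = logon.lower()
    group = logon.split(".")[0]
    def listed(level):
        return (logon in active.get((level, "USER"), ())
                or group in active.get((level, "GROUP"), ()))
    if logon == "super.super" or listed("FULL"):
        return "full"  # full access wins over any partial entry
    return "partial" if listed("PARTIAL") else "none"

if __name__ == "__main__":
    active, ignored = load_sets(SAMPLE_CONFIG)
    print("ignored after gap:", ignored)
    for who in ("admin.joe", "admin.jim", "super.jane", "ops.amy"):
        print(who, "->", access_level(who, active))
```

Reviewing the ignored list catches both directions of drift: an account the administrator believes has access but does not, and an entry that would silently become active if the gap were later filled.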
See also:
PARTIALSSHCOMACCESSUSER<i>, FULLSSHCOMACCESSUSER<i>,
FULLSSHCOMACCESSGROUP<j>, LIFECYCLEPOLICYPUBLICUSERKEY
See table in "SSHCOM Access Summary" in section "SSHCOM Command Reference".
PARTIALSSHCOMACCESSUSER<k>
This parameter set allows granting limited administrative SSHCOM command privileges to users other than super.super.
Admin users with limited SSHCOM access are defined via the parameter set PARTIALSSHCOMACCESSUSER<k>
where <k> is a number between 1 and 99.
Limited administrative SSHCOM access includes viewing and altering USER records, i.e. execution of daemon mode
commands INFO USER and ALTER USER. All USER attributes can be modified except the most critical ones, which are
ALLOWED-AUTHENTICATIONS and SYSTEM-USER. These fields can only be modified by users with full
SSHCOM access.
Additional restrictions apply depending on the setting of parameter LIFECYCLEPOLICYPUBLICUSERKEY: Users
with partial SSHCOM access can specify the LIVE-DATE and EXPIRE-DATE when adding or altering a user's public
key only if LIFECYCLEPOLICYPUBLICUSERKEY is set to VARIABLE.
Parameter Syntax
PARTIALSSHCOMACCESSUSER<k> <group>.<user>
Arguments
<group>.<user>
The Guardian logon name of the account that will have partial SSHCOM access. Logon ids and alias names are
not supported.
Default
By default, none of the parameters are set, i.e. only users with full SSHCOM access can execute privileged commands.
Example
PARTIALSSHCOMACCESSUSER1 admin.joe
PARTIALSSHCOMACCESSUSER2 admin.jim
PARTIALSSHCOMACCESSUSER3 super.jane
Considerations
Configuring and Running SSH2 • 91
