Restricting Local Ports Used For Port Forwarding; Restricting Remote Hosts/Ports For Port Forwarding; Restricting Access To Forwarding Tunnels; Load Balancing - HP NonStop SSH 544701-014 Reference Manual


If the user attribute RESTRICTION-PROFILE is defined and the CONNECT-TO attribute of that restriction profile is
set, the SSH2 process restricts outgoing connections started for that user to the configured host/port combinations
only; no other outgoing connection is possible for that user.

Restricting Local Ports used for Port Forwarding

In an environment in which some users should not be allowed to listen on arbitrary (unused) local ports for forwarding
purposes, a list of allowed 0.0.0.0/port and 127.0.0.1/port combinations can be defined. The RESTRICTION-PROFILE
attribute PERMIT-LISTEN holds this list.
For remote clients, the user specified in the incoming SSH request is checked against SSHCTL.
This forwarding listen-port restriction is applied only if the RESTRICTION-PROFILE attribute of the user record is set
and the PERMIT-LISTEN attribute of the corresponding restriction profile record is configured; if either is missing, no
listen-port restriction is applied.

Restricting Remote Hosts/Ports for Port Forwarding

If a user should not be permitted to open a tunnel to arbitrary hosts/ports for forwarding purposes, administrators can
configure the specific host/port combinations allowed for that user. Host/port combinations are specified via the
RESTRICTION-PROFILE attribute PERMIT-OPEN, which corresponds to the OpenSSH "permitopen=" option.
For remote clients, the user specified in the incoming SSH request is checked against SSHCTL.
This forwarding restriction is applied only if the RESTRICTION-PROFILE attribute is set in the user record and the
PERMIT-OPEN attribute is configured in the corresponding restriction profile; if either is missing, no target restriction
is applied.

Restricting Access to Forwarding Tunnels

In scenarios in which a user is allowed to create a forwarding tunnel, administrators can additionally define which
hosts may connect through that tunnel. Using the RESTRICTION-PROFILE attribute FORWARD-FROM, a list of hosts/IP
addresses/patterns can be defined that identifies the hosts allowed to use a tunnel created by a specific user. The list
that applies to a tunnel is the FORWARD-FROM list in the restriction profile of the user who opened that tunnel.
For remote clients, the user specified in the incoming SSH request is checked against SSHCTL.
This forwarding-from restriction is applied only if the RESTRICTION-PROFILE attribute of the user record is set and the
FORWARD-FROM attribute of the corresponding restriction profile record is configured; if either is missing, any host
may use the tunnel.
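The three restriction attributes above (PERMIT-LISTEN, PERMIT-OPEN and FORWARD-FROM) form one policy decision for each forwarding request: may the user bind the local listener, may the tunnel target that host/port, and may this source host use the tunnel. The following evaluator, added here as an illustration and not code from HP NonStop SSH or SSHCOM, models that decision so the allow/deny semantics can be exercised offline. The pattern syntax (shell-style wildcards), the field names and the sample profile are assumptions; the one rule taken from the text is that an attribute that is not configured means the corresponding check is not applied.

```python
"""Evaluator for SSH port-forwarding restriction profiles.

Added example, not the product's code. Models PERMIT-LISTEN, PERMIT-OPEN and
FORWARD-FROM as described in the manual; wildcard syntax and field names are
assumptions.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Optional, Sequence, Tuple


@dataclass
class RestrictionProfile:
    # None models "attribute not configured": the manual states the check is
    # then NOT applied, so the user is unrestricted for that aspect.
    # An empty list models "configured but permits nothing" (deny all).
    permit_listen: Optional[Sequence[str]] = None  # "0.0.0.0/port" or "127.0.0.1/port"
    permit_open: Optional[Sequence[str]] = None    # "host:port", like OpenSSH permitopen=
    forward_from: Optional[Sequence[str]] = None   # host, IP or pattern (assumed fnmatch syntax)


def _match_any(value: str, patterns: Optional[Sequence[str]]) -> bool:
    """True if the attribute is unconfigured or any configured pattern matches."""
    if patterns is None:
        return True
    value = value.lower()
    return any(fnmatchcase(value, p.lower()) for p in patterns)


def may_listen(profile: Optional[RestrictionProfile], bind_addr: str, port: int) -> bool:
    """PERMIT-LISTEN check: may the user bind bind_addr:port for forwarding?"""
    if profile is None:          # user record has no RESTRICTION-PROFILE at all
        return True
    return _match_any(f"{bind_addr}/{port}", profile.permit_listen)


def may_open(profile: Optional[RestrictionProfile], host: str, port: int) -> bool:
    """PERMIT-OPEN check: may a tunnel for this user target host:port?"""
    if profile is None:
        return True
    return _match_any(f"{host}:{port}", profile.permit_open)


def may_forward_from(profile: Optional[RestrictionProfile], source_host: str) -> bool:
    """FORWARD-FROM check: may source_host use a tunnel this user opened?"""
    if profile is None:
        return True
    return _match_any(source_host, profile.forward_from)


def evaluate_forward(profile: Optional[RestrictionProfile], bind_addr: str, listen_port: int,
                     target_host: str, target_port: int, source_host: str) -> Tuple[bool, str]:
    """Decide a complete local-forward request; returns (allowed, reason).

    The first failing check names the attribute that denied the request, which
    is what an operator wants in a log line when a user reports a refused tunnel.
    """
    if not may_listen(profile, bind_addr, listen_port):
        return False, f"PERMIT-LISTEN denies {bind_addr}/{listen_port}"
    if not may_open(profile, target_host, target_port):
        return False, f"PERMIT-OPEN denies {target_host}:{target_port}"
    if not may_forward_from(profile, source_host):
        return False, f"FORWARD-FROM denies source {source_host}"
    return True, "allowed"


# Constructed sample profile (hypothetical hosts and ports, not from the manual):
# the user may only listen on loopback port 8080, may only tunnel to an Oracle
# listener and HTTPS on corp hosts, and only two sources may use the tunnel.
SAMPLE_PROFILE = RestrictionProfile(
    permit_listen=["127.0.0.1/8080"],
    permit_open=["db.internal:1521", "*.corp.example:443"],
    forward_from=["10.1.2.*", "jumphost.corp.example"],
)

if __name__ == "__main__":
    for req in [("127.0.0.1", 8080, "db.internal", 1521, "10.1.2.77"),
                ("0.0.0.0", 8080, "db.internal", 1521, "10.1.2.77"),
                ("127.0.0.1", 8080, "db.internal", 22, "10.1.2.77"),
                ("127.0.0.1", 8080, "app1.corp.example", 443, "10.9.9.9")]:
        print(req, "->", evaluate_forward(SAMPLE_PROFILE, *req))
```

Note the asymmetry the manual implies: a user whose RESTRICTION-PROFILE has no PERMIT-OPEN configured is not restricted at all, so a profile that is meant to lock a user down must set every attribute it wants enforced rather than relying on a missing attribute to deny.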

Load Balancing

With SSH2, it is possible to distribute the CPU load generated by the encryption of SSH sessions across multiple
processors of a NonStop system. This is true for both inbound and outbound sessions.

Load-Balancing Outbound SSH Sessions

For outbound sessions, CPU load balancing is achieved by starting multiple SSH2 instances and distributing the client
processes across processors. Load balancing of outbound SSH sessions therefore depends on how the clients are run and
can only be influenced by settings in the client environment that control the client's processing.
All clients delivered with SSH2 (SSH, SSHOSS, SFTP, and SFTPOSS) use the same heuristic to select the SSH2
process through which the outbound session is created. The heuristic works as follows:
1. If no explicit SSH2 process is configured (which is done by specifying the -S option on the command line), the
client evaluates first the define =SSH2^PROCESS^NAME and then the environment variable
SSH2_PROCESS_NAME to determine the process name of the SSH2 instance to connect to.
HP NonStop SSH Reference Manual
Configuring and Running SSH2 • 119
