Restricting Incoming And Outgoing Connections; Rejecting Gateway Ports; Restricting External Access To Ssh2 Process; Restricting Internal Access To Remote Ssh2 Hosts - HP NonStop SSH 544701-014 Reference Manual

Explicit Authorization
Explicit authorization involves defining an access control list containing specific Kerberos principals authorized to
access an account. The access control list can be defined using the SSHCOM USER PRINCIPAL attribute.
For example, if the NonStop host is configured as nonstop@COMPANY.COM, a user JohnSmith@COMPANY.COM
can be explicitly authorized to logon as SUPER.OPERATOR as follows:
% ALTER USER SUPER.OPERATOR, PRINCIPAL JohnSmith@COMPANY.COM
OK, user SUPER.OPERATOR altered.
%
Note: You can authorize multiple Kerberos principals to logon as a specific NonStop user by specifying multiple
PRINCIPAL attributes in one or more ALTER USER commands. HP does not currently offer a Kerberos solution, but
such a solution can be purchased from an HP NonStop partner and applied to your system.

Restricting Incoming and Outgoing Connections

Port forwarding on a global level is determined by the SSH2 parameter ALLOWTCPFORWARDING. The user attribute
ALLOW-TCP-FORWARDING is used to grant or deny port forwarding on a user level.
Sometimes a finer granularity is needed to restrict forwarding to specific hosts. The RESTRICTION-PROFILE objects
and the user attribute ALLOW-GATEWAY-PORTS can be used to configure forwarding restrictions with more
granularity.

Rejecting Gateway Ports

If a user specifies the "-g" SSH2 option when initiating a port forwarding request, the local port does not listen on
the loopback IP address 127.0.0.1 (localhost) but on all subnets defined for the TCP/IP process. Such a port is called
a gateway port, because the host can then be used as a gateway to a third host. A port forwarding request of this kind
is denied if the user attribute ALLOW-GATEWAY-PORTS is set to FALSE. The user can still open non-gateway ports
listening on 127.0.0.1.

Restricting External Access to SSH2 Process

The restriction profile attribute CONNECT-FROM can be used in environments in which some remote hosts should not
be allowed to connect to a specific SSH2 instance running on a NonStop server. Its value is a list of host names, IP
addresses or patterns that are allowed to connect to the port on which SSH2 listens for SSH requests (default: 22).
The SSH user named in the incoming SSH request is checked against the corresponding user record in SSHCTL. The
user attribute RESTRICTION-PROFILE refers to the RESTRICTION-PROFILE object, which contains the setting for
CONNECT-FROM. If a RESTRICTION-PROFILE object and a CONNECT-FROM value are configured, the host/IP
address of the incoming SSH connection request is checked against the list of hosts/IP addresses defined in
CONNECT-FROM. The incoming SSH2 request is accepted only if a match is found; otherwise it is rejected.

Restricting Internal Access to Remote SSH2 Hosts

If a user should not be allowed to connect to all available remote SSH instances, the SSH2 user configuration can be
used to restrict outgoing access via the RESTRICTION-PROFILE attribute CONNECT-TO. The CONNECT-TO
attribute defines a list of host/port combinations that a user is allowed to reach via a specific SSH2 instance. No pattern
matching is allowed but several hosts can be defined and several ports can be specified per host.
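The three checks described above (ALLOW-GATEWAY-PORTS, CONNECT-FROM with patterns, CONNECT-TO with exact host/port pairs) can be modelled as follows. This is an added illustration, not HP NonStop SSH code: the user records, profile names and host values are constructed sample data, glob-style matching is assumed for CONNECT-FROM patterns, and an unknown SSHCTL user is assumed to be rejected.

```python
import fnmatch

# Constructed model of the SSH2 restriction checks; not HP NonStop SSH code.
# CONNECT-FROM pattern syntax is assumed to be glob-style ("*.company.com", "10.1.*").
PROFILES = {  # RESTRICTION-PROFILE objects (constructed sample data)
    "OPS-PROFILE": {
        "CONNECT-FROM": ["10.1.*", "*.company.com"],
        "CONNECT-TO": {"db1.company.com": {22, 2022}, "10.2.0.5": {22}},
    },
}

USERS = {  # SSHCTL user records (constructed sample data)
    "SUPER.OPERATOR": {"RESTRICTION-PROFILE": "OPS-PROFILE", "ALLOW-GATEWAY-PORTS": False},
    "GUEST": {"RESTRICTION-PROFILE": None, "ALLOW-GATEWAY-PORTS": True},
}


def _profile(user):
    """Return the user's RESTRICTION-PROFILE object, {} if none is set, None if the user is unknown."""
    rec = USERS.get(user)
    if rec is None:
        return None
    name = rec["RESTRICTION-PROFILE"]
    return PROFILES.get(name, {}) if name else {}


def accept_incoming(user, source):
    """CONNECT-FROM check: accept only if the source host/IP matches a listed entry.
    No profile or no CONNECT-FROM value means the check does not apply."""
    prof = _profile(user)
    if prof is None:
        return False  # assumed: no SSHCTL user record, reject
    allowed = prof.get("CONNECT-FROM")
    if not allowed:
        return True
    return any(fnmatch.fnmatchcase(source, pat) for pat in allowed)


def accept_outgoing(user, host, port):
    """CONNECT-TO check: exact host and port match only, no pattern matching."""
    prof = _profile(user)
    if prof is None:
        return False
    targets = prof.get("CONNECT-TO")
    if not targets:
        return True
    return port in targets.get(host, set())


def accept_forwarding(user, gateway_port):
    """ALLOW-GATEWAY-PORTS check: a -g request (listen on all interfaces) is denied
    when the attribute is FALSE; a loopback-only listener is still allowed."""
    rec = USERS.get(user)
    if rec is None:
        return False
    return rec["ALLOW-GATEWAY-PORTS"] or not gateway_port
```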
118 • Configuring and Running SSH2
HP NonStop SSH Reference Manual
