HP NonStop SSH 544701-014 Reference Manual page 157

Note: Specifying a wildcard pattern as principal is useful when delegating authorization to the resource started for this
user (i.e. CI-PROGRAM or SHELL-PROGRAM).
CAUTION: When specifying a wildcard PRINCIPAL, user access should be properly locked down (e.g. by setting
SYSTEM-USER *NONE*) to avoid security breaches in which per-user authorization is bypassed.
The Kerberos principal name authenticated and authorized during "gssapi-with-mic" authentication will also be
displayed in the audit log and thus can be used to correlate the Kerberos principal name with the NonStop user name.
To delete a PRINCIPAL from the access control list, use the DELETE PRINCIPAL attribute.
PRIORITY
All user processes (except SFTPSERV processes) started directly by SSH2 will have the configured priority assigned.
Following are the values allowed in this parameter and their meanings:
Value    Meaning
1-199    Use the given priority value.
-1       Use the same priority as the SSH2 process starting the process.
Note: SFTPSERV processes will be prioritized as specified via the SFTP-PRIORITY attribute.
PUBLICKEY
This attribute is used to add or alter a public key with the provided <key-name>. For details on the syntax of that
attribute, please see the "ADD USER" command.
To delete a specific public key for a user, use the DELETE PUBLICKEY <key-name> attribute syntax. To delete all
public keys for a user, use the DELETE PUBLICKEY * attribute syntax.
Both the PUBLICKEY and the DELETE PUBLICKEY attributes can be repeated multiple times within a single ALTER
USER command.
RESET
This option is used to reset an attribute of the current user to the default value. For each attribute that should be reset,
there must be a separate occurrence of the RESET option. An attempt to both set and reset the same attribute will result
in an error message.
The following attributes can be reset:
    SFTP-INITIAL-DIRECTORY
    SYSTEM-USER
    SFTP-SECURITY
    SFTP-PRIORITY
    SFTP-GUARDIAN-FILESET
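The rules above for PRINCIPAL, PRIORITY and RESET can be checked before a change is applied. The following is an added example, not part of the manual or of the NonStop SSH product: it lints a planned ALTER USER change set held in a constructed tuple format (not SSHCOM syntax). It assumes `*` is the wildcard character in a PRINCIPAL pattern and reads the CAUTION as recommending SYSTEM-USER *NONE* for wildcard principals.

```python
# Added example: lint a planned ALTER USER change set against the rules on this page.
# The (action, attribute, value) tuples are a constructed format, not SSHCOM syntax.
RESETTABLE = {"SFTP-INITIAL-DIRECTORY", "SYSTEM-USER", "SFTP-SECURITY",
              "SFTP-PRIORITY", "SFTP-GUARDIAN-FILESET"}


def lint_alter_user(changes, current_system_user=None):
    """Return findings for a list of ("SET"|"RESET", attribute, value) tuples."""
    findings = []
    set_values = {}
    for action, attr, value in changes:
        if action == "SET":
            set_values.setdefault(attr, []).append(value)
    resets = [attr for action, attr, _ in changes if action == "RESET"]

    # RESET: only the listed attributes, and never together with a set.
    for attr in resets:
        if attr not in RESETTABLE:
            findings.append(f"ERROR: {attr} cannot be reset")
        if attr in set_values:
            findings.append(f"ERROR: {attr} is both set and reset")

    # PRIORITY: 1-199, or -1 to inherit the priority of the SSH2 process.
    for value in set_values.get("PRIORITY", []):
        if not (isinstance(value, int) and (value == -1 or 1 <= value <= 199)):
            findings.append(f"ERROR: PRIORITY {value!r} is not 1-199 or -1")

    # Effective SYSTEM-USER after the change; after a reset it is treated as unknown.
    if "SYSTEM-USER" in resets:
        system_user = None
    else:
        system_user = (set_values.get("SYSTEM-USER") or [current_system_user])[-1]
    for principal in set_values.get("PRINCIPAL", []):
        if "*" in principal and system_user != "*NONE*":  # assumed wildcard char
            findings.append(f"WARN: wildcard PRINCIPAL {principal!r} without SYSTEM-USER *NONE*")
    return findings


SAMPLE_CHANGES = [  # constructed sample input
    ("SET", "PRINCIPAL", "*@EXAMPLE.COM"),
    ("SET", "PRIORITY", 200),
    ("SET", "SFTP-PRIORITY", 150),
    ("RESET", "SFTP-PRIORITY", None),
    ("RESET", "PRIORITY", None),
]

if __name__ == "__main__":
    for line in lint_alter_user(SAMPLE_CHANGES, current_system_user="ops.alice"):
        print(line)
```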
RESTRICTION-PROFILE
Specifies the name of a RESTRICTION-PROFILE entity. If configured for a user, then the restrictions defined in the
RESTRICTION-PROFILE record will be applied for all incoming and outgoing connections related to the user.
SFTP-CPU-SET
Defines a set of CPUs used when SFTPSERV processes are invoked directly by SSH2 (for non-SFTPSERV processes
the attribute CPU-SET is used instead). CPUs are assigned via a round-robin algorithm among all the configured CPUs
that are available.
HP NonStop SSH Reference Manual
SSHCOM Command Reference • 157