HP NonStop SSH 544701-014 Reference Manual page 165


Lets the user enter free text describing the entity or giving a short explanation of its intended use. Comment text that
contains spaces must be enclosed in double quotes.
The content is not used for any processing.
CONNECT-FROM
The attribute CONNECT-FROM restricts which host systems a user can connect from. Whenever an incoming
connection for the user is accepted, the CONNECT-FROM restrictions are applied.
The value can be one host pattern or a list of patterns used to match the address or name of the client system connecting
to SSH2 on the NonStop server. The format of each pattern and the matching performed are the same as for the OpenSSH
authorized_keys option from=, except that negation is written with '~' here rather than with OpenSSH's '!'.
If a list is specified, it must be enclosed in parentheses.
One pattern represents a host name or its IP address and can include the wildcard characters '*' (matching any number of
characters, including none) and '?' (matching exactly one character). A pattern may be prefixed by '~' to negate it: if the
incoming connection matches a pattern preceded by a tilde, the connection is rejected.
Examples for valid CONNECT-FROM values include:
103.10.0.37
dev*
(34.45.56.*, ~34.45.56.12)
(201.30.*.*, tandem1, 120.10.20.?, ~ 120.10.20.7)
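The following is an added example, not part of the manual or of the HP NonStop SSH product: a small Python checker that parses a CONNECT-FROM value (the same syntax applies to FORWARD-FROM) and decides whether a given client address or host name would be accepted. The names split_patterns, pattern_to_regex and connect_from_allows are the example's own. The handling of negated patterns is an assumption modelled on OpenSSH's from= matching, which the manual cites as equivalent: a matching '~' pattern rejects the connection, and otherwise at least one non-negated pattern must match.

```python
import re
from typing import List, Pattern


def split_patterns(value: str) -> List[str]:
    """Split a CONNECT-FROM (or FORWARD-FROM) value into its patterns.

    A single pattern stands alone; a list is comma-separated and enclosed in
    parentheses, as in the manual's examples.
    """
    value = value.strip()
    if value.startswith("(") and value.endswith(")"):
        value = value[1:-1]
    return [p.strip() for p in value.split(",") if p.strip()]


def pattern_to_regex(pattern: str) -> Pattern[str]:
    """Compile one host pattern: '*' matches any run of characters (including
    none), '?' matches exactly one character, everything else is literal.
    Host names are compared case-insensitively."""
    pieces = []
    for ch in pattern:
        if ch == "*":
            pieces.append(".*")
        elif ch == "?":
            pieces.append(".")
        else:
            pieces.append(re.escape(ch))
    return re.compile("^" + "".join(pieces) + "$", re.IGNORECASE)


def connect_from_allows(value: str, client_addr: str, client_name: str = "") -> bool:
    """Decide whether a client is accepted under a CONNECT-FROM value.

    Both the client's IP address and (if known) its resolved host name are
    tried against each pattern, because the manual says a pattern matches
    "the address or name" of the client.

    Assumption (modelled on OpenSSH's from= handling): a negated '~' pattern
    that matches rejects the connection outright, even if another pattern
    matched; otherwise at least one non-negated pattern must match. A value
    with no matching positive pattern therefore accepts nobody.
    """
    candidates = [client_addr] + ([client_name] if client_name else [])
    positive_match = False
    for pattern in split_patterns(value):
        negated = pattern.startswith("~")
        if negated:
            # The manual's own example writes "~ 120.10.20.7" with a space,
            # so tolerate whitespace between the tilde and the pattern.
            pattern = pattern[1:].strip()
        regex = pattern_to_regex(pattern)
        matched = any(regex.match(candidate) for candidate in candidates)
        if matched and negated:
            return False
        if matched:
            positive_match = True
    return positive_match


if __name__ == "__main__":
    # Constructed clients checked against the manual's last example value.
    rule = "(201.30.*.*, tandem1, 120.10.20.?, ~ 120.10.20.7)"
    for addr, name in [("201.30.7.8", ""), ("10.0.0.9", "tandem1"),
                       ("120.10.20.5", ""), ("120.10.20.7", ""),
                       ("120.10.20.15", "")]:
        verdict = "allowed" if connect_from_allows(rule, addr, name) else "rejected"
        print(f"{addr:14} {name or '-':10} {verdict}")
```

Note that "120.10.20.?" does not match 120.10.20.15, because '?' stands for exactly one character; use '*' if the last octet may have more than one digit. A list that contains only negated patterns accepts no one under these semantics, so every CONNECT-FROM list needs at least one positive pattern.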
CONNECT-TO
The CONNECT-TO attribute restricts a user's outgoing connections to configured host/port combinations. The
CONNECT-TO restrictions are applied whenever the user tries to connect via SSH2 using the SSH, SSHOSS, SFTP or
SFTPOSS client.
The value for this attribute can be one host/port range or a list of host/port ranges. A comma-separated list must be
enclosed in parentheses.
Each entry pairs a host with a port range, separated by a colon: <host>:<port-range>. A port range can be a single port, a
single range written as <low>-<high>, or a list of ports and ranges separated by '+' and enclosed in square brackets.
Examples of valid values for CONNECT-TO include:
103.10.0.47:22
1.2.3.4:1025-1999
yourhost.domain.com:[2013]
abc.domain.com:[2013-2100]
(xyz.domain.com:[22 + 2013-2100 + 5000-5099], 4.5.6.7:[300-301 + 5555])
FORWARD-FROM
The FORWARD-FROM attribute restricts a user's ability to do port forwarding, enabling only a specified set of hosts to
use forwarding tunnels opened by a given user.
The value can be one host pattern or a list of patterns used to match the address or name of the client system connecting
to SSH2 on a NonStop server. The pattern syntax is the same as for CONNECT-FROM.
Please see the section on the CONNECT-FROM attribute for examples.
PERMIT-LISTEN
The PERMIT-LISTEN attribute restricts a user's ability to do port forwarding by limiting the local ports on which a
forwarding tunnel opened by that user may listen. Only the configured ports are allowed for listening on the host opening
the forwarding tunnel.
The configuration uses the same <host>:<port-range> syntax as CONNECT-TO, but for PERMIT-LISTEN the "host" must
either be 0.0.0.0 (the ports following the ':' are gateway ports, i.e. bound on all interfaces and reachable from other hosts)
or 127.0.0.1 (the ports following the ':' are non-gateway ports, bound to the loopback interface only).
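The following is an added example, not part of the manual or of the HP NonStop SSH product: a Python parser for the <host>:<port-range> syntax shared by CONNECT-TO and PERMIT-LISTEN, with a checker for outgoing CONNECT-TO targets and a validator that enforces the PERMIT-LISTEN host restriction. The function names split_entries, parse_port_spec, parse_host_port_rules, connect_to_allows and validate_permit_listen are the example's own. It assumes that the host part of a CONNECT-TO entry is compared literally and case-insensitively, since the manual shows no wildcards for this attribute, and that port lists must appear inside square brackets as the manual states.

```python
from typing import List, Tuple

PortRange = Tuple[int, int]
Rule = Tuple[str, List[PortRange]]

# The only hosts the manual permits in a PERMIT-LISTEN entry.
PERMIT_LISTEN_HOSTS = {"0.0.0.0", "127.0.0.1"}


def split_entries(value: str) -> List[str]:
    """Split a value into entries: one entry stands alone, a list is
    comma-separated and enclosed in parentheses. Splitting on ',' is safe
    because port lists inside [...] use '+' rather than ',' as separator."""
    value = value.strip()
    if value.startswith("(") and value.endswith(")"):
        value = value[1:-1]
    return [e.strip() for e in value.split(",") if e.strip()]


def parse_port_spec(spec: str) -> List[PortRange]:
    """Parse a port specification: a single port (22), a single range
    (1025-1999), or a bracketed '+'-separated list ([22 + 2013-2100])."""
    spec = spec.strip()
    if spec.startswith("[") and spec.endswith("]"):
        spec = spec[1:-1]
    elif "+" in spec:
        raise ValueError(f"port lists must be enclosed in brackets: {spec!r}")
    ranges: List[PortRange] = []
    for item in spec.split("+"):
        item = item.strip()
        if not item:
            raise ValueError(f"empty port item in {spec!r}")
        low_s, sep, high_s = item.partition("-")
        low = int(low_s)
        high = int(high_s) if sep else low
        if not 1 <= low <= high <= 65535:
            raise ValueError(f"invalid port range: {item!r}")
        ranges.append((low, high))
    return ranges


def parse_host_port_rules(value: str) -> List[Rule]:
    """Parse a CONNECT-TO or PERMIT-LISTEN value into (host, ranges) rules."""
    rules: List[Rule] = []
    for entry in split_entries(value):
        host, sep, ports = entry.partition(":")
        host = host.strip().lower()
        if not sep or not host:
            raise ValueError(f"expected <host>:<port-range>, got {entry!r}")
        rules.append((host, parse_port_spec(ports)))
    return rules


def connect_to_allows(value: str, host: str, port: int) -> bool:
    """True if an outgoing connection to host:port is permitted by the
    CONNECT-TO value. Assumption: hosts are compared literally and
    case-insensitively (no wildcards), as the manual shows none here."""
    host = host.strip().lower()
    return any(
        rule_host == host and any(low <= port <= high for low, high in ranges)
        for rule_host, ranges in parse_host_port_rules(value)
    )


def validate_permit_listen(value: str) -> List[Rule]:
    """Parse a PERMIT-LISTEN value and enforce the manual's extra constraint:
    the host must be 0.0.0.0 (gateway ports, all interfaces) or 127.0.0.1
    (non-gateway ports, loopback only)."""
    rules = parse_host_port_rules(value)
    for host, _ in rules:
        if host not in PERMIT_LISTEN_HOSTS:
            raise ValueError(
                f"PERMIT-LISTEN host must be 0.0.0.0 or 127.0.0.1, got {host!r}")
    return rules


if __name__ == "__main__":
    # Constructed targets checked against the manual's last CONNECT-TO example.
    rule = "(xyz.domain.com:[22 + 2013-2100 + 5000-5099], 4.5.6.7:[300-301 + 5555])"
    for target in [("xyz.domain.com", 2050), ("xyz.domain.com", 2101), ("4.5.6.7", 5555)]:
        print(target, "allowed" if connect_to_allows(rule, *target) else "rejected")
    # Constructed PERMIT-LISTEN value: loopback-only ports plus one gateway port.
    print(validate_permit_listen("(127.0.0.1:[8080 + 9000-9010], 0.0.0.0:2222)"))
```

When reviewing a user's attributes, the 0.0.0.0 entries in PERMIT-LISTEN deserve the closest look: each one exposes a forwarded port to every host that can reach the NonStop system, so it should be paired with a FORWARD-FROM value that limits who may use the tunnel.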
PERMIT-OPEN
HP NonStop SSH Reference Manual
SSHCOM Command Reference • 165
