HP-UX Secure Shell Getting Started Guide

Steps by Which the sshd Daemon Uses the Configuration Directives in the Auth Selection Patch
Following is the sample process outlined in Figure 4-1 (page 46):
1. The sshd daemon checks if the PasswordAuthDenyUsers configuration directive is
specified in the sshd_config file.
2. If the PasswordAuthDenyUsers configuration directive is specified, then the sshd daemon
checks to see if user U1 is specified in the list. If the PasswordAuthDenyUsers configuration
directive is not specified, the user can authenticate using password authentication.
3. If user U1 is specified in the list, the user cannot authenticate using password authentication.
4. If user U1 is not specified in the list, the sshd daemon checks if the
PasswordAuthAllowUsers configuration directive is specified.
5. If the PasswordAuthAllowUsers configuration directive is not specified, user U1 can
authenticate using password authentication. If the PasswordAuthAllowUsers configuration
directive is specified, the sshd daemon checks if user U1 is specified in the list.
6. If user U1 is specified in the list, the user can authenticate using password authentication.
7. If user U1 is not specified in the list, then user U1 cannot authenticate using password
authentication.
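The seven steps above, modeled as an audit helper. This is an added example, not code from the guide or from HP-UX Secure Shell. It assumes that each directive takes a whitespace-separated list of exact user names, that keywords are matched case-insensitively, and that repeated directives accumulate; the function names and the sample configuration are constructed for illustration.

```python
# Added example: follows steps 1-7 exactly as written on this page.
# Assumptions (not stated by the guide): exact-name matching, whitespace-
# separated lists, case-insensitive keywords, repeated directives accumulate.

SAMPLE_SSHD_CONFIG = """\
# constructed sample, not taken from a real host
PasswordAuthentication yes
PasswordAuthDenyUsers  backup oracle
PasswordAuthAllowUsers alice oracle
"""

def parse_lists(config_text):
    """Return (deny, allow); each is None when the directive is absent."""
    lists = {"passwordauthdenyusers": None, "passwordauthallowusers": None}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        key = fields[0].lower()
        if key in lists:
            if lists[key] is None:
                lists[key] = set()
            lists[key].update(fields[1:])
    return lists["passwordauthdenyusers"], lists["passwordauthallowusers"]

def password_auth_permitted(user, deny, allow):
    """Decision for one user, in the order the steps give it."""
    if deny is None:        # steps 1-2: no deny list -> permitted; as written,
        return True         # the allow list is not consulted on this branch
    if user in deny:        # step 3: listed in the deny list -> refused
        return False
    if allow is None:       # steps 4-5: no allow list -> permitted
        return True
    return user in allow    # steps 6-7: must appear in the allow list

def audit(config_text, users):
    """Map each user to True (password auth permitted) or False."""
    deny, allow = parse_lists(config_text)
    return {u: password_auth_permitted(u, deny, allow) for u in users}

if __name__ == "__main__":
    users = ["alice", "oracle", "backup", "bob"]
    for user, ok in audit(SAMPLE_SSHD_CONFIG, users).items():
        print(f"{user}: password authentication {'permitted' if ok else 'refused'}")
```

Two outcomes are worth checking against the installed sshd: a user named in both lists is refused because the deny list is evaluated first, and, following step 2 as written, an allow list with no deny list restricts nobody.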
The EnforceSecureTTY Configuration Directive
This configuration directive honors the settings in the /etc/securetty file. Use this configuration
directive to specify whether the sshd daemon must restrict superuser logins to the tty (terminal type)
names listed in the /etc/securetty file. When EnforceSecureTTY is set to NO (the default
value), HP-UX Secure Shell ignores the settings in the /etc/securetty file.
You can use the EnforceSecureTTY configuration directive in conjunction with the
PermitRootLogin configuration directive. Table 4-6 describes the behavior of the ssh, scp,
and sftp commands with different combinations of EnforceSecureTTY and
PermitRootLogin.
Configuring User-Specific Authentication 47