HP-UX Secure Shell Getting Started Guide

Table 4-6 Behavior of the ssh, scp, and sftp Commands with Different Combinations of
EnforceSecureTTY and PermitRootLogin (continued)

EnforceSecureTTY: NO
PermitRootLogin: Without Password

Behavior of the ssh Command:
    Host login (1) is allowed for all superusers. Superusers must authenticate
    with a method other than password authentication; however, this requirement
    comes from PermitRootLogin and is not related to EnforceSecureTTY.
    Host command execution (2) is allowed for all users, regardless of the
    entries in the /etc/securetty file.

Behavior of the scp and sftp Commands (3):
    Superusers can execute the scp and sftp commands, regardless of the entries
    in the /etc/securetty file. Superusers must authenticate with a method other
    than password authentication.
1. Host login refers to a client logging directly into a host, which allocates a pty. Following is an example of host login:
   $ ssh hostxyz
2. Host command execution refers to a client executing a single command against a server. The client authenticates to the
   server, executes the command, and exits; no pty is allocated. Following is an example of host command execution:
   $ ssh hostxyz ls /tmp
3. The execution of the scp and sftp commands is similar to host command execution. However, no pty is allocated for
   scp and sftp, so the /etc/securetty file is not checked. Any combination of EnforceSecureTTY and
   PermitRootLogin that allows host command execution for ssh also allows scp and sftp execution.
4. Forced-command execution refers to a client executing a command predefined in the authorized_keys file of the
   user account it authenticates as. This file is located in that account's home directory on the server.
Behavior of EnforceSecureTTY With the UseLogin Configuration Directive
The EnforceSecureTTY configuration directive works in conjunction with the UseLogin
configuration directive. Although login(1) contains code that checks the /etc/securetty
file, that code runs as part of login's own authentication. When UseLogin is set to YES,
HP-UX Secure Shell has already authenticated the user and therefore invokes login(1) with
its do-not-authenticate option. As a result, the section of the login(1) code related to
/etc/securetty is skipped. For this reason, HP-UX Secure Shell reads and processes the
/etc/securetty file itself, even if UseLogin is set to YES; the EnforceSecureTTY check does
not depend on login(1).
Behavioral Differences Between telnet and ssh Logins Because of EnforceSecureTTY
The addition of the EnforceSecureTTY configuration directive changes the behavior of an
ssh login so that it differs from a telnet login. In telnet, a pty is allocated to the user
connection before authentication, so the /etc/securetty check happens inside login(1) as part
of the password prompt. In HP-UX Secure Shell, a user must authenticate successfully before
the sshd daemon allocates a pty; once the user is authenticated, the sshd daemon does not
prompt for a password again. Table 4-7 describes the difference between a telnet and an
ssh login.
Table 4-7 Difference in Behavior Between telnet and ssh Logins

A telnet Login:
    When a superuser tries to log in using telnet with a tty that is not listed in the
    /etc/securetty file, telnet continues to prompt the user for a password regardless
    of whether the user types a valid or an invalid password.

An ssh Login:
    If the EnforceSecureTTY configuration directive is set to YES and a superuser attempts
    an ssh login with a tty that is not listed in the /etc/securetty file, HP-UX Secure
    Shell continues to prompt the user for a password as long as the user types invalid
    passwords. Once the user types the valid password, the sshd daemon does the following:
    1. Authenticates the user
    2. Allocates a pty
    3. Finds that the pty is not permitted
    4. Closes the connection

Note that in the ssh case the connection is closed only after the valid password has been
accepted, so a remote client can tell a correct superuser password from an incorrect one even
though no session is granted. EnforceSecureTTY therefore restricts where a superuser may log
in; it is not a substitute for setting PermitRootLogin to Without Password or NO.
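The following is an added example, not code from HP-UX Secure Shell or from this guide. It models the decisions the guide describes in Table 4-6, its footnotes, and Table 4-7: PermitRootLogin is applied during authentication, a pty is allocated only afterwards and only for an interactive host login, and the /etc/securetty check is performed by sshd itself only when EnforceSecureTTY is YES, a pty exists, and the user is a superuser. The sshd_config fragment, the /etc/securetty contents, the account name and the pts/N tty naming are all constructed for the example and are assumptions, not values from the guide.

```python
# Added example (not HP-UX Secure Shell code): predict what sshd does with a
# session from an sshd_config fragment and /etc/securetty, following the
# behavior described in Tables 4-6 and 4-7.  All input data is constructed.

# Constructed sshd_config fragment (the first value of a keyword wins, as in sshd).
SSHD_CONFIG = """\
PermitRootLogin without-password
EnforceSecureTTY yes
UseLogin no
"""

# Constructed /etc/securetty: the only ttys on which root may log in when
# EnforceSecureTTY is YES.  The pts/N naming of ssh ptys is an assumption.
SECURETTY = """\
console
pts/0
"""


def parse_sshd_config(text):
    """Return {keyword: value} from sshd_config text, lower-cased."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(" ")
        conf.setdefault(key.lower(), value.strip().lower())
    return conf


def parse_securetty(text):
    """Return the set of tty names listed in /etc/securetty."""
    return {ln.strip() for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")}


def evaluate(user, auth, kind, tty, conf, securetty):
    """Predict sshd's handling of one session.

    user:  account name ("root" is the superuser)
    auth:  "password" or "publickey"
    kind:  "login"   interactive host login (pty allocated)
           "command" host command execution, e.g. ssh hostxyz ls /tmp (no pty)
           "scp"     scp or sftp (no pty)
           "forced"  key with a command= option in authorized_keys (no pty)
    tty:   pty name as /etc/securetty would list it, or None
    Returns (allowed, steps); steps records what sshd did, in order.
    """
    steps = []
    prl = conf.get("permitrootlogin", "yes")
    enforce = conf.get("enforcesecuretty", "no") == "yes"

    if user == "root":
        # PermitRootLogin is applied during authentication, so a refused
        # method never reaches the "authenticated" step, whatever the tty.
        if prl == "no":
            steps.append("PermitRootLogin no: root login refused")
            return False, steps
        if prl in ("without-password", "forced-commands-only") and auth == "password":
            steps.append("PermitRootLogin %s: root password authentication refused" % prl)
            return False, steps
        if prl == "forced-commands-only" and kind != "forced":
            steps.append("PermitRootLogin forced-commands-only: only forced commands permitted")
            return False, steps

    steps.append("authenticated via %s" % auth)

    # A pty is allocated only after authentication and only for an interactive
    # login; command execution, scp and sftp get no pty, so /etc/securetty is
    # never consulted for them (Table 4-6, footnote 3).
    if kind == "login":
        steps.append("pty %s allocated" % tty)
        if enforce and user == "root":
            # sshd performs this check itself, regardless of UseLogin.
            if tty not in securetty:
                steps.append("%s not in /etc/securetty: connection closed" % tty)
                return False, steps
            steps.append("%s listed in /etc/securetty" % tty)
    else:
        steps.append("no pty allocated, /etc/securetty not checked")

    steps.append("session granted")
    return True, steps


def predict(user, auth, kind, tty=None, config=SSHD_CONFIG, securetty=SECURETTY):
    """Parse the constructed files and evaluate one session."""
    return evaluate(user, auth, kind, tty,
                    parse_sshd_config(config), parse_securetty(securetty))


if __name__ == "__main__":
    for case in [("root", "password", "login", "pts/3"),
                 ("root", "publickey", "login", "pts/3"),
                 ("root", "publickey", "login", "pts/0"),
                 ("root", "publickey", "scp", None)]:
        ok, steps = predict(*case)
        print(case, "ALLOWED" if ok else "DENIED", "; ".join(steps))
```

With the constructed configuration, a root password login is refused before authentication completes (PermitRootLogin), a root public-key login on pts/3 is authenticated, gets a pty, and is then closed because pts/3 is not in /etc/securetty (the Table 4-7 sequence), the same login on pts/0 succeeds, and root scp, sftp or single-command sessions succeed on any tty because no pty is allocated. Passing a config with EnforceSecureTTY no shows that /etc/securetty is then ignored entirely for ssh, as the Table 4-6 row above states.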
Configuring User-Specific Authentication 51