https://community.hpe.com/t5/operating-system-openvms/ssh-in-a-captive-account/m-p/3785822#M52190 I just tried to run an ssh and scp command from a captive account, and I got this error:<BR /><BR />' System error message: 'captive account - spawn command not allowed'<BR /><BR />Is there any workaround to this? Or are SSH commands not going to work from a captive account? Wed, 10 May 2006 10:04:52 GMT Thomas A. Williams 2006-05-10T10:04:52Z https://community.hpe.com/t5/operating-system-openvms/ssh-in-a-captive-account/m-p/3785822#M52190 I just tried to run an ssh and scp command from a captive account, and I got this error:<BR /><BR />' System error message: 'captive account - spawn command not allowed'<BR /><BR />Is there any workaround to this? Or are SSH commands not going to work from a captive account? Wed, 10 May 2006 10:04:52 GMT https://community.hpe.com/t5/operating-system-openvms/ssh-in-a-captive-account/m-p/3785822#M52190 Thomas A. Williams 2006-05-10T10:04:52Z https://community.hpe.com/t5/operating-system-openvms/ssh-in-a-captive-account/m-p/3785823#M52191 Correction - the SSH command actually works from a captive account. It's just the SCP command that doesn't Wed, 10 May 2006 14:17:36 GMT https://community.hpe.com/t5/operating-system-openvms/ssh-in-a-captive-account/m-p/3785823#M52191 Thomas A. Williams 2006-05-10T14:17:36Z https://community.hpe.com/t5/operating-system-openvms/ssh-in-a-captive-account/m-p/3785824#M52192 I don't know anything, but SHOW PROCESS<BR />/SUBPROCESSES (/IDENTIFICATION = xxxxxxxx)<BR />does show a subprocess when SCP is run, and<BR />a quick dump of the executable<BR />(SYS$SYSTEM:TCPIP$SSH_SCP2.EXE) does show<BR />what looks like message text mentioning<BR />"sys$creprc()", so I'd guess that you're<BR />doomed.<BR /><BR />A quick Google search for:<BR />scp subprocess<BR />turns up a few places which say things like:<BR /><BR />Recall that the command:<BR /><BR /> $ scp ... S:file ...<BR /><BR />actually runs ssh in a subprocess to connect to S and invoke a remote scp server. [...]<BR /><BR />(<A href="http://www.unix.org.ua/orelly/networking_2ndEd/ssh/ch11_05.htm)" target="_blank">http://www.unix.org.ua/orelly/networking_2ndEd/ssh/ch11_05.htm)</A><BR /><BR />All of which seems to reinforce the initial<BR />impression of doom. Wed, 10 May 2006 16:37:50 GMT https://community.hpe.com/t5/operating-system-openvms/ssh-in-a-captive-account/m-p/3785824#M52192 Steven Schweda 2006-05-10T16:37:50Z https://community.hpe.com/t5/operating-system-openvms/ssh-in-a-captive-account/m-p/3785825#M52193 Thomas,<BR /><BR /> The big hammer fix would be to set bit 6 in the SYSGEN parameter SECURITY_POLICY - this allows SPAWN from CAPTIVE accounts. Depending on your environment, it might not be appropriate to open this hole.<BR /><BR /> Note SECURITY_POLICY is NOT dynamic so it's a reboot to set or clear it.<BR /><BR /> If the SPAWN command is in DCL, you could add /TRUSTED, or if you can get at the source code, add the flag CLI$M_TRUSTED to the LIB$SPAWN FLAGS parameter.<BR /><BR /> I checked the SCP command for a "TRUSTED" flag, nothing obvious. Wed, 10 May 2006 18:00:45 GMT https://community.hpe.com/t5/operating-system-openvms/ssh-in-a-captive-account/m-p/3785825#M52193 John Gillings 2006-05-10T18:00:45Z https://community.hpe.com/t5/operating-system-openvms/ssh-in-a-captive-account/m-p/3785826#M52194 Thanks for the replies. I also opened a call with HP support and this was their reply:<BR /><BR />"Iâ ve confirmed the behavior, and have contacted TCPIP engineering about it, and waiting for a response."<BR /><BR /> Thu, 11 May 2006 07:42:36 GMT https://community.hpe.com/t5/operating-system-openvms/ssh-in-a-captive-account/m-p/3785826#M52194 Thomas A. Williams 2006-05-11T07:42:36Z