NAME
routeadm - administer access routes for user classes
SYNOPSIS
routeadm -l [-hs] [-u userclass]
routeadm -a -u userclass -z route [-Z programdef] [-b time] [-e time] [-w weekdays] [-m modifiers]
routeadm -d -u userclass [-z route [-Z programdef]] [-b time] [-e time] [-w weekdays] [-m modifiers]
routeadm -y [-z route] [-v]
DESCRIPTION
routeadm is used to list, add and delete access routes for user classes. It can also be used to verify the syntax
of an access route.
OPTIONS
-l
List access routes for one or all user classes.
-a
Add an access route to a user class.
-d
Delete an access route from a user class. If no access route is specified, all access routes for that
user class are deleted.
-y
Verify the syntax of an access route. If the access route specified is correct, routeadm exits with
status zero. If it is not correct, it exits with a non-zero status, and if the -v flag is specified, an error
is printed on stderr.
-h
Used with the -l option to get a header printed.
-s
Used with the -l option to show only the access routes in a compact format.
-u userclass
Used to specify the user class to act on with the -l
-z route
Used to specify the access route in format
The following are some of the access methods which may be specified:
TELNET       Access using the telnet protocol
RLOGIN       Login using the rlogin program
XDM          Login from an X-terminal
RSH          Remote execution/copy using the rsh and rcp commands
REXEC        Remote execution using rexec
FTP          File transfer using ftp
LOGIN        Login through a standard tty
SU           Changing user id using the su command
SUEXEC       Executing a program as another user using the
WINLOGIN     Login at Windows console
WINRDP       Remote Windows Login
WINRUNAS     Execute a program as another Windows user
WINNETSHARE  Windows Netlogon (the FromHost field is ignored for
BOKSADM      Remote administration
*            All methods except BOKSADM
Be sure to single quote the access route string since it contains shell meta characters.
-Z programdef
Should be used for SUEXEC, WINRUNAS and NETSHARE routes to specify the program component
or program group or, for NETSHARE, the share name. Programdef may be just the full path of a
program (any arguments allowed), the full path followed by "" (no arguments allowed), or the full path followed
by an expression as accepted by fnmatch to specify what arguments are allowed to match.
It may also be the name of a program group. For the WINRUNAS access method the program
path component must always be enclosed in double quotes. See the PROGRAM DEFINITION
section for details.
-b time
Used to specify the starting time of the access route in HHMM format (default 0000).
-e time
Used to specify the end time for the access route in HHMM format (default 0000 which is equal to
-w weekdays
Used to specify the weekdays on which the access route is valid. It is a string of digits representing the days of
the week, where Monday is 1 and Sunday is 7. Default is 12345, i.e. working days. The day 8
means working day. A working day is defined as Monday through Friday except days which are holidays
as given by holidays(4).
-m modifiers
Used to specify any modifiers (options) for the access route. The authentication method modifiers are:
system and user password
compatibility mode (e.g. use with uucp)
standard UNIX login (BoKS off)
Use from-user's password generator on SU and SUEXEC
Ask for from-user's password on SU and SUEXEC
BoKS-to-BoKS automatic authentication
"All terminal" validation with smart cards
SecurID password generator if user has one
SecurID password generator must always be used
Safeword token if user has one
Safeword token must always be used
Use LDAP bind authentication if user has an LDAP authenticator
LDAP bind authentication must always be used
Use kerberos authentication if user has a kerberos authenticator (SU, SUEXEC and SSH only)
kerberos authentication must be used (SU, SUEXEC and SSH only)
Same as kerberos, but fallback authentication can be used if the client does not support kerberos, or if kerberos_ticket only is set and no ticket is available (SU, SUEXEC and SSH only)
For SU and SUEXEC, when kerberos authentication is to be used, allow authentication with a kerberos ticket if present. No password will be required. Use with care.
When kerberos authentication is to be used, only try the kerberos ticket, not the kerberos password (SSH only)
When kerberos password authentication is to be used and the given password is not the correct kerberos password, check whether it matches the BoKS password (SSH only)
Host based SSH if the user has such an authenticator
Host based SSH must always be used
SSH X509v3 certificate authentication if user has such an authenticator
SSH X509v3 certificate authentication must always be used
Public Key SSH if the user has such an authenticator
Public Key SSH must always be used
Same as ssh_cert, but can be specified together with a fallback authentication method, e.g.:
first try authenticating with ssh_cert, but if that fails (e.g. the ssh client does not support X509v3 certificates), then try public key.
Same as ssh_pk, but can be specified together with a fallback authentication method, e.g.:
It should be noted that the SSH authentication methods only apply to routes for the 'SSH' access method.
Examples of other modifiers are:
The login process will execute the chroot(1) command, using the given path.
Only valid for SSH routes.
Run the suexec command in the touser environment, see suexec(1B).
Checks that the SUEXEC program path components are not writable by users/groups other than trusted system users/groups.
Trusted system UIDs and GIDs are 0, 1, 2 and 3.
The SUEXEC safepath modifier can only be applied to the SUEXEC access route.
For more information about modifiers and a complete list, please see $BOKS_etc/method.conf.
-v
Used with the -y option to get an error message printed on stderr when an illegal access route is specified.
PROGRAM DEFINITION
A program definition is used for SUEXEC or WINRUNAS and specifies what programs a user may run and
with what arguments. It may be just the full path of a program, or there may be a space separated list specifying
what arguments match. No list means any arguments are allowed, "" means no arguments are
allowed, otherwise the list is an expression that must match the arguments given.
Note that the program and arguments are assumed to be separated by exactly one space. Any extra spaces are
assumed to be part of the argument.
Rules for expression matching:
[abc]      matches a, b or c
[a-z]      matches any character in the range a-z
[!abc]     matches any character but a, b and c
[-a]       matches - or a
[[a]       matches [ or a
a]         matches ] or a
*          matches zero or more of any characters except within a bracket expression
?          matches any one character except within a bracket expression
backslash  escapes the meaning of any character except within a bracket expression
Other characters match themselves.
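As an added illustration of the matching rules above (this is not routeadm's own code), the shell function below checks a command line against a program definition using POSIX shell case patterns, which follow the same bracket, '*', '?' and backslash rules; the program paths and command lines it is run on are constructed samples.

```shell
# Added illustration, not routeadm code: match a command line against a
# SUEXEC-style program definition using POSIX shell case patterns, which
# follow the bracket, '*', '?' and backslash rules listed above.
#   /path/prog            any arguments allowed
#   /path/prog ""         no arguments allowed
#   /path/prog <pattern>  arguments must match the fnmatch-style pattern
# Program and arguments are split on exactly one space; extra spaces stay
# part of the argument string, as the page states.
progdef_match() {   # usage: progdef_match PROGDEF COMMANDLINE; 0 = allowed
    def=$1 cmd=$2 def_any=0
    case $def in
        *' '*) def_prog=${def%% *}; def_args=${def#* } ;;
        *)     def_prog=$def;       def_args=''; def_any=1 ;;
    esac
    case $cmd in
        *' '*) cmd_prog=${cmd%% *}; cmd_args=${cmd#* } ;;
        *)     cmd_prog=$cmd;       cmd_args='' ;;
    esac
    # The program path itself must match exactly (no pattern matching here).
    [ "$cmd_prog" = "$def_prog" ] || return 1
    # No argument list in the definition: any arguments are allowed.
    [ "$def_any" -eq 1 ] && return 0
    # A bare "" in the definition: the command must carry no arguments.
    if [ "$def_args" = '""' ]; then
        [ -z "$cmd_args" ] && return 0
        return 1
    fi
    # Otherwise the whole argument string must match the pattern; an unquoted
    # variable in a case pattern is matched as a shell pattern.
    case $cmd_args in
        $def_args) return 0 ;;
    esac
    return 1
}

# Demonstration on constructed definitions and command lines.
demo() {
    for pair in \
        '/usr/bin/passwd|/usr/bin/passwd alice' \
        '/usr/bin/passwd ""|/usr/bin/passwd alice' \
        '/usr/bin/passwd [!r]*|/usr/bin/passwd root' \
        '/bin/ls -l *|/bin/ls -l /var/log' \
        '/bin/ls -l|/bin/ls  -l'
    do
        d=${pair%%|*} c=${pair#*|}
        if progdef_match "$d" "$c"; then r=allowed; else r=denied; fi
        printf '%-24s %-28s %s\n' "$d" "$c" "$r"
    done
}
```

The last demo line shows the "exactly one space" rule: the double space makes " -l" the argument string, so it no longer matches the definition.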
EXIT STATUS
If the -y option is used, routeadm exits with a non-zero exit status if the access route is invalid. For other
options, routeadm exits with a non-zero exit status if a usage error is generated. Otherwise it exits with a
zero exit status.
EXAMPLES
# routeadm -l -h
Will print a header, and the access routes for the user classes that have an access route defined.
# routeadm -a -u GURU -z 'rlogin:*->*' -b 0700 -e 1700 -w 12345
Will add the rlogin access route to the user class GURU. (Users in the user class GURU will be able to do
rlogin from any host defined in the BoKS database, to any UNIXBOKSHOST between 0700 and
1700 on all days except Saturday and Sunday.)
# routeadm -d -u GURU -z 'rlogin:*->*' -b 0700 -e 1700 -w 12345
The above access route is deleted again.
# routeadm -y -z 'foobar'
# echo $?
# routeadm -y -z 'rlogin:*->*'
# echo $?
SEE ALSO
pgrpadmin(1B), ttyadmin(1B), classadm(1B), chroot(1), $BOKS_etc/method.conf