routeadm - administer access routes for user classes


routeadm -l [-hs] [-u userclass]
routeadm -a -u userclass -z route [-Z programdef ] [-b time] [-e time] [-w weekdays] [-m modifiers]
routeadm -d -u userclass [ -z route [ -Z programdef ] ] [-b time] [-e time] [-w weekdays] [-m modifiers]
routeadm -y [-z route] [-v]


routeadm is used to list, add and delete access routes for user classes. It can also be used to verify the syntax
of an access route.


List access routes for one or all user classes.

Add an access route to a user class.

Delete an access route from a user class. If no access route is specified, all access routes for that
user class are deleted.

Verify the syntax of an access route. If the access route specified is correct routeadm exits with
status zero. If it is not correct, it exits with a non zero status, and if the -v flag is specified, an error
is printed on stderr.

Used with the -l Option to get a header printed.

Used with the -l Option to show only the access routes in a compact format.

-u userclass
Used to specify the user class to act on with the -l, -a or -d option.

-z route
Used to specify the access route in format
The following are some of the access methods which may be specified:

TELNET Access using the telnet protocol
RLOGIN Login using the rlogin program
XDM Loginfrom a X-terminal
RSH Remoteexecution/copy using the rsh and rcp commands
REXEC Remoteexecution using rexec
FTP Filetransfer using ftp
LOGIN Login through a standard tty
SU Changing user id using the su command
SUEXEC Executing a program as another user using the
suexec program
WINLOGIN Login at Windows console
WINRDP Remote Windows Login
WINRUNAS Execute a program as another Windows user
WINNETSHARE Windows Netlogon (the FromHost field is ignored for
this method)
BOKSADM Remote administration
* All methods except BOKSADM

Be sure to single quote the access route string since it contains shell meta characters.

-Z programdef
Should be used for SUEXEC, WINRUNAS and NETSHARE routes to specify program component
or program group or, for NETSHARE, share name. Programdef may be just the full path of a
program (any arguments allowed), full path followed by "" (no arguments allowed) or full path followed
by an expression as accepted by fnmatch to specify what arguments are allowed to match.
It may also be the name of a program group. For the WINRUNAS access method the program
path component must always be enclosed in double quotes. See the PROGRAM DEFINITION
section for details.

-b time
Used to specify the starting time of the access route in HHMM format (default 0000).

-e time
Used to specify the end time for the access route in HHMM format (default 0000 which is equal to

-w weekdays
Used to specify weekdays the access route is valid. It is a string of digits representing the days of
the week, where Monday is is 1 and Sunday is 7. Default is 12345, i.e. working days. The day 8
means working day. Working day is defined as Monday through Friday except days which are holidays
as given by holidays(4).
-m modifiers
Used to specify any modifiers (options) for the access route. The authentication method modifiers

locked accessroute locked
syspsw systempassword
psw userpassword
psw,syspsw system and user password
uucp,psw compatibility mode (e.g. use with uucp)
stdlogin standard UNIX login (BoKS off)
su_fromtoken Usefrom-users password generator on SU and SUEXEC
use_frompsw Ask for from-user’s password on SU and SUEXEC
bosas BoKS-to-BoKS automatic authentication
alltaas "Allterminal" validation with smart cards
securid SecurID password generator if user has one
hardsecurid SecurID password generator must always be used
desgold Safeword token if user has one
harddesgold Safeword token must always be used
ldapauth Use LDAP bind authentication if user has ldap authenticator
hardldapauth LDAP bind authentication must always be used
kerberos Usekerberos authentication if user has kerberos authenticator (SU, SUEXEC and SSH only)
hardkerberos kerberos authentication must be used (SU, SUEXEC and SSH only)
optional_kerberos Same as kerberos, but fallback authentication can be used if client does not support kerberos or kerberos_ticket only is set and no ticket is available.(SU, SUEXEC and SSH only)
kerberos_allow_ticket For SU and SUEXEC, when kerberos authentication is to be used, allow authentication with kerberos ticket if present. No password will be required. Use with care.
kerberos_ticket_only When kerberos authentication is to be used, only try kerberos ticket, not kerberos password (SSH only)
kerberos_or_password When kerberos password authentication is to be used, if given password is not the correct kerberos password, check if it matches the BoKS password. (SSH only)
ssh_hb Hostbased SSH if the user has such authenticator
hard_ssh_hb Host based SSH must always be used
ssh_cert SSHX509v3 certificate authentication if user has such authenticator
hard_ssh_cert SSH X509v3 certificate authentication must always be used
ssh_pk PublicKey SSH if the user has such authenticator
hard_ssh_pk Public Key SSH must always be used
optional_ssh_cert Same as ssh_cert, but can be specified together with a fallback authentication method. E.g:
First try authenticating with ssh_cert, but if that fails (e.g. ssh client does not support X509v3 certificates), then try public key.
optional_ssh_pk Same as ssh_pk, but can be specified together with a fallback authentication method. e.g:
It should be noted that the SSH authentication methods only applies to routes for the ’SSH’
Access Method.

Example of other modifiers are:

The login process will execute the chroot(1) command, using the given path.
Only valid for SSH routes.
suexec_touserenv Run suexec command in touser environment, see suexec (1B).
Checks that SUEXEC program path components not are writable by users/groups other than trusted system users/groups.
Trusted system UIDs and GIDs are 0,1,2 and 3.
The SUEXEC safepath modifier can only be applied on the SUEXEC access route.
For more information about modifiers and a complete list, please see $BOKS_etc/method.conf
Used with the -y option to get an error message printed on stderr when an illegal access route is


A program definition is used for SUEXEC or WINRUNAS and specifies what programs a user may run and
with what arguments. It may be just the full path of a program, or there may be a space separated list specifying
what arguments match. No list means any arguments are allowed, "" means no arguments are
allowed, otherwise the list is an expression that must match the arguments given.
Note, program and arguments are assumed to be separated by exactly one space. Any extra spaces are
assumed to be part of the argument.
Rules for expression matching:
[abc] matches a, b or c
[a-z] matches any character in the range a-z
[!abc] matches any character but a, b and c
[-a] matches - or a
[[a] matches [or a
[]a] matches ] or a
* matches zero or more of any characters except within []
? matches any one character except within []
backslash escapes the meaning of any character except within []
Other characters match themselves


If the -y option is used, routeadm exits with a non zero exit status if the access route is invalid. For other
options, routeadm exits with a non zero exit status if a usage error is generated. Otherwise it exits with a
zero exit status.


# routeadm -l -h
Will print a header, and the access routes for the user classes that has an access route defined.

# routeadm -a -u GURU -z ’rlogin:*->*’ -b 0700 -e 1700 -w 12345
Will add the rlogin access route to the user class GURU. (Users in the user class GURU will be able to do
rlogin from any host any host defined in the BoKS database, to any UNIXBOKSHOST between 0700 and
1700 on all days except Saturday and Sunday).

# routeadm -d -u GURU -z ’rlogin:*->*’ -b 0700 -e 1700 -w 12345
The above access route is deleted again.

# routeadm -y -z ’foobar’
# echo $?
# routeadm -y -z ’rlogin:*->*’
# echo $?


pgrpadmin(1B), ttyadmin(1B), classadm(1B), chroot(1), $BOKS_etc/method.conf

Still have questions? We can help. Submit a case to Technical Support.

Last Modified On: August 28, 2019