NAME
ttyadmin - administration of user access routes
SYNOPSIS
ttyadmin -a -l user -z route [-Z programdef] [-b start time] [-e end time] [-w days of week] [-m modifiers]
ttyadmin -r -l user -z route [-Z programdef] [-b start time] [-e end time] [-w days of week] [-m modifiers]
ttyadmin -y [-v] -z route
ttyadmin -s display_opts [-l user]
ttyadmin -T [-l user]
ttyadmin -N [-l user]
ttyadmin -L A|P|C
DESCRIPTION
Ttyadmin administers user access routes for BoKS users (see routeadm(1B) for administering user class
access routes). A BoKS user must have an access route allocated by ttyadmin to be able to access the system.
A user may be authorized to access the system from any number of access routes. A user may also have
several authorizations per route. At access time all the entries are scanned for a possible match.
OPTIONS
-s display_opts
List authorizations. display_opts is one or more of the characters hPsT. Exactly one of P and T
should be included. T displays a table. P produces a terser format, similar to the output from -T.
h adds a header. s suppresses the delimiting line following the header.
-a
Authorize a user to access the system using the specified access route. The user must previously
have been created by mkbks(1B).
-T
List access routes through which a user is authorized to access the system. If no access route is
specified, all routes which at least one user is authorized to access are shown.
-N
The negation of -T.
Show all known terminals. This is done by scanning the /dev directory for possible terminals.
-z route
This option is used to specify a full access route in the format:
method:FromHost->ToHost
The following are some of the access methods which may be specified:
TELNET      Access using the telnet protocol
RLOGIN      Login using the rlogin program
XDM         Login from an X-terminal
RSH         Remote execution/copy using the rsh and rcp commands
REXEC       Remote execution using rexec
FTP         File transfer using ftp
LOGIN       Login through a standard tty
SU          Changing user id using the su command
SUEXEC      Executing a program as another user using the suexec command
WINLOGIN    Login at the Windows console
WINRDP      Remote Windows login
WINRUNAS    Execute a program as another Windows user
WINNETSHARE Windows Netlogon (the FromHost field is ignored for this method)
BOKSADM     Remote administration
*           All methods except BOKSADM
Methods may be entered in either upper or lower case letters. The wild card '*' may be used. Surround
the access route with single quotes.
If the access method is SU, SUEXEC or LOGIN, the FromHost part should be a valid terminal name
instead of a host. For the WINRUNAS access method the FromHost part should always be set to the wild card
'*', as terminals are currently not supported on Windows. If the access method is SU, SUEXEC or WINRUNAS,
ToHost should be the name of the user, or user@host (to restrict access to a specific host or hostgroup),
where "user" is only the user name part of the BoKS username.
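The route rules above as a local pre-check, written as an added example (not code from the ttyadmin man page or from BoKS): route_check splits a route written as method:FromHost->ToHost and applies only the constraints stated in this section. It is not a substitute for "ttyadmin -y -z route", which asks BoKS itself.

```shell
# Added example, not from the ttyadmin man page or BoKS. route_check ROUTE
# returns 0 when ROUTE passes the checks stated in the -z description.
route_check() {
    route=$1
    arrow='->'
    case $route in
        *:*"$arrow"*) ;;
        *) echo "bad route syntax: $route" >&2; return 1 ;;
    esac
    method=${route%%:*}
    rest=${route#*:}
    from=${rest%%"$arrow"*}
    to=${rest#*"$arrow"}
    # Methods may be written in either case; compare in upper case.
    method=$(printf '%s' "$method" | tr 'a-z' 'A-Z')
    case $method in
        TELNET|RLOGIN|XDM|RSH|REXEC|FTP|LOGIN|SU|SUEXEC|WINLOGIN|WINRDP) ;;
        WINRUNAS|WINNETSHARE|BOKSADM|\*) ;;
        *) echo "unknown access method: $method" >&2; return 1 ;;
    esac
    if [ -z "$from" ] || [ -z "$to" ]; then
        echo "empty FromHost or ToHost in: $route" >&2; return 1
    fi
    # WINRUNAS: terminals are not supported on Windows, so FromHost must be '*'.
    if [ "$method" = WINRUNAS ] && [ "$from" != '*' ]; then
        echo "WINRUNAS: FromHost must be '*', not '$from'" >&2; return 1
    fi
    # SU, SUEXEC, WINRUNAS: ToHost is user or user@host, where user is the
    # user name part only (a host:user form is rejected).
    case $method in
        SU|SUEXEC|WINRUNAS)
            user=${to%%@*}
            case $user in
                ''|*:*) echo "$method: ToHost must be user or user@host, not '$to'" >&2
                        return 1 ;;
            esac ;;
    esac
    return 0
}
```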
-Z programdef
Used for SUEXEC, WINRUNAS and NETSHARE routes to specify the program
component or program group or, for NETSHARE, the share name. Programdef may be just the
full path of a program (any arguments allowed), the full path followed by "" (no arguments allowed)
or the full path followed by an expression as accepted by fnmatch to specify what arguments are
allowed to match. It may also be the name of a program group. For the WINRUNAS access
method the program path component must always be enclosed in double quotes. See the PROGRAM
DEFINITION section for details.
-b start time
Specifies the start time, since midnight, for access through the specified route. The format is
HH[MM] or HH:[MM] where HH is hours (24 hour clock) and MM is minutes.
-e end time
End time. See -b for a format description.
-w days of week
Day of week for access through the specified route. The format is a string with digits (1-7) without
any spaces. 1 is Monday and 7 is Sunday. Example: -w12356 means Monday, Tuesday, Wednesday,
Friday and Saturday. The default for days of week is Monday through Friday (-w12345). The
day 8 means working day. Working day is defined as Monday through Friday except days which
are holidays as given by holidays(4).
-m modifiers
Used to specify any modifiers (options) for the access route. The authentication method modifiers
include (modifier names are listed in $BOKS_etc/method.conf):
System and user password
Compatibility mode (e.g. use with uucp)
Standard UNIX login (BoKS off)
Use from-user's password generator on SU and SUEXEC
Ask for from-user's password on SU and SUEXEC
BoKS-to-BoKS automatic authentication
"All terminal" validation with smart cards
SecurID password generator if user has one
SecurID password generator must always be used
Safeword token if user has one
Safeword token must always be used
Use LDAP bind authentication if user has an LDAP authenticator
LDAP bind authentication must always be used
Use Kerberos authentication if user has a Kerberos authenticator (SU, SUEXEC and SSH only)
Kerberos authentication must be used (SU, SUEXEC and SSH only)
Same as kerberos, but fallback authentication can be used if the client does not support Kerberos, or kerberos_ticket only is set and no ticket is available (SU, SUEXEC and SSH only)
For SU and SUEXEC, when Kerberos authentication is to be used, allow authentication with a Kerberos ticket if present. No password will be required. Use with care.
When Kerberos authentication is to be used, only try the Kerberos ticket, not the Kerberos password (SSH only)
When Kerberos password authentication is to be used and the given password is not the correct Kerberos password, check if it matches the BoKS password (SSH only)
Host-based SSH if the user has such an authenticator
Host-based SSH must always be used
SSH X509v3 certificate authentication if the user has such an authenticator
SSH X509v3 certificate authentication must always be used
Public key SSH if the user has such an authenticator
Public key SSH must always be used
Same as ssh_cert, but can be specified together with a fallback authentication method, e.g. first try authenticating with ssh_cert, but if that fails (e.g. the ssh client does not support X509v3 certificates), then try public key.
Same as ssh_pk, but can be specified together with a fallback authentication method.
It should be noted that the SSH authentication methods only apply to routes for the SSH access method.
Examples of other modifiers are:
The login process will execute the chroot(1) command, using the given path. Only valid for SSH routes.
Run the suexec command in the touser environment, see suexec(1B).
safepath: checks that SUEXEC program path components are not writable by users/groups other than trusted system users/groups. Trusted system UIDs and GIDs are 0, 1, 2 and 3. The SUEXEC safepath modifier can only be applied on the SUEXEC access route.
For more information about modifiers and a complete list, please see $BOKS_etc/method.conf.
-y
Used to check if an access route entered together with the -z option is valid.
-v
Verbose mode, used together with -y.
-L A|P|C
A List all defined access routes.
P List all pre-defined access routes.
C List all custom-defined access routes.
-S
List all users' access routes.
-#level
Turn on debug with the level specified.
PROGRAM DEFINITION
A program definition is used for SUEXEC or WINRUNAS and specifies what programs a user may run and
with what arguments. It may be just the full path of a program, or there may be a space-separated list specifying
what arguments match. No list means any arguments are allowed, "" means no arguments are
allowed, otherwise the list is an expression that must match the arguments given.
Note that the program and its arguments are assumed to be separated by exactly one space. Any extra spaces are
assumed to be part of the argument.
Rules for expression matching:
[abc]   matches a, b or c
[a-z]   matches any character in the range a-z
[!abc]  matches any character but a, b and c
[-a]    matches - or a
[[a]    matches [ or a
[]a]    matches ] or a
*       matches zero or more of any characters, except within [ ]
?       matches any one character, except within [ ]
\       backslash escapes the meaning of any character, except within [ ]
Other characters match themselves
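The argument-matching rules above worked through in code, as an added example that is not part of the ttyadmin man page or of BoKS: progdef_matches evaluates a program definition against a requested command line. It assumes the expression behaves like fnmatch(3) without FNM_PATHNAME, which is what the shell's own case patterns implement; program groups and the quoted WINRUNAS path form are not handled.

```shell
# Added example, not from the ttyadmin man page or BoKS. progdef_matches DEF REQ
# returns 0 when the requested command line REQ is allowed by the program
# definition DEF under the PROGRAM DEFINITION rules (fnmatch semantics assumed).
progdef_matches() {
    def=$1
    req=$2
    # The program path ends at the first space; everything after that single
    # space, extra spaces included, is the argument string.
    def_path=${def%% *}
    req_path=${req%% *}
    [ "$def_path" = "$req_path" ] || return 1
    case $req in
        *" "*) req_args=${req#* } ;;
        *)     req_args= ;;
    esac
    case $def in
        *" "*) def_args=${def#* } ;;
        *)     return 0 ;;                 # bare path: any arguments allowed
    esac
    if [ "$def_args" = '""' ]; then        # literal "": no arguments allowed
        case $req in
            *" "*) return 1 ;;
            *)     return 0 ;;
        esac
    fi
    # Otherwise the whole argument string must match the expression.
    case $req_args in
        $def_args) return 0 ;;
        *)         return 1 ;;
    esac
}

# Constructed definitions and requests, for illustration only.
show() {
    if progdef_matches "$1" "$2"; then r=allow; else r=deny; fi
    printf '%-38s %-42s %s\n' "$1" "$2" "$r"
}
show '/bin/mount -t iso9660 /cdrom'        '/bin/mount -t iso9660 /cdrom'
show '/bin/mount -t iso9660 /cdrom'        '/bin/mount -t ext4 /dev/sda1'
show '/bin/mount'                          '/bin/mount -o remount,rw /'
show '/bin/ls ""'                          '/bin/ls'
show '/bin/ls ""'                          '/bin/ls /root'
show '/bin/echo hello'                     '/bin/echo  hello'
show '/usr/bin/tail -f /var/log/[!.]*'     '/usr/bin/tail -f /var/log/messages'
# "*" also matches "/", so this path outside /var/log is allowed; write a
# tighter expression when a definition must stay inside one directory.
show '/usr/bin/tail -f /var/log/[!.]*'     '/usr/bin/tail -f /var/log/x/../../etc/passwd'
```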
EXAMPLES
To enable user host1:bill to login through terminal tty34 between 8am and 5pm from Monday through
ttyadmin -a -l host1:bill -z 'LOGIN:tty34->host1' -b 0800 -e 23 -w 123
ttyadmin supports multiple access route entries. So if user host1:bill only works in the afternoon on Thursdays
and Fridays, the following should also be entered:
ttyadmin -a -l host1:bill -z 'LOGIN:tty34->host1' -b 1300 -e 23 -w 45
To revoke user host1:bill's authorization on terminal tty34:
ttyadmin -r -l host1:bill -z 'LOGIN:tty34->host1'
The following authorizes the user balder:tom to always access the host balder from the host foo through
the ftp server:
ttyadmin -a -l balder:tom -z 'FTP:foo->balder' -w 1234567
The following allows the user balder:tom to run the mount command with the specified options as root
on the machine balder:
ttyadmin -a -l balder:tom -z 'suexec:*->root@balder' -Z '/bin/mount -t iso9660 /cdrom'
The access route below allows user balder:tom to start the telnet service as user administrator:
ttyadmin -a -l balder:tom -z 'winrunas:*->administrator@balder' -Z '"c:\windows\system32\net" start telnet'
SEE ALSO
mkbks(1B), pgrpadmin(1B), routeadm(1B), chroot(1), $BOKS_etc/method.conf